Defense Department Cyber Efforts:

DOD Faces Challenges In Its Cyber Activities

GAO-11-75: Published: Jul 25, 2011. Publicly Released: Jul 25, 2011.

Additional Materials:

Contact:

Brian J. Lepore
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

According to the U.S. Strategic Command, the Department of Defense (DOD) is in the midst of a global cyberspace crisis as foreign nation states and other actors, such as hackers, criminals, terrorists, and activists exploit DOD and other U.S. government computer networks to further a variety of national, ideological, and personal objectives. This report identifies (1) how DOD is organized to address cybersecurity threats; and assesses the extent to which DOD has (2) developed joint doctrine that addresses cyberspace operations; (3) assigned command and control responsibilities; and (4) identified and taken actions to mitigate any key capability gaps involving cyberspace operations. It is an unclassified version of a previously issued classified report. GAO analyzed policies, doctrine, lessons learned, and studies from throughout DOD, commands, and the services involved with DOD's computer network operations and interviewed officials from a wide range of DOD organizations..

DOD's organization to address cybersecurity threats is decentralized and spread across various offices, commands, military services, and military agencies. DOD cybersecurity roles and responsibilities are vast and include developing joint policy and guidance and operational functions to protect and defend its computer networks. DOD is taking proactive measures to better address cybersecurity threats, such as developing new organizational structures, led by the establishment of the U.S. Cyber Command, to facilitate the integration of cyberspace operations. However, it is too early to tell if these changes will help DOD better address cybersecurity threats. Several joint doctrine publications address aspects of cyberspace operations, but DOD officials acknowledge that the discussions are insufficient; and no single joint publication completely addresses cyberspace operations. While at least 16 DOD joint publications discuss cyberspace-related topics and 8 mention "cyberspace operations," none contained a sufficient discussion of cyberspace operations. DOD recognizes the need to develop and update cyber-related joint doctrine and is currently debating the merits of developing a single cyberspace operations joint doctrine publication in addition to updating all existing doctrine. However, there is no timetable for completing the decision-making process or for updates to existing doctrine. DOD has assigned authorities and responsibilities for implementing cyberspace operations among combatant commands, military services, and defense agencies; however, the supporting relationships necessary to achieve command and control of cyberspace operations remain unclear. In response to a major computer infection, U.S. Strategic Command identified confusion regarding command and control authorities and chains of command because the exploited network fell under the purview of both its own command and a geographic combatant command. Without complete and clearly articulated guidance on command and control responsibilities that is well communicated and practiced with key stakeholders, DOD will have difficulty in achieving command and control of its cyber forces globally and in building unity of effort for carrying out cyberspace operations. DOD has identified some cyberspace capability gaps, but it has not completed a comprehensive, departmentwide assessment of needed resources, capability gaps, and an implementation plan to address any gaps. For example, U.S. Strategic Command has identified that DOD's cyber workforce is undersized and unprepared to meet the current threat, which is projected to increase significantly over time. While the department's review of some cyberspace capability gaps on cyberspace operations is a step in the right direction, it remains unclear whether these gaps will be addressed since DOD has not conducted a more comprehensive departmentwide assessment of cyber-related capability gaps or established an implementation plan or funding strategy to resolve any gaps that may be identified. GAO recommends that DOD (1) establish a timeframe for deciding on whether to complete a separate joint cyberspace publication and for updating the existing body of joint publications, (2) clarify command and control relationships regarding cyberspace operations and establish a timeframe for issuing the clarified guidance, and (3) more fully assess cyber-specific capability gaps, and (4) develop a plan and funding strategy to address them. DOD agreed with the recommendations.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DOD concurred with the recommendation. DOD indicated that the Secretary of Defense selected cyber defense as one of eight issues for a Front End Assessment for the FY 2012-2016 program-budget cycle with a common focus on identifying operational risk and mitigation of that risk, and the need for management and/or authorities adjustments to improve efficiency or performance. DOD has since taken several actions related to this recommendation. As a sub-unified command subordinate to U.S. Strategic Command, U.S. Cyber Command has provided input into the U.S. Strategic Command's integrated priority lists for the past several years. As a result, U.S. Strategic Command's integrated priority lists for fiscal years 2014-2018 and 2015-2019 each contained cyberspace-related capability gaps resulting from U.S. Cyber Command's assessments. Further, DOD's Joint Requirements Oversight Council (JROC), issued a classified capability gap assessment memorandum in May 2012 that includes DOD cyberspace capability gaps, proposed mitigation actions, and estimated completion dates. Taken together, these actions address the intent of the recommendation.

    Recommendation: To ensure that DOD takes a more comprehensive approach to its cyberspace capability needs and that capability gaps are prioritized and addressed, the Secretary of Defense should direct the appropriate Office of the Secretary of Defense officials, in coordination with the secretaries of the military departments and the Joint Chiefs of Staff, to develop a comprehensive capabilities-based assessment of the departmentwide cyberspace-related mission and a time frame for its completion.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: DOD concurred with this recommendation. The Principal Director, Cyber and Space Policy, Office of the Assistant Secretary of Defense (Global Strategic Affairs) indicated that the Secretary of Defense, through the June 23, 2009, memorandum as well as the Unified Command Plan, has promulgated clear guidance for command and control relationships between the U.S. Strategic Command (USSTRATCOM), the Services, and the geographic combatant commands regarding cyberspace operations. The Secretary of Defense memorandum establishing the U.S. Cyber Command alludes to the U.S. Cyber Command implementation plan, which does contain some information on command and control relationships but does not provide the kind of clear guidance we describe as lacking in our report. U.S. Cyber Command's 2010 Concept of Operations provides additional information on command and control guidance. The 2011 update to the Unified Command Plan also discusses missions and responsibilities for U.S. Strategic Command (U.S. Cyber Command's superior command) in cyberspace operations, but there is no reference to U.S. Cyber Command's specific role in this effort. DOD issued a classified joint doctrine publication on cyberspace operations in February 2013 that discusses planning, coordination, and command and control among and between DOD commands and organizations. Taken together, we believe these actions advance DOD's guidance for clarifying cyberspace command and control relationships and address the intent of the recommendation.

    Recommendation: To strengthen DOD's cyberspace doctrine and operations to better address cybersecurity threats, the Secretary of Defense should direct the appropriate officials in the Office of the Secretary of Defense, in coordination with the Under Secretary of Defense for Policy and the Joint Staff, to clarify DOD guidance on command and control relationships between U.S. Strategic Command, the services, and the geographic combatant commands regarding cyberspace operations, and establish a time frame for issuing the clarified guidance.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: DOD concurred with this recommendation and indicated that as part of implementing the National Military Strategy for Cyberspace Operations, an assessment of joint doctrine was underway and expected to be completed by the end of fiscal year 2011. DOD also indicated that the joint doctrine process will include related lexicon/definitions which will be synthesized with the interagency work on cyber lexicon. Some of this was represented in the revised Air Force Doctrine Document 3-12, "Cyberspace Operations," update on November 30, 2011. Additionally, DOD issued a "Department of Defense Strategy for Operating in Cyberspace" in July 2011, which takes into consideration the standup of the U.S. Cyber Command and the results of the 2010 Quadrennial Defense Review, 2010 National Security Strategy, and the 2008 National Defense Strategy. DOD also issued a classified joint doctrine publication on cyberspace operations in February 2013. Taken together, these actions, among others, address the intent of the recommendation.

    Recommendation: To strengthen DOD's cyberspace doctrine and operations to better address cybersecurity threats, the Secretary of Defense should direct the Chairman of the Joint Chiefs of Staff in consultation with the Under Secretary of Defense for Policy and U.S. Strategic Command to establish a time frame for (1) deciding whether or not to proceed with a dedicated joint doctrine publication on cyberspace operations and for (2) updating the existing body of joint doctrine to include complete cyberspace-related definitions.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: DOD concurred with the recommendation. The Principal Director, Cyber and Space Policy, Office of the Assistant Secretary of Defense (Global Strategic Affairs) indicated that the Front End Assessment as well as the development of the National Defense Strategy for Cyberspace Operations will inform the Department on the gaps and the requisite mitigation strategy required. In May 2012, DOD's Joint Requirements Oversight Council (JROC) issued a classified capability gap assessment memorandum that identifies cyberspace-related gaps, recommends mitigation actions, identifies organizations of primary responsibility, and provides estimated completion dates. If executed fully and diligently, the details surrounding these actions should help DOD balance effectiveness and efficiency in developing new capabilities or modifying existing capabilities. This addresses the intent of the recommendation.

    Recommendation: To ensure that DOD takes a more comprehensive approach to its cyberspace capability needs and that capability gaps are prioritized and addressed, the Secretary of Defense should direct the appropriate Office of the Secretary of Defense officials, in coordination with the secretaries of the military departments and the Joint Chiefs of Staff, to develop an implementation plan and funding strategy for addressing any gaps resulting from the assessment that require new capability development or modifications to existing programs.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Dec 10, 2014

Sep 25, 2014

Sep 23, 2014

Jun 10, 2014

May 22, 2014

May 12, 2014

May 8, 2014

Looking for more? Browse all our products here