Skip to main content

Is DOD Ready to Support a Response to a Cyber Attack?

Posted on August 01, 2017
Critical infrastructure—the facilities and systems that support banking, commerce, energy, and more—is vital to our national economy, security, and public health. It can also be vulnerable to cyber attacks, which are increasing in frequency, sophistication, and severity. In the event of a major cyber attack against critical infrastructure, the Department of Defense may be called upon to support civil authorities with their response. Are they prepared to answer the call? Today’s WatchBlog looks at whether DOD has enough of a plan in place to provide the necessary support after a cyber attack. Who’s in charge? telephoneWhen the Department of Homeland Security calls DOD for help with cyber incident response, who answers the phone? The answer depends on who you ask. According to a DHS and DOD agreement, it’s the U.S. Cyber Command—which coordinates DOD cyberspace operations globally. Officials from U.S. Cyber Command told us that they expect to lead civil support activities for domestic cyber incidents. However, U.S. Northern Command contends that it is responsible for cyber incidents within its region—covering the continental United States, Alaska, and Caribbean territories. Similarly, the U.S. Pacific command expects to lead cyber incident response in Hawaii and the Pacific territories. Officials from both commands told us that they consider cyber incident response to be in their authority, and expect their command to lead civil support activities for cyber incidents in their regions, with U.S. Cyber Command acting in a supporting role. This lack of command clarity could hinder the timeliness or effectiveness of critical DOD support to civil authorities in response to a cyber incident. The logistics of dual-status commanders We found a similar lack of clarity when it came to defining key DOD roles and responsibilities in helping with cyber incident response. For example, most states allow some DOD commanders to jointly command federal troops and state National Guard (“dual-status”) during an emergency to better coordinate incident response efforts. However, DOD guidance does not specify the roles and responsibilities of dual-status commanders during a cyber incident. Therefore, the dual-status commander’s role was uncertain during a recent cyber incident response exercise, resulting in an uncoordinated effort from DOD and National Guard forces. We recommended that DOD clarify roles and responsibilities in cyber civil support guidance for lead commands, supporting commands, and dual-status commanders. DOD concurred with our recommendation and plans to issue clarifying guidance.
About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to