Critical infrastructure—the facilities and systems that support banking, commerce, energy, and more—is vital to our national economy, security, and public health. It can also be vulnerable to cyber attacks, which are increasing in frequency, sophistication, and severity. In the event of a major cyber attack against critical infrastructure, the Department of Defense may be called upon to support civil authorities with their response. Are they prepared to answer the call? Today’s WatchBlog looks at whether DOD has enough of a plan in place to provide the necessary support after a cyber attack. Who’s in charge? When the Department of Homeland Security calls DOD for help with cyber incident response, who answers the phone? The answer depends on who you ask. According to a DHS and DOD agreement, it’s the U.S. Cyber Command—which coordinates DOD cyberspace operations globally. Officials from U.S. Cyber Command told us that they expect to lead civil support activities for domestic cyber incidents. However, U.S. Northern Command contends that it is responsible for cyber incidents within its region—covering the continental United States, Alaska, and Caribbean territories. Similarly, the U.S. Pacific command expects to lead cyber incident response in Hawaii and the Pacific territories. Officials from both commands told us that they consider cyber incident response to be in their authority, and expect their command to lead civil support activities for cyber incidents in their regions, with U.S. Cyber Command acting in a supporting role. This lack of command clarity could hinder the timeliness or effectiveness of critical DOD support to civil authorities in response to a cyber incident. The logistics of dual-status commanders We found a similar lack of clarity when it came to defining key DOD roles and responsibilities in helping with cyber incident response. For example, most states allow some DOD commanders to jointly command federal troops and state National Guard (“dual-status”) during an emergency to better coordinate incident response efforts. However, DOD guidance does not specify the roles and responsibilities of dual-status commanders during a cyber incident. Therefore, the dual-status commander’s role was uncertain during a recent cyber incident response exercise, resulting in an uncoordinated effort from DOD and National Guard forces. We recommended that DOD clarify roles and responsibilities in cyber civil support guidance for lead commands, supporting commands, and dual-status commanders. DOD concurred with our recommendation and plans to issue clarifying guidance.