DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents
GAO-16-332: Published: Apr 4, 2016. Publicly Released: Apr 4, 2016.
- Highlights Page:
- Full Report:
- Accessible Version:
- Related WatchBlog Post:
- Related WatchBlog Post:
What GAO Found
The Department of Defense (DOD) has developed overarching guidance about how it is to support civil authorities as part of its Defense Support of Civil Authorities (DSCA) mission, but DOD's guidance does not clearly define its roles and responsibilities for cyber incidents. Specifically, DOD has developed and issued key DSCA guidance—such as DOD Directive 3025.18, Defense Support of Civil Authorities— that provides guidance for the execution and oversight of DSCA. However, DOD guidance does not clarify the roles and responsibilities of key DOD entities—such as DOD components, the supported command, and the dual-status commander—that may be called upon to support a cyber incident. Specifically:
- DOD components: DOD Directive 3025.18 identifies the specific responsibilities of DOD officials who oversee DOD components responsible for various elements of DSCA, such as the Assistant Secretary of Defense for Health Affairs for health or medical-related support, but does not specify the responsibilities of DOD components (such as the Assistant Secretary of Defense for Homeland Defense and Global Security) in supporting civil authorities for cyber incidents.
- Supported command: Various guidance documents are inconsistent on which combatant command would be designated the supported command and have primary responsibility for supporting civil authorities during a cyber incident. U.S. Northern Command's DSCA response concept plan states that U.S. Northern Command would be the supported command for a DSCA mission that may include cyber domain incidents and activities. However, other guidance directs and DOD officials stated that a different command, U.S. Cyber Command, would be responsible for supporting civil authorities in a cyber incident.
- Dual-status commander: Key DSCA guidance documents do not identify the role of the dual-status commander—that is, the commander who has authority over federal military and National Guard forces—in supporting civil authorities during a cyber incident. According to U.S. Northern Command officials, in a recent cyber exercise there was a lack of unity of effort among the DOD and National Guard forces that were responding to the emergency but were not under the control of the dual-status commander.
DOD officials acknowledged the limitations of current guidance to direct the department's efforts in supporting civil authorities in a cyber incident and discussed with GAO the need for clarified guidance on roles and responsibilities. DOD officials stated that the department had not yet determined the approach it would take to support a civil authority in a cyber incident and, as of January 2016, DOD had not begun efforts to issue or update guidance and did not have an estimate on when the guidance will be finalized. Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, there would continue to be uncertainty about which DOD component or command should be providing support to civil authorities in the event of a major cyber incident.
Why GAO Did This Study
Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact. DOD's 2013 Strategy for Homeland Defense and Defense Support of Civil Authorities states that DOD must be prepared to support civil authorities in all domains—including cyberspace—and recognizes that the department plays a crucial role in supporting a national effort to confront cyber threats to critical infrastructure.
House Report 114-102 included a provision that GAO assess DOD's plans for providing support to civil authorities related to a domestic cyber incident. This report assesses the extent to which DOD has developed guidance that clearly defines the roles and responsibilities for providing support to civil authorities in response to a cyber incident.
GAO reviewed DOD DSCA guidance, policies, and plans; and met with relevant DOD, National Guard Bureau, and Department of Homeland Security officials.
What GAO Recommends
GAO recommends that DOD issue or update guidance that clarifies DOD roles and responsibilities to support civil authorities in a domestic cyber incident. DOD concurred with the recommendation and stated that the department will issue or update guidance.
For more information, contact Joseph W. Kirschbaum at (202) 512-9971 or firstname.lastname@example.org.
Recommendation for Executive Action
Comments: The Department of Defense concurred with the recommendation and indicated that, in response, it would update existing agency guidance (e.g., doctrine, directives, instructions) or develop new guidance as appropriate. Since we issued our report, DOD has issued several guidance documents-including Directive Type Memorandum 17-007, Interim Policy and Guidance for Defense Support to Cyber Incident Response (June 2017); and Joint Publication 3-12, Cyberspace Operations (June 2018)-to prepare the department to provide support to civil authorities for a cyber incident. However, the Directive Type Memorandum did not identify or clarify which DOD combatant command (i.e. NORTHCOM and PACOM versus CYBERCOM) would serve as the supported versus supporting command or the roles and responsibilities of a dual-status commander when DOD is providing support to civil authorities for a cyber incident. Rather, the memorandum tasked Joint Staff to designate the command responsibilities. Also, this Directive Type Memorandum was effective for one year and expired in June 2018. DOD has drafted a DOD Instruction that will replace this memorandum. Similarly, DOD has drafted another DOD Instruction that will supposedly provide policy and guidance on the use of dual-status commanders when providing support to civil authorities in a cyber incident. Joint Publication 3-12 similarly does not clarify roles and responsibilities of combatant commands and the dual-status commander. Specifically, the joint publication states that when DHS requests support, the fundamental principles of DSCA used to respond to domestic emergencies in the physical domains also apply to cyberspace operations support. Per DOD's Unified Command Plan, NORTHCOM and PACOM are the supported commands for DSCA missions in the physical domain. However, Joint Publication 3-12 does not re-iterate those roles and responsibilities. Instead, when describing CYBERCOM's roles and responsibilities, it states that CYBERCOM could assume either supported or supporting command responsibilities based on the military order that is issued. When describing NORTHCOM and PACOM's roles and responsibilities, it states that those commands fulfill specific cyberspace operations responsibilities related to DSCA and homeland defense with CYBERCOM others, as required. While the publication re-iterates a basic DOD concept - DOD components should work together - the publication does not provide any clarification on which command will take lead in planning, coordination, and execution (i.e. supported command). In summer 2019 we followed-up with DOD. While DOD has issued a supplemental DSCA execute order, neither this document--nor any other documents provided to us to date--clarifies roles and responsibilities for relevant entities and officials--including the DOD components, supported and supporting commands, and dual-status commander--to support civil authorities as needed in a cyber incident. Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, as we recommended, DOD will continue to experience uncertainty about the roles and responsibilities of different DOD components and commands with regard to providing support to civil authorities in the event of a significant cyber incident.
Recommendation: To help improve DOD's planning and processes for supporting civil authorities in a cyber incident, the Secretary of Defense should direct the Under Secretary of Defense for Policy in coordination with the Chairman of the Joint Chiefs of Staff to issue or update guidance that clarifies roles and responsibilities for relevant entities and officials--including the DOD components, supported and supporting commands, and dual-status commander--to support civil authorities as needed in a cyber incident.
Agency Affected: Department of Defense