Skip to Highlights
Highlights

According to the U.S. Strategic Command, the Department of Defense (DOD) is in the midst of a global cyberspace crisis as foreign nation states and other actors, such as hackers, criminals, terrorists, and activists exploit DOD and other U.S. government computer networks to further a variety of national, ideological, and personal objectives. This report identifies (1) how DOD is organized to address cybersecurity threats; and assesses the extent to which DOD has (2) developed joint doctrine that addresses cyberspace operations; (3) assigned command and control responsibilities; and (4) identified and taken actions to mitigate any key capability gaps involving cyberspace operations. It is an unclassified version of a previously issued classified report. GAO analyzed policies, doctrine, lessons learned, and studies from throughout DOD, commands, and the services involved with DOD's computer network operations and interviewed officials from a wide range of DOD organizations..

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense 1. To strengthen DOD's cyberspace doctrine and operations to better address cybersecurity threats, the Secretary of Defense should direct the Chairman of the Joint Chiefs of Staff in consultation with the Under Secretary of Defense for Policy and U.S. Strategic Command to establish a time frame for (1) deciding whether or not to proceed with a dedicated joint doctrine publication on cyberspace operations and for (2) updating the existing body of joint doctrine to include complete cyberspace-related definitions.
Closed - Implemented
DOD concurred with this recommendation and indicated that as part of implementing the National Military Strategy for Cyberspace Operations, an assessment of joint doctrine was underway and expected to be completed by the end of fiscal year 2011. DOD also indicated that the joint doctrine process will include related lexicon/definitions which will be synthesized with the interagency work on cyber lexicon. Some of this was represented in the revised Air Force Doctrine Document 3-12, "Cyberspace Operations," update on November 30, 2011. Additionally, DOD issued a "Department of Defense Strategy for Operating in Cyberspace" in July 2011, which takes into consideration the standup of the U.S. Cyber Command and the results of the 2010 Quadrennial Defense Review, 2010 National Security Strategy, and the 2008 National Defense Strategy. DOD also issued a classified joint doctrine publication on cyberspace operations in February 2013. Taken together, these actions, among others, address the intent of the recommendation.
Department of Defense 2. To strengthen DOD's cyberspace doctrine and operations to better address cybersecurity threats, the Secretary of Defense should direct the appropriate officials in the Office of the Secretary of Defense, in coordination with the Under Secretary of Defense for Policy and the Joint Staff, to clarify DOD guidance on command and control relationships between U.S. Strategic Command, the services, and the geographic combatant commands regarding cyberspace operations, and establish a time frame for issuing the clarified guidance.
Closed - Implemented
DOD concurred with this recommendation. The Principal Director, Cyber and Space Policy, Office of the Assistant Secretary of Defense (Global Strategic Affairs) indicated that the Secretary of Defense, through the June 23, 2009, memorandum as well as the Unified Command Plan, has promulgated clear guidance for command and control relationships between the U.S. Strategic Command (USSTRATCOM), the Services, and the geographic combatant commands regarding cyberspace operations. The Secretary of Defense memorandum establishing the U.S. Cyber Command alludes to the U.S. Cyber Command implementation plan, which does contain some information on command and control relationships but does not provide the kind of clear guidance we describe as lacking in our report. U.S. Cyber Command's 2010 Concept of Operations provides additional information on command and control guidance. The 2011 update to the Unified Command Plan also discusses missions and responsibilities for U.S. Strategic Command (U.S. Cyber Command's superior command) in cyberspace operations, but there is no reference to U.S. Cyber Command's specific role in this effort. DOD issued a classified joint doctrine publication on cyberspace operations in February 2013 that discusses planning, coordination, and command and control among and between DOD commands and organizations. Taken together, we believe these actions advance DOD's guidance for clarifying cyberspace command and control relationships and address the intent of the recommendation.
Department of Defense 3. To ensure that DOD takes a more comprehensive approach to its cyberspace capability needs and that capability gaps are prioritized and addressed, the Secretary of Defense should direct the appropriate Office of the Secretary of Defense officials, in coordination with the secretaries of the military departments and the Joint Chiefs of Staff, to develop a comprehensive capabilities-based assessment of the departmentwide cyberspace-related mission and a time frame for its completion.
Closed - Implemented
DOD concurred with the recommendation. DOD indicated that the Secretary of Defense selected cyber defense as one of eight issues for a Front End Assessment for the FY 2012-2016 program-budget cycle with a common focus on identifying operational risk and mitigation of that risk, and the need for management and/or authorities adjustments to improve efficiency or performance. DOD has since taken several actions related to this recommendation. As a sub-unified command subordinate to U.S. Strategic Command, U.S. Cyber Command has provided input into the U.S. Strategic Command's integrated priority lists for the past several years. As a result, U.S. Strategic Command's integrated priority lists for fiscal years 2014-2018 and 2015-2019 each contained cyberspace-related capability gaps resulting from U.S. Cyber Command's assessments. Further, DOD's Joint Requirements Oversight Council (JROC), issued a classified capability gap assessment memorandum in May 2012 that includes DOD cyberspace capability gaps, proposed mitigation actions, and estimated completion dates. Taken together, these actions address the intent of the recommendation.
Department of Defense 4. To ensure that DOD takes a more comprehensive approach to its cyberspace capability needs and that capability gaps are prioritized and addressed, the Secretary of Defense should direct the appropriate Office of the Secretary of Defense officials, in coordination with the secretaries of the military departments and the Joint Chiefs of Staff, to develop an implementation plan and funding strategy for addressing any gaps resulting from the assessment that require new capability development or modifications to existing programs.
Closed - Implemented
DOD concurred with the recommendation. The Principal Director, Cyber and Space Policy, Office of the Assistant Secretary of Defense (Global Strategic Affairs) indicated that the Front End Assessment as well as the development of the National Defense Strategy for Cyberspace Operations will inform the Department on the gaps and the requisite mitigation strategy required. In May 2012, DOD's Joint Requirements Oversight Council (JROC) issued a classified capability gap assessment memorandum that identifies cyberspace-related gaps, recommends mitigation actions, identifies organizations of primary responsibility, and provides estimated completion dates. If executed fully and diligently, the details surrounding these actions should help DOD balance effectiveness and efficiency in developing new capabilities or modifying existing capabilities. This addresses the intent of the recommendation.

Full Report