U.S. Cyber Command lacks the authorities it needs to manage personnel, set standards for training and ensure its Cyber Mission Force teams are properly equipped for combat, according to a Department of Defense watchdog.
A classified November 2015 report by the Pentagon inspector general assessed whether the CMF teams “had adequate facilities, equipment and capabilities to effectively perform missions.” A heavily redacted version was released to CyberScoop this week as the result of a Freedom of Information Act request.
Although the report is almost two years old, many of the problems it describes persist, according to former military officials who spoke to CyberScoop on condition they not be identified or quoted, owing to the classified nature of the issues.
The Trump administration’s plan to elevate U.S. Cyber Command to full-fledged Unified Combatant Command status — and other changes proposed and in some cases implemented since the report was issued — will help to address the problems, which are to be expected in a new organization, former officials said. The order to create Cybercom came in 2009, and it became fully operational in 2010. The stand up of Cyber Mission Forces begun in 2012.
Although the report’s detailed findings were redacted, it’s clear from one of the headings that the cyber forces were “inadequate.” Auditors blamed the failures on:
- The absence of a single vision for, and a lack of cooperation between, Cyber Command and the four military services.
- Inadequate authorities for and insufficient planning and execution by Cyber Command.
“U.S. Cyber Command [and] the service components … did not take sufficient steps to ensure all [CMF] teams had adequate capabilities and facilities. Specifically, [they] lacked a unified approach to ensure that [CMF teams] had adequate capabilities to perform offensive and defensive missions,” the report says.
Cybercom’s process for developing warfighter cyber capabilities was “ineffective,” found auditors.
Worse, because of classification and cooperation issues, commanders sometimes didn’t know for sure what the other forces’ cyber units were capable of performing.
Cybercom officials told IG staff “they did not have assurance that all service component cyber capability efforts were vetted through the [capabilities development process] or included in the [Cyber Capabilities Registry, or] CCR” — a supposedly comprehensive database cataloguing the cyber powers of U.S. military units.
“The CCR was unreliable for providing situational awareness and did not support tool developers, operators and planners” because it only listed capabilities which were “developed” and didn’t include those “under development,” the report explains.
The rapidly evolving global cyberthreat environment presented “unparalleled challenges to traditional military integration, synchronization, coordination and deconfliction processes,” the auditors found.
These challenges “coupled with the tempo of cyberspace operations, require an approach that is more centralized and comprehensive” to make sure the CMF teams get what they need to be effective in combat.
Since the Goldwater-Nichols Act overhauled the structure of the U.S. military in the 1980s, the four services have been responsible for providing combatant commanders with forces that are trained and equipped. Air Force units assigned to a geographical combatant command like Centcom, for example, arrive with their pilots trained and their own planes.
But in the new global domain of cyberspace, that role left the services out of step with Cybercom and with one another, the auditors found.
“Service components continued to use component-specific approaches and strategies to develop offensive capabilities that aligned to traditional component specific mission areas, rather than unify capabilities development to support” the CMF.
Auditors blamed that failure on the new command’s lack of needed powers. It “did not have appropriate authorities to effectively oversee and direct offensive capability development.”
You can read the IG report below.