The Defense Department needs to clarify and further define how certain U.S. defense agencies and combatant commands — including the nation’s top cyberwarfare unit, U.S. Cyber Command — should interact with private sector companies and civilian agencies, according to a recent report by the Government Accountability Office (GAO).
The GAO outlined deficiencies in a report by the Pentagon that sought to establish roles and responsibilities for some of these defense organizations when they respond to data breaches. GAO contends that the Defense Department’s “Section 1648 report” leaves out several key details that would sufficiently answer questions about collaboration with businesses as well as training requirements for operators.
DOD has reportedly agreed with some of GAO’s criticism. Recent major data breaches affecting U.S. corporations, including Deloitte and Equifax, have spurred questions about whether the Pentagon should take on a greater role in defending the private sector from intrusions.
“DOD was supposed to develop [a] comprehensive plan for CYBERCOM to support civil authorities in responding to cyberattacks. DOD has rigorous requirements for what plans should look like, and this didn’t match. Instead, the information DOD provided tended to be more complete at higher, general levels and less complete where more detail was actually required,” explained Joseph Kirschbaum, director of GAO’s Defense Capabilities and Management office.
Kirschbaum continued, “everyone understands and accepts the concepts of coordination and cooperation among federal, state, and local governments and the private sector. But this is still a different operational model than what DOD usually trains to for its normal missions outside the U.S. So it requires constant attention for DOD to ensure that the right people are getting the right training and that there are enough of them in DOD to make a difference.”
The Department of Homeland Security is currently understood to be the primary federal agency that interacts with the private sector when data breaches occur. The military is limited by Congress in its ability to work with American businesses to stop hackers. In broad strokes, this line — between what role the military, intelligence community or DHS plays in stopping digital attacks aimed at the U.S. economy — can appear blurred at times.
The overarching policy framework that guides such interactions is known as PPD-41. The sweeping directive was introduced by the Obama administration. There’s been no clear-cut signal yet to suggest the Trump administration will rescind PPD-41.
The report comes as U.S. Cyber Command is in the process of being elevated to a full, unified combatant command — a designation that will provide it with additional operational authorities, potential funding and direct access to senior leadership at the Pentagon.
Kirschbaum explained that the status upgrade for U.S. Cyber Command may ultimately help organize the DOD’s various cybersecurity efforts even while disagreements continue about who should be in charge in certain scenarios — “the elevation process if done correctly [can] assist in settling many issues,” he said.
“Disagreement still exists among officials in the department regarding whether NORTHCOM and PACOM (as the geographic combatant commands) or CYBERCOM, which according to command officials maintains the department’s existing inventory of cyberspace command and control capabilities, is the supported command in a cyber incident requiring civil support,” the GAO report reads. “DOD officials acknowledged to us that there are a number of planning and guidance documents that need to be updated to clarify roles and responsibilities.”
It’s possible that some federal outfits like U.S. Cyber Command possess their own private or informal coordination practices with U.S. companies. But GAO is unaware if such policies do in fact exist.
“There is indeed the possibility that informal coordination or mechanisms for coordination are being used at the combatant commands,” Kirschbaum said. “This is done a lot for the ‘traditional’ civil support mission (like hurricane response) at NORTHCOM, for example. But is much less well understood for cyber. So we are looking for common understanding of this so that the commands (and other DOD entities, as appropriate) can do more.”
The U.S. government is still in the process of establishing a comprehensive policy doctrine for cyberspace. The White House is at the moment working on a national security strategy for the Trump administration, for example, which will include cybersecurity considerations. An exact timeframe for this strategy’s unveiling has yet to be announced.
Thomas Bossert, Trump’s homeland security adviser, has said that the new strategy will in part replace some of the now outdated plans set in motion under the Obama administration.
Within the DOD, similar work is ongoing in order to “figure out the difference between traditional support to civil authorities for a physical disaster or other event and what kinds of assistance (or DOD expertise) might be necessary to support civil authorities for cyber incidents,” said Kirschbaum.
“In practical terms, DOD is working on finding that line and making it clear when one command (NORTHCOM) would have the DOD lead and when another (CYBERCOM) should be the DOD lead,” Kirschbaum summarized.