As our inevitable descent into digital anarchy looms large, there is some comfort to be taken in the fact that powerful, well-funded entities like the Department of Defense are there to provide protection and security. Psych!
According to a report released on Monday by the United States Government Accountability Office (GAO), the Pentagon doesn’t have a properly defined chain of command when it comes to “cyber incidents.” The GAO, which is the federal government’s biggest watchdog, found that the roles and responsibilities for how to support civilian leaders are mighty unclear.
Essentially, the Department of Defense has plans in place—officially called the Defense Support of Civil Authorities—that dictate how military forces can be used for domestic events like natural and man-made disasters. But it has no such guidelines for cyber attacks.
“Various guidance documents are inconsistent on which combatant command would be designated the supported command and have primary responsibility for supporting civil authorities during a cyber incident,” the report said. One plan, for example, says that US Northern Command—tasked with defending the country and its national interests—would be in charge. A different plan, however, tasks the US Cyber Command with the same responsibility.
Another major problem is the absence of a dual-status commander (i.e. someone who controls both federal military and National Guard forces). This problem played out in real time last year during a simulation of a massive cyber attack: the dual-status commander didn’t have full control over some cyber units which were then unable to perform their extremely important jobs.
In response to the findings, the Department of Defense noted in the report that it “concurs” with the recommendations. It also promises that these issues will be “addressed.” (It outlined some cyber security tactics in a 2015 report, where it noted that “partnership[s]” were very important.)
According to the GAO report, however, as of this January, “DOD had not begun efforts to issue or update guidance and did not have an estimate on when the guidance will be finalized.” Oh. (When reached by email, a spokeswoman for the Department had no additional comment.)
But according to Joseph Kirschbaum, the director for defense capabilities and management at the GAO, ill-preparedness for digital threats is a relatively common governmental problem.
“We have indeed found similar kinds of gaps in agency plans as we found in the most recent report,” Kirschbaum told Gizmodo in an email. “Just about everything in cyberspace is also constantly evolving, which further complicates planning.”
So the Pentagon is having trouble because the internet is complicated and stuff. Some excuse.