GAO: Pentagon Needs Clear Line of Control in Cyber EffortsJuly 29, 2011

 

A new report by the Government Accountability Office (GAO), the investigative arm of Congress, found that the Department of Defense (DoD) lacked a coherent operational strategy to react to cyber attacks, according to an article in The Washington Post.

The report analyzed a 2008 attack on classified U.S. military computer networks when an infected flash drive was inadvertently attached to a laptop database in the Middle East. Several departments — both military and civilian — reacted and provided instructions on how to contain the damage. The results: confusion.

“None of it was coordinated,” said David D'Agostino, the director on defense issues for the GAO.  “Some of it was conflicting. Some was immediate. Some came weeks later. It was a very messy spaghetti chart.” In the end, this lack of operational focus led to an inadequate response. The report criticized the Pentagon's lack of clear lines of control over its cyber operations, according to the Post.

The 2008 incident, known as Operation Buckshot Yankee, led Deputy Defense Secretary William J. Lynn to use it to highlight why the department urgently needed a joint doctrine for cyber operations. Without such a coherent effort, the report warned, “DoD networks and our country's critical infrastructure can be disrupted, compromised or damage by relatively unsophisticated adversary.”

While the 2008 incident led to a new set of policies on how flash drives can be used on unclassified networks, the underlying problem of the operational hierarchy has not been solved, the report concluded. A Pentagon spokesperson noted that the department recently released a strategy for operating in cyberspace and continues to try to improve its coordination. But the GAO said it was still waiting for the clear lines of control to be spelled out.

“Establishing a cyber command is an evolving process,” Rep. Jim Langevin, a Democrat from Rhode Island, told the Post. “However, this report points out our shortcomings in putting together a command structure that can efficiently close vulnerabilities across military services and agencies.”