Defense Civil Support: DOD Needs to Identify National Guard's Cyber Capabilities and Address Challenges in Its Exercises
Highlights
What GAO Found
National Guard units have developed capabilities that could be used, if requested and approved, to support civil authorities in a cyber incident; however, the Department of Defense (DOD) does not have visibility of all National Guard units' capabilities for this support. GAO found three types of cyber capabilities that exist in National Guard units:
Communications directorates: These organizations operate and maintain the National Guard's information network.
Computer network defense teams: These teams protect National Guard information systems, could serve as first responders for states' cyber emergencies, and provide surge capacity to national capabilities.
Cyber units: These teams are to conduct cyberspace operations.
However, DOD does not have visibility of all National Guard units' cyber capabilities because the department has not maintained a database that identifies the National Guard units' cyber-related emergency response capabilities, as required by law. Without such a database to fully and quickly identify National Guard cyber capabilities, DOD may not have timely access to these capabilities when requested by civil authorities during a cyber incident.
DOD has conducted or participated in exercises to support civil authorities in a cyber incident or to test the responses to simulated attacks on cyber infrastructure owned by civil authorities, but has experienced several challenges that it has not addressed. These challenges include limited participant access because of a classified exercise environment, limited inclusion of other federal agencies and critical infrastructure owners, and inadequate incorporation of joint physical-cyber scenarios. In addition to these challenges, DOD has not identified and conducted a “tier 1” exercise—an exercise involving national-level organizations and combatant commanders and staff in highly complex environments. A DOD cyber strategy planning document states, and DOD officials agreed, that such an exercise is needed to help prepare forces in the event of a disaster with physical and cyber effects. Until DOD identifies and conducts a tier 1 exercise, DOD will miss an opportunity to fully test response plans, evaluate response capabilities, assess the clarity of established roles and responsibilities, and address the challenges DOD has experienced in prior exercises. The table below shows selected DOD-conducted exercises.
Selected DOD Exercises Designed to Support Civil Authorities During or After a Cyber Incident
Exercise title | Exercise host | Fiscal year | Cyber civil-support objective |
---|---|---|---|
Cyber Guard 15 | U.S. Cyber Command | 2015 | Test DOD participation in a response to a cyberattack of significant consequence against U.S. critical infrastructure. |
Cyber Shield 2015 | Army National Guard | 2015 | Train and evaluate U.S. Army National Guard computer network defense teams in a civil-support scenario. |
Vista Host II | North American Aerospace Defense Command and U.S. Northern Command | 2015 | Examine planning assumptions, potential resource requirements, and roles and responsibilities associated with cyber-related defense support to civil authorities operations. |
Source: GAO analysis of DOD documentation | GAO-16-574
Why GAO Did This Study
The DOD 2015 Cyber Strategy reported that a cyber attack could present a significant risk to U.S. national security. House Report 114-102 included a provision that GAO assess DOD's plans for providing support to civil authorities for a domestic cyber incident.
This report assesses whether (1) the National Guard has developed and DOD has visibility over capabilities that could support civil authorities in a cyber incident; and (2) DOD has conducted and participated in exercises to support civil authorities in cyber incidents and any challenges it faced. To conduct this review, GAO examined DOD and National Guard reports, policies, and guidance and interviewed officials about the National Guard's capabilities in defense support to civil authorities. GAO also reviewed after-action reports and interviewed DOD officials about exercise planning.
Recommendations
GAO recommends that DOD maintain a database that identifies National Guard cyber capabilities, conduct a tier 1 exercise to prepare its forces in the event of a disaster with cyber effects, and address challenges from prior exercises. DOD partially concurred with the recommendations, stating that current mechanisms and exercises are sufficient to address the issues highlighted in the report. GAO believes that the mechanisms and exercises, in their current formats, are not sufficient and continues to believe the recommendations are valid, as described in the report.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | To ensure that decision makers have immediate visibility into all capabilities of the National Guard that could support civil authorities in a cyber incident, the Secretary of Defense should maintain a database that can fully and quickly identify the cyber capabilities that the National Guard in the 50 states, three territories, and the District of Columbia have and could be used--if requested and approved--to support civil authorities in a cyber incident. | Since the issuance of our report, DOD - through the National Guard Bureau - has increased its visibility of National Guard capabilities that could support civil authorities in a cyber incident. For example, in planning to support the 2020 elections, the National Guard Bureau participated in an exercise where it briefed DOD and DHS officials on the types of National Guard cyber units that exist in each state - including the units identified in our report. We believe that DOD has demonstrated progress in identifying National Guard capabilities that could support civil authorities in the event of a cyber incident - and that this greater visibility has met the intent of our recommendation. |
Department of Defense | To better prepare DOD to support civil authorities in a cyber incident, the Secretary of Defense should direct the Deputy Assistant Secretary of Defense for Cyber Policy, the Chief of the National Guard Bureau, the Commander of U.S. Northern Command, and the Commander of U.S. Cyber Command to conduct a tier 1 exercise that will improve DOD's planning efforts to support civil authorities in a cyber incident. Such an exercise should also address challenges from prior exercises, such as limited participant access to exercise environment, inclusion of other federal agencies and private-sector cybersecurity vendors, and incorporation of emergency or disaster scenarios concurrent to cyber incidents. | Since we issued the report, DOD has undertaken a number of table-top exercises to better prepare DOD leaders at multiple levels - including the Office of the Secretary of Defense, Joint Staff, National Guard Bureaus, U.S. Northern Command, U.S. Indo-Pacific Command, and U.S. Cyber Command - to support civil authorities in a cyber incident. These exercises have enabled the department to consider legal authorities, policies, military orders, command and control process, and gaps and seams in coordination and synchronization. We believe that these exercises - along with other exercises that the combatant commands participate in regularly (including those listed in our report) - demonstrated that DOD has made progress in preparing the department to support civil authorities in the event of a cyber incident - and that these exercises meet the intent of our recommendation. |