The Evolution of CYBERCOM
(Excerpted from GAO-17-512)
But is it the right fit?
Although DOD has no official position on the merits of CYBERCOM’s dual-hat leadership arrangement, officials we spoke with noted some advantages and disadvantages. For example, some told us that the arrangement improved coordination and collaboration between NSA and CYBERCOM, and allowed both organizations to elevate critical issues and receive quicker decisions from a single leader. On the other hand, some were concerned that CYBERCOM’s needs and priorities might receive preferential treatment from NSA over other combatant commands—given the single leader. Additionally, having one person head both organizations may result in such broad responsibilities that it limits effective leadership, particularly considering the growing number and sophistication of cyberattacks.
DOD has been considering separating NSA and CYBERCOM’s dual-hat leadership, but—as of October 2017—it has not announced whether it plans to do so. Should DOD decide to terminate this dual leadership, there are strategies that could maintain some of its advantages. For example, DOD could formalize agreements between NSA and CYBERCOM to continue collaborating on issues of mutual interest. It could also continue to develop more independent capabilities for CYBERCOM so that it will be less reliant upon NSA’s tools and infrastructure.
Implementing cybersecurity guidance
DOD's progress towards implementing key cybersecurity guidance varies. DOD implemented the key cybersecurity elements of its Cloud Computing Strategy and made progress implementing a number of tasks related to its 2015 Cyber Strategy and Cybersecurity Campaign. However, DOD closed tasks that support its Cyber Strategy before they were fully implemented. For example, it closed a task that required completing cyber risk assessments on 136 weapon systems prior to performing all of the assessments.
The Department also lacks a timeframe and process for monitoring the implementation of its Cybersecurity Campaign objective to conduct operational risk assessments for its cybersecurity readiness.
To find out more about CYBERCOM’s leadership, as well as how its cybersecurity strategy is progressing, check out our full report.
- Questions on the content of this post? Contact Joseph Kirschbaum at KirschbaumJ@gao.gov.
- Comments on GAO’s WatchBlog? Contact blog@gao.gov.