DOD's cyber strategy lacks organization, manpower and funds, GAO says

Despite recent efforts to shore up its approach to cybersecurity, the Defense Department is behind the game, lacking the ability to meet current threats and the means to keep pace with future threats, the General Accounting Office concludes in a new report.

The report, released July 25, states that DOD’s decentralized approach to cybersecurity, including a lack of unified policy, is a major contributor to its network vulnerabilities.

While the DOD is proactively addressing the issues, including the establishment of U.S. Cyber Command to integrate operations, department officials admit that they have no single publication to completely address their cyberspace operations; there are insufficient discussions on the topic and no timetable for updating their existing doctrines or decision-making process.

Furthermore, the department’s cyber workforce is “undersized and unprepared to meet the current threat, which is projected to increase significantly over time,” the report states. Compounding the problem, the department has not created a funding strategy to address its cybersecurity issues.

GAO also found that DOD’s newly developed personnel reporting structure for a unified approach to cybersecurity is vague enough to be potentially inadequate.

“It remains unclear whether these [cybersecurity] gaps will be addressed, since DOD has not conducted a more comprehensive department-wide assessment of cyber-related capability gaps or established an implementation plan or funding strategy to resolve any gaps that may be identified,” GAO said.

Although DOD’s cyber defense activities have been around for a while, its push toward a unified approach is new. Recently, GCN reported that DOD and the Homeland Security Department are working together to protect cyberspace, under an evolving plan in which DHS has primary responsibility for civilian networks.

Deputy Defense Secretary William Lynn also announced July 14 the department’s new strategy for defending U.S. computer networks, saying, “it is only one part of the department’s first-ever Strategy for Operating in Cyberspace.”



About the Author

Kathleen Hickey is a freelance writer for GCN.

Reader Comments

Fri, Jul 29, 2011

So far, from here at least, looks like business as usual. Everybody wants to do it THEIR way, and official guidance from on high is filed and forgotten.

Wed, Jul 27, 2011 earth

Given the difference between cyber-security and war, given the continual need for cyber-security inside the boundaries of the US, given the continually graded response necessary to attacks and given the long-term training needed to be minimally sufficient, cyber-security should probably be in the law enforcement realm instead of the DOD. Consider the problem with posse comitatus if the attacker is within the bounds of the US.
True, the DOD’s cyber capabilities need to be secure, but that does not mean they should take the lead.

Wed, Jul 27, 2011

Big problem with this story. The GAO audit was completed more than a year ago. Declassification issues prevented it from being released until now. Any story about it should note that fact.

Wed, Jul 27, 2011

The government keeps stating the shortage of cybersecurity workers; where are the job postings or recruitment activities? I haven't seen them.
