DOD needs to get a handle on Guard's cyber skills, GAO says

A report says the department lacks visibility into National Guard units' cyber capabilities, which could provide significant help in the event of a domestic attack.

Military leaders, including Defense Secretary Ash Carter, have touted National Guard members as a “huge treasure” in the Defense Department’s cybersecurity efforts, particularly because many of them work in the cyber field in their civilian jobs and bring some impressive skills to the service.

Guard units, for example, could assist civilian agencies in the event of a cyberattack, something Guard cyber teams worked on—along with the Army, Reserve and Marine Corps—during the Cyber Shield 2016 exercise earlier this year.

The problem is keeping tabs on everyone available, according to a Government Accountability Office report released recently. The report says that “DOD does not have visibility of all National Guard units' cyber capabilities because the department has not maintained a database that identifies the National Guard units' cyber-related emergency response capabilities, as required by law.”

The shortcoming could limit the Guard’s participation in an emergency, GAO said, citing three cyber capabilities the Guard possesses:

Communications directorates that operate and maintain the Guard's information network.

Computer network defense teams that protect Guard information systems and that could function as the first responders for states' cyber emergencies and support national capabilities.

Cyber units that conduct cyberspace operations.

The White House has promoted both a whole-of-government and whole-of-nation approach toward deterring and responding to cyber threats and attacks. And the military has conducted exercises to simulate a unified response to an attack on domestic infrastructure in support of civil authorities, GAO said.

Other factors also have contributed to limited participation, including the classified nature of some exercises, limited inclusion of other federal agencies and infrastructure owners, and insufficient use of physical-cyber scenarios.

GAO recommended that DOD develop a database that keeps track of the Guard’s cyber capabilities. The report also said DOD needs to identify and conduct a tier 1 exercise—one that involves national organizations and combatant commanders and staff in complex environments—in order “to prepare its forces in the event of a disaster with cyber effects.” Such an exercise would allow DOD and other organizations to gain a good assessment of their response plans and responsibilities, and compare the results to previous exercises.

The report says DOD officials have agreed that identifying a tier 1 attack and conducting such a test is necessary.