In 2008, the U.S. military suffered the most significant breach of its classified computer networks when an infected flash drive was inserted into a laptop at a base in the Middle East, and the response was, in a word, confusion.
Various military and civilian organizations (the U.S. military’s Central and Strategic commands, the uniformed services, the Defense Information Systems Agency) put out directions on how to contain the damage, military officials said.
“None of it was coordinated,” said Davi D’Agostino, a director on defense issues for the Government Accountability Office. “Some of it was conflicting. Some was immediate. Some came weeks later. It was a very messy spaghetti chart.”
The lack of operational clarity “significantly slowed” the department’s response to the incident, the GAO found in a report issued Monday, co-authored by D’Agostino, that faulted the Pentagon’s lack of clear lines of control over cyber operations. That means that the risk of damage by the adversary — a foreign intelligence service — likely was greater, military officials said.
The report used the response to the 2008 incident, known as Operation Buckshot Yankee, which Defense Secretary William J. Lynn last summer revealed publicly, as an illustration of the need to devise a joint doctrine for cyber operations. Without it, the report warned, “DOD networks and our country’s critical infrastructure can be disrupted, compromised, or damaged by a relatively unsophisticated adversary.”
The 2008 incident resulted in new policies constraining the use of removable media such as flash drives in classified networks.
But the underlying problem of who should lead the response to a cyber incident has not been solved, concluded the report, a classified version of which was completed in May 2010.
The Pentagon was aware of the report, said spokeswoman Lt. Col. April Cunningham. She pointed to the department’s recently released strategy for operating in cyberspace as an example of improved efforts at coordination. GAO said it is still awaiting a “joint doctrine” that spells out the lines of control.
Last year, the Pentagon launched U.S. Cyber Command at Fort Meade, Md., to facilitate the command and control of cyber operations. But there is still a lack of clarity over whether the uniformed services should report to Cyber Command or the geographic combatant commands in cyber operations, the GAO concluded.
“Establishing a cyber command is an evolving process,” said Rep. James Langevin (D-R.I.), one of the lawmakers who requested the report. “However, this report points out our shortcomings in putting together a command structure that can efficiently close vulnerabilities across military services and agencies.”
Earlier this year, the Pentagon tested cyber command and control models as part of U.S. Pacific Command’s Terminal Fury war game. Disagreements over who should be in control undermined their effectiveness, military officials said.
Stewart A. Baker, a former National Security Agency general counsel, said, “The most strategic thinking has to be done at NSA and Cyber Command, but a lot of the tactical day-to-day defense has to be done by people on the scene, which means the combatant commands. Each has a pretty big stake in an effective defense.”