In 2008, the U.S. military suffered the most significant breach of its classified computer networks when an infected flash drive was inserted into a laptop at a base in the Middle East, and the response was, in a word, confusion.
Various military and civilian organizations — the U.S. military’s Central and Strategic commands, the uniformed services, the Defense Information Systems Agency — put out directions on how to contain the damage, military officials said.
“None of it was coordinated,” said Davi D’Agostino, a director on defense issues for the Government Accountability Office. “Some of it was conflicting. Some was immediate. Some came weeks later. It was a very messy spaghetti chart.”
The lack of operational clarity “significantly slowed” the department’s response to the incident, the GAO found in a report issued Monday, co-authored by D’Agostino, that faulted the Pentagon’s lack of clear lines of control over cyber operations. That means the risk of damage by the adversary, a foreign intelligence service, likely was greater, military officials said.
The report used the response to the 2008 incident, known as Operation Buckshot Yankee and publicly revealed last summer by Deputy Defense Secretary William J. Lynn, as an illustration of the need to devise a joint doctrine for cyber operations. Without it, the report warned, “DOD networks and our country’s critical infrastructure can be disrupted, compromised, or damaged by a relatively unsophisticated adversary.”
The 2008 incident resulted in new policies constraining the use of removable media such as flash drives in classified networks.
But the underlying problem of who should lead the response to a cyber incident has not been solved, concluded the report, a classified version of which was completed in May 2010.
The Pentagon was aware of the report, said Lt. Col. April Cunningham, a spokeswoman. She pointed to the department’s recently released strategy for operating in cyberspace as an example of improved efforts at coordination. GAO said it is still awaiting a “joint doctrine” that spells out the lines of control.
Last year, the Pentagon launched U.S. Cyber Command at Fort Meade to facilitate the command and control of cyber operations. But there is still a lack of clarity over whether the uniformed services should report to Cyber Command or the geographic combatant commands in cyber operations, the GAO concluded.
“Establishing a cyber command is an evolving process,” said Rep. Jim Langevin (D-R.I.), one of the lawmakers who requested the report. “However, this report points out our shortcomings in putting together a command structure that can efficiently close vulnerabilities across military services and agencies.”