According to the Government Accountability Office, the most glaring danger to the protection of Defense Department networks is not the array of evolving cyber threats, but the vulnerability posed by unorganized documentation on its cyber efforts.

Much of DoD's cyber documentation is incomplete and outdated, and definitions involving threat and retaliation strategies are inconsistent, the GAO says in a July 25 report. 

"While DoD assesses that at least 16 DoD joint publications discuss cyberspace-related topics and eight mention 'cyberspace operations,' U.S. Joint Forces Command has concluded that none contained a sufficient discussion of cyberspace operations," the report adds.

Current documentation also falls short in clearly defining the roles of cybersecurity professionals. The report suggests there are likely duplicate positions--citing 18 different positions across documents.

"Because career paths and skill sets are scattered across various career identifiers, the military services and commands vary in their scope and definitions of what constitutes cyber personnel," says the report, which warns this could cause confusion in planning for adequate types and numbers of personnel.

The report recommends DoD establish a deadline by which it officially announces whether or not it will draft a departmentwide joint cyberspace publication which would consolidate and update current joint publications--something the department told GAO it plans to pursue but has taken no action on, according to GAO.  

While the DoD has done some restructuring, such as the establishment of the U.S. Cyber Command, report authors note that "it is too early to tell if these changes will help DOD better address cybersecurity threats."

To address this unknown factor, GAO has suggested the department review its overall structure for addressing cyberthreats. In the report, GAO asks that DoD examine how it assigns command and control responsibilities and determine how it identifies and acts to mitigate key capability gaps involving cyberspace operations.

In addressing a recent "computer infection" on a network shared by Strategic Command and a geographic combatant command, STRATCOMM reported that command and control authorites were unclear.

"Without complete and clearly articulated guidance on command and control responsibilities that is well communicated and practiced with key stakeholders, DoD will have difficulty in achieving command and control of its cyber forces globally and in building unity of effort for carrying out cyberspace operations," say report authors.

DoD concurred with all of GAO's recommendations.

For more:
- see GAO-11-75 (.pdf)

Related Articles:
United States and India agree to share cyber threat information
Lynn: Norms for offensive cyber action are not different from kinetic
DoD CIO duties not going to Cyber Command