In a cyber-emergency, can you rely on the Department of Defense (DOD) to know exactly where its best cyber-response units are? A government watchdog doesn't think so.
The Government Accountability Office (GAO) said in a report this week that the Pentagon "does not have visibility" into where some of the National Guard's most prized cyber-response units are -- despite being required to by law.
According to the report, the DOD has "not maintained a database" that would "fully and quickly identify" units that could be deployed should the US fall victim to a cyberattack.
That's a problem, because the National Guard might be one of the best-equipped reserve military units to support the government in a time of cyber emergency. The report said that National Guard units are in a "unique position to recruit and retain individuals who have significant cyber expertise based on their full-time positions outside of the military and can coordinate with state authorities and critical infrastructure owners within their respective states".
So, knowing exactly what's at the Pentagon's disposal might be important in a time of crisis.
The watchdog report said that as a result there has yet to be a "tier 1" exercise, which involves national-level organizations and combatant commanders, in part because the National Guard had not been fully included.
One of the core criticisms for that reason was the Pentagon's tendency to exercise in a classified setting, which limited how other agencies would participate.
"In one example, Washington National Guard officials told us that utility personnel who had flown across the country to participate in a civil support exercise that the National Guard unit had invited them to participate in were not admitted into the classified exercise environment," the report read.
In a response, the Pentagon partially agreed with the findings, but a spokesperson when reached by email declined to comment further.
The watchdog's findings are the second set of prominent reports this year criticizing the effectiveness of the Pentagon during a cyberattack. In April, the watchdog said that the Pentagon did "not clearly define its roles and responsibilities for cyber incidents" because of conflicting rules governing who would take charge.
The DOD acknowledged the report's findings but didn't say when it would fix the problems.