In a situation where the US is attacked, the Defense Dept. would support Homeland Security, which would be the civilian agency leading the effort -- that much is clear.
But officials found that from there, it gets murky.
The problem stems from two sets of conflicting rules set out by two military divisions, and how they assist civil efforts to recover from a cyberattack. The US Northern Command says it would be the support civil command during an attack, whereas the US Central Command says it would be responsible.
"This absence has caused uncertainty about who in DOD would respond to support civil authorities in a cyber incident and how they would coordinate and conduct such a response," said the report.
According to the report, much of the confusion stems from the dual-status commander, who will be the ranking officer with authority over federal military and National Guard forces.
Case in point: a recent exercise "highlighted uncertainty" as to the responsibilities of the dual-status commander overseeing the response effort to a cyberattack. Officials at the US Northern Command told GAO officials that the commander didn't even have tactical control of cyber units that reported to US Cyber Command.
Because of that, the cyber units weren't even able to "log onto the network of the private entity that was used in the exercise."
The lack of clarity has the GAO concerned.
"The gap, and the uncertainty that results, could hinder the timeliness or effectiveness of critical Defense Dept. support to civil authorities during cyber-related emergencies," said the report's conclusion.
The report said that the Defense Dept. "cannot reasonably ensure" that it'll be able to effectively support civil agencies during a cyberattack, simply because of the bureaucracy involved.
Pentagon chiefs acknowledged the report but did not outline when it would fix the problems. As of January, the department didn't have an estimate to GAO officials for when the guidance will be finalized.