The oh-so-understated "DoD Faces Challenges in Its Cyber Activities" (PDF) released July 25, is the GAO's answer to questions Congress began sending it in 2008 in an effort to get an evaluation of DoD's abilities more realistic than reports the Pentagon put out while clearly not taking the threat seriously.
Pentagon brass are taking it seriously now, GAO reported, especially since Pentagon got its act together to create a coherent statement of policy called the National Military Strategy for Cyberspace Operations, which was published in 2006.
In the five years since, the Pentagon has thrown tremendous resources into preparing for cyberwar, but has not been successful in catching up to the level of current threat or made progress in preparing for future threats, the GAO report concluded.
"According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised," the report said.
The creation of a centralized U.S. Cyber Command to integrate online efforts of all four services was a big step forward, but fissures between the services and even within the cyber command make it hard to come up with timetables to update policies, response plans and technology roadmaps.
The number of service people working online has ballooned, as has the budget for cyber security and cyberwar systems. Both are still far too small even maintain a secure posture online, let alone catch up to the neglect of the past, the report concluded.
The Pentagon's rigid and traditional reporting structure is one culprit.
Even with a semi-independent Cyber Command to direct the Pentagon's overall effort the four services have such distinct priorities, lines of command and priorities that it's often difficult to know who is in charge of what, who really has the authority to make decisions that affect more than one fiefdom and whose job it is to make sure critical projects aren't left half finished or, worse, completed, but in a way that does no good to anyone.
Sandia National Labs.