The bad news in a more general governmental context is that "DoD has been characterize as one of the best-prepared federal agencies to defend against cybersecurity threats." Without serious changes it may not keep that lead. Or, at least, may not be able to make the leap into competence from its current status as best of a bad lot among government agencies.
Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is "daunting," GAO concluded.
The risk is more than just losing blueprints to top secret weapons systems. National power and IT infrastructures could be disrupted, attacks on financial-services companies or exchanges could damage the economy, attacks on flight-control systems could put aircraft in danger.
The overall picture the GAO paints is of fragmented military organization with no clear direction or goal to pursue in cybersecurity. The problem begins at so fundamental a level within the military, in fact, that the GAO's recommendations for fixing it also sound unfocused or at least far too basic. They begin more like a tutor recommending a high school senior repeat middle-school math before trying for acceptance to the Ivy League:
The first recommendation is that DoD create a schedule and series of deadlines under which it will standardize the publications describing its doctrine and practice of cyberwar – meaning all the policy and instructional material for all four services have to be retooled to the point they don't actively conflict with each other.
Then all those non-conflicting doctrines have to be propagated through the rest of all four organizations in manuals and training guides, which are the real medium through which knowledge filters through a giant organization that is fundamentally more comfortable with doing things than talking about how to do them.
The second recommendation asks DoD to "clarify command and control relationships regarding cyberspace operations" and create another timeline defining who is responsible for making sure which balls are not dropped.
Telling the managers of any organization they have to figure out who's in charge and tell the uber-bosses after they figure it out is pretty serious criticism. If the uber-bosses haven't appointed a leader, and can't even tell by examination who is supposed to be in charge, there aren't a lot of ways to argue the place was being adequately managed.
For an organization as pathologically hierarchical as the military, it is as damning a criticism as it is possible to offer to say not only that the leaders are not leaders, but that there's no way to tell how long it might take to figure out who those leaders should be or what steps they should take to damp down the chaos.
Sandia National Labs.