via The Washington Post
In 2008, the U.S. military suffered the most significant breach of its classified computer networks when an infected flash drive was inserted into a laptop at a base in the Middle East, and the response was, in a word, confusion.
Various military and civilian organizations — the U.S. military’s Central and Strategic commands, the uniformed services, the Defense Information Systems Agency — put out directions on how to contain the damage, military officials said.
“None of it was coordinated,” said Davi D’Agostino, a director on defense issues for the Government Accountability Office. “Some of it was conflicting. Some was immediate. Some came weeks later. It was a very messy spaghetti chart.”
The lack of operational clarity “significantly slowed” the department’s response to the incident, the GAO found in a report issued Monday, co-authored by D’Agostino, that faulted the Pentagon’s lack of clear lines of control over cyber operations. That means that the risk of damage by the adversary — a foreign intelligence service — likely was greater, military officials said.
The report used the response to the 2008 incident, known as Operation Buckshot Yankee, which Defense Secretary William J. Lynn last summer revealed publicly, as an illustration of the need to devise a joint doctrine for cyber operations. Without it, the report warned, “DOD networks and our country’s critical infrastructure can be disrupted, compromised, or damaged by a relatively unsophisticated adversary.”
The 2008 incident resulted in new policies constraining the use of removable media such as flash drives in classified networks.
But the underlying problem of who should lead the response to a cyber incident has not been solved, concluded the report, a classified version of which was completed in May 2010.