APPENDIX K – DSCA/DSCIR
Directive-Type Memorandum 17-007 details the Department of Defense’s (DoD’s) approach to using defense coordinating elements (DCEs) or officers (DCOs) for cyber capabilities on a regional basis. Defense Support to Cyber Incident Response (DSCIR) is provided within the framework of Defense Support to Civil Authorities (DSCA) and may include direct, on-location support; remote support; or a combination of both. To protect, prevent, and mitigate great property damage and human suffering, DoD cyber teams are permitted to: (1) gain familiarity with critical infrastructure networks and systems; and (2) assist critical infrastructure owners or assets that are essential for the functioning of a society and economy.69
Role of the DCE/DCO: The DCE/DCO will be the DoD representative and liaison to the federal lead agency in the disaster area and provide situational awareness to DoD agencies. The DCE/DCO also serves as liaison to senior leaders and state, local, and other federal agencies; validates the Resource Request Form; and accepts the mission assignment from the federal coordinating officer. DCEs/DCOs assist with receiving, staging, onward movement, and integration of units/personnel; recommend military resources to meet request requirements; forward mission assignments to United States Northern Command (USNORTHCOM); provide a link to the base support installation; coordinate administrative and logistical support to deployed military forces; control small DoD units and resources in the disaster area; and maintain accounting records for reimbursement (with U.S. Army Deputy Chief of Staff G-8 augmentation).
Charleston and Savannah would be covered by a DCE/DCO under Federal Emergency Management Agency Region IV, which consists of all eight of the southeastern states (Alabama, Florida, GA, Kentucky, Mississippi, North Carolina, SC, and Tennessee). The DCE/DCO’s mission is broad and encompasses support to any federal lead agency that is conducting homeland defense operations or DSCA support within the USNORTHCOM area of responsibility. Mainly, this DCE/DCO group is solely responsible for validating and processing requests for DoD assistance in coordination with and in support of the primary federal and state agencies. DHS is embedded in 10 of the critical infrastructure sectors.
Requesting DSCIR: When a request for DSCIR is received and approved, DCEs/DCOs will carry out DSCIR as directed in DoDD 3025.18 and DoDI 3025.21, Defense Support of Civilian Law Enforcement Agencies, and will be evaluated using C.A.R.R.L.L. (see section 4.2.4 of this report).70 Before DSCIR is provided, legal documents requested by the DoD, such as memoranda of understanding (MOUs), memoranda of agreement, nondisclosure agreements, or other appropriate legal documents, must be signed, and written acknowledgment and permission giving DoD access to provide support must be given.71
69 Work, Interim Policy and Guidance.
70 Lynn, Defense Support to Civil Authorities (DSCA); and Department of Defense (DoD), Defense Support of Civilian Law Enforcement Agencies, DoD Instruction 3025.21 (Washington, DC: DoD, updated February 8, 2019).
71 Work, Interim Policy and Guidance.
Federal military commanders and DoD component heads and civilians may accept federal requests for DSCIR under immediate response authority in support of a cyber incident response.72 Industrial control systems and their supervisory control and data acquisition (SCADA) capabilities are often quite advanced, but are likely to run out of personnel and resources quickly. United States Strategic Command, USNORTHCOM, and United States Pacific Command commanders have the following responsibilities:
- Planning and executing DSCIR operations in coordination with the chairman of the Joint Chiefs of Staff (CJCS) and the combatant commanders;
- Incorporating DSCIR into joint training and exercise programs in coordination with the CJCS and in consultation with the appropriate federal departments and agencies and the National Guard;
- If they have been designated as the supported commander, coordinating with supporting DoD components to distribute all reimbursement for assistance received;
- If they have been designated as the supported commander, coordinating with the CJCS, the assistant secretary of defense for homeland defense and global security, and any supporting commands on military preparations and operations; and
- Informing the secretary of defense, through the CJCS and by the most expeditious means possible, of any actions taken to provide immediate response to save lives, prevent human suffering, or mitigate great property damage.73
DoD recommendations: The DoD cyber team recommends the following to prepare and protect assets in the event of a major cyber incident.
When requesting DSCIR support, a civil authority must consider the following questions:
- Who at state level is the decision maker for requesting federal cyber support?
- Where can a DSCIR request be injected into the DoD enterprise?
- Should USNORTHCOM integrate DCOs/DCEs into the validation process or retain them at USNORTHCOM?
- How do supported combatant commands from USNORTHCOM ensure situational awareness and unity of effort when Title 10 forces are being employed?
- Would this scenario amount to a “significant cyber incident” (see definition below), therefore requiring the activation of the executive Unified Coordination Group and centralized control?
  - “Significant cyber incident. A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”74
72 Work, Interim Policy and Guidance.
73 Work, Interim Policy and Guidance.
74 Barack Obama, United States Cyber Incident Coordination, Presidential Policy Directive 41 (Washington, DC: The White House, July 26, 2016).
In addition, one must consider the following preparations to avoid or safely resolve a major cyber incident:
- Ensure teams possess a high level of expertise in the cybersecurity of traditional IT as well as operational technology (OT) systems;
- Assess force structure and team composition;
- Standardize critical infrastructure training and equipping; and
- Enhance expertise through exercises that integrate government, academia, and public and private sector cybersecurity professionals.