In a recent analysis, the US Army War College’s Parameters journal has taken a hard look at America’s cyber incident response architecture, arguing that the absence of a designated lead agency and inconsistent coordination mechanisms left the country vulnerable to escalating cyber threats. The report’s authors examined three major cyberattacks — SolarWinds, Colonial Pipeline, and Change Healthcare — and concluded that “the fragmented US cybersecurity framework … undermines national resilience to cyber threats.”
The authors emphasized that while technical vulnerabilities often dominate cybersecurity discourse, governance failures were the true Achilles’ heel. “Characterized by overlapping jurisdictions, policy gaps, and varied guideline adherence,” they wrote, “the fragmented US cyber incident response led to the compromised handling of three of the most significant recent cyberattacks.”
The report traced the evolution of federal cyber response doctrine, beginning with Presidential Policy Directive-41 (PPD-41), which created the National Cyber Incident Response Plan (NCIRP). Under this framework, the Department of Homeland Security (DHS) leads asset response, the FBI leads threat response, and the Office of the Director of National Intelligence (ODNI) provides intelligence support. However, the authors noted that “no single federal agency possesses all the authorities, capabilities, and expertise to deal unilaterally with a significant cyber incident.”
Even when incidents met the threshold for forming a Cyber Unified Coordination Group (C-UCG), coordination faltered. In the SolarWinds breach, Russian actors infiltrated Orion software used by 18,000 customers — including the Department of State, DHS, and the National Nuclear Security Administration — yet the attack went undetected for nine months. “The volume of security issues being identified over the last month [has] outstripped the capacity of Engineering teams to resolve,” an internal SolarWinds document warned in September 2020.
The federal response was slow and disjointed. Although CISA issued an emergency directive and the National Security Council deemed the attack “significant,” the government failed to appoint a lead agency. “Once the C-UCG disbanded, no federal entity continued to coordinate the response and ensure compliance with mandatory statutes for cybersecurity,” the report explained. The newly created Office of the National Cyber Director (ONCD) remained vacant during the crisis, and state and local agencies had “limited or no access to federal response assets.”
The Colonial Pipeline ransomware attack in May 2021 further exposed systemic weaknesses. DarkSide, a Russian-based criminal group, used compromised VPN credentials to steal 100 gigabytes of data and shut down fuel distribution across the eastern United States. Colonial Pipeline paid a $4.4 million ransom, despite CISA guidance discouraging such payments. The Biden administration unexpectedly designated the Department of Energy as the lead agency, bypassing DHS and TSA, which traditionally oversee pipeline security. “There were no DOE representatives at that hearing, leaving their role and capability to lead a cyber response in question,” the authors noted.
Private sector autonomy has also complicated federal coordination. Colonial Pipeline declined CISA’s technical assistance and hired Mandiant instead. The report observed that “as a private company, Colonial Pipeline maintained the right to address the issue without assistance from the federal government,” likely to avoid scrutiny over noncompliance with cybersecurity standards. This dynamic, the authors argued, reflected a broader failure to enforce cyber hygiene and breach reporting across critical infrastructure sectors.
The Change Healthcare attack in 2024, which disrupted medical billing nationwide, underscored the stakes. The report warned that “the compromise and loss of personal private data from US citizens in cyberattacks has become a national security concern,” yet the US still lacked a “whole-of-government approach to incident response.”
Among the systemic failures identified were “[i]nadequate implementation of cybersecurity frameworks,” “[i]nadequate cyber hygiene enforcement,” “[o]verbroad access controls” and “[i]neffective incident response and recovery plans in private industry.”
The Department of War, despite its homeland defense mandate under Title 32, was not activated in any of the three cases. The authors noted that “this failure likely stemmed from a lack of knowledge of the capabilities of or the process for engaging National Guard entities,” even though Guard units were conducting cyber exercises during the SolarWinds breach.
The report called for reform. “Successful incident response relies on a lead agency construct,” the authors wrote, urging policymakers to designate a clear federal authority, strengthen public-private coordination, and enforce compliance with cybersecurity standards.
Without these changes, they warned, “the nation’s ability to respond swiftly and effectively to cyber incidents” would remain compromised.
Top photo: DHS Deputy Secretary Troy Edgar swears in Nick Anderson, Executive Assistant Director for CISA, in September 2025 (DHS/Wikimedia Commons)