Navy Adm. Michael S. Rogers, the commander of U.S. Cyber Command,
the director of the National Security Agency and chief of the Central Security Service
Language in the 2017 National Defense Authorization Act called for the elevation of U.S. Cyber Command’s status and the end of the “dual-hat” role for its leader.
The head of the National Security Agency and Cyber Command may soon be two different jobs and the Defense Department will have a new “joint unified command.”
Changes to the relatively new Cyber Command, established in 2009, come as the nation reels from allegations that Russian electronic spies interfered in last year’s presidential election, which followed a series of high-profile hacks of sensitive government and commercial data.
Lawmakers and pundits alike are complaining that the nation lacks a strong national policy to thwart the network intrusions.
While there was some opposition to separating Cybercom and the NSA’s leadership, the reaction to the proposal was largely positive.
“We should discontinue the dual-hat arrangement which I helped design when I was undersecretary of defense for intelligence seven years ago,” Director of National Intelligence James Clapper testified before the Senate Armed Services Committee prior to leaving office. “This isn’t purely a military issue. I don’t think this is in the NSA’s or the [intelligence community’s] best interest to continue the dual-hat set up.”
Another section of the law, however, called for the secretary of defense and chairman of the Joint Chiefs of Staff to both certify that ending the dual-hat arrangement “will not pose risks to the military effectiveness of Cybercom that are unacceptable to the national security interests of the United States.”
While President Barack Obama signed the law, he noted that he was opposed to Congress managing what should be a role of the executive branch.
“Congress should leave decisions about the establishment of combatant commands to the executive branch and should not place unnecessary and bureaucratic administrative burdens and conditions on ending the dual-hat arrangement at a time when the speed and nature of cyber threats requires agility in making decisions about how best to organize and manage the nation’s cyber capabilities,” he wrote.
Nevertheless, he supported the move because Secretary of Defense Ashton Carter and Clapper agreed that it was for the best.
“While the dual-hat arrangement was once appropriate in order to enable a fledgling Cybercom to leverage NSA’s advanced capabilities and expertise, Cybercom has since matured and the current construct should be replaced through a deliberate, conditions-based approach to separating the organizations,” he wrote.
The administration stressed that it wanted to maintain the benefits that synergy brought to the arrangement.
Marine Corps Gen. James Mattis, during his Senate Armed Services Committee confirmation hearing, said, “Philosophically, I am OK with it,” but expressed some reservations.
“I’ve got to look at the break out to see which duties stay in which place because the way they are set up now, it may not break apart quite as well,” Mattis said.
Sen. Angus King, I-Maine, said, “The worst result would be to create a new unified combatant command and leave remnants of the function in other places so that you ended up with duplication.”
Mattis said he had the same concern.
“We are going to look at and if we go down that road make sure they are fit for function,” Mattis added.
Marcel Lettre II, undersecretary of defense for intelligence, said at the hearing that the dual-hat role was put into place when Cyber Command was established “to ensure clear command responsibility and authority and growing capabilities essential to our unity of effort for cyber operations.”
The hearing was called in the wake of the Russian hacking allegations.
Lettre said the military was improving its ability to defend itself. “We also continue to mature our cyber mission forces, which this fall reached initial operating capability, or IOC, status. This force is providing cyber capability to execute our three missions in cyber space. We are building new capabilities and new tools for the cyber mission force to use.”
As Cybercom becomes more elevated in the military, questions remain on just how involved the armed services should be in thwarting major attacks on the homeland. If the Air Force is tasked with preventing an air-based attack on the continental United States, why wouldn’t the Defense Department be on the front lines if a nation-state launching a cyber attack on the nation’s electric grid? pundits have asked.
A Center for Strategic and International Studies cyber policy task force report noted that the military now has three primary missions: defend the military’s networks and systems; provide offensive cyber support to regional military commands; and defend the nation from a cyber attack of significant consequences.
How it can carry out the latter is a policy question that has yet to be worked out, the report said.
“One of the challenges the next president will have to consider is how military cyber forces can be used to defend U.S. critical infrastructure from a significant cyber attack. This will require decisions on thresholds for ‘significant attack,’ deconfliction of any Department of Defense role with [The Department of Homeland Security] and the FBI, and establishing priorities for cyber defense,” the report said.
Headquarters of the NSA at Fort Meade, Maryland
Lettre said in the hearing that the government needs to continue to develop and define its national cyber policy framework, which includes the evolution of all dimensions of deterrence posture: the ability to deny the adversary their objectives; impose costs and to ensure the nation has a reliable infrastructure to ensure the multi-domain mission.
SASC Chairman Sen. John McCain, R-Ariz., in the hearing decried the lack of a national policy that clarifies these missions.
“What seems clear is that our adversaries have reached a common conclusion: that the reward for attacking America in cyberspace outweighs the risk. For years, cyber attacks on our nation have been met with indecision and inaction. Our nation has had no policy, and thus no strategy, for cyber deterrence.”
Daniel Goure, vice president of the Lexington Institute, an Arlington, Virginia-based think tank, applauded the possible end of the dual-hat role, and agreed that clear policies are needed.
“Someone needs to be in charge of each. Some things are falling through the cracks: such as we don’t write doctrine in any particular way. We don’t know where the boundaries are. We are still struggling over authorities well past the time when we should be if this is in fact a domain of warfare,” he said in an interview.
Peter W. Singer, strategist for the New America Foundation, said separating the NSA from Cyber Command is long overdue. He likened it to a baseball team where the general manager and the manager, two different roles in the organization, were the same person. Except in this case, the manager is actually a basketball coach. “The roles are really that different,” he contended.
Goure said the head of this joint activity for the past month has probably been preoccupied with nothing other than the Russian hacking problem.
“That’s perhaps what he should be doing on the NSA side, but damn well not on the Cyber Command side,” he said. “Splitting the two up is going to be really important and hopefully useful,” he added.
The newly elevated joint unified command should be out providing coordinated capability to major commands. It should bring offensive cyber to the table, not just at the operational or tactical level, but the strategic level, Goure said. It should be going after military systems, the enemies’ command and control in a “very serious way.” The new command should “marry up” electronic warfare and signals intelligence as well, he added.
As for defending the homeland, Cybercom may carry out tasks that have heretofore been domestic such as supporting civil agencies, which has been the purview of DHS.
“Given the limitations and funding authorities, [DHS] has not done horribly,” but at the end of the day, its duty to protect dot.gov websites has a notoriously spotty record, with major breaches such as the Office of Personnel Management hack in 2015 that compromised the personal data of up to 18 million federal workers and others, Goure said.
“There are some legal aspects to walk through as far as Cybercom becoming involved in domestic network defense, but there are ways to work it out,” Goure said.
Both Singer and Goure agreed that the two entities probably will not be physically separated. Cybercom is more than likely to remain at Fort Meade, Maryland, where the military has invested billions of dollars in infrastructure, and the region has taken on a reputation as being an East Coast version of Silicon Valley.
Goure said synergy between the military and the intelligence community can continue there. Despite the field’s reputation as one where its personnel spend all their time on computers, there is still a great deal of face-to-face collaboration occurring.
Since cyberspace is being called its own operational domain some strategists have floated the idea of a fifth service: Army, Air Force, Navy, Marines and Cyber Force.
Singer doesn’t think it will go that far, but Cybercom may eventually be on par with Special Operations Command, where it is not formally another service, but has a great deal of independence and its own budget.
Its personnel, like SOCOM, would be pulled from other services, and they would be drawn into a separate culture and community with its own special skill sets, training, criteria for promotions and so on.
“It would be an operational command but a quasi-service,” he said.Photos: Defense Dept., NSA