In 2013, former President Barack Obama was close to ending the “dual-hat” leadership of both the National Security Agency and U.S. Cyber Command, only to be dissuaded by senior officials arguing the close integration with the NSA continued to be necessary for the maturation of the then only 4-year-old Cyber Command. Prior to leaving their posts in the Obama Administration, former Secretary of Defense Ashton Carter and former Director of National Intelligence James Clapper again argued for the clean separation of the NSA and Cyber Command.
In turn, Senator John McCain (R-AZ), the Chairman of the Senate Armed Services Committee, vehemently criticized the push to end the dual-hat leadership role on the eve of the incoming Trump Administration, saying “if a decision is prematurely made to separate NSA and Cyber Command I will object to the confirmation of any individual nominated by the president to replace the director of the National Security Agency if that person is not also nominated to be the commander of Cyber Command.” At the same time, Admiral Mike Rogers, the current head of both the NSA and Cyber Command, has pushed against separating the roles entirely at this point, but acknowledges that the split will take place eventually with the two continuing to work closely with one another.
It seems the disagreement is not necessarily over whether or not to ever split the country’s premier signals intelligence agency and its cyber warfare counterpart, but rather when the right time and under what circumstances would be the most practical in doing so. Why were the two coupled in the first place, why must they eventually be separated, and where are the points of tension that must be overcome to do so? These are the questions that must be addressed before the timing of separation can be determined.
John Dickson, a former Air Force intelligence officer and now a Principal at the Denim Group, says “the roles [of the NSA and Cyber Command] are fairly distinct. One is to collect, analyze, and disseminate intelligence to national command authorities and decision-makers. That is the NSA’s intelligence side. The other side is to protect and defend U.S. computing assets and networks – in certain instances critical infrastructure – and to conduct the offensive missions when called upon. That is Cyber Command’s role.”
However, General Michael Hayden, the former director of both the NSA and CIA, points out that “in the cyber domain the technical and operational aspects of defense, espionage, and cyberattack are frankly indistinguishable – they are all the same thing.” In order for the United States to “do more than just steal other countries’ secrets, but actually create effects,” according to Hayden, “it was a natural process to do it from Fort Meade,” where Cyber Command was set up alongside the well-equipped NSA headquarters. The NSA, established in 1952, already had a long history of technical expertise, including the necessary personnel, budget, and infrastructure needed to guide the growth of Cyber Command into maturation.
James Lewis, the Senior Vice President at the Center for Security and International Studies, points out, however, that “from a budget perspective, it doesn’t necessarily make sense to split them, but Cyber Command wants to show that it is independent and can stand on its own now.” Essentially, if both organizations require similar infrastructure and skill sets, there is a high risk of duplication if the organizations are separated, and thereby inefficient from a budgetary perspective.
Furthermore, as Dickson points out, “some of the programs co-mingle where they have the same people working two different sides of the mission. A separation means there will be two organizations that may or may not align.” For example, the most prominent operational distinction is the NSA’s desire for subtle espionage as opposed to Cyber Command’s propensity for disruptively loud, sometimes intentionally attributable, offensive operations for effects – perhaps even with physical consequences. Should Cyber Command seek to take on an offensive role against networks that are of interest to the NSA’s intelligence collection, it could potentially raise alarms and consequently cut the NSA’s ability to gather crucial information from them.
Similarly, while close cooperation is important to maintain the NSA’s ability to monitor systems without Cyber Command sabotaging them, intelligence provided by the NSA is also vital to Cyber Command being effective in its offensive role. Dickson points out that one reason the NSA and Cyber Command must be so tightly linked is that “absent very detailed intelligence, an attacker at Cyber Command is really just flailing around without knowing what is on the other end of an attack.”
For example, “through collection sources,” Dickson says “attackers can determine that there is a programmable logic controller in the Iranian nuclear facility in Natanz that controls the rotation speed of centrifuges. Cyber Command could then create a very sophisticated piece of malware that has the exploit for that Siemens controller as well as the payload.” Or, to use a more recent example, the Obama Administration was reportedly involved in sabotaging North Korea’s missile program through cyberspace. But to do so likely required extensive reconnaissance to adequately penetrate North Korean systems to find the necessary vectors of attack and custom design malware to disrupt their missile tests. It is likely these disruptive cyberattacks eventually alerted North Korean officials that their missile systems had been breached, potentially causing them to take measures to halt access. This is a common dilemma faced by all intelligence agencies and covert action programs – the potential sacrifice of passive intelligence collection for active effects.
However, high levels of cooperation between the NSA and Cyber Command are unlikely to change even if they formally split. Major General James Keffer, Chief of Staff at Cyber Command, notes that “NSA is also a combat support agency. So they support all the combatant commands and warfighters with the intelligence that these organizations need to plan and conduct the fight.” Keffer goes on to note that both organizations report to the Secretary of Defense, “so if there is a conflict, there is a process to raise those conflicts up the chain of command for decisions to be made as to whether to proceed with the NSA mission set or the Cyber Command mission set.” Therefore, it seems the two will likely to continue to work closely together even if Cyber Command becomes independently established.
Ultimately, the rationale for separating them is of a legal and policy nature. Hayden points out that while cyber espionage and cyberattack are not distinguishable operationally and technically, they are distinguishable in law and authority. The NSA is authorized to steal foreign intelligence, according to Hayden, but it “does not have the authority to destroy someone else’s information, to change someone else’s information, to harm someone else’s network, or to take control of someone else’s computers in order to create physical destruction. That is a warmaking Title 10 function. NSA has espionage-based Title 50 functions.” Although these distinctions are conceptually clear, in practice they have been blurred before. For example, NSA personnel have been dual-hatted to conduct offensive cyber operations on behalf of Cyber Command.
Rogers wants to structure Cyber Command like special operations forces, and give tactical-level commanders more license to deploy offensive cyber weapons. This decentralized tactical command it is likely to require an even more closely integrated operational relationship between intelligence officers and cyber warriors.
Ultimately, as Hayden maintains, “there will be people who will always push back, saying now is not the time.”
“But sooner or later, it is the time,” he adds. Cyber Command, according to Hayden, “has reached enough maturity that it can do it for itself,” and if the two are separated, “NSA can go all out with espionage and Cyber Command can go all out with its functions.”
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.