Expert Commentary

Keeping Cyber Command and NSA Integrated Operationally

John Dickson
Principal, Denim Group

There has been discussion of a separation between the National Security Agency and U.S. Cyber Command for a while, only for the change in administrations to cause brief hesitation. Now that the Trump administration is in full swing, it is time to revisit the prospect of a split between the country’s premier signals intelligence agency and its relatively new cyber warfare command. The Cipher Brief spoke with John Dickson, a former Air Force intelligence officer and Principal at the Denim Group, about how the NSA and Cyber Command must work closely with each other at an operational level to achieve their missions, and why a complete separation could affect this.

The Cipher Brief: What are the different operational roles of the NSA and U.S. Cyber Command?

John Dickson: The roles are fairly distinct. One is to collect, analyze, and disseminate intelligence to national command authorities and decision-makers. That is the NSA’s intelligence side. The other side is to protect and defend U.S. computing assets and networks – in certain instances critical infrastructure – and to conduct the offensive missions when called upon. That is Cyber Command’s role.

The reason the NSA and Cyber Command need to be so tightly linked is that absent very detailed intelligence, an attacker at Cyber Command is really just flailing around without knowing what is on the other end of an attack. For instance, during the Stuxnet operation against Iran, if the attackers didn’t know about the Siemens programmable logic controller, the payload would have been completely ineffective.

TCB: So you’re saying a successful Cyber Command mission requires strong cooperation between intelligence and cyberattack roles?

JD: Yes. The corporate and government worlds have become parallel in this regard. Almost all the major successful attacks have some nontechnical contextual assistance. There are many attacks that are entirely technical exploitations – someone scans the internet for an open port and compromises a technical vulnerability to gain root access in the system. However, intelligence can enhance and make those attacks much more effective. So instead of sitting there and randomly poking in the dark, attackers use context to be more efficient, or quick, in their attack in order to get in and out.

One of the security truisms in the world is that you don’t want to disclose information to make it easy for attackers. So on a server or web application, you don’t ever want to kick back an error message, because it will tell the attacker what software is running, allowing them to determine which exploits they can leverage against it.

The same is true in what the commercial world calls “pretexting,” meaning to gather nontechnical intelligence on the target in order to make that attack much more efficient and effective. To government, this is essentially human and signals intelligence collection for social engineering. It adds precision, effectiveness and speed. Through collection sources, for example, attackers can determine that there is a Siemens programmable logic controller in the Iranian nuclear facility in Natanz that controls the rotation speed of centrifuges. Cyber Command could then create a very sophisticated piece of malware that has the exploit for that Siemens controller as well as the payload. They wouldn’t want to enter the system and try every single controller out there, as it would probably set off alarms before they figure out which system is the one they actually want.

As an attacker, you want to accomplish your mission with the least amount of resistance and detection. Usually they install a rootkit in order to not be detected and they use covert channels in order to exfiltrate data. But the more time it takes to discover what is on the inside of a network increases the likelihood of detection substantially. That is always in the attacker’s mindset. By having tighter and better intelligence – either through pretexting, human or signals intelligence, or open source information gathering – attackers can have a much more precise attack, meaning they are going to be more stealthy while inside networks and more likely to create the desired effect.

TCB: How are the NSA and Cyber Command cooperating, for example, against ISIS?

JD: The NSA is charged with gathering intelligence on fighters’ whereabouts and information from their communications. Cyber Command, on the other hand, is responsible for disrupting communications and command and control frameworks. Talking about denial of service attacks, or disruptive attacks through cyberspace, gets into the classified environment pretty quickly. But I would suspect those tools are probably in the purview of Cyber Command.

TCB: What is the rationale behind elevating Cyber Command to a unified combatant command, rather than keeping it under Strategic Command? Why did they still keep the dual-hat leadership after this?

JD: It essentially gives Cyber Command certain authorities to conduct war by elevating their status within the different military commands. It also justifies having a four-star general, which is more inside baseball for the Pentagon. Officially within the spectrum of major military commands that exist at a joint and unified level, it certainly elevates the status of Cyber Command.

As far as the dual-hatted leadership role, that has been debated. The leadership split was heavily considered in the Obama Administration, but it is uncertain where that stands with the Trump Administration. Admiral Mike Rogers, the current head of both the NSA and Cyber Command, did meet with President Donald Trump before he took office and that probably doesn’t hurt his case for maintaining the dual-hatted leadership.

TCB: At the budgetary and personnel levels, what kind of impact could a separation have for both Cyber Command and the NSA?

JD: For starters, they would then have two different budgeting processes, which runs the risk of duplication. But ultimately, the budgeting aspect is where the rubber meets the road – it is where pulling the NSA and Cyber Command apart will continue to be difficult, even if they can overcome the operational challenges. Some of the programs co-mingle where they have the same people working two different sides of the mission. A separation means there will be two organizations that may or may not align. Right now they answer to the same person, and if a more streamlined budget is a priority, it is an argument for keeping the NSA and Cyber Command together.

TCB: If there are good operational and budgetary reasons in keeping the two organizations linked, why do you think the topic of separating them has come up?

JD: The argument of tightness between the NSA and Cyber Command is important, but, regardless of whatever operational efficiencies that exist in Fort Meade, there is a public policy and perception issue that needs to be contended with. Looking from an outside view, the reputation of the NSA has suffered following the leaks from Edward Snowden in 2013. Rather than thinking of the NSA as an organization that stops terrorist attacks, many see them as a mass surveillance apparatus that shouldn’t be trusted. So if nothing else, the split of the NSA and Cyber Command might help perceptions a little bit, as right now there is so much aggrandizement of power and resources that it gives off perceptions that make people suspicious. The privacy implications of NSA surveillance do erode the United States’ moral high ground, and a separation between the NSA and Cyber Command could potentially restore its credibility. It’s ultimately about a restoration of trust with the people they serve. 

The Author is John Dickson

John Dickson is a Principal at the Denim Group. He is a former Air Force intelligence officer with a strong background in electronic warfare and technology, and was part of the early efforts to defend Air Force networks. He was a member of the air combat targeting cell during Operation DESERT STORM operating out of Incirlik Air Base, Turkey. Dickson subsequently served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team...
