Shaking Up the Top of Cyber Command

By Jason Healey

Jason Healey is a Cipher Brief Cyber Advisor and Senior Research Scholar at Columbia University’s School for International and Public Affairs, and Visiting Scholar at the Hoover Institution at Stanford University, specializing in cyber conflict and risk. He started his career as a U.S. Air Force intelligence officer, before moving to cyber response and policy jobs at the White House and Goldman Sachs. Healey was founding director for cyber issues at the Atlantic Council where he remains a Senior Fellow and is the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012. He is on the DEF CON review board and served on the Defense Science Board task force on cyber deterrence.

As I have previously written, U.S. Cyber Command has grown up, and its elevation to a unified combatant command will soon be complete. The focus can now switch to a far more critical issue: splitting the “dual-hat” arrangement where the same uniformed officer is both Director of NSA and Commander of Cyber Command.

The strengths of the dual-hat have been compelling since the Joint Functional Component Command—Network Warfare (JFCC-NW) of 2005.  As General Hayden described the situation:

“As the United States moved forward, it wanted to do more than just steal other countries’ secrets, but actually create effects. To do this in and through the cyber domain, it was a natural process to do it from Fort Meade, because again, operationally and technologically, cyber espionage is not distinguishable from cyber attack. However, while it is not distinguishable operationally and technically, it is distinguishable in law, and it is distinguishable in authority. So although we could do it at the NSA in practice, the NSA is not allowed to do it. So what we had to do was create another entity that could make use of the expertise and technology at the NSA, but would operate under different authorities. And that was JFCC-NW, and eventually Cyber Command.”

The Director of NSA already had trained teams, advanced capabilities, and secret accesses into adversary networks; the obvious step ever since has been for the director to “lend” those to Cyber Command for offensive purposes as well. At some point, Cyber Command would have enough capability to split off and no longer rely so completely on NSA. The current holder of both hats, Admiral Michael Rogers, believes, “the right answer in the long term is to separate the two.” The Obama Administration thought this time had come, writing to Congress in December 2016 that “While the dual-hat arrangement was once appropriate in order to enable a fledgling CYBERCOM to leverage NSA’s advanced capabilities and expertise, CYBERCOM has since matured.”

But the Trump Administration does not think Cyber Command is yet mature enough. Though it itself directed the elevation of Cyber Command, the administration also wrote that the Secretary of Defense is “examining the possibility of separating” NSA and Cyber Command. Congress agrees, as the most recent National Defense Authorization Act “requires the Secretary of Defense and the Chairman of the Joint Chiefs of Staff to certify” to multiple committees that a “split will not pose unacceptable risks to the military effectiveness of Cyber Command.”

However, most of the debate so far conflates two critical issues: intertwined teams and capabilities and a dual-hat leader. That is, the leadership could be divided well before the splitting of the teams and capabilities.

The most obvious reason to split the leadership first was given by the Obama Administration in 2016, when it stated, “the two organizations should have separate leaders who are able to devote themselves to each organization’s respective mission and responsibilities.” Two large bureaucracies is one too many for anyone, even our most senior officers, to manage well.

Yet this most obvious reason is not the most compelling.

Imagine if the commander of U.S. Pacific Command were the leading source of information on the Chinese military and intelligence threat, tampered with U.S. products being sold in China, ran the best-funded China-oriented bureaucracy, was involved in extensive and intrusive intelligence operations against China, conducted military planning and teamed to conduct covert operations in China, and – most importantly – could decide what information on China was classified or not.

This concentration of power is not the American way and yet is analogous to just how cyber policy is conducted now in the U.S. government even though cyberspace is perhaps at least as important to U.S. national security and economy as China. We long ago decided that “professionalization” of our intelligence officers means they do not engage in making policy – then centralized nearly all military and espionage cyber power in the same two hands.

The president deserves to have multiple, independent voices advising on cyberspace; all the better if they disagree. The United States gains tremendous national power through the internet, one of the most transformative inventions to come from human minds since Gutenberg, and some caution and friction is justified. No single officer should ever again run directly oversee military and espionage operations.

Accordingly, there are several pressing recommendations for Congress and the Executive Branch, in two main categories.

First, the U.S. government must more strongly push the role of countering influence and information operations. Whether it is North Korea releasing emails of Sony or Russia influencing elections in the United States or of allies, our adversaries realize our weakness – indeed, helplessness. As I testified earlier this year:

“Treating these as “cyber” events misses what makes them unique and brings the wrong set of experts to the table. Frankly, we would have better equipped to handle these challenges in the 1990s when forward-looking officers created doctrines, organizations, and operating concepts around information operations, not just cyber. Even though the military is not the best choice of government agency to respond to other nations seeking to influence or undermine the U.S. system of government, their capabilities might be built up most quickly. The Cyber Mission Force already has area-studies specialists working alongside cyber subject matter experts. A new set of Cyber Influence Teams could be trained and folded into this structure to provide a more integrated capability to deal with influence events.”

Such capabilities might also be developed in the regional commands, which often have more subject matter experts, but the idea of building Cyber Influence Teams of experts watching for adversary influence campaigns executed through cyber operations, is the same.

In addition to such bottom-up moves, the Pentagon should institute top-down changes as well. A move, though controversial, in this direction is the language in a draft of the National Defense Authorization Act to create a Chief Information Warfare Officer in the Pentagon “to assume responsibility for all matters relating to the information environment of the DoD, including cybersecurity and cyberwarfare, space and space launch systems, electronic warfare, and the electromagnetic spectrum.”

Second, the Trump Administration must work with the relevant committees in Congress to split the leadership of NSA and Cyber Command as soon as possible. A larger split involving the capabilities can come later, in a second phase. This will require complex agreements as both leaders fight over shared resources. Thoughtful critics will argue that since the split is coming soon anyhow, it is surely better to wait and handle the leadership and capabilities split simultaneously. But the split has seemed imminent for years and in fact may never come, so waiting is no longer the smartest option, and these agreements can be included in the already-ordered process of escalating Cyber Command.

The administration will have to convince Congress this “will not pose unacceptable risks to the military effectiveness of Cyber Command.” If NSA is not overly jealous of its resources, and Congress can be persuaded of this, then perhaps this is not insurmountable. There is also an argument that it will improve the advice to the president and National Security Council, who will now have two voices, two opinions, two perspectives on cyber operations.

Sometimes, two heads – and two hats – are better than one.

Tagged with:

Related Articles

Search

Close