“In today’s complex world, we need someone in uniform who can look across the services in combatant commands and make objective recommendations to the [Defense] Department’s civilian leadership about where to allocate forces throughout the world and where to apportion risk to achieve maximum benefit for our nation. And the person best postured to do that is the Chairman of the Joint Chiefs of Staff.”
That was Defense Secretary Ash Carter, speaking on April 5 at the Center for Strategic and International Studies (CSIS) and laying out the first item on his list of needed Pentagon structural reforms to update the 30-year-old Goldwater-Nichols Act to meet the challenges of the 21st century.
Also on Carter’s to-do list:
* Raising cyber to be a separate command, but keeping the separate regional combatant commanders;
* Reducing the number of four-star officer billets;
* Integrating logistics, intelligence, and planning, now done separately by the joint staff, combatant commands, and subordinate commands;
* Expanding credit for joint service and reducing time served in joint posts from three to two years;
* And finally, cutting acquisition time, to include reducing the size of the 35-member Defense Acquisition Board.
It’s an impressive list for the last months of an administration and a daring step to take during an election period when partisanship is bitter. But as Carter pointed out, both the Senate and House Armed Services Committees, led by Republicans, have been working on the same subjects, and it is not out of the question that implementation of some of his proposals will be made part of the fiscal 2017 Defense Authorization Act.
Expanding the role of the Joint Chiefs Chairman has been, as Carter put it, his way to solve “the problem not just of inter-regional integration, but of regional functional integration.”
He pointed out that dealing with the Islamic State not only involves Central Command, Africa Command, and European Command, but also cyber, which currently falls under a sub-unit of Strategic Command. With each Command requesting assets to meet its own threats, Carter said, “You’ve got to divide up the pie somehow, but once you’ve done that you may need to make sure the slices are able to work together and you haven’t artificially created barriers.”
He then admitted, “Today, the reality is I look to [Joint Chiefs Chairman Gen.] Joe Dunford for that every day anyway,” showing that the current proposal is Carter’s attempt to “clarify and strengthen” that existing role.
Perhaps the next most important change was Carter’s emphasis on the growing part cyber plays in all Defense Department operations. He pointed out his plan to increase cyber investment $35 billion over the next five years and that in cyberspace, “technology has given us great strengths and great opportunities, but also some vulnerabilities that adversaries are eager to exploit.”
U.S. Cyber Command, located alongside the National Security Agency (NSA) at Fort Meade, Md., is currently considered a sub-unified command under Strategic Command. It has a budget of $466 million and 963 full-time employees, both military and civilian, working at its headquarters, plus another 409 contract personnel. The military components represent all the services, including the Coast Guard, and consist of active, National Guard, and reservist personnel.
The same day that Carter was speaking at CSIS, Navy Adm. Michael Rogers, director of the National Security Agency and also commander of the U.S. Cyber Command, testified before the Senate Armed Services Committee.
When the question came up about raising cyber to a separate command, the panel chairman, Sen. John McCain (R-Ariz.), announced it was his intention and that of his ranking Democrat, Sen. Jack Reed (D-R.I.), to include such a proposal in the Defense Authorization Bill.
Rogers, who indicated he favored raising Cyber Command’s status, said such a designation “would allow us to be faster, which would generate better mission outcomes.” He also said it would enable him or his successors to have a direct say in “budget prioritization, strategy and policy…[and] that cyber needs to be a part of that direct process.”
He also updated his plan for building the cyber mission force, which calls for some 133 teams to be operational by September 30, 2018. Of that number, 13 will be National Mission Teams that will defend the U.S. against significant cyber attacks; 68 will be Cyber Protection Teams that defend priority Defense Department networks and systems against key threats; 27 Combat Mission Teams that support Combatant Commands by integrating cyber into their operational and contingency plans; and 25 Support Teams that provide analysis and plans to aid the other teams.
“We have 27 teams that are fully operational and 68 that have attained initial operational capability,” Rogers told the Senate panel, adding that “even teams that are not fully operational, some 100 are contributing to our cyberspace efforts.”
The Joint Force Headquarters for the Department of Defense Information Networks (JFHQ-DoDIN) at Fort Meade has “made great strides toward its goal of leading the day-to-day defense of the Department’s data and networks,” Rogers said.
Imitating private cyber companies, the Pentagon has introduced a “bug bounty” program to get vetted hackers to probe DoD systems for vulnerabilities. Partnering with HackerOne, the Defense Department will hold its initial bounty pilot program on Monday, April 18 and have it run through Thursday, May 12.
Rogers told the Senate panel that state-sponsored and criminal elements in cyberspace “make our government, our institutions, and our people spend far more on defense than the actors themselves spend on their efforts to penetrate our systems.”
Put in Cold War terms, it reflects the competition in which defense against incoming nuclear warheads is always going to cost more than the offensive tactics used to overcome those defenses.
As a result, Rogers said, thinking has begun to shift from preparing offensive actions to fight “a [cyber] war to also providing decision makers with options to deter and forestall a conflict before it begins.” These new options for deterrence might include “particularly hardened command and control networks” to protect communication nodes and “autonomous countermeasures to cyber attacks” that would react without human activation.
Air Force Chief of Staff Mark A. Welsh III has said that when it comes to cyber, “Someday we will be doing precision air drop of data in the cyber domain. We will be doing armed escort of data in the cyber domain. We will have to provide cyber superiority in a particular region of that domain to operate there.”
When the House and Senate Armed Services Committees start their markups of the fiscal 2017 Defense Authorization Bill, don’t be surprised if most of Secretary Carter’s reforms are included in the chairmen’s proposed measures.