While it was wall-to-wall Charlottesville coverage on the cable networks, with a side of Steve Bannon Friday, the White House made a major announcement with serious implications for national security. The president has formally approved the Pentagon’s proposal to elevate the U.S. Cyber Command from a subordinate unified command under control of the U.S. Strategic Command to a unified command in its own right.
creating cybercom
CYBERCOM was born in the first year of the Obama Administration, after two Army computer experts (one of whom, Col. John “Buck” Surdu, I worked with when I was a contractor at the U.S. Army Research, Development, and Engineering Command) wrote that the varying degrees to which each of the services were addressing cyber capabilities indicated a need for a joint command. Secretary of Defense Robert Gates soon directed CYBERCOM’s creation.
The network and supercomputer infrastructure necessary to do such computing-intensive work already existed at the NSA, so that’s where the new command was created. Because strategic requirements always outnumber strategic assets, concerns that the NSA would deny CYBERCOM’s operators access to these assets kept the two in an unlikely marriage.
Officials first discussed a divorce in 2013, but the president ultimately decided that the split could wait. The topic resurfaced several times, but each time, the Pentagon kicked the can down the road.
Last fall, Congress amended the law establishing the responsibilities of the DoD’s chief information officer; the FY 2017 NDAA added language that the CIO “has the responsibilities for policy, oversight, and guidance for the architecture and programs related to the networking and cyber defense architecture of the Department.” That language reignited the discussion again, and Secretary of Defense James Mattis directed a new examination of the concept in February.
split would remove confusion
“In connection with this elevation,” the president’s statement said, “the Secretary of Defense is examining the possibility of separating United States Cyber Command from the National Security Agency. He will announce recommendations on this matter at a later date.” It’s hard to see how CYBERCOM will be able to function as a full-fledged unified command while still remaining under NSA’s wing.
Since CYBERCOM’s creation, the director of the NSA, currently Navy Adm. Michael S. Rogers, has been “dual-hatted” as its commander. Once the move is formalized, the president will need to nominate a four-star general or flag officer to command the new organization.
The dual-hat nature of the director/commander in the NSA/CYBERCOM partnership has led to occasional confusion in the press, and consequently in both our our adversaries and our allies. The NSA is responsible for signals intelligence and cryptology, while CYBERCOM is responsible for defending the government’s computer networks against attack — and since a 2015 directive from then-Secretary of Defense Ashton Carter, for undertaking offensive operations in cyberspace to weaken adversaries’ computer networks and counter online recruiting efforts by non-state actors like ISIS and al Qaeda.
But as a colleague who ran public affairs for CYBERCOM in its early days once told me, it was often difficult for reporters to realize that when the incumbent spoke in his capacity as CYBERCOM’s commanding general, he needed to be quoted as such. He was the same person, but there were things he could say as CYBERCOM CG that he could never say as NSA director, and vice versa. Reporters often confused in which capacity he was speaking.
That seems like a semantic dance to many people, but the distinction had serious policy implications. As Washington Post cybersecurity reporter Ellen Nakashima wrote last fall, “[Secretary of Defense Ashton] Carter has brought Cyber Command into the fight against the Islamic State and wants it to act openly, like other military commands, rather than as the annex of a highly secretive spy agency.”
Splitting the two organizations will finally remove the confusion.