Should Cyber Command and the NSA Have Separate Leadership? How to Decide

Report Defense

Should Cyber Command and the NSA Have Separate Leadership? How to Decide

May 2, 2019 18 min read Download Report
Research Assistant, Center for National Defense
James is a research assistant in Heritage's Center for National Defense.

Summary

The elevation of U.S. Cyber Command in 2018 to a unified combatant command has reignited the debate over whether to terminate the dual-hat arrangement, wherein the Director of the National Security Agency (NSA) simultaneously serves as the Commander of U.S. Cyber Command. This debate over whether to end this arrangement has gone on for years now, with many believing that a split is both inevitable and necessary to improve the cybersecurity of the United States, while others maintain that splitting the organizations could either have a detrimental effect on cybersecurity or would result in multiple inefficiencies. This Backgrounder lays out the arguments for, and against, a split, with recommendations for a decision that is based solely on enhancing U.S. cyber operations.

Key Takeaways

Cyber Command has long relied heavily on the NSA for mission support, manpower, equipment, and know-how for the command’s military operations.

Cyber Command has developed since then, operationally and in manpower, and is now capable of more autonomy in its ability to conduct operations.

There is a debate on separating the two organizations, which operate under a single boss. The decision should be based solely on enhancing U.S. cyber operations.

The elevation of U.S. Cyber Command in 2018 to a unified combatant command has reignited the debate over whether to terminate the dual-hat arrangement, wherein the Director of the National Security Agency (NSA) simultaneously serves as the Commander of U.S. Cyber Command.

This debate over whether to end this arrangement has gone on for years now, with many believing that a split is both inevitable and necessary to improve the cybersecurity of the United States, while others maintain that splitting the organizations could either have a detrimental effect on cybersecurity or would result in multiple inefficiencies. Ultimately, this decision should be based solely on whether a split would actually enhance the cyber capabilities of the United States.

Evolution of U.S. Cyber Command and Its Relationship with the NSA

Since its inception, Cyber Command has had an incredibly close relationship with the National Security Agency. The organizations are both based at Fort Meade, Maryland, and Cyber Command historically depended on the NSA’s workforce, computer networks, and intelligence to operate. The two also share singular leadership. Under what has been coined the dual-hat arrangement, a four-star flag officer heads both the NSA and Cyber Command.REF

The evolution of Cyber Command, from a Joint Task Force in 1998, to a sub-unified command in 2009, and finally to a unified combatant command in 2018 coincides directly with the Department of Defense’s (DOD’s) increased focus on cyber defense over those two decades. By the mid-1990s, DOD officials had become increasingly concerned that adversaries were capable of disrupting U.S. military networks remotely, potentially affecting real-world operations.

In response, the officials created the Joint Task Force-Computer Network Defense (JTF-CND), the DOD’s first organization with authority to “direct operations on individual military service and DoD networks.”REF In 2000, all DOD cyber operations were combined under the Space Command (SPACECOM), and when Space Command was dissolved two years later, cyber operations were absorbed into the Strategic Command (STRATCOM). In 2009, on orders of Secretary of Defense Robert Gates, Cyber Command was established as a sub-unified command, and continued to operate under the supervision of STRATCOM.REF This elevation was in response to what the DOD considered a clear, persistent, and serious threat from foreign adversaries using cyberspace to attack the United States.REF

Since 1952, the NSA’s primary mission has been to clandestinely collect intelligence on actors outside the United States. It also supports U.S. military operations with equipment and intelligence. However, the military operations themselves, offensive and defensive alike, fall under the purview of Cyber Command:

USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.REF

Besides having separate mission sets, the NSA and Cyber Command also operate under differing legal authorities. The NSA’s authority comes from its creation in Title 50 of the U.S. Code, which outlines proper procedures for conducting intelligence collection, espionage, and cyber surveillance operations against foreign powers.REF Cyber Command’s authority, specifically the authority for offensive cyber operations, comes from Title 10 of the U.S. Code, which outlines the role of U.S. Armed Forces.REF Title 50 does not give the NSA the authority to destroy or change an adversary’s information, to harm someone else’s network, or to seize control of an adversary’s computers in order to create any physical destruction. These actions fall under Title 10.REF However, the NSA can support a Title 10 military operation by providing intelligence, technology, and personnel. There is also no law precluding CYBERCOM from conducting a Title 50 operation.REF

Despite having distinct responsibilities and legal authorities, Cyber Command and the NSA maintain a close, cooperative relationship. Earlier this year, General Paul Nakasone—the current Commander of Cyber Command and Director of the NSA—told Congress, “The National Security Agency is our most important partner; the strength of this relationship will remain critical to the defense of the nation. The Agency’s world-class expertise, technical capabilities, and accesses are crucial to USCYBERCOM’s success.”REF

Background and Recent Activity

The Edward Snowden controversy in 2011 brought the issue of splitting the NSA and Cyber Command to the forefront of public debate. Snowden, a former NSA sub-contractor, brought a number of accusations about abuses of civil liberties into the public square when he leaked documents he copied from the NSA. The controversy raised questions of cyber operations and civil liberties, and led many to question if it was wise to have both cyber collectors and warriors under the same leadership.

Prompted by this leak, the Obama Administration explored a number of options to prevent such a situation in the future. A separation of the people collecting cyber intelligence and those conducting cyberwarfare was seen as a way to prevent abuse, and the Administration pushed for splitting Cyber Command and the NSA.REF The Obama Administration also considered appointing a civilian as head of the NSA in an attempt to enhance civilian control over cyber and signals intelligence activities.REF At the time, the push for the split was largely a political one rather than a matter of military necessity or as a means of enhancing cyber security.

This push for the split led Members of Congress to act. Fearing that a premature split of the NSA and Cyber Command would endanger the cybersecurity of the country by adversely affecting operations, the late Senator John McCain (R–AZ) and others vowed to block an attempt by President Obama’s Defense Secretary Ash Carter and Director of National Intelligence James Clapper to separate the two organizations. Senator McCain argued that “given the very serious challenges we face in cyberspace,” it would be unwise to split the two “prematurely.”REF

Congress included criteria for a possible end to the dual-hat relationship in the 2017 National Defense Authorization Act (NDAA), seeking to set conditions and criteria that must be met before a split occurs. These conditions were predominantly aimed at ensuring that cyber operations and effectiveness are not affected and included requirements for the Administration to verify that the necessary infrastructure for the NSA and Cyber Command has been deployed, along with command and control systems for planning and deconflicting cyber operations. Another condition is that capabilities are up to the tasks required and that personnel are adequately trained for the missions they are being asked to execute. Lastly, the cyber mission force has to have achieved full operational capability.

General Nakasone, his predecessor Admiral Michael Rogers, and Senator McCain all voiced concerns that prematurely severing the dual-hat relationship could slow down cyber operations and jeopardize the country’s defenses.REF

Cyber Command Maturity and Development

On May 4, 2018, the Trump Administration, in a desire to “streamline command and control and demonstrate increased resolve against cyberspace threats,” elevated U.S. Cyber Command to a full unified combatant command. It joined the ranks of Pacific Command, Special Operations Command, and Strategic Command to become the newest and 10th Combatant Command.REF This elevation is significant because it consolidates the authorities for training and operations under a single commander. It is designed to streamline cyber operations.REF

Historically, Cyber Command has relied heavily on the NSA for mission support, with the NSA providing much of the manpower, equipment, and know-how for the command’s military operations.REF Both organizations’ missions required a similar set of tools and skills, and often both infrastructure and personnel are used for Title 10 and Title 50 operations. Many employees of Cyber Command and the NSA participated in the dual-hat arrangement, conducting intelligence work for the NSA and then “flipping their hat” to perform military operations when needed.REF

But Cyber Command has developed since then, both operationally and in manpower, and is now capable of a greater degree of autonomy in its ability to conduct operations. On May 17, 2018, Cyber Command reached full operating capacity earlier than anticipated, filling all of its 133 cyber mission forces, the units within Cyber Command responsible for conducting cyber operations.REF Now the focus has shifted to improving the readiness of the cyber forces, and General Nakasone points to the opening of the Integrated Cyber Center, which enhances command and control of cyber operations, and is in the first dedicated building for Cyber Command.

Cyber Command has also conducted cyber operations against adversaries, gaining valuable experience in the process. Cyber operations worked together with kinetic and other operations to degrade the Islamic State and work to erode its caliphate. Admiral Rogers credits that campaign with providing key experience for operationalizing cyberwarfare tools against extremist organizations as part of a larger strategy.

Another example was the operation against Russia, known as the Russia Small Group, to defend the U.S. midterm elections in 2018. Cyber Command and the NSA worked together along with other combatant commands, the Department of Homeland Security, and the FBI to secure the elections.REF Both of these operations against different targets demonstrated Cyber Command’s successes in supporting broader objectives, as well as its ability to operate.

Arguments for Ending the Dual-Hat Arrangement

There are three key concerns that stem from the dual-hat arrangement.REF The first is concern about unfair prioritization of requests for support. Whichever organization or mission set is favored by the commander could get special attention to the detriment of the other. If, for example, the Director/Commander favors the NSA and values the collection of signals intelligence over the execution of a cyber operation, Cyber Command could lose out to the NSA, or vice versa.

The second involves the ability of a single commander to manage two large organizations. Skeptics of the dual-hat arrangement wonder if one individual is really able manage the two large organizations, especially as Cyber Command continues to grow. This broad span of control could have a detrimental impact on organization management.

The third concern is the increased potential for exposure of NSA tools and operations. Maintaining the secrecy of the NSA’s cyber tools is one of the highest priorities of the organization. Because the NSA shares its hacking tools with Cyber Command, the frequency of use for these tools has increased, leading to a correlating increased chance of release. This does not necessarily stem from the dual-hat relationship, but more from Cyber Command’s close relationship with the NSA for support.

Some have also criticized the effect the close relationship has had on Cyber Command’s operational development and culture. The NSA tends to be a more risk-averse organization, as the maintenance of access to intelligence sources requires a certain degree of caution. Since Cyber Command developed within the NSA, many of the processes for approving operations are based on a similar risk assessment as the NSA uses, but critics worry that this inhibits the ability of Cyber Command to deter adversaries. Cyberwarfare is an enterprise where aggressive and rapid actions are often necessary to be effective.REF Ending the dual-hat relationship is one suggestion for allowing Cyber Command to develop its own operating culture that will better suit its mission set.

Arguments for Keeping the Dual-Hat Arrangement

DOD officials say that the benefits of the dual-hat arrangement include a close and collaborative relationship, a faster decision-making process, and more efficient resource allocation.REF A closer look shows some compelling arguments to leave the two organizations dual-hatted.

A Single Commander Can Play Referee. The dual-hat arrangement leads to faster decision making because one person is ultimately responsible for both missions.REF If there is a conflict between the two organizations, a single boss can make the call quickly on which course to take. This is especially important when the intelligence collectors and the cyber warriors are using the same access point in an adversary’s network. If each organization had its own leader, a request would potentially go all the way to the Secretary of Defense and National Security Council to resolve a conflict, adding time to the decision-making process. Additionally, both organizations may be encouraged to become more protective of their particular mission set, as leaders would seek to maximize the effectiveness of their particular mission set. A single commander has responsibility for both mission sets, and would therefore be more likely to seek balance between the two.

Cyber Intelligence Collection and Warfare Are Different Missions, But Related. Unlike traditional military activities where intelligence and operations are very different, cyberspace is an area where the two functions are very closely related. Both collecting intelligence and conducting cyberwarfare requires accessing the networks of the intended target in the same way. This means that Cyber Command can utilize network access provided by the NSA and vice versa. According to General Hayden, “in the cyber domain the technical and operational aspects of defense, espionage, and cyberattack are frankly indistinguishable—they are all the same thing.”REF The skills required to create these various effects vary, but they are all related. When the two organizations operate together, they can take advantage of network access and work in tandem with one another, using their resources more efficiently. General Nakasone said, “My experience is that the dual-hat arrangement has enabled the operationally close partnership between USCYBERCOM and the NSA, which benefits both in the accomplishment of their respective missions.”REF

Typically in an organizational restructuring when an organization is divided to allow its components to better focus on disparate missions, it reflects a recognition that missions have grown to the point where they need increased specialization and attention. This happens frequently in the commercial sector, where for example, a larger corporation, such as IBM or SAIC, spins off a unit to focus on a particular business sector. It often signifies a desire to increase the attention paid to a particular area.

In the case of the NSA and Cyber Command, however, that way of thinking may be faulty. Although the NSA focuses on intelligence, and Cyber Command focuses on offensive and defensive cyber operations, counterintuitively, it may be that cleaving NSA/Cyber Command via separate commanders, no matter which compensating enhancements are provided, will ultimately result in two less-viable organizations.

NSA and Cyber Command Pull from the Same Talent Pool. The NSA and Cyber Command operate jointly in many instances. Not only do they both hire the same type of employee, but a number of employees work for both organizations simultaneously, changing fluidly depending on the situation. Ending the dual-hat arrangement could result in personnel being forced to choose to work for either Cyber Command or the NSA, leading to personnel issues within both. Cyber Command still relies on NSA personnel for its command staff, even though it now operates independently of Strategic Command.REF

This would be challenging under most circumstances, but is especially a problem given the challenges that the NSA and Cyber Command have with attracting and retaining top tech talent.REF Additionally, cyber talent takes years to cultivate, meaning that the recruits filling the ranks would be less capable than their more experienced counterparts. Lieutenant General Stephen Fogarty, Commander of Army Cyber Command, testified before the Senate Armed Services Subcommittees on Cybersecurity and Personnel that the average operator can spend fully half of his or her six-year enlistment in training.REF

Recent reporting shows that the U.S. government is struggling to attract and retain top cyber talent due to stiff competition from the private sector. The government has difficulty competing with the high salaries and swift onboarding processes large companies can offer. Cyber Command has outlined a series of initiatives to help improve talent recruitment and retention, including keeping close relationships with universities, increased pay scales, and retention bonuses. But the government may not be able to fill the necessary manpower demand it would create by splitting the organizations.REF

The NSA and Cyber Command also share personnel because of the relative scarcity of cyber talent in the public sector. Despite Cyber Command’s Cyber Mission Force teams filling all of its 6,200 billets, recent Senate testimony revealed lawmakers’ concern about a “shortage of cyber-capable personnel.”REF As Cyber Command grows more independent of the NSA, Cyber Command will need to ensure its own robust workforce of coders, developers, and operators, as well as support staff and administrators.REF General Nakasone says that hiring and retaining qualified personnel is the biggest challenge facing Cyber Command.REF This makes the efficiency of scarce resources essential for the command, and sharing personnel is key to that efficiency.

Recommendations

The Administration and Congress should:

  • Re-evaluate the military necessity of splitting the NSA and Cyber Command, and should not assume that terminating the dual-hat arrangement is inevitable. Large organizational shifts should not be made for their own sake, and sometimes the change itself can have unintended negative consequences. Given the demands on cyber-capable personnel and the intertwined nature of cyber espionage and warfare, there are plausible arguments for leaving the two organizations under the same leadership and infrastructure. A split would mean a large recruiting push for cyber personnel who may not be available. The benefits for cyber operations and the cybersecurity of the U.S. should be proven.
  • Refine the criteria used to decide whether a split is in the best interest of the United States. If a split is ultimately pursued, the Administration should fully plan for what that would entail and share that plan with the congressional Armed Services and Intelligence Committees. This plan should involve the anticipated costs, both for personnel and infrastructure, and have a timeline. Support from Congress will be essential in making such a large change successful, and an understanding of the resources required will help Congress to provide that support.
  • Continue to develop Cyber Command’s capacity and readiness to increase its ability to operate independently of the NSA. Regardless of the ultimate outcome of the leadership and dual-hat situation, Cyber Command should continue to grow and mature into a premier cyberwarfare organization to enhance the offensive and defensive cyber operations of the United States. By improving its internal ability to operate, it will require the NSA’s hacking tools less often, reducing the risk of those tools being discovered by adversaries and losing their effectiveness.

Conclusion

There are compelling arguments for both sides of the dual-hat question. The decision for ending or continuing the dual-hat arrangement should ultimately be based on what will enhance the cybersecurity of the United States, and it must protect the close relationship between the NSA and Cyber Command. Today, the logical course of action is to maintain the dual-hat arrangement. When and if that changes, a clear plan with the necessary resources should be developed and made available to Congress to ensure that both organizations receive the resources they need.

—James Di Pane is Research Assistant in the Center for National Defense, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. The author thanks Will Thatcher, who contributed to this Backgrounder while he was a member of The Heritage Foundation’s Young Leaders Program.

Authors

James Di Pane

Research Assistant, Center for National Defense