U.S. Air Force



Should CYBERCOM Split From the NSA?

On December 23, 2016, Congress passed the National Defense Authorization Act for Fiscal Year 2017. This in itself is nothing extraordinary. What came as a shock was the news that US Cyber Command (CYBERCOM) would be elevated to the unified command plan (UCP) as the fourth functional combatant command, pending review of CYBERCOM’s efficacy by the Pentagon of course. The National Defense Authorization Act allocates $75 million a year to CYBERCOM for upkeep of current facilities, training of personnel, acquisition of hardware, and development and deployment of new programs.

Since its inception in 2009, CYBERCOM has occupied a unique position within the Department of Defense. On one hand, it was a subordinate combatant command of US Strategic Command (STRATCOM), the same command responsible for military affairs in space and the nuclear arsenal. On the other hand, it has been and is still headed by the director of the National Security Agency, an intelligence organization separate from the conventional military hierarchy.

CYBERCOM’s elevation is important for three reasons. First, as a part of the UCP (Unified Command Plan), the combatant commander (CCDR), Admiral Mike Rogers, can directly appeal to the Secretary of Defense (SECDEF) and the President (POTUS). Second, Admiral Rogers has a seat at the table so to speak regarding budgeting decisions. Finally, the elevation of CYBERCOM into the UCP is symbolic. It is a signal of intent for both domestic and international audiences and indicates that the US considers cyber security a major aspect of national security and that it will continue to invest in its cyber capabilities in the future.

As significant as this elevation is, this is actually just the first step on the road to an independent CYBERCOM. Recall my mention of the NSA. There have been voices calling for the end of the dual-hat arrangement, most notably former President Obama, and these voices are growing louder. After all, if CYBERCOM can stand alone as a combatant command, perhaps it is ready to stand apart from the NSA. Ending the dual-hat arrangement would mean that Admiral Rogers would most likely lead CYBERCOM while a new director for the NSA is chosen, possibly a civilian, but that is a discussion for another time.

Initially, the dual-hat arrangement made sense. Simply put, CYBERCOM was a fetus incapable of surviving on its own without the constant nourishment of its mother and this arrangement was the umbilical cord. As a fledgling command, CYBERCOM lacked the funding, personnel, hardware, and leadership to operate effectively so command was given to Lt. General Alexander as a means of quickly bringing CYBERCOM to operational status.

Some are afraid that splitting the two organizations will lead to needless rivalry, competition for resources and authority, and a decline in overall cooperation between the two organizations. So why are others encouraging a split? Like many issues in the DOD, it’s complicated and cannot be adequately covered in the length of one article, but those who advocate for the end of the dual-hat arrangement come generally in three flavors.

The first group maintains that CYBERCOM is mature enough to act without NSA input. These individuals argue that with adequate funding, CYBERCOM possesses the leadership and the groundwork for programs needed to operate independently. They seem to be in the minority. Even Admiral Rogers believes that CYBERCOM and the NSA should split eventually, but he stated explicitly that now is not that time.

The second group advocates for the split on functional grounds. The NSA is an intelligence agency that focuses on signals intelligence (SIGINT). CYBERCOM is a military organization with the mission to protect DOD information networks and conduct operations in cyberspace. Saying all operations done in cyberspace are the same is like saying that a firecracker, pistol, and cruise missile are the same because they are based on the same medium: gunpowder. A split is necessary to highlight the different functions of CYBERCOM and the NSA.

The final group seeks a split based on legal motives. CYBERCOM, and all military branches, take their authority from Title 10 of the federal regulations. Title 10 is what outlines the conditions and appropriate conducts of war; it tells the US military what powers it has and does not have.

The NSA is not a strictly military agency despite the fact that an admiral is its current director. Instead, as an intelligence agency, it gathers its authority from Title 50, the part of the federal regulations dealing in national defense and intelligence. The basic argument is that no individual should have command over so much of national security; that’s too much power concentrated into one man. Having a clear separation of legal authority will keep both organizations more accountable.

Most experts in Washington are of the opinion that CYBERCOM needs its independence. The question is now a matter of time and method. When will CYBERCOM be mature enough to stand on its own legs? How will we know? What can we do to make the transition as smooth as possible? The elevation of CYBERCOM and its likely separation from the NSA will mark a new age in cyber security, recognition of its place as a combat discipline by the most powerful nation in the world.