OODA Loop

Understand tomorrow, today.

Time to Separate CYBERCOM Or Get Off the Pot

Archive, OODA Original, Security and Resiliency / by

Recent reporting suggests that President Biden is considering finally splitting control of the U.S. Cyber Command (CYBERCOM) the National Security Agency (NSA), a long held contentious issue since CYBERCOM was established in 2009 and put under the Director of the NSA to lead under a “dual hat” arrangement.  Ostensibly, the purpose of this fusion was to temporarily help CYBERCOM get up and running with an experienced leader in such matters at the helm. It also gave the NSA Director a fourth general star, as combatant commands are led with this senior rank.  If the NSA Director position wasn’t already powerful and commanding a substantial part of the U.S. intelligence budget (not to mention whatever “black budget” money it receives), he is now equal in stature to other combatant commanders. This is not the first time a president has considered finally dividing the roles.  President Trump also looked into splitting control in 2020, a proposal that was ultimately rejected because Congress didn’t feel that CYBERCOM had “met the conditions to do so required by law,” according to one prominent news outlet.  Suffice to say, the debate is as old as CYBERCOM itself, and fundamentally comes down to missions:  foreign intelligence collection versus warfighting.

Supporters of maintaining the dual-hat structure immediately point out that such a fusion makes operational sense. After all, NSA is the premier technical intelligence wing of the U.S. government, it falls under the Department of Defense (DoD) and can seamlessly support CYBERCOM in its operational missions.  It further makes sense that the individual in charge of both organizations can presumably quickly divert and allocate resources as needed, a benefit in a domain where activity transpires in nanoseconds.  It also presumes that such a position would facilitate collaboration and coordination between intelligence and military function areas, which has been known to be stymied and stove-piped on occasions.  There is the assumption that with both organizations taking orders from the same tip of the pyramid they will “play nice,” sharing resources and knowledge, and essentially have one large integrated sandbox in which both share as equals.

But anyone knowing the fierce competition between government agencies, especially when it comes to budgeting, is fully aware that reality is not as rose-colored as idyllic glasses might try to make them appear to be.  The Government Accountability Office (GAO) produced a report in 2017 exploring the nature of this unusual relationship, and while it did not provide a final recommendation, it did provide pros and cons with respect to the arrangement’s impact on DoD.  One important finding of the GAO report was the potential of CYBERCOM to be reliant on NSA for its technical acumen, rather than build and develop its own.  While one could argue that was only true at the new command’s inception, there is little publicly accessible literature to say that this situation has changed, and if so, when.  If it still exists, then it would suggest that someone wants the dependence to continue, and if it doesn’t, then the strength of that argument defending the need to keep the dual-hat role is weakened.  A second pro cited ease of deconfliction, which while beneficial, is hardly a significant justification with maintaining the status quo as other intel agencies deconflict their technical operations without the need of the same individual heading both organizations (NSA and the Central Intelligence Agency come to mind).  This should be no different.


OODA Loop Sponsor

For critics, the argument that one individual should not have control over the two premier intelligence and military cyber organizations is a legitimate matter for debate.  That would be an awful lot of authority in one individual’s hands with little oversight. There is also the concern that CYBERCOM could use some of the more specialized and stealthy NSA tools, risking their exposure.  While many CYBERCOM missions may remain quiet, those that are known do not appear to have required the use of such advanced weaponry, suggesting that NSA would not risk lending their more sophisticated tools without rigorous review of a CYBERCOM operation However, the bigger concern is the blurring of lanes of road and operational responsibilities that fall into the mutually supporting authorities of the Title 10/Title 50 debate, as well as usurping of fiscal allocation come budget time.  By the very nature of their primary responsibilities, both NSA and CYBERCOM represent both sides of that debate, and instead of clarifying their roles, continued dual-hatting and fusion of these two organizations only further muddies these.

While some have worried that the military may have been trying to acquire capabilities outside its natural area of responsibility, the current dual-hatted NSA/CYBERCOM structure positions NSA to conduct missions that probably should be given to CYBERCOM.  On paper, it would make sense that NSA gain illicit access into a target system to pass along to CYBERCOM to execute an attack.  The question of the extent that this is done remains inconclusive.  For a lesser value target, this transaction may occur, but for a high-value one of great tactical, operational, or strategic significance, NSA would likely carry through the operation start to finish. Certainly, any time that this line can be blurred is justification for keeping the dual-hatted status quo in place.

In 2016, Congress provided metrics that needed to be met so that the split could occur.  Then in 2022, General Nakasone, the individual currently wearing both hats, testified that CYBERCOM and NSA were still working to meet those metrics.  These included requirements that each organization have robust command and control systems for planning, deconflict with one another where appropriate, and execute military cyber operations and national intelligence operations as well as ensure that the tools and weapons used in cyber operations were sufficient for achieving required effects. After six years, it does beg the question if there is an urgency to get this done. If there is no appetite for separating the two organizations, then why the need for both?  It would certainly seem more logical for a separate, dedicated military offensive branch to be a part of the NSA – already a DoD component – to assume the activities into which CYBERCOM is still apparently trying to grow.  Based on the metrics stated above, NSA already has fulfilled those capabilities.  So, why the need for an entirely separate command?

Recently, the U.S. Senate put forth a bill that would require annual briefings on the relationship between CYBERCOM and the NSA, with concerns being expressed how a dual-hatted leadership impacts either organization.  These annual reports would presumably cover important areas such as the division and sharing of resources, how operational risk is being managed, assessments of the operating environment, and the operational effects resulting from the relationship between CYBERCOM and NSA. These reports could be very valuable if CYBERCOM and NSA are separated and under the helm of two different leaders and budget lines.  There is a better chance of showing where the organizations are working well together, and where they are not.  Problem areas can be more easily identified, and fiscal, material, and human resources reallocated accordingly and fairly.

It’s time to either split these organizations or fully merge them into one.  The latter would certainly make more sense on all fronts and may even prove more a cost-benefit as it would reduce operational responsibilities, overlapping missions, and unnecessary redundancies. But if the United States is going to keep CYBERCOM, then it needs to stand alone and apart from NSA, and its commander given the full authorities under 10 U.S. Code § 164 as any other combatant commander in using NSA assets to suit its operational needs.  This would properly make NSA an intelligence support element, remove the four-star designation from its director, and make it accountable for its activities in supporting CYBERCOM as any command.

If the United States is serious about CYBERCOM, it’s time to let it stand on its own.  Thirteen years being mentored by NSA should have helped fulfill their organizational and mission requirements, provide expertise of the operating environment, and understand adversary tactics, techniques, and procedures.  And now with new acquisition authority to purchase additional capabilities, it is headed down the path of self-reliance.  Keeping the dual-hat structure doesn’t make CYBERCOM a stronger partner, it just makes it a dependent one.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community

About Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.