When I departed the Defense Department last month, I delighted in receiving a now-traditional farewell gift: a photoshopped magazine cover with fake headline zingers about cyber policy topics. The largest headline, dead center, parodied my participation in at least three separate studies on the future of U.S. Cyber Command: “Is it time to elevate? Maybe now? How about now?” So, the president’s announcement last Friday to elevate Cyber Command to a unified combatant command was a welcome one for me, and no doubt for many former colleagues. But, far more importantly, it is a positive step for the United States and its international partners — one that reflects growing, global threats in cyberspace.
Though long-in-coming, the move is no surprise. Congress, growing impatient last year, directed in legislation that the President establish a unified combatant command for cyber operations. Nor is elevation, as Michael Sulmeyer has written, that big a change in how Cyber Command will do business. But there is still plenty to unpack on the specific decisions the Defense Department and White House announced on Friday.
Elevation grants Cyber Command all the typical responsibilities of a combatant command, such as managing its forces and being prepared to conduct operations during crises. Unlike most operational commands, however, Cyber Command will have additional authorities for training and equipping cyber forces. These authorities are usually reserved for the military services, with notable exceptions like U.S. Special Operations Command and, increasingly, U.S. Cyber Command. The memorandum from the president to the secretary of defense, for example, directs that Cyber Command have “Joint Force Trainer” and “Joint Force Provider” responsibilities. This gives the command a stronger hand in standardizing the training of cyber forces being built by the Army, Navy, Air Force, Marine Corps, and Coast Guard, and determining how those forces will be allocated across a wide range of global cyber threats.
There are several reasons for the administration to make this move. It signals to international partners, who face increasing cyber threats, that the Department of Defense will prioritize efforts to build defense and resilience together. It shows that the United States is investing in its cyber capabilities, which could, if messaged effectively, contribute to the forthcoming deterrence strategy directed in the administration’s executive order on cyber–security. It streamlines the operational chain of command, which makes day-to-day staff work more efficient, even if it doesn’t significantly affect the Defense Department’s speed in responding to cyber-attacks. And conveniently, it fits nicely within Secretary of Defense Jim Mattis’ narrative on the “changing character of war,” showing that the Department of Defense is taking steps to adapt to evolving global threats and emerging technologies.
In reality, the greatest practical impact may be that an elevated Cyber Command is better positioned to fight successfully for resources inside the Defense Department. Cyber Command will no longer be subordinate to U.S. Strategic Command, which means cyber-security interests will be more competitive against other priorities like maintaining the nuclear deterrent or defending against weapons of mass destruction. This might seem like a petty bureaucratic point, but having an equal seat at the table can make a big difference in the fight for dollars. This could help draw focus on underfunded challenges like identifying and fixing vulnerabilities in weapons systems and control systems upon which the U.S. military and allied military forces rely.
The biggest wild card was whether the Trump administration would concurrently announce a plan, or at least an intention, for ending the “dual hat” arrangement, under which the same individual serves as both the commander of U.S. Cyber Command and the director of the National Security Agency. The White House release said only that the Secretary of Defense “is examining the possibility” and will announce recommendations at a later date. The Obama administration wanted to end the dual hat in 2016, but, as other have recently explained, Congress nixed that possibility by legislating extensive pre-conditions for a split.
At this point, I find it unlikely the dual hat will split before October 2018, when the military is expected to meet one of those congressional pre-conditions — that cyber forces are fully capable of conducting their missions. While there is always the possibility of accelerating that plan, that would derail a timeline for which the Defense Department has held the military services steadfastly accountable for years, and for which it has invested huge resources to meet. And some of the other Congressional pre-conditions, such as those directing more operational tools and infrastructure, could require resources that aren’t even budgeted yet.
The administration’s announcement was also notably silent on the topic of additional authority for Cyber Command to acquire equipment specifically for the purpose of conducting cyber operations. Congress authorized Cyber Command in 2016 to spend $75 million per year for five years, but most experts believe the command will need a larger, more permanent authority. For now, moving cautiously was a wise move. The command has just started scratching the surface of its existing authority, and it is better to learn from experience and optimize a future request to Congress a few years from now. While the most obvious model is Special Operations Command, which has significant power to acquire equipment for its forces, the comparison only goes so far. For example, cyber operations likely require an even greater use of commercial, off-the-shelf products.
Finally, the president’s announcement did not identify who will be nominated to fulfill the role of commander of the elevated command. This announcement will need to follow in the near term, since Adm. Michael S. Rogers, the current commander of Cyber Command, would need to be re-nominated to serve in the new role. Although many expect him to continue, perhaps through October 2018 when cyber forces reach full operational capability, cyber watchers will be looking with interest on whether reports will prove true that Army Lt. Gen. Mayville will take the reins instead.
And what are the global implications of elevation? First, the move demonstrates U.S. seriousness in an area where NATO and partners in Europe, Asia, and the Middle East have been looking for leadership. Cyber defense issues have steadily moved to the forefront of bilateral and multilateral defense dialogues, and the command’s elevation will breathe new life into key partnerships. Meanwhile, the move is unlikely to trigger major changes by other states in cyber-space, many of whom have already been modernizing and building their own cyber organizations (see, for example, Germany’s establishment of a cyber command in April and China’s Strategic Support Force). Still, some may perceive or assert that this change signals a greater aggressiveness by the United States in cyber-space. This is unwarranted, but is a reminder the United States has more to gain than to lose by working to articulate norms of responsible behavior and, more broadly, foster international efforts to prevent destabilizing activity in cyber-space.
The many internal studies of Cyber Command’s future over the last five years have taken significant energy. Now that the decision is finally made, the focus will turn to implementation — with dozens of practical questions for the department to answer in the next one to five years. What will Cyber Command look like when fully stood up? How will the relationship evolve between Cyber Command and the regional combatant commands like U.S. Central Command and U.S. Pacific Command? (Cybercom “owns” the cyber forces and has a broad picture of cyber threats around the world, but regional combatant commands are protective of their responsibility and authority in their geographic regions.) When and how will the Defense Department satisfy Congress that it has met the conditions for terminating the dual hat without undermining national security? Above all, will last Friday’s announcement help the United States get further ahead of the expansive threats it faces in cyberspace? The answers to these questions may well be just as important as the decision announced Friday.
Kate Charlet is the Program Director for Technology & International Affairs at the Carnegie Endowment for International Peace. She worked as a civil servant on cyber policy issues for five years in the Office of the Secretary of Defense, most recently as Acting Deputy Assistant Secretary of Defense for Cyber Policy. The views expressed here are her own and do not represent the U.S. Government. Follow her at @KateCharlet.