Cyber Command, the NSA, and Operating in Cyberspace: Time to End the Dual Hat
To publish this article, I had to submit it for review to three separate organizations: the U.S. Army Intelligence and Security Command, United States Cyber Command (my employer), and the National Security Agency (NSA). In total, it took just under two months to secure approval from all three organizations for public release, significantly longer than it took to actually write the article itself. And this is still substantially faster than Cyber Command’s process to review and approve actual cyberspace operations, a system subjected to similar redundancy and repetition.
The organizational inefficiency inherent to both processes is a consequence of the “dual hat” relationship between NSA and Cyber Command, which entrusts the command of both organizations to a single individual. The original motivation for the arrangement — which was always intended to be temporary — was to allow a nascent Cyber Command to benefit from NSA’s expertise, capabilities, and experience, which helped all of Cyber Command’s teams to achieve full operational capability last year. In practice, the relationship allows a single individual to weigh the oft-competing interests of NSA and Cyber Command, whose responsibilities in the cyber domain frequently overlap. The dual hat command relationship has been continually reviewed by presidential administrations since its inception, and experts have made competing arguments for both the dissolution and continuation of the arrangement.
While most of the arguments for ending the dual hat relationship have focused on the successful buildup of Cyber Command or the risk to NSA’s operations and capabilities, comparatively little attention has been given to how the organizational overlap with NSA affects Cyber Command’s pursuit of its missions. The interdependence between the two organizations has allowed Cyber Command to grow accustomed to virtually uninterrupted operational and logistical support from NSA offices. This deeply ingrained organizational reliance on NSA tradecraft and processes has fundamentally shaped the way the command approaches cyberspace operations. Specifically, by borrowing from NSA’s procedures and culture, Cyber Command has steadily become more risk-averse than befits an organization dedicated to offensive operations and imposing costs on adversaries. For Cyber Command to more effectively accomplish its mission, it should be separated from NSA sooner than planned. This will allow the command to better pursue the nation’s military objectives in cyberspace, including deterring potential adversaries from threatening critical national infrastructure.
Dual-hatting initially made sense because there is a fundamental similarity between the technical aspects of military cyberspace operations (Cyber Command’s domain) and intelligence-related computer network operations (what NSA does). Gen. Michael Hayden noted that offensive cyberspace operations and signals intelligence are technically indistinguishable from each other, citing this as reason for unifying the command of the two organizations responsible for each. A pressing need to develop a robust military cyberspace operations capability motivated the decision to attach Cyber Command to the fully developed and functional NSA.
However, though Cyber Command and NSA share technical similarities in their operations, they operate under distinct legal authorities for different purposes. NSA, with authority from Title 50 of the U.S. Code, is responsible for conducting signals intelligence collection, which involves accessing computer networks for the purpose of secretly gathering information from them. Conversely, Cyber Command primarily derives its authority from Title 10 and is responsible for conducting military computer network operations, which involves accessing computer networks for the purpose of creating noticeable effects on them. These effects, which are intended to support a specific military objective, are typically one of the “5 Ds”: deny, degrade, disrupt, deceive, or destroy. This subtle, yet important, distinction between the two organizations’ authorities and missions is critical to understanding the sometimes contentious relationship between Cyber Command and NSA. Cyber Command, in its earliest days, was essentially an organizational arm of NSA established to provide legality for conducting operations that NSA possessed the technical capability to execute, but not the legal authority. While some of Cyber Command’s recent operational successes against adversaries have made headlines, NSA’s operations have not — and that’s exactly how it ought to be.
The dual hat arrangement was never intended to be permanent. The guidance that President Barack Obama issued after signing the 2017 National Defense and Authorization Act clearly stated the commander in chief’s desire to see the two organizations separated. That NDAA established a specific set of criteria to terminate the dual hat relationship. A number of these criteria are easily quantifiable and have already been met, such as Cyber Command’s mission forces achieving full operational capability. Others, however, are more difficult to objectively assess, such as ensuring that “robust command and control systems and processes have been established for planning, deconflicting, and executing military cyber operations.” These are systems and capabilities that continue to be developed out by Cyber Command with significant influence and assistance from NSA.
Cyber Command’s current approach to conducting computer network operations focuses heavily on the review and approval process. In addition to ensuring legal compliance with the myriad authorities and orders pertaining to cyberspace operations, review processes focus on risk management. Strategic-level operations conducted by Cyber Command undergo exhaustive review and approval processes meant to minimize risk to tradecraft, capabilities, and security. Operational security is of critical importance to cyberspace operations, where the efficacy of a weapon system hinges upon its ability to operate secretly. In 2016, a hacking group known as the Shadow Brokers published cyber tools and capabilities that allegedly belonged to NSA, causing profound damage to the agency’s ability to conduct operations.
For every operation Cyber Command executes, joint leaders and operations planners must meticulously calculate and evaluate the risk associated with that particular operation. This is an exceedingly complicated task that requires detailed knowledge of the operations planning and approval process, in addition to technical familiarity with the underlying technologies associated with the operation. In developing this process, Cyber Command has relied heavily on the experience of NSA, using similar processes to ensure that risk is minimized. In so doing, Cyber Command has inadvertently patterned its own appetite for risk after NSA’s. But while NSA’s operations are conducted with scrupulous operational security, intelligence collection is not the primary mission of Cyber Command. In the words of Gen. Paul Nakasone, Cyber Command’s primary mission is to impose costs on adversaries who have acted in the cyberspace domain without fear of retaliation. Imposing cost implies inflicting noticeable damage to a target in a manner that would typically be considered too noisy, risky, or noticeable in signals intelligence operations.
When conducting offensive cyberspace operations, there are essentially two ways to acquire access to a target system: using credentials to masquerade as a legitimate user, and using a vulnerability to exploit a system. In a masquerade, an attacker uses valid credentials, such as a username and password, to log in to the target system as an authorized user. Masquerade attacks are usually difficult to detect because they rely on the system behaving the way it’s supposed to. Conversely, an exploit relies on the existence of a technical vulnerability that allows an attacker to gain unauthorized access to a system. Exploitation relies on a system functioning incorrectly, and is significantly more likely to produce alerts that can expose an attack.
To assess the risk associated with these types of operations, Cyber Command solicits approval from an array of staffs and reviewers. In part because Cyber Command has relied heavily on NSA training, support, and experience to establish these processes, exploitation operations — which by nature carry a greater risk of detection — are subject to increased standards of scrutiny. Likewise, operations that produce a noticeable effect, such as a denial-of-service attack, are typically viewed with aversion. This is detrimental to Cyber Command’s execution of its mission, as producing the desired outcomes against an adversary requires assuming more risk. In reality, the operations approval structure of Cyber Command is set up to prioritize the security of operations above all else, and is extremely risk-averse. Cyber Command’s mission is fundamentally different than NSA’s, and rather than copying approval processes used in intelligence operations, it ought to employ a structure more typical of a military command. However, as long as it relies on NSA tradecraft and expertise Cyber Command will continue to use a paradoxical operations process that is fundamentally opposed to the exact type of mission it is charged with conducting.
The review process for a Cyber Command operation also requires an equities review by a multitude of government, intelligence, and military stakeholders. The idea is that all relevant parties have an opportunity to address potential concerns with a proposed offensive cyberspace operation. While one of the principal original concerns with the dual hat arrangement was the potential for unfair prioritization of Cyber Command support requests to the NSA, the equities review process has instead created the opposite problem. Because Cyber Command depends so heavily on NSA logistical and operational support, it has essentially lent the agency de facto veto authority on offensive cyberspace operations: Cyber Command risks losing NSA-facilitated training, NSA-provided office space, and access to NSA’s signals intelligence data by bickering with NSA over who get a shot at a given targets. The responsibility of balancing the prioritization of the distinct missions of two different organizations should not be delegated to a single individual. Doing so inevitably privileges one mission at the other’s expense, and ultimately impedes overall progress for both.
The self-defeating nature of the dual hat also runs contrary to America’s increasingly risk-tolerant approach to countering adversary competition in cyberspace. Analysts have repeatedly advocated that the United States take a more proactive approach to cyberspace operations. The summary of the 2018 Department of Defense Cyber Strategy shifts toward a focus on “defending forward,” establishing a more aggressive stance in cyber operations through a policy of embracing constant forward contact. The strategy explicitly replaces the previous focus on risk mitigation and escalation control with a risk-acceptant commitment to “assertively defend our interests.” The strategy indicates that the Department of Defense will “accept and manage operational and programmatic risk in a deliberate manner that moves from a ‘zero defect’ culture to one that fosters agility and innovation.” The document acknowledges the risk inherent to the conduct of cyberspace operations, but ultimately accepts the possibility of operational failure as a necessary consequence of deterring adversary competition in cyberspace. Shifting to a more proactive stance with military cyberspace operations is not a provocative overreaction to malicious activity, nor does it reasonably stand to elicit an escalatory response from adversaries. Rather, shifting Cyber Command away from a risk-averse mindset is a recognition of an increasingly contested information environment in which the command is at serious risk of being outpaced and outplayed in its current state.
The missions of NSA and Cyber Command will continue to compete for priority and advocacy under the dual hat. The shaping effect of this relationship has diminished Cyber Command’s appetite for risk, and slowed the approval process for military cyberspace operations to a sluggish crawl. What takes adversaries mere minutes to do takes Cyber Command weeks, or even months. In the cyberspace domain, where windows of opportunity for an operation can be vanishingly small, Cyber Command’s review and approval processes need a paradigm shift. NSA has been instrumental to the development of Cyber Command, and the existence of the command, as well as its operational successes, are a credit to NSA’s diligent work to establish and support a military presence in cyberspace. However, as has been echoed by previous presidential administrations, the time has come to allow Cyber Command to stand on its own, and free NSA from the responsibility of nurturing a full-fledged combatant command in addition to pursuing its own mission.
With the 2020 elections fast approaching, the potential consequences are simply too significant to continue kicking this can down the road. The dual hat should be split by the end of the calendar year, if not sooner. Eliminating the dual hat is a critical step toward allowing both organizations to engage more fully with their missions and moving Cyber Command to a culture of greater risk acceptance.
Andrew Schoka is an active duty Army cyber operations officer assigned to U.S. Cyber Command at Fort Meade, Maryland. He is a Distinguished Military Graduate of Virginia Tech with a bachelor’s degree in systems engineering. The views and opinions expressed in this paper are those of the author alone and do not necessarily reflect the official policy or position of the U.S. Department of Defense, U.S. Cyber Command, or any agency of the U.S. government.
Image: U.S. Army photo