Five Reasons Not to Split Cyber Command from the NSA Any Time Soon – If Ever

demchak

In the waning days of President Donald Trump’s administration, a group of outgoing political appointees unexpectedly pushed through the acting secretary of defense to the chairman of the Joint Chiefs of Staff a hotly disputed plan to split the U.S. Cyber Command from the National Security Agency (NSA). This idea is a contentious and recurring sparring point, emerging in greater public display with the second Obama term. Some argue that the split is a question of when, not if. The debate is likely to continue through into the Biden administration given the proposal’s inclusion in the 2017 National Defense Authorization Act and language creating a commission to study conditions for separation in drafts for the 2021 equivalent law.

Nonetheless, a divorce of this kind is the wrong long-term solution for both agencies and for the nation. Cutting up what’s known as the “dual hat” — an arrangement under which the same leader runs both Cyber Command and the NSA — fragments American “defend forward” capabilities when the nation needs them to be integrated the most. These capabilities allow Cyber Command in particular to operate outside of formal military networks to disrupt malicious attacks at their sources, and are deeply dependent on the closely combined skills of both organizations. The proposal risks reigniting turf battles between the intelligence and operations arms of the secretary of defense and mistakes the intertwined relationship between defense and offense in cybered conflict. Instead of simplistic organizational surgery, therefore, what’s needed is a longer-term plan incorporating Cyber Command and, especially, the capabilities of the National Security Agency into a resilient and adaptive whole-of-society cyber defense system.

 

 

Reasons to Avoid Recreating Silos

Reason 1: Scale of Adversaries

First, the scale of adversary cyber threats is unprecedented, prompting cyber commands not only in the United States but elsewhere to expand budgets and personnel. The latest attack, the so-called SolarWinds campaign, is only one of a legion of campaigns attacking the nation as well as its allies. The massive volume of systemic assaults against the United States and allies requires a matching scale of coordinated units with integrated knowledge and capability for action. Cybered conflict today involves countering adversaries that are operating at a scale and with a reach that is already overwhelming to the combined size of the dual-hatted unit, other federal civilian cyber entities, and the huge commercial cyber security community of the United States. Scale is needed to defeat scale when the battlefield is the interconnected cyberspace substrate underlying all modern national socio-technical-economic systems. Separating the two organizations means withdrawing the huge intelligence agency’s knowledge-generating and cyber security assets back to more traditional strategic national intelligence and defensive information-assurance missions, and away from the more offense-oriented but smaller Cyber Command. There is already a national shortage of people with advanced computer skills. These folks are now shared relatively readily between the joined organizations. A split would increase the competition for such talented employees just when collectively employing the limited set of “wizards” efficiently is essential. Splitting the dual-hat arrangement further weakens an already too small and fragmented U.S. national effort in cyber defense.

Reason 2: Speed in Trade-Off Decisions

Second, the split is likely to hand the speed advantage to adversaries. Unity of command has long been taken for granted as key to a faster decision in a crisis, even given the size of the organization. Having a single leader is even more important in cybered conflict, where offense and defense are inextricably linked, and the guidance of a shared boss helps ensure more speedy trade-off decisions. Weapons in cyber operations need to be tailored to cybered targets in ways more traditional weapons do not. That tailoring requires careful, highly responsive timing and constantly refreshed intelligence. Cyber defense requires a more in-depth understanding of corresponding offensive tools and operations than is required in conventional military forces. Executing cyber offense requires a similar knowledge of cyber defense. Exquisitely detailed intelligence therefore becomes exceptionally important to knowing whether the cyber tools have any discernible offense and defense effects, let alone those desired.

Having the two organizations share the same person as commander in the dual hat is far from what later critics might explain as a convenient, short-term nurturing arrangement for the infant Cyber Command. Rather, it is intended to achieve a longstanding military desire of having close and effective — and therefore accurate and rapid — integration of intelligence and operations. With a dual-hat arrangement, the single individual at the head of Cyber Command and the NSA can more effectively and quickly tailor demand signals to both planners and developers about the intelligence needs of operations against specific targets. Suboptimal speed in trade-off decision-making is certainly more likely if there are two peer organizational leaders viewing themselves as having two different missions.

Reason 3: Synergy in Innovative Shared Operations

Third, separating intelligence from operations as it was before the dual-hat arrangement cedes a critical synergy advantage to adversaries. In all conflict, having knowledge in advance is key to success, resilience, and innovation around future threats, and it is often found by accidental exchanges among colleagues or peers routinely working with each other. Unexpected information discoveries would be less readily shared if the two organizations split. Cyber Command’s operational interests would no longer be prominent in the intelligence analysts’ chain of command or field of view. The traditional distinctions between operations and intelligence concerns are likely to return, with less frequent shared daily practices marking the current operational teams.

To be clear, it is much easier to decouple two organizations than to integrate them — to destroy synergy than to create it. The evolution of a more integrated understanding of cyber operational needs has been a long, hard-fought success so far, and it is not guaranteed to survive a separation. There are always voices in favor of decoupling, irrespective of the overarching benefits. For example, an NSA colleague remarked in a private conversation several years ago that they thought the intelligence agency itself was becoming too “military” in its organization and short-term in its thinking under the dual-hat arrangement. Similarly, in 2016 the executive director of U.S. Cyber Command was quoted as saying, “As the United States Cyber Command, we need totally separate tools and infrastructure to conduct our operations.” If the organizations split, these opinions may gain more adherents and dominate collective efforts. The turf-reinforced bureaucratic divisions would return and the commonality of understanding developed over the past 10 years would wither. So would the spontaneous support in ideas, sacrifice, additional time, and innovative action. If the organizations are separated, the consequences are likely to be less agile, intuited, and innovative cyber operations in both organizations.

Reason 4: Immutable Interdependence

Fourth, removing the dual hat would not improve the organizations’ ability to carry out their operations. The two organizations will still have to cooperate on cyber operations. Two separate hierarchies would have to agree on defense and offense trade-offs in priority of operations and budgets. Furthermore, in cybered conflict, defense is not effective without cyber security, and offense is not successful without intelligence. To the cybered fight, NSA brings cyber security as well as national intelligence. Cyber Command conducts defensive as well as offensive cyber operations. The operational overlaps in mission needs between NSA and Cyber Command are profound, and would be equally disrupted by splitting the two. Disputes are likely to be less easily resolved at lower levels due to the more thoroughly reinforced separated bureaucratic processes. Larger inter-organizational battles could begin in an accumulated multitude of smaller struggles across organizational barriers. Members of each organization will quickly learn how to avoid time-consuming interagency collaboration by demanding that time- or resource-diverting orders across organizational boundaries be, for example, “in writing and sent through the chain of command.”

This split would lose 10 years of lessons in operational offense-defense integration learned through the dual hat.

Reason 5: No Automatic Advantage

Fifth, there is no guarantee of any new advantage to be gained to compensate for what is lost. Neither the desired fragmentation of power by making two commanders from one nor Cyber Command’s potential decoupling from the NSA can ensure that the military unit alone will be more or less aggressive. The organizational evolutionary thread could go either way. Even without the dual-hat structure, laws and military lawyers will exist. They will ensure that each operational commander will be obliged to consider possibilities in surprises, unanticipated consequences, or harmful cascading events. Indeed, the interagency operations deconfliction process could be less favorable to Cyber Command’s desired operations when the NSA director becomes yet another external agency chief competing for authorization, priority, or resources. Conversely, it is possible that an uncoupled Cyber Command could push for operations to be more risk-acceptant. Cybered conflict is a nonstop, urgent struggle, and tactically aggressive cyber operations could prove irresistible if there are fewer old hands from the intel side to urge a wider, longer-term view. For example, an insider essay written in 2019 urged splitting the two organizations so that a separated Cyber Command freed of the intelligence agency’s secrecy-focused covert influence could more readily use an overt and deliberately attributable massive denial-of-service attack on an adversary target. There is no guarantee that more or less offensive operations will happen – or more advantages accrue – if an independent but still forming organization such as Cyber Command finds itself always negotiating with a sovereign NSA for its critical intelligence and cyber security support.

There’s Just Too Much Else to Do

For the United States, the worst choice is to split the NSA from the U.S. Cyber Command too soon, if at all. Both the NSA and Cyber Command are unique assets. The combination was, and continues to be, meant to solve an age-old problem of integration of intelligence with operations as rapidly and organically as possible. Separation of the two may at some point be desirable, but only if the country has a better plan for both agencies beyond “just go back to doing what you were doing” (NSA) and “you do you” (Cyber Command). In the meantime, such a choice stunts the forward learning, experimentation, and defense innovations such as the hunt forward teams supporting allies against state sponsored hackers. It will also distract policymakers, scholars, analysts, and practitioners from more critically needed research and thinking. The United States and its allies are headed into the most challenging era since World War II, facing the largest, most strategically coherent, technologically aggressive, and economically intrusive adversary this community has ever faced. This split and its debate can wait.

Better to find a whole-of-society cyber resilience plan than to rip apart what appears to be working. Such a plan unites government and the information and telecommunications sectors in operations to make America’s whole society effectively resilient to malicious cyber attacks, whether against critical infrastructure, companies, or communities. It is equally important for each of America’s allies. There is no guarantee of survival for democratic states in the coming exceptionally digitized and increasingly authoritarian world unless this minority community of consolidated democracies finds ways to closely cooperate in a cyber operational resilience alliance for collective defense.

The current focus needs to be on this larger societal defense and well-being challenge, not on separating a successful working arrangement in national cyber defense. Needed urgently is a long-term systemic and well-resourced plan that accommodates what each organization inside the government and outside in the technology private sector could bring to the table, what the entire country needs in terms of cyber defense and underlying digital transformation, and how to establish and maintain national resilience with allies as peers and the private sector inside a common democratic digital defense tent. As the global order is shifting, there is little enough time to create and implement a collective working cyber operational defense plan among democratic allies and their interdependent private sectors. Any serious attention or time spent in the United States on whether to split Cyber Command from the NSA right now or any time soon constitutes a distraction from much bigger and more urgent, systemic national challenges.

 

 

With degrees in engineering, economics, and comparative complex organization systems/political science, Chris C. Demchak is the Grace M. Hopper Chair of Cyber Security and Senior Cyber Scholar, Cyber and Innovation Policy Institute, U.S. Naval War College. In published articles, books, and current research on cyberspace as a global, insecure, complex, conflict-prone “substrate,” Demchak takes a socio-technical-economic systemic approach to comparative institutional/architectural evolution with emerging technologies, adversaries’ cyber/artificial intelligence/machine learning use in campaigns, virtual wargaming for strategic/operational organizational learning, and regional/national/enterprise-wide resilience against complex systems surprise. Her manuscript in-progress is titled Cyber Westphalia: Rise of Great Systems Conflict and Need for Democratic Collective Resilience. Her next manuscript is titled Cyber Commands: Organizing for Cybered Great Systems Conflict.

All ideas expressed here are those of the author and do not reflect the views of the United States Department of Defense, the Navy, or the U.S. Naval War College.

Image: U.S. Army Cyber Command