To Split or Not to Split: The Future of CYBERCOM’s Relationship with NSA

By Emma Kohse, Chris Mirasola
Wednesday, April 12, 2017, 1:03 PM

U.S. Cyber Command (CYBERCOM) is the U.S. armed forces command charged with offensive and defensive cyber operations. Since 2010, it has coexisted with NSA as two organizations under one director. It is simultaneously embedded within U.S. Strategic Command (STRATCOM), a functional (i.e., non-geographic) command with broader responsibility for detecting and deterring strategic attacks against the United States. Both arrangements are likely coming to an end in the near future.

In a move set up by the 2017 National Defense Authorization Act (NDAA), CYBERCOM will be elevated from a sub-unified command under STRATCOM to a fully independent unified combatant command. The 2017 NDAA also maintains a more hotly contested opportunity for CYBERCOM to be split from the NSA as early as October 2018.

Below is a brief primer on those two impending issues.


The Debate over Splitting CYBERCOM from NSA

Defense Secretary Jim Mattis’s deputy principal cyber advisor, Maj. Gen. Burke “Ed” Wilson, recently said that he is “99 percent sure we’ll elevate [CYBERCOM to a full combatant command] and do it fairly quickly.”

Cutting the “umbilical cord” from NSA may be a longer process, but momentum seems strong within the new administration. In the 2017 NDAA, Congress mandated that CYBERCOM's Cyber Mission Force (CMF), a dedicated cyber unit of consisting of 133 teams, must reach full operational capacity (FOC) before the dual-hat leadership arrangement can be terminated. FOC is achieved when a command has the institutional capability and expertise to independently carry out any mission within its ambit of responsibility. CMF reached initial operational capability—a  threshold level of capability to accomplish mission objectives—last October and is on track to reach FOC by the end of fiscal year 2018. Once the Secretary of Defense and the Chairman of the Joint Chiefs of Staff determine that the separation “will not pose risks to the military effectiveness” of CYBERCOM, the president may decide to initiate the split.

CYBERCOM was created as a sub-unified command within U.S. Strategic Command in 2009, absorbing the Joint Task Force for Global Network Operations and the Joint Functional Component Command for Network Warfare. Its mission has both defensive and offensive components. Per a Department of Defense fact sheet:

USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

The decision to locate CYBERCOM at the NSA headquarters in Fort Meade was a logical choice at the command’s inception. NSA ensured that CYBERCOM had the necessary resources, infrastructure, and expertise with signals intelligence to develop its own capabilities. Though CYBERCOM’s mission is distinct from that of NSA, many of the tools needed to conduct cyber operations are virtually the same as those necessary for cyber surveillance and espionage. As former NSA Director General Michael Hayden puts it, “in the cyber domain the technical and operational aspects of defense, espionage, and cyberattack are frankly indistinguishable.” Moreover, similar skillsets are required for NSA and CYBERCOM activities, and personnel with the appropriate levels of expertise are reportedly in short supply.     

Despite significant technological overlap, NSA and CYBERCOM largely operate under different legal authorities. NSA’s authority to conduct espionage, including cyber surveillance, comes from Title 50 of the U.S. code, while CYBERCOM would typically take offensive action pursuant to Title 10 authorities. General Hayden explains: “NSA does not have the authority to destroy someone else’s information, to change someone else’s information, to harm someone else’s network, or to take control of someone else’s computers in order to create physical destruction,” as these actions constitute “a warmaking Title 10 function.” However, NSA personnel may conduct intelligence gathering to support a Title 10 military operation, and existing law does not preclude CYBERCOM from conducting a Title 50 operation. Dual-hatting personnel between the two organizations, as has become common practice, further muddies the unclear line between Title 10 and Title 50 authorizations. Though this close coordination has benefits, there are concerns about mission distortion. A presidential panel convened by President Obama to evaluate the NSA after the Snowden leaks reported a “pressing need to clarify the distinction between the combat and intelligence collection missions,” and recommended appointing separate heads to remedy this line-blurring problem.

Supporters of the split also point to other potential advantages. The creation of a fully independent command dedicated to cyber operations denotes a level of seriousness and dedication to the development of U.S. cyber capabilities appropriate for an era in which cyber offense and defense are critical to U.S. national security interests. For some in the government, the slow pace at which CYBERCOM has developed effective offensive tools has been a source of frustration, particularly as the military tackles threats like ISIS. Some predict that an independent CYBERCOM would be better positioned to aggressively, and sometimes more openly, pursue its mission, particularly for situations in which military and intelligence goals may be unaligned. For example, it might be of strategic benefit that a Title 10 action be attributable to the United States, whereas for intelligence purposes, avoiding detection for the same action is essential. In addition, a commander dedicated solely to cyber military operations may be able to advocate more effectively for resources and personnel than would be possible in a dual-hatted role, and CYBERCOM has struggled with resource constraints under current joint leadership. The separation could also allow CYBERCOM-dedicated personnel to specialize and develop advanced cyber capabilities. Finally, there is the simple fact that leading either of these organizations alone is a more than fulltime job and it is untenable to expect a single person to accomplish both simultaneously.

Others, however, have argued that the benefits of shared infrastructure and dual-hatting NSA and CYBERCOM employees outweigh any gains from separation. Even assuming CMF reaches FOC by October 2018, there are questions about the additional resources, financing, and capabilities that would need to come online such that CYBERCOM could be weaned off of its reliance on NSA. Some key players, including Senator John McCain, argue that it would be foolish to separate organizations that must be closely coordinated to ensure success. The NSA has the advantage of over 50 years of experience with signals intelligence, which will continue to be the foundation for seven-year-old CYBERCOM’s operations even after the separation. Furthermore, it takes far longer than the typical three-year military billet to develop the expertise needed to conduct cyber operations. In addition, dividing responsibility between two wholly separate cyber-focused entities increases the risk that they will work at cross-purposes.


Steps Towards a Unified, Separate CYBERCOM

Notwithstanding these concerns, separating NSA from CYBERCOM has become more a question of when rather than if. As mentioned above, the 2017 NDAA establishes that CYBERCOM will be elevated to a unified combatant command. Taken together, these changes may increase the risk of disruption to CYBERCOM’s mission effectiveness. As such, military leaders can learn from the formation and dismantling of past functional combatant commands as they plan for both elevating and separating CYBERCOM from STRATCOM and NSA.

One such functional unified combatant command is U.S. Special Operations Command (SOCOM), which Congress created in 1987. SOCOM is tasked with synchronizing and carrying out Special Operations (e.g., hostage rescues, counterinsurgency actions) in support of missions in global combatant commands. It was created after Congressional and DoD investigations determined that a clearer organizational focus and chain of command—as well as dedicated funding—were needed for special operations in low-intensity conflicts.

Frank Cilluffo of George Washington University has recommended that CYBERCOM adopt a collaborative operations style similar to that employed by Joint Strategic Operations Command (JSOC)—a subunified division of SOCOM responsible for quick, high-profile strikes like the mission to capture or kill Osama bin-Laden. Like JSOC, CYBERCOM would draw on intelligence assets (i.e., from NSA) to quickly harmonize and implement cyber operations. Ideally, this model of collaborative operations would preserve the important relationship that has developed between NSA and CYBERCOM while allowing each to pursue a distinct mission set.

Even if a collaborative model, similar to JSOC, is adopted, the potential for redundant responsibilities—which has led to the downfall of past COCOMs—would still loom large. U.S. Strategic Command, for example, has a broad set of capacities, including “tailored nuclear, space, cyberspace, global strike, joint electronic warfare, missile defense, and intelligence capabilities.” While formal responsibility for cyberspace may be removed, preventing overlap between these two commands will likely be difficult. If not adequately deconflicted, one could imagine CYBERCOM being reintegrated into STRATCOM just as U.S. Space Command was rolled into STRATCOM in 2002 to facilitate integrated command for “C4ISR” (command, control, communications, computers, intelligence, surveillance, and reconnaissance). Does a “C3ISR” model make sense for STRATCOM? After all, cyber, just like military space capacities, is fundamental to U.S. command and control.

Expansive mandates, unsupported by commanders of existing COCOMs, have also proved fatal to functional combatant commands. U.S. Strike Command, later U.S Readiness Command, was tasked with providing a reserve of general purpose forces, training reserve forces, developing joint doctrine, and planning for contingency operations. It was then expanded to include planning for operations in the Middle East, sub-Saharan Africa, and Southern Asia. Criticized for becoming a “world-wide General Purpose Forces Command,” it was disbanded in 1986 to allow for a more narrowly-tailored command—SOCOM. This bears out a central lesson that General Duane Cassidy, the first commander of U.S. Transportation Command (TransCom), derived from TransCom’s success: it is essential to have (1) buy-in from leadership of the other combatant commands and (2) support from civilian leadership.

Though the debate over CYBERCOM’s independence and institutional design will no doubt continue, a complete separation now seems inevitable. While CYBERCOM’s shift away from reliance on NSA will be necessarily gradual, General Hayden estimates the transition could be achieved in as little as nine months. This means that a fully independent CYBERCOM—with all its potential benefits and liabilities—could be just a few years away.