Cybersecurity and Deterrence
Ending the “Dual-Hat” Arrangement for NSA and Cyber Command?
President Trump’s recent move to install a set of lame-duck “acting” officials atop the Pentagon (that is, officials who have neither been nominated to hold these offices on a permanent basis nor put forward for Senate confirmation) continues to spawn major policy changes. The latest? An eleventh-hour push to end the “dual-hat” arrangement pursuant to which the Director of the National Security Agency also serves as the Commander of U.S. Cyber Command. Whether and when to take that step has been the subject of discussion for many years, and is subject to certain “certification” requirements imposed by Congress a few years ago. Few expected to see a push to resolve it now. But here we are, and here’s what you need to know.
1. Background: Why does the “dual-hat” arrangement exist, and why is there a debate about ending it?
For a thumbnail sketch of how Cyber Command came to be co-located with NSA, and jointly commanded by NSA’s Director, see Mike Sulmeyer’s 2017 War on the Rocks post addressing this issue (and note that, subsequent to Mike’s article, Cyber Command became a combatant command in its own right, separating from its prior status as a sub-unified command within U.S. Strategic Command). The idea boiled down to this: in order to accelerate Cyber Command’s development, it was co-located with the NSA (and not just in the physical sense, but with shared personnel, tools, and infrastructure). The “dual-hatted” leadership model followed naturally from that intertwined structure.
The assumption in the early days was that, of course, one day Cyber Command and the NSA would separate. The idea all along had been to incubate Cyber Command, not to develop a novel hybrid model that would be sustained indefinitely. After all, few at the time anticipated that the intertwined institutional relationship might actually be optimal for a world like ours today, in which great power competition manifests in the form of constant adversarial cyber-domain activity below the level of armed conflict (with the lines separating espionage, covert action, and military activity much less apparent than in conventional physical spaces). Most observers assumed that Cyber Command eventually would break off on its own, once it developed sufficient personnel, accesses, and other operational capabilities of its own (and capacities to replenish these things on a sustained basis).
Experience with the dual-hat arrangement in the thick of the war with the Islamic State (in particular, the perception in some quarters that Admiral Mike Rogers as the dual Director/Commander unduly favored NSA intelligence collection equities over Cyber Command operational equities) resulted in pressure to make that move sooner rather than later, as I explained in this summer 2017 Lawfare piece.
Congress ultimately intervened, with members of the Senate and House Armed Services Committees in particular concerned that a precipitous separation might leave us with a Cyber Command not quite ready for prime time. Accordingly, in late 2016, Congress used the National Defense Authorization Act process to impose benchmarks on the separation decision, ones that both the Secretary of Defense and the Chairman of the Joint Chiefs of Staff must certify have been met before separation lawfully can occur.
2. Let’s have a look at those statutory preconditions.
Section 1642 of the NDAA FY17 provides that separation cannot occur unless and until both the Secretary of Defense and the Chairman of the Joint Chiefs together certify that separation will not impose an “unacceptable” risk to Cyber Command’s operational effectiveness and that six more-specific conditions have been met:
(i) Robust operational infrastructure has been deployed that is sufficient to meet the unique cyber mission needs of the United States Cyber Command and the National Security Agency, respectively.
(ii) Robust command and control systems and processes have been established for planning, deconflicting, and executing military cyber operations.
(iii) The tools and weapons used in cyber operations are sufficient for achieving required effects.
(iv) Capabilities have been established to enable intelligence collection and operational preparation of the environment for cyber operations.
(v) Capabilities have been established to train cyber operations personnel, test cyber capabilities, and rehearse cyber missions.
(vi) The cyber mission force has achieved full operational capability.
The next year, in Section 1648 of the NDAA FY18, Congress added a requirement of a one-time report describing the Defense Department’s progress towards these conditions. Then, in late 2019, Section 1636 of the NDAA FY20 tightened the aforementioned list of required certifications by altering the terms of items (iii) and (vi), as follows:
(iii) The tools, weapons, and accesses used in and available for military cyber operations are sufficient for achieving required effects and United States Cyber Command is capable of acquiring or developing such tools, weapons, and accesses;
(vi) The cyber mission force has achieved full operational capability and has demonstrated the capacity to execute the cyber missions of the Department, including the following:
(I) Execution of national-level missions through cyberspace, including deterrence and disruption of adversary cyber activity;
(II) Defense of the Department of Defense Information Network; and
(III) Support for other combatant commands, including targeting of adversary military assets.
In the same statute, Congress imposed a detailed biannual briefing requirement, pursuant to which both the Secretary of Defense and the Director of National Intelligence must give updates on the NSA/Cyber Command relationship.
Those are the rules that govern today. A provision in the pending NDAA for Fiscal Year 2021 (Section 1732), if enacted, would require DoD to produce a study of “the operational planning and deconfliction policies and processes that govern cyber operations of the Department of Defense,” including requirements to address, among other things, “intelligence gain-loss decisions made by Cyber Command.” It would not, however, change the statutory certifications required before separation can occur.
3. So, have those certifications been issued?
No, not yet. Until a few days ago, in fact, this just did not seem to be on anyone’s radar.
But this past Friday, an alarmed Chairman of the House Armed Services Committee, Adam Smith (D-Wash.), sent letters both to Acting Secretary of Defense Miller and to Chairman of the Joint Chiefs of Staff General Mark Milley expressing “profound concern about reports that the Department is unilaterally seeking to end the dual-hat relationship … without consulting Congress or meeting the conditions required by law.” An article early Saturday afternoon by C4ISRNET’s Mark Pomerleau expanded on things, describing an effort by the lame-duck Trump administration to end the dual-hat arrangement, and indicating that the request had been put forward by Acting Secretary Miller to Chairman Milley. A few hours later, Katie Bo Williams reported for Defense One that Acting Secretary Miller himself has not yet formally approved the proposal (which presumably means he has not actually signed the requisite certifications) but almost certainly will do so. At any rate, all agree that the only question now is whether General Milley will cooperate in issuing the aforementioned certifications.
4. What else can I read to understand the pros and cons of separation?
I think you’ll find my summer 2017 Lawfare piece (the one I cite above, concerning Cyber Command and the Islamic State) helpful on this question. You might also check out this analysis from James Di Pane at Heritage. There are many others. For now, let me sum up the stakes in very general terms.
Arguments in favor of separation include the idea that the responsibilities of the two organizations are far too sweeping and complex to justify a single commander/director; that Cyber Command will never reach full maturity so long as it remains in a position to fall back on NSA infrastructure, tools, etc.; that the dual-hat arrangement results in too much emphasis on NSA collection equities in comparison to Cyber Command operational equities; and (hat tip to Dmitri Alperovitch on this one) that greater institutional separation will provide cleaner signaling to adversaries regarding U.S. intentions in instances in which adversaries detect cyber activities and can attribute them correctly (thus minimizing the risk of dangerous errors on their part, similar to how it might matter to U.S. analysts whether a Russian breach is conducted by the SVR rather than the GRU).
Arguments against separation emphasize the idea that it is optimal to have an institutionally-integrated ability to toggle between Title 10 (military) and Title 50 (intelligence) authorities; that having the dual-hat commander with a full commitment to both organizations guarantees the existence of a deconfliction process; and that Cyber Command might yet be too limited in its independent capabilities to justify formal separation at this point.
From an outsider's perspective, it’s nigh-impossible to form a strong opinion on how best to balance these considerations. Much depends on what additional/future steps might be taken to compensate for the pros and cons of either approach.
Of course, that’s precisely why Congress has imposed conditions on the separation decision. Alas, it’s now clear that Congress should have insisted as well on receiving far more frequent briefings—and documentation—on the status of DoD’s progress with respect to each of the certifications.
5. Could a separation decision be unwound without undue costs?
Probably so. There is not much time left on the calendar before the Inauguration. The Biden administration likely could suspend implementation of a separation order before much of consequence has occurred, should it be so inclined.