22 July 2017

Cutting Cyber Command’s Umbilical Cord to the NSA

GENERAL MICHAEL HAYDEN

Despite the many logistical and operational challenges of a transition, many acknowledge that U.S. Cyber Command must eventually separate from the National Security Agency. According to news reports, the Trump Administration is now finalizing plans to separate Cyber Command from its parent organization, the National Security Agency. While the details of the reorganization are still being worked out, an official decision could be announced in the coming weeks. In March, The Cipher Brief spoke with General Michael Hayden, former director of both the NSA and CIA, about how Cyber Command came about, the different roles and authorities between the NSA and Cyber Command, and why they must eventually be separated.

The Cipher Brief: How did U.S. Cyber Command come to be and what strategic role does it play in cyberspace?

Michael Hayden: I was the first commander of a Cyber Command-like entity. We called it Joint Functional Component Command Net Warfare (JFCCNW). I took authority for that in early 2005 and worked with General James Cartwright, who at the time was commander of Strategic Command. The idea is simply this: in the cyber domain the technical and operational aspects of defense, espionage, and cyberattack are frankly indistinguishable – they are all the same thing.

As the United States moved forward, it wanted to do more than just steal other countries’ secrets, but actually create effects. To do this in and through the cyber domain, it was a natural process to do it from Fort Meade, because again, operationally and technologically cyber espionage is not distinguishable from cyberattack.

However, while it is not distinguishable operationally and technically, it is distinguishable in law, and it is distinguishable in authority. So although we could do it at the NSA in practice, the NSA is not allowed to do it. So what we had to do was create another entity that could make use of the expertise and technology at the NSA, but would operate under different authorities. And that was JFCCNW, and eventually Cyber Command.

TCB: What is the purpose of the dual-hat leadership role and has it been effective in accomplishing that purpose?

MH: The purpose of the dual hat has to do with the same reasons mentioned before, so having one guy responsible for both the NSA and Cyber Command makes sense. The difference between the two is simply an act of will – what is it that you want to do and do you have the authority to do it? If the NSA has the technology and expertise, it just made a great deal of sense at that time to, one, put the new cyberattack entity at Fort Meade, and, two, put it under the director of the NSA.

Now we knew all along that at some point the cyberattack entity was going to get to a level of maturity that it would actually be constrained, be limited, by being under the director of the NSA, whose primary job is fundamentally intelligence, not attack. It was a question of maturity. When did the cyberattack entity – first JFCCNW, then later Cyber Command – have enough maturity that it no longer had to be reliant on NSA that the NSA director had to be commander of it.

When that is exactly is open to argument. There will be people who will always push back, saying now is not the time. But sooner or later, it is the time and I’m comfortable enough that they can do it now, and let the command grow at its own pace, just like any other military command, while not having this umbilical cord to the director of the NSA.

TCB: You mentioned the legality aspect earlier. Could you speak to the different legal frameworks the NSA and Cyber Command operate under?

MH: NSA is authorized to steal other people’s information, and in doing that it is authorized some authority to manipulate their network so that they don’t get caught. The NSA does not have the authority to destroy someone else’s information, to change someone else’s information, to harm someone else’s network, or to take control of someone else’s computers in order to create physical destruction. That is a warmaking Title 10 function. NSA has espionage-based Title 50 functions. Congressionally, the NSA comes under the oversight of the Intelligence committees, whereas Cyber Command comes under the congressional oversight of the Armed Services committees. All of that is pretty clean and logical.

TCB: What would the impact of a separation have on both organizations?

MH: It will presume that for most of the things on which Cyber Command had been relying on NSA, the Command now has reached enough maturity that it can do it for itself. So rather than dual-hatting people in the Tailored Access Operations – who do espionage – and letting them do the Title 10 functions as needed on order, now the Command begins to build up its own capacity. Admiral Mike Rogers [head of Cyber Command and NSA Director] has talked about building well over a hundred cyberattack teams. They wouldn’t have to rely on the workforce of the NSA performing a different function under different authorities. So the command is just growing in capability.

But as I pointed out, these are different missions. So it is probably not unfair to conclude that neither the NSA or Cyber Command can be all you want them to be if you keep them together, because keeping them together creates the necessity for compromises between them. Whereas if you separate them, NSA can go all out with espionage and Cyber Command can go all out with its functions.

TCB: What needs to happen before a complete split between the NSA and Cyber Command takes place?

MH: Well because [Senate Armed Services Committee Chairman] John McCain [R-AZ] has directed that they not separate until Congress has approved, they are going to have to go to Congress and say here is what we are going to do, here is why, and this is why it is a good idea. They are going to have to get Congress, at a minimum, not to object.

TCB: Do you think a complete separation will eventually occur? How long could it take?

MH: Yes, it will occur. As smart people sit down and build up a big plan, lay it out on a chart, and create a transition program, they could do it in nine to 12 months.

No comments: