Congress is set to authorize the elevation of US Cyber Command, taking it from under the purview of US Strategic Command and making it a fully unified combatant command.
In the finalized National Defense Authorization Act that passed House and Senate conference committees, the legislation authorizes the secretary of defense to establish a unified combatant command for cyber operations forces. Currently, CYBERCOM is a sub-unified command beneath STRATCOM, which oversees a bevy of areas from the nation’s nuclear capabilities to space and cyber.
What this designation means in practical terms is greater scope in global campaign planning, funding, authorities, personnel and policy, said Mackenzie Eaglen, resident fellow in the Marilyn Ware Center for Security Studies at the American Enterprise Institute.
This elevation also makes cyber a core and priority mission for the Department of Defense, according to Eaglen.
While short-term change may be limited, changes over the long haul could be significant, she said, such as authorities given to the commander to conduct force planning on defensive operations, offensive operations and building concepts for tackling problems within the cyber domain.
However, the elevation might be more symbolic than real, according to Paul Rosenzweig, former assistant secretary for policy at the Department of Homeland Security. Since inception, the commander of STRATCOM has essentially delegated all cyber authority to the commander of CYBERCOM, he noted, adding that in practical terms, CYBERCOM was already functioning independently, albeit with a few additional signoffs and individuals in the chain of command.
In some ways, the elevation to a fully unified command, and thus away from STRATCOM, might be a reduction in the importance of cyber, Rosenzweig said. It signifies a normalization of cyber, much like airplanes or tanks, and not a strategic resource, he offered. In practice, the elevation means that the head of CYBERCOM will get a seat at the table and be able to ask for more money, more troops and more billeting, and he’ll likely get it, Rosenzweig added.
Also notable in the legislation is that while one measure is elevating the command, CYBERCOM's growth is still stunted as it's prohibited from separating from its parent organization, the US National Security Agency. The bill prevents the commander of these two organizations from being split until DoD certifies that severing this dual hat won’t pose any risks to military effectiveness.
In addition, Congress is mandating that the secretary of defense and the chairman of the Joint Chiefs of Staff must meet a set of criteria and assessments prior to severing the dual hat. These include, among others, that each organization can effectively carry out its mission independently and that each possesses the necessary infrastructure, tools, personnel, command and control, and deconfliction capabilities. Lastly, the cyber mission force must reach full operational capability, slated for 2018, prior to severing the dual hat, the bill said.
Sen. John McCain, chairman of the Senate Armed Services Committee, has been a vehement opponent of severing the dual hat, which has reportedly been recommended to the president by the defense secretary and director of national intelligence.
“If a decision is prematurely made to separate NSA and Cyber Command, I will object to the confirmation of any individual nominated by the president to replace the director of the National Security Agency if that person is not also nominated to be the commander of Cyber Command,” he said during a September hearing.
For his part, Adm. Michael Rogers, who heads both organizations, has also said that while now is not the time to sever the dual hat, it will be inevitable in the future.
“I’ve been very public about saying I believe in the long run the right thing is to keep these two aligned, but to separate them. As Cyber Command, particularly, gains more capacity and more capability, the demand on Cyber Command’s time, resources and capabilities just continue to grow,” he said at the Intelligence & National Security Summit in Washington in September. “I just think you need two people, full time, focused on this, but even as we do that, you’re going to need to keep these closely aligned.”
Many experts, including current and former government officials, agree that now might not be the time to sever this dual hat, as CYBERCOM is significantly reliant on the capabilities, personnel and infrastructure that NSA has to offer. This is despite their differing missions: NSA as an intelligence-gathering organization that supports the combatant commands, and CYBERCOM as a war-fighting organization.