The chief of U.S. Cyber Command understands that policies and official strategies are important to the governance of the military's cyber arm, but administrative activities are taking a back seat to operational needs.
In an April 5 hearing before the Senate Armed Services Committee, Adm. Mike Rogers, CYBERCOM commander and director of the National Security Agency, told lawmakers that his focus is on boosting the military's capacity to ward off threats, partnering with the right allies and potentially empowering the cyber agency by elevating it to a combatant command.
Currently, CYBERCOM is subordinate to U.S. Strategic Command. The debate over whether to launch CYBERCOM as a combatant command – which would give it additional powers in decision-making, weapons-buying and more – has been ongoing since the agency's genesis in 2009.
The standalone command designation "would allow us to be faster, which would generate better mission outcomes," Rogers said. "I would also argue that the department's processes of budget prioritization, strategy and policy are all generally structured to enable direct combatant commander input into those processes. That's what they're optimized for. I believe that cyber needs to be a part of that direct process."
The aforementioned mission focus was central and recurrent in Rogers' testimony before the committee, during which lawmakers repeatedly asked about governance and policy issues – which are still hazy across the White House, the Office of the Secretary of Defense and the combatant commands. Rogers instead emphasized the need for greater operational capability within CYBERCOM to carry out those missions.
"Look, even as we're trying to get to the broader issues you all are raising – much of which are outside our immediate mission set – our mission is to generate capability and capacity and be ready to go as those broader issues are raised," Rogers said. "I don't want to wait for everything to fall into place. We don't have time to wait."
Rogers said he's "focused like a laser" on fortifying specific areas of cyber defense, including critical infrastructure and deterrence, both areas where he said he's carving out dedicated teams and resources.
But to do that, Rogers said, the agency needs to broaden the command's cyber capacity to fight off the myriad attacks coming at Defense Department assets. He acknowledged that infrastructure at U.S. military bases has been a cyber target, and his top concerns include Russia, China, Iran, North Korea and non-nation-state actors.
However, he added that he is encouraged by progress at the command – progress that soon will be reported up the chain of command to OSD in regular readiness reports, like those other parts of the military provide.
"We've spent the last six months on how to define readiness in the cyber arena, down to the individual team level. Using the same mechanics used to assess readiness across DoD, we can provide decision-makers a true picture of, 'here's what this force is really capable of doing,'" Rogers said, noting that he's already conducted two trial assessments with a third coming this summer. "By the end of September we will provide to DoD on a quarterly basis, by team, here's where we are on readiness."