Four years after its inception, the time has come to elevate U.S. Cyber Command to the status of a full unified combatant command, its outgoing chief said Wednesday.
Gen. Keith Alexander, the commander of Cyber Command and the director of the National Security Agency, said the growth of CYBERCOM since 2010, including the development of its cyber mission teams, shows it has now reached a level of maturity that he called a “tipping point.”
Alexander, who has led the command since its inception and will retire within the next few months, said it’s likely that within the next year, DoD will extract CYBERCOM from its parent command, U.S. Strategic Command, and turn it into a unified command all its own.
“Why a unified command? Command and control, directly from the President and the Secretary [of Defense], directly to that commander,” Alexander told the House Armed Services Committee. “In cyberspace, that speed is going to be absolutely important. And I think as we add more teams and more complexity, STRATCOM’s ability to actually play in this will continue to go down.”
Obama nominated Adm. Mike Rogers, the Navy’s commander of the U.S. Fleet Cyber Command, to replace Alexander. Rogers testified before the Senate Armed Services Committee Tuesday for his nomination hearing.
Turning CYBERCOM into the nation’s 10th combatant command always has been one option as the White House and DoD considered the longer-term vision for the organization. But when it was first created as a sub-unified command of STRATCOM four years ago, Defense leaders wanted to take a slower start while they decided on a permanent structure.
The options included making it into a more traditional combatant command organized in a similar fashion to Strategic Command itself, or giving it specialized authorities, similar to those held by Special Operations Command.
“We believe that the SOCOM model is where you need to go,” Alexander said. “That gives us the training and some of the acquisition authorities ,specifically over the cyber lane. So it’s SOCOM- like.”
Not a favored approach yet
Another option the department had been considering over the past several years was to place all of the military’s cyber forces in a separate, newly-created military service, based on the military’s understanding that cyber is its own domain of warfare in the modern era.
But Alexander said a new cyber service is not DoD’s favored approach at the moment.
“I think for at least the next several years, we need to have an integrated cyber capability that goes into the services,” he said. “I think that in places like Iraq, if we were to embed cyber capabilities at the brigade level, which we will need to do, you need to have service participation in that, not a separate service with external people coming in, but an embedded, organic capability to that brigade itself. But they need to be trained to a standard. So it’s analogous to the way the cryptologic system works. We have cryptologists who go down to brigades who are trained to a certain level. We have them in the air and we have them at sea. All of them are trained together, and they act as one system, but they have them by service. So I think the next correct step would be go to a unified cause and then see if it makes sense to take the step beyond that. And I think that kind of a deliberate approach makes sure we don’t go too far and then have to collapse back.”
Alexander said the military services and Cyber Command are making steady progress toward building the cyber mission teams it announced that it planned to stand up two years ago.
DoD intends to have 133 teams up and running by 2016, some with responsibilities for defending DoD’s own networks, some tasked with protecting the nation’s critical infrastructure, and some attached to DoD’s global combatant commands with responsibilities for offensive operations.
“One of the good parts about Cyber Command being at NSA is that the training of our forces is going extremely well. We’ve trained almost 900 people. We have 900 more, roughly, in training right now. By the end of this year, that means we’ll have 1,800 trained and ready personnel and teams that cover everything from our cyber protection teams all the way up to the national mission force,” Alexander said. “And those personnel from across all the services are being trained to the same standards we set at NSA. And it’s the same for the Guard and the Reserve.”
Personnel oversight too stratified
At the same time, there are challenges with regard to building and retaining the non-uniformed cyber workforce at NSA and CYBERCOM, including not only pay disparities with the private sector, but also a discordant group of personnel systems within government.
Alexander said that while 85 percent of the civilians in the two organizations he directs fall under the Consolidated Cryptologic Program, another 12 percent fall under the Information Systems Security Program, and a handful of others are governed by other hiring and personnel authorities managed by the Air Force and the Military Intelligence Program.
“What this means is that when personnel actions come, you deal with four different folks,” he said. “For promotions and for raises and for everything, you’re working through four different programs, so you don’t have an equal setting and an equal footing. This really came through on the furloughs. It was a big issue because 85 percent of the force was in, the rest were out. Nobody wants to then go over to one of those other billets because they feel like they’d be at risk. That’s not a way to set up a team, so I think we need to fix that.”