Seven years after the Defense Department first created a dedicated command to handle cyber issues, political stars seem to be aligning in a way that would elevate U.S. Cyber Command to the highest levels of DoD’s organizational structure.
Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, said Tuesday that he and Sen. Jack Reed (D-R.I.), the committee’s ranking member, will be pushing, via this year’s markup of the annual Defense authorization bill to make CYBERCOM a full unified combatant command.
Since 2009, when the command was first created, it has been a subordinate part of U.S. Strategic Command, one of three functional combatant commands in DoD’s unified command plan.
Asked by several senators during a Tuesday hearing whether Cyber Command is ready to become the fourth, Adm. Mike Rogers, CYBERCOM’s current commander, responded with a repeated and unequivocal “yes.”
Insight by Exterro: Capt. John Henry, operations officer of the USCG Cyber Command, discusses how the Command prepares for and responds to cyber incidents. Justin Tolman, forensic subject matter expert at Exterro, will provide an industry perspective.
“When we think about what should elevate something to the level of a combatant command, the questions are whether this function rises to a global level, and whether it’s of sufficient priority to merit coordination across the entire department,” Rogers said. “The other issue we’d be addressing is one of speed. A combatant commander designation would allow us to be faster, which would generate better mission outcomes. I would also argue that the department’s processes of budget prioritization, strategy and policy are all generally structured to enable direct combatant commander input into those processes. That’s what they’re optimized for. I believe that cyber needs to be a part of that direct process.”
Until now, DoD officials have been reticent to make the case that CYBERCOM should be elevated to a full combatant command, since the department’s cyber capabilities are still in their nascent stages compared to the existing functional commands, which are in charge of coordinating well-understood functions across the military with decades of learning behind them. Those include U.S. Special Operations Command, U.S. Transportation Command and U.S. Strategic Command.
But a senior defense official said Secretary of Defense Ash Carter is open to the idea.
In a Tuesday speech in which the secretary outlined several broader ideas about how to adjust the Defense Department’s bureaucracy 30 years after the Goldwater-Nichols Act, Carter said DoD needs to adjust its unified command plan in one way or another to account for cyber’s growing role in modern warfare, and making CYBERCOM a combatant command is among the options.
“In the fight against ISIL, I’ve given Cyber Command what’s really its first wartime assignment, and we’re going to see how that works out,” Carter said at the Center for Strategic and International Studies. “What that means is interrupting their ability to command and control their forces, their ability to plot against us or our friends and allies, interrupting their ability to pay people. All of those things are things we can do through cyber, but all of those things are happening in U.S. Central Command, the geographic combatant command. That makes things more complicated, because we’re increasingly finding that our problems cross geographical boundaries and the functional boundaries we have now.”
Since Cyber Command was first created, it’s been co-located with the National Security Agency at Fort Meade, Maryland, and a four-star military officer has served as the commander and director, respectively, of both organizations.
After a review in 2013 following the Edward Snowden leaks, the Obama administration determined that the existing relationship continued to make sense. But several lawmakers still believe the two organizations are too much for any one leader to manage, considering that one is an intelligence-gathering apparatus and the other is primarily geared toward defending the military and the broader American public from cyber attacks.
“I’m finding it harder and harder to justify you holding two jobs, given the complexity,” Sen. Angus King (I-Maine) told Rogers. “This arrangement was created in 2009, which in technological terms is a century ago. I understand the need for a relationship between NSA and Cyber Command. But particularly if we move in the direction of setting up Cyber Command as its own independent combatant command, to have the same person trying to run those two agencies — I just think that’s impractical and almost impossible.”
Not quite impossible, Rogers argued.
“I’ve been doing it for two years,” he said. “My recommendation has been, for right now, we need to leave the position dual-hatted. Part of that comes from the very premise on which we built Cyber Command, when we said to ourselves that we were going to maximize the technological investments that the nation’s already made in NSA in terms of infrastructure and capability. Because of that, we didn’t have a huge military construction program to build Cyber Command. In many ways, we’ve very tightly aligned these two organizations. In the long run, the best course of action is probably to put both organizations in a position where they’re capable of executing their mission in a complementary but more separate way. But we’re just not ready to do that today.”
Rogers acknowledged though that if Cyber Command is promoted to full combatant command status, its growth and newfound independence will make some of the efficiencies it enjoys because of its tight connections to the NSA less relevant.
Most of CYBERCOM’s growth, to-date, has come through the three types of offensive and defensive teams the military services have been building on its behalf since 2013.
Eventually, there will be 133 such teams made up of 6,200 people. As of now, 123 are in place, although only 27 have reached full operational capability. Another 68 have been deemed to have attained initial operating capability.
The command is aiming for a workforce made up of about 80 percent uniformed military and 20 percent civilian.
Rogers said the organization has not had any major difficulties in recruiting or retention thus far, but his biggest concerns are on the civilian side of the workforce, partially because of a loss of confidence in government service created by civilian furloughs during sequestration in 2013.
“The same things that lead a young man or woman in our nation to decide they want to pick up a rifle and take on that challenge leads men and women to decide they want to put on a uniform and pick up a keyboard,” he said. “The area that I’ve told the team we probably need to take a greater look at is on the civilian side of this, because our vision is you’ve got to create a workforce that is both active and reserve military as well as civilian. While we’re meeting our targets right now on the civilian side, there’s a couple skill sets already where I think I’m going to have to come back to Congress to ask for different processes or options that would make things more attractive to civilians, particularly for some very high-end skills that represent a small number of people, but of incredible valuable for us.”
Rogers wasn’t able to offer a precise figure on the number of contractors working for Cyber Command, but he estimated that part of the workforce is currently about 25 percent as large as the 5,000 military and government civilians currently working for CYBERCOM.
“I’m a little bit leery of becoming overly reliant on contractors. Why? Because I try to remind people cyber is a domain in which we conduct a wide range of military operations, and in accordance with the Law of Armed Conflict, those operations need to be conducted by military personnel,” he said. “I’m not trying to minimize the role of contractors, I just try to remind our team that we’ve got to step back and ask ourselves what’s the right allocation.”