The chairman of the Senate Armed Services Committee said Tuesday that he would block any effort by the Obama administration to bifurcate the leadership of the National Security Agency and U.S. Cyber Command, saying the move would be premature and lacked any input from Congress.
Sen. John McCain (R-Ariz.) was angered by recent media reports in which anonymous sources indicated the administration was likely to name separate leaders for the NSA and CYBERCOM by the end of President Obama’s term, ending a seven-year arrangement in which a single four-star military officer directed both organizations and coordinated their cyber capabilities.
“Here we go again. Another major policy matter has apparently been decided with no consultation whatsoever between the White House and the Department of Defense with this committee,” McCain said at a hearing Tuesday morning. “I urge [Defense secretary Ashton] Carter to provide the details of this plan and his reasoning for supporting it. I hope he’ll explain what has changed since the last time the administration rejected this idea in 2013.”
The White House had considered ending the “dual-hat” arrangement following investigations into intelligence leaks by former NSA contractor Edward Snowden, but ultimately decided against it, saying in a statement two years ago that without the close relationship, “elaborate procedures would have to be put in place to ensure that effective coordination continued and avoid creating duplicative capabilities in each organization.”
Insight by Carahsoft: Explore use cases for edge computing and approaches for taking advantage of it by downloading this exclusive e-book.
Asked about the issue during an appearance at a technology conference in San Francisco on Tuesday, Carter emphasized that no final decision had been made, but acknowledged the administration was once again examining its original decision to place the organizations under one commander and co-locate their headquarters at Fort Meade, Maryland.
“The fundamental reason for that arrangement was the fact that there just haven’t been enough good people to go around and populate these two missions,” he said. “It has worked very well, but it’s not necessarily the right approach in the long run. And it’s not just a matter of the leadership — we’re asking ourselves questions about what’s the right mix of people between military, civilians, contractors, and how do we get people who can come in and out? It’s basically a management question, and it needs to be resolved in such a way that we can do these two related missions to the standard that the American people expect of us. Good people are a finite resource, so we’re going to try to manage around the people.”
Adm. Michael Rogers, the current NSA director and CYBERCOM commander is evidently not among the DoD officials who are advocating for a split. Asked by McCain whether it was still his best professional military advice that the dual-hatted arrangement be kept as-is, he responded in one word, “Yes,” without elaborating.
Congress has also been examining organizational changes to U.S. Cyber Command, although none of the current legislative proposals involve severing its tight relationship with NSA. Instead, the Senate’s version of this year’s National Defense Authorization Act would elevate CYBERCOM to a full unified combatant command. Currently, it is a subordinate organization within U.S. Strategic Command.
Even if the executive branch has the legal authority to separate the leadership of NSA and Cyber Command, McCain said he would use Senate rules to block any nominee the Obama Administration puts forward unless that person continues to wear both hats, saying he was troubled that the deliberations were happening without input from Congress.
“And while I’m sure the phrase ‘pre-decisional’ is written somewhere in our witnesses’ briefing papers, I would remind them that this committee does not take well to being stonewalled while their colleagues in the administration leak information to the press,” he said. “Even if this decision has not been made, our witnesses should still be able to provide substantive analysis on the consequences of separating the dual hat for our national security and for taxpayers. Let me be very clear: I do not believe rushing to separate the dual hat in the final months of an administration is appropriate.”
Separately, McCain chastised the administration for what he views as a failure to send Congress a comprehensive strategy for responding to attacks by foreign nations in cyberspace, particularly China and Russia.
In particular, he pressed Rogers and Marcel Lettre, the undersecretary of Defense for intelligence on whether DoD had a plan to respond to reports that Russian hackers had penetrated election systems in at least two states; both witnesses declined even to attribute the attacks to a foreign government, citing an ongoing investigation by the FBI and Homeland Security Department.
“These are activities that the government is taking quite seriously, but in this particular instance we’re intending to rely on the results of the investigation,” Lettre said.
“I’m asking whether we have a policy, and the answer is ‘No,’” McCain retorted. “Do you believe there’s a legislative solution that would address some of these challenges?”
Lettre said he would advise against that, saying “new legal and regulatory approaches are not as productive as a dialogue that seeks cooperation and collaboration with the private sector.”
“I agree,” McCain said. “But unless there is a policy about what the United States’ actions will be in the case of a cyber threat or an actual attack, you’re going to see legislation. Right now there is no policy you can describe to me as to what we would do. There’s a vacuum there. If you don’t act, I guarantee you that the Congress will act.”
The issue of election systems arose again later in the hearing, when Sen. Richard Blumenthal (D-Conn.) asked whether they should be formally designated as a sector of U.S. critical infrastructure.
“Our financial system and our utilities are critical — I think our system of choosing our leaders is no less so,” he said. “Even though these systems operate at the state and local level, they are driven by some kind of computer collection of information, so they’re vulnerable at some point in the chain and they’re largely unprotected right now.”
Rogers sidestepped Blumenthal’s question a bit, responding only that recent high-profile cyber intrusions highlight the need “to think about data in a different way.”
An exasperated McCain interrupted the questioning.
“But admiral, this is about the selection of our leaders, our system of government. There should be no discussion about this. If you attack that, and you succeed, you’ve destroyed democracy. Why are we equivocating on this?”
Rogers did not endorse the idea of treating elections systems as critical infrastructure, but said the matter was worthy of discussion.
“What are the key data-driven decisions that tend to shape us as a nation? You’ll come to a very different conclusion about an election structure than if you think the critical things are primary industry,” he said. “Thinking about data leads us to a different set of conclusions, and the election system is a good example of that.”