Earlier this month Adm. Michael Rogers, Director of the National Security Agency (NSA) and head of US Cyber Command (Cybercom), addressed the Senate Armed Service Committee’s third hearing on Encryption, where he reiterated his previous support for splitting the NSA and Cybercom into two functionally separate entities. Adm. Roger’s recommendation would leave the position of Director of the NSA to be filled for the first time by a civilian, while Cybercom would grow into its own Unified Combatant Command, fully independent of its current parent organization, US Strategic Command. Secretary of Defense Ash Carter, speaking at the TechCruch Conference in San Francisco, meanwhile refused advocating for or against such a split, instead choosing to address the rationale behind Adm. Roger’s recommendation, citing the differing mission sets assigned to the agency and the command. The most notable public opposition came from Senate Armed Service Committee Chairman John McCain, who promised to block any such move. Senator McCain’s objections were primarily procedural and not substantive (i.e., he was upset he learned about the recommendation almost second-hand at the hearing, instead of by official channels). There are indeed several good reasons to consider splitting the two organizations, and one in particular which Senator McCain should be at home championing in the military: greater operational efficiency.
According to Rear Adm. Dwight Shepard, director of cyberspace operations for Northern Command and NORAD, one of the biggest concerns behind considering an NSA/Cybercom split has been Command and Control (C2) inefficiency. As it stands, the ideal scenario for a conjoined NSA/Cybercom was greater collaboration, regularly shared advances in vulnerability research, and reduced manpower needs by consolidating administrative functions; pragmatically speaking, co-locating Cybercom with NSA was the fastest way for it to reach initial operational capability. Critics however can just as easily spin those same conditions and arrive at their own prognostication: co-location means reduced innovation due to dual-hatting and group-think, shared research budgets never really afford or satisfy each organization’s unique development needs, and consolidating administrative functions creates a network of single points of failure. The argument goes that in reality, two organizations conjoined is no longer a pragmatic business model – it’s inefficient and unprepared to grow into the organization the DoD needs tomorrow, much less what will be needed 10 years from now.
The strength of the argument for or against promoting Cybercom to its own Unified Combatant Command depends on just how much of the DoD’s vast cyber workforce is determined to be in need of “unifying.” For example, currently each Geographic Combatant Command (GCC) – European Command, African Command, Pacific Command, etc. – has their own unique mission set which requires technical knowledge, language assets, orders of battle, supporting intelligence data, etc. tailor-made for that environment. Cyber leaders would be hard pressed to attempt absorbing all of those capabilities from around the world, and across all the branches of services under the aegis of one centralized Command. The devil is certainly in the details, because there are numerous ways to divide up offensive and defensive responsibilities – according to the geographic area, or according to the types of infrastructure we prioritize defending; yet another is by what battlefield effects Cybercom wants to keep in its arsenal alone, and what its willing to trust the individual military Branch’s Cyber components to use unsupervised if ordered by the GCC. That balance of authority is a very real question within our government, and multiple competing scenarios are possible in which the tactical needs of the GCC for a battle today could be at odds with the ‘big-picture’ Cybercom-driven needs conducting a cyberwar tomorrow.
Commendably, the DoD is focusing on the right issue by continually modifying and adjusting the cyber force structure, trying to strike just that right balance between de/centralization. Senior defense planners are fully aware that cyberspace moves at the speed of light, while the rest of the DoD does not. The Departments of the Armed Forces are by and large, designed conventionally along vertical lines of communication, with most decisions at the top and little input from the actual weapon systems operator. Because Cyberspace as a domain of war is still being charted, it may ultimately benefit from eschewing extant doctrinal models in favor of entirely different organizational structures which play to its unique characteristics. Secretary Carter has recognized previously the need to adapt and adopt until arriving at just the right C2 model in his own work on Command and Control of Nuclear War, and again in Crisis Stability and Nuclear War. He certainly understands that grafting on an extant conventional C2 doctrine developed by and for another domain of warfare may not be appropriate for optimizing cyberspace operations. Cybercom may, for example, need to grow into a Flatter Organization, or into a “Flatarchy” similar to what is practiced among many of the Special Operations Forces (SOF) communities within the DoD. SOF units tend to be populated by highly-dedicated professionals who willingly self-invest hundreds of hours maintaining their skills and their edge over the competition; they tend to view themselves as teammates and not boss/subordinates; they prize adaptability and agility solving novel problems with very little guidance; and as a flatarchy, they seek input from all their members. In other words, they display many of the same traits so highly prized in Silicon Valley that make bay-area tech firms into global leaders. Thus, splitting the NSA off and allowing Cybercom to incubate as its own Command could allow it to follow the tech start-up instincts of its civilian counterparts, growing into the lean, nimble organization any civilian tech entrepreneur would already be running it as.
Striking the right balance is truly key, for if the NSA and Cybercom were to split, the pendulum could swing too far the other way, bringing on negative repercussions. Even if the military found just the right model for optimized C2 functions, there would still be the issue of stocking sufficient numbers of operators for those C2 structures to command. Admittedly, there truly is a shortage of talented cyber operations personnel willing to commit to the military, so dividing them among two separate organizations runs the risk of diluting the talent pool without fundamentally addressing the origin of the talent shortage in the first place. To grow the numbers needed to stock two separate organizations, the DoD would have to address two problems: attracting cyber professionals who were “made” in their civilian youth, long before the military tried to recruit them, and then second retaining those personnel whose cyber capabilities were primarily built after joining the military. Serving in the US military is not an attractive option for most to begin with – approximately only half of 1% of the entire US population has been on active military duty at any given time since 9/11, leaving the talent pool highly restricted. Attracting talent currently means finding someone who is good at math and science, thinks in computer code, and is willing to invest tremendous personal time maintaining cutting-edge skills; yet somehow that same recruit must also be one who doesn’t mind the lack of freedom associated with military life. Those same issues again arise retaining cyber talent. The circumstance facing most highly-skilled Soldiers when considering transitioning from the military back to civilian life, is that if they get out, they stand the chance of making 2x-3x more money than what the DoD can pay, and they can enjoy many of the freedoms which the Uniform Code of Military Justice actively denies to service members: freedom of speech, freedom of movement, freedom of appearance, freedom of employment, freedom of physical exercise, freedom of health care, etc. Hence, if the NSA and Cybercom were to split and more cyber talent need be recruited, then the DoD would have to either fundamentally classify and treat cyber operators differently from General Issue Soldiers (as Secretary Carter suggested earlier this year), or it would have to offer them a truly unprecedented compensation package. In a time of austere budgets and a federal government still under the cap of Sequestration more than five years after the 2011 Budget Control Act’s passage, the prospect of throwing more money at cyber recruits than what Silicon Valley startups could offer seems dim and unlikely. In sum then, an NSA/Cybercom split could truly be worthwhile based on the increased efficiency in Command and Control, yet the DoD would have to fundamentally reimagine what “military” service to the country looks like and what balance to strike between mission sets, de/centralized structures, and lateral-entry policy issues in order to build a credible, sustainable cyber force for the future.