If the National Security Agency (NSA) and US Cyber Command (Cybercom) were to split into two functionally separate entities as NSA/Cybercom director Adm. Michael Rogers recently recommended, such a split could reap significant benefits. The first would be in greater operational efficiency in command and control of the U.S. military cyber force (see NSA/Cybercom split, Part I for more). This article focuses on the second way in which splitting the NSA and Cybercom could be of great benefit to both organizations – improving operational transparency, oversight, and accountability.
Intelligence oversight, transparency, and accountability– all things which the American People always want more proof of, and Military and Intelligence planners must go out of their way proving if they want to remain chartered and credible in a post-Snowden security environment. As reported in part I, at the TechCruch conference in San Francisco recently, Secretary Carter stressed the differences in both organizations’ core missions, giving a window into not only his thinking, but how regulatory compliance and intelligence oversight could be strengthened. The NSA is a US Code Title 50 intelligence agency whose Federal Department is the Department of Defense; it serves a wide customer base, including other intelligence agencies, Geographic Combatant Commands (think: African Command, European Command, etc.), and various other government entities, like the U.S. Department of State. The NSA is responsible for research, analysis, technical developments, and the production of intelligence products. In short, the NSA tends to be stocked with academics and mathematicians – door-kickers, they are not. Contrastingly, Cybercom is a Title 10, operational military command, subordinate first to US Strategic Command, and then to the DoD. That distinction – between intelligence and military operations – is not mere lip service, and it does exist beyond just paper and planning documents. For one example, in the fall of 2015 the US Army stood up a new Military Occupational Specialty (MOS) – Cyber Operations Specialist – by transitioning a variety of intelligence professionals from across the force who had received ad-hoc training in cyber systems at some point in their intelligence careers. After further training and recasting of mission sets, Cyber Operations Specialists no longer fell under the Intelligence career field (considered a combat-support role) and were no longer eligible for assignment to the vast majority of Army units all around the globe. Rather, they were designated as Combat Arms (think: infantry or combat engineers, performing a direct combat role), were destined to serve in Cybercom and/or purely cyber-related missions, and fell under the command of a Combat Commander. As far as network warfare is concerned, these are the trigger-pullers. The Army’s move to create the new MOS was commensurate with its sister branches’ own internal reorganizations, unambiguously staffing and billeting their own dedicated cyber forces, pipelined strait to Cybercom, and responsible for defensive and offensive operations in the cyber battle space. Hence, were anyone to suggest that in 2016 NSA/Cybercom was the same set of personnel, putting their “NSA Hats” on for one minute, and then putting on their “Cybercom hats” the next, all while sitting at the same desk, doing the same work, then they would be widely missing the mark.
That separation between intelligence professionals and the military was reinforced and further made media headlines earlier this month when Republican Presidential Nominee Donald Trump described his first classified intelligence briefing, saying that he could tell (based on body language and non-verbal cues) that the intelligence briefers were unhappy that the Obama administration had previously followed courses of action diametrically opposite of the briefers’ recommendations. The statement was widely disputed, including by CIA director John Brennan, because it fundamentally mischaracterized the role that intelligence briefers play in military and foreign affairs. David Priess, a former intelligence briefer for President George W. Bush. concisely responded on CNN to Trump’s claims: “Intel briefers do not make policy recommendations. Period.”
That point is relevant for a discussion of separating an intelligence agency from a military operational unit: they have an inherent conflict of interest. Just as the bedrock of the American governmental checks and balances system is that our senior military leaders develop courses of action and our civilian leaders craft policy therefrom, so too is there a fundamental division of duties between Intelligence Professionals and military leaders. Intelligence Professionals provide the facts – the ground truth – and military leaders then weigh those facts when developing their possible courses of action. Just as Director Brennen pointed out that intelligence professionals, by virtue of their profession, would not make a recommendation to a civilian leader, they similarly would not, nor should they ever make policy recommendations to military leaders. This gets to the heart of the accountability and oversight problem risked by having NSA/Cybercom co-located, conjoined, and led by the same military General and director – how does the public trust that the military need for prudent risk and decisive action doesn’t eventually contaminate the objectivity of the intelligence vetting process, both sides slowly and subconsciously shaping facts according to the confirmation bias of the other?
Public trust in government officials, offices, and programs is taxing enough, even when their internal workings are considered a matter of public record and available for scrutiny. When a spy agency has to earn back the public trust…? Post-Snowden, the NSA developed a black eye and a trust deficit with the average American; unfortunately for the NSA, due to the necessarily-secret nature of its work, there’s no demonstrable, big-ticket, or obvious way to win that trust back. The NSA is not a major consumer electronics company that can go on a PR campaign, run advertisements, sponsor entertainment events, or make the late-night talk show circuit in order to make amends and repair its image. Even if its intelligence programs and products single-handedly stopped a major terrorist attack, they could never publicly disclose the details for security reasons. Therefore, there’s no way for Cybercom to not, by extension, in some way inherit the Public’s suspicion of the NSA. Granted, if the activities of both could remain clandestine forever, then perhaps Congress and the American People would espouse only a general suspicion or a localized, inarticulate unease about Cybercom. But secrecy is not possible in perpetuity. Eventually there will be another leak. Another insider threat like Snowden or Manning will violate their nondisclosure agreements, pilfer thousands of random classified documents, and hand them over to WikiLeaks. If not an insider, then it could be a botched offensive cyber operation about which a foreign adversary publicizes compelling evidence, naming and shaming Cybercom (the same way the United States in recent years has increasingly done to foreign actors) . Maybe worse would be if Cybercom botched a defensive operation which then publicly exposed gross incompetence or technical inferiority in the Command, or it led to the significant compromise of valuable data, loss of financial assets, or even loss of life. In any of those scenarios – open-source, reported on major news networks, and personally-damaging to millions – Cybercom would immediately run afoul of the NSA’s public trust deficit. The narrative would be “the NSA radically overstepped its boundaries by spying on Americans, and now Cybercom – which is just the NSA in sheep’s clothing – is up to the same old tricks.” The value of avoiding guilt by association is compelling enough alone to hasten an NSA/Cybercom split. The practical consequence of losing the public trust cannot be underestimated either. Just as the NSA underwent review by a specially-formed task force in 2013 due to the Snowden leaks, there’s no reason that Cybercom would not befall the same measures during an embarrassing breach or public display of incompetence. While scrutiny is not the issue itself, and indeed should be welcomed at all times by a sincere and good-faith federal agency, it is enhanced public attention and media outcry in tandem with task-force recommendations for broad sweeping changes that have the potential to force knee-jerk legislative and executive action against critical cyber capabilities. In the military, once you lose a capability or a tool due to abuse, there’s little likelihood it will ever be restored. Hence, The NSA and Cybercom should be split into two organizations. Cybercom deserves a clean slate and the American People a tabula rasa when judging its efficacy and its ability to perform its war-time mission within the boundaries of domestic and international law. Cyber warfare will remain a feature of modern conflict for generations to come, and as such the speed at which Cyber Command may be guided from its infancy into a fully-formed, mature organization for advancing American strategic objectives may prove decisive in maintaining cyber dominance vis-à-vis our adversaries both great and small in the decades to come.