13 October 2016

What would a CYBERCOM-NSA split mean?

http://www.c4isrnet.com/articles/what-would-a-cybercom-nsa-split-mean
By: Mark Pomerleau, October 10, 2016 
This is Part II of a four-part series on the underlying issues surrounding the potential split of the NSA and Cyber Command. 
Top decision-makers in the government continue to debate the merits of splitting the National Security Agency and US Cyber Command. If this divorce occurs, what would an independent CYBERCOM look like? 

A very particular set of skills 
One of the important issues surrounding the debate are skills and resources. The personnel at NSA have benefited from more than 50 years of expertise in signals intelligence collection and operation, making the marriage with CYBERCOM an attractive option. 
“There are some things that our force needs in the way of technical skills that are similar to NSA,” Lt. Gen. Kevin McLaughlin, deputy commander of CYBERCOM, said Sep. 20 at the Air Force Association’s Air, Space and Cyber Conference. “If we can use their training, we use it. We pay money to NSA, they provide those types of courses. If they have specific enabling capabilities, the capacity to build things that we would use, we have the ability to request that support.” 

However, these skills take a long time to learn and develop, and some don’t believe the current military architecture suits fostering these technical proficiencies. 
A former NSA worker, who spoke to C4ISRNET on background, believes the current framework is not serving the intelligence community — the NSA — or CYBERCOM as well. The skills necessary for the intelligence and technical know-how involved in cyber operations is far more intensive than what the current military billets and rotations allow for, the source said. 
Military analysts typically are trained in a particular skill set and are sent to a duty station, which usually lasts for about three years. When looking at cybersecurity and warfare, one must train analysis in normal mechanisms of intelligence and technical tradecraft of cyberwarfare, the former NSA worker added, noting that it is difficult to train someone to a high level of ability in three years. 

The NSA benefits from the civilian cadre of workers that don’t have to worry about cycling out, which, from a military and CYBERCOM perspective, means there is no continuity of operations, the source explained. There would have to be a change in authorities or the way people are billeted if the military wants to stand up CYBERCOM on its own to conduct the types of operations more independently than they currently are, relying on NSA’s personnel and tool sets. 

Part of the issue is that only men and women in uniform are allowed to conduct and generate effects under the constructs and laws of war. 

“Remember the law of armed conflict, it specifically prescribes what civilians and uniforms can do,” Adm. Mike Rogers, commander of CYBERCOM and director of the NSA, said during recent testimony in front of the Senate Armed Services Committee in September, responding to a question regarding the value of forming an elite, civilian-based cyber group in contrast to losing military personnel for failing to meet fitness tests. Rogers said this would depend on the mission given to this entity because there are some things in the law of armed conflict that civilians can't do. Rather, service members in uniform must perform certain tasks related to “application of force and capability” in this regard, he said. 

Robert Chesney, a law professor at the University of Texas, told C4ISRNET noted the issue of a scarcity of skill sets, such as hacking or cyber exploit reservoirs, should the organizations go their separate ways. If this scarcity exists on either side, it might be necessary to have the same set of individuals on a single target, he said, noting the dual-hat role — or what he termed as “toggling” between CYBERCOM and NSA roles. 

This toggling between the Title 10 — defense and war fighting authorities under the law — and Title 50 — covert and intelligence authorities — engenders an entirely new set of problems if the organizations split. Deconfliction could become an issue if done improperly, meaning CYBERCOM forces could interrupt or even disrupt collection and espionage activity being conducted by the NSA. 

The nature of cyberspace makes this issue appear trickier, as many cyber weapons are dual use, meaning the tool used to penetrate a network can also be used to cause effects. 

State Department Coordinator for Cyber Issues Christopher Painter told Congress in May that while he does not know what a cyber weapon is, he looks at a tool’s intended effects. 

“I think researchers will tell you they use malware … to try to protect our systems,” he added, highlighting how complicated the cyberspace arena can be. 

This dual use is exactly why it might make sense to continue the current course with CYBERCOM and NSA’s relationship, according to a former government official who dealt with numerous national security issues and spoke to C4ISRNET on condition of anonymity. Those that are gaining access to networks are often the ones that can deploy the effect, meaning they are also best postured to brief commanders and others as opposed to having two separate organizations doing each, which can cause a competition in the way of resources and personnel, the former official said. 

One CYBERCOM official recently said that the command is looking to develop “loud” cyber tools that can be attributed to the Department of Defense. 

“In the intelligence community, you never want to be caught, you want be low and slow, you never really want to be attributed. There’s a different paradigm from where you are at in the intelligence community,” CYBERCOM Executive Director Shawn Turskey said. “But there’s another space over here, where maybe you definitely want to be louder, where attribution is important to you and you actually want the adversary to know.” 



The reason for this being that joint force commanders might want their goals or objectives to be known in order to convey a message, according to an official at CYBERCOM who spoke to C4ISRNET on condition of anonymity. 

In addition to independent reliance on its own workforce with the requisite cyber skills, the command will also need its own independent resources and infrastructure. As CYBERCOM generates capacity and capability — it reached full operational capability in 2010, and its Cyber Mission Force is nearing initial operational capabilty at the end of September with full operational capability planned for the end of 2018 — it will make more sense to separate. 

Lt. Gen. Kevin McLaughlin, deputy commander of CYBERCOM, explained that as the command grows, so will its independent military — or Title 10 — capabilities. 

“As we grow, the department has a very conscious plan to build more independent, called Title 10, DoD capacities we promote because there is a need to have some independent military capabilities in this area,” he said. “Over time our dependency and interaction I think with NSA … you’ll see that move more to the rear. And I think you’ll see the National Security Agency, as we mature, just become a combat support agency in support of our joint command like they already support other combatant commands around the world.” 

In terms of the specific Title 10 capabilities, the command could be looking to increase, McLaughlin told C4ISRNET. These might include bolstering the readiness and experience of the force, an independent training range and material capability “to defend networks at scale, and it’s the material capability that would empower the cyber force,” he said. 

He specified this is not at the expense of Title 50 capabilities because “our requirements go up there to DoD process to get a requirement validated and funded.” 

“Our respective responsibilities are not such that one grows while the other diminishes,” CYBERCOM spokesman Col. Daniel J.W. King told C4ISRNET in an email. “We have separate mission sets and capabilities, but our missions and capabilities are mutually supportive and that would not change in an elevation scenario. U.S. Cyber Command and the National Security Agency are and will remain strong partners.” 

King added that NSA and CYBERCOM are “distinctly different in mission, responsibilities, authorities, and organizational alignment. NSA provides unique technical intelligence support for USCYBERCOM's cyber mission force teams. USCYBERCOM provides information that NSA can integrate with other intelligence in fulfilling their mission.” 

The last two NSA directors, Michael Hayden and Keith Alexander — the latter of who was CYBERCOM’s first commander — declined to comment for this article. 



Highlighting Title 10 capabilities 

Separating CYBERCOM and the NSA could make CYBERCOM a Title 10, military war fighting organization, setting it up for greater successes in the future. Frank Cilluffo, associate vice president and director at the Center for Cyber and Homeland Security at George Washington University, has proposed a model similar to Joint Special Operations Command in the cyber domain. JSOC is the hyper-elite force subunified of Special Operations Command responsible for such feats as the Osama bin Laden raid. 

“A Cyber JSOC … would gather the crucial players, then weigh their inputs and whatever competing interests and concerns may be in play. Just as JSOC draws uponCIA assets and input for kinetic purposes, so Cyber JSOC would use NSA assets and input to achieve U.S. cyber ends and goals,” Cilluffo wrote in an April op-ed

“Best known for its manhunting operations, JSOC synchronizes and integrates military and intelligence components to learn and strike quickly,” his op-ed read. “In Iraq, JSOC’s special operators skillfully executed a ‘decapitation strategy’ against al Qaeda’s leaders, key facilitators and senior operatives. In Afghanistan, they wielded ‘an array of enablers’ such as drones and attack helicopters to accomplish their tasks.” 

Such a cyber military organization or construct “integrates war fighting and war planning. … It actually enhances the Title 10 authorities because many would argue that you don’t want to compromise sources, methods and intelligence capabilities to engage in using cyber as a means of response,” he told C4ISRNET in a recent interview. “Right now I don’t think there’s visibility across … the community that steals secrets for a living. … I think the role that cyber is playing in conflict and war fighting is so great today that the Title 10 implications are becoming more, if not, are more significant” than Title 50. 

“I actually feel we’ve got to … peel off CYBERCOM from NSA,” he said. “If you fight, you fight to win. So does that mean we might be losing some of our intel capability? Maybe.” But, he said, this might create a need to enhance the war fighting capability. 

What’s next? 

The former government official, who spoke to C4ISRNET on background, said a fully independent CYBERCOM would likely look similar to what it does now, though an independent CYBERCOM would likely rely on its own infrastructure as opposed to that of the NSA. 

A fully separate CYBERCOM would be able to pull together other intelligence agency information — as it provides support to the military when needed — and would be focused more on top-line targets, according to the former NSA worker who also spoke to C4ISRNET on background. If CYBERCOM were not tied to NSA's priorities, it would be more flexible in doing what is necessary from a cyber-effects standpoint as opposed to what it currently does in supporting the NSA and being involved in cyber contingency planning. 

The former NSA worker said the fight against the Islamic State group is a good example of the lack of flexibility. The counter-ISIS effort has received criticism that it hasn't been fully effective in its effort because the command was stood up to fight a more sophisticated, nation-state adversary as opposed to a militant group with sometimes unorthodox capability sets. 

CYBERCOM needs to stand on its own and build its own infrastructure, the source continued, noting that CYBERCOM might die if it fully separates from the NSA. The NSA can support the command, the source added, but CYBERCOM should not be wholly reliant on the agency. 

NSA’s marriage is too close to CYBERCOM, the source said, citing the lack of flexibility as a war fighting organization and reliance on NSA capabilities, as the military billeting process, for which roles and assignments can change frequently, does not fall in line with the technical training need in cyberspace. 

While a fully independent CYBERCOM would need to rely on its own personnel, resources and infrastructure, a fully independent NSA could focus on being more of a support arm to the military and national security agencies. More on this in Part III.

No comments: