Should NSA and CYBERCOM Split? The Legal and Policy Hurdles as They Developed Over the Past Year – Lawfare (blog)
In light of Michael Sulmeyers excellent recent piece on splitting NSA and CYBERCOM, which ran at War on the Rocks last week, I want to pull together some of the key legal and policy developments of the past year in a single narrative. My aim is to put them in context with each other in a way that will provide useful background for those new to this issue, while also putting a spotlight on the deconfliction-of-equities issue that the split proposal raises. My apologies that this is a longer-than-normal post (I did not have time to be shorter!).
1. July 2016 Reports of DOD frustration over pace of anti-ISIS cyber operations
In July 2016, the Washington Post (Ellen Nakashima & Missy Ryan) reported on CYBERCOMs efforts to disrupt the Islamic States online activities (internal communications, external propaganda, financing, etc.), emphasizing the view of DOD leadership that CYBERCOM was underperforming:
An unprecedented Pentagon cyber-offensive against the Islamic State has gotten off to a slow start, officials said, frustrating Pentagon leaders and threatening to undermine efforts to counter the militant groups sophisticated use of technology for recruiting, operations and propaganda.
But defense officials said the command is still working to put the right staff in place and has not yet developed a full suite of malware and other tools tailored to attack an adversary dramatically different from the nation-states Cybercom was created to fight.
Although officials declined to detail current operations, they said that cyberattacks occurring under the new task force might, for instance, disrupt a payment system, identify a communications platform used by Islamic State members and knock it out, or bring down Dabiq, the Islamic States online magazine.
The report is an excellent snapshot of several distinct challenges the military use of computer network operations can pose.
One such challenge is operational capacity. The story suggests that CYBERCOM simply did not have the right personnel and the right exploits on hand for this particular mission, at least at the start. Thats a problem that can be fixed, and the report details the steps DOD began taking in 2016 to do just that.
Another challenge is the need to have an effective process for deconfliction between intelligence-collection and operational-effect equities. As the article summarized the issue:
Whenever the military undertakes a cyber-operation to disrupt a network, the intelligence community may risk losing an opportunity to monitor communications on that network. So military cybersecurity officials have worked to better coordinate their target selection and operations with intelligence officials.
This is not a novel tension, in the abstract. For as long as there has been signals intelligence, there have been tensions of this kind. When one side has access to the others communications, there will always be tension between the temptation to exploit that access for operational effect (with the opportunity cost of risking loss of that access going forward as the enemy realizes it has been monitored) and the temptation to instead exploit it for indirect intelligence advantage (with the opportunity cost of forgoing direct operational advantage in at least some cases). World War II provides famous examples. And so one might fairly ask: is there anything really different about computer network operations, warranting special attention to the topic in this setting?
Perhaps. In this domain there is much more overlap between the means of collection and the means of carrying out a disruptive operations. Indeed, those means often will be the exact same: a particular exploit providing access to an enemy device, network, etc. It seems to me that this ensures that the tension between collection and operational equities will arise with greater frequency, and less room for workarounds, than in more familiar settings.
Having mentioned both the operational capacity concern and the competing-equities concern, now is a good time to emphasize the significance of the status-quo for NSA and CYBERCOM: the dual-hatted commander. Whereas more familiar, traditional scenarios involving tension between collection and operational equities usually involve distinct underlying institutions and commanders, the status quo with respect to computer network operations has always (well, the past seven years) involved the dual-hatting of NSAs director and CYBERCOMs commander.
This model in theory ensures that neither institution has a home-field advantage, and maximizes the chance that the key decisionmaker (yes, there can be important decisions both below and above the dual-hat, but the dual-hat is obviously in the key position) fully buys into and fully grasps the importance of each institutions mission.
Of course, it is possible that the dual-hat might tilt one direction to an unfair or undesirable degree. And it is possible that some might perceive such a tilt even when there isnt one. As 2016 wore on, questions of this kind began to appear in public, and by September the media was reporting that DNI Clapper and SecDef Carter both were in favor of splitting up the dual-hat. It was not the first time this topic had come up, to be sure; President Obama had considered ordering a split in 2013 (during the aftermath of the Snowden controversy), but had not taken that step at least in part out of concern about CYBERCOMs independent operational capacity. Now the idea appeared to have momentum.
A report from Ellen Nakashima in the Washington Post that same month suggested that this momentum was in part a product of CYBERCOMs operational maturation, but also in significant part driven by the perception that Admiral Rogers, the current dual-hat, favored collection equities to an undue extent:
Whether or not its true, the perception with Secretary Carter and [top aides] has become that the intelligence agency has been winning out at the expense of [cyber] war efforts, said one senior military official.
(See also this report by the New York Times, stating that frustration along these same lines contributed to the effort to get President Obama to remove Admiral Rogers in late 2016.)
The Washington Post report also highlighted concerns that splitting NSA and CYBERCOM at the leadership level might actually weaken rather than empower CYBERCOM, as NSA inevitably would become free to withhold from CYBERCOM at least some exploits or other forms of access so that sources would not be lost:
Cyber Commands mission, their primary focus, is to degrade or destroy, the former official said. NSAs is exploit [to gather intelligence] only. So without having one person as the leader for both, the bureaucratic walls will go up and youll find NSA not cooperating with Cyber Command to give them the information theyll need to be successful.
2. December 2016 Congress puts on the brakes
Against this backdrop, Congress intervened in late 2016 to slow down the Obama administrations move to split the dual-hat. Section 1642 of the NDAA FY17, enacted in late December, provides that NSA and CYBERCOM must continue to share a dual-hatted director/commander unless and until the Secretary of Defense and the Chairman of the Joint Chiefs of Staff jointly certify to certain Congressional committees (SASC & HASC; SSCI & HPSCI; and the Appropriations Committees) that separation will not pose unacceptable risks to CYBERCOMs effectiveness, and that the following six conditions are met:
(i) Robust operational infrastructure has been deployed that is sufficient to meet the unique cyber mission needs of the United States Cyber Command and the National Security Agency, respectively.
(ii) Robust command and control systems and processes have been established for planning, deconflicting, and executing military cyber operations.
(iii) The tools and weapons used in cyber operations are sufficient for achieving required effects.
(iv) Capabilities have been established to enable intelligence collection and operational preparation of the environment for cyber operations.
(v) Capabilities have been established to train cyber operations personnel, test cyber capabilities, and rehearse cyber missions.
(vi) The cyber mission force has achieved full operational capability.
Section 1642(b)(2)(C) (emphasis added). President Obamas signing statement criticized Congress for imposing this requirement, but did not include a claim that it was unconstitutional. It remains the law at this time.
3. Early 2017 Complications in the War Against the Islamic State
While lawmakers and policymakers wrestled with the pros and cons of splitting NSA and CYBERCOM, computer network operations against the Islamic State continued to accelerate.
Along the way, however, new problems emerged.
As Ellen Nakashima of the Washington Post reported in May 2017, CYBERCOM by late 2016 had encountered a new set of challenges in its enhanced effort to shut down ISIS sites and platforms: third-country effects.
A secret global operation by the Pentagon late last year to sabotage the Islamic States online videos and propaganda sparked fierce debate inside the government over whether it was necessary to notify countries that are home to computer hosting services used by the extremist group, including U.S. allies in Europe. Cybercom developed the campaign under pressure from then-Defense Secretary Ashton B. Carter, who wanted the command to raise its game against the Islamic State. But when the CIA, State Department and FBI got wind of the plan to conduct operations inside the borders of other countries without telling them, officials at the agencies immediately became concerned that the campaign could undermine cooperation with those countries on law enforcement, intelligence and counterterrorism. The issue took the Obama National Security Council weeks to address
This article highlights a third significant challenge associated with computer network operations: attacking the enemys online presence often requires, or at least risks, some degree of impact on servers located in other countries. Third-country impact involves both legal and policy challenges, and as the quote above illustrates it also brings into play otherwise-unrelated equities of other agencies. Thus, the competing-equities tension is not just a clash between collection and operational equities, but in some cases many others as well. The dual-hat command structure is primarily an answer only to the former, not the latter.
Meanwhile, a sobering reality about the utility of cyberattacks on Islamic State communications began to become clear: the effects often did not last. This was the thrust of an important piece by David Sanger and Eric Schmitt in the New York Times in June 2017:
[S]ince they began training their arsenal of cyberweapons on internet use by the Islamic State, the results have been a consistent disappointment, American officials say. [It] has become clear that recruitment efforts and communications hubs reappear almost as quickly as they are torn down. In general, there was some sense of disappointment in the overall ability for cyberoperations to land a major blow against ISIS," or the Islamic State, said Joshua Geltzer, who was the senior director for counterterrorism at the National Security Council until March. "This is just much harder in practice than people think..."
This suggested that the military equities that some felt had been undervalued by Admiral Rogers in the past were less weighty than proponents had assumed. Nonetheless, momentum towards separationand concern that the dual-hat unduly favors collection equitiescontinues.
In mid-July, reports emerged that the Pentagon had submitted to the Trump administration a plan for effectuating the split, with some of the accompanying commentary continuing to advance the argument that NSA holds CYBERCOM back to an improper extent:
The goal, [unnamed U.S. officials] said, is to give U.S. Cyber Command more autonomy, freeing it from any constraints that stem from working alongside the NSA, which is responsible for monitoring and collecting telephone, internet and other intelligence data from around the world a responsibility that can sometimes clash with military operations against enemy forces.
Meanwhile, however, Congress is in the midst of producing the next NDAA, and it may impose a further hurdleone that wont prevent the split, but may well slow it down considerably.
4. Congress reengages
In mid-July, the House passed H.R. 2810, which includes a section addressing the potential NSA/CYBERCOM split. Section 1655 requires the SecDef to provide SASC, HASC, SSCI, and HPSCI with a report on DODs progress in addressing the issues that must be certified to Congress before NSA and CYBERCOM may be split (under the terms of section 1642 of NDAA FY17). That report must address:
(1) Metrics and milestones for meeting the conditions described in subsection (b)(2)(C) of such section 1642.
(2) Identification of any challenges to meeting such conditions.
(3) Identification of entities or persons requiring additional resources as a result of any decision to terminate the dual-hat arrangement.
(4) Identification of any updates to statutory authorities needed as a result of any decision to terminate the dual-hat arrangement.
Meanwhile, the Senates NDAAFY18 draft (S.1519) has begun its trek through that chamber, and it includes a requirement (section 1627) that the commander of CYBERCOM report to SASC and HASC on the costs associated with meeting the conditions needed to enable NSA and CYBERCOM to split. As the SASC Committee Report accompanying the bill explains:
The committee believes any decision to separate Cyber Command and the National Security Agency should be conditions-based. The committee also believes that the funding associated with separating the dual-hat arrangement will be a multiyear sustained effort. The committee notes that the fiscal year 2018 budget request failed to include the funding necessary to resource the separation of the dual-hat arrangement. The committee looks to Cyber Command to estimate the funding required to meet the conditions identified in section 1642(b) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114328) and intends to closely monitor future budget submissions and the cost, schedule, and performance of key cyber programs to ensure that Cyber Command is appropriately resourced prior to any decision to end the dual-hat arrangement.
5. What is the bottom line in light of all this?
* The statutory obstacles to a split of the dual-hat, from the current NDAA, are not onerous. The certifications required by section 1642 of NDAA FY17 can be dealt with easily enough given the high level of generality with which they are framed, once the political will is there to carry out the separation. It sounds as if the will is there, and that the only real hurdle is specifying something realistic in terms of the requirement that the cyber mission force reach full operational capacity.
* Deconfliction and Competing-Equities Tensions remain a significant issue that needs to be addressed very carefully. Yes, section 1642 of NDAA FY17 requires a certification on deconfliction, but as just noted the requirement is framed at a high-level of generality. People need to focus on the fact that a main driver of the effort to split NSA and CYBERCOM has been the perception that Admiral Rogers gives collection equities too much weightbut that he may well have been quite right to do so. And people also need to focus on the converse risk: that NSA might pull back on cooperation with CYBERCOM to an undesirable degree, post-split, in order to preserve the means of its collection. All of this can be managed, and its not obvious that the current dual-hat solution is the only way to do it. But there needs to be a credible process of some kind, if not the dual-hat. Its not clear that the certification requirement under section 1642 actually will compel sufficient consideration of this issue.
* Section 1627 of NDAA FY18, if it is enacted as SASC has proposed, will be a more serious hurdle. Budgets matter, and it is likely that the correct answer to the budget question posed by that section will involve a substantial need. That money then needs to be found and appropriated. Probably it should be and no doubt it will be. But it will take time for all this to grind out. Possibly this delay would track the time needed in any event to produce a credible claim that the cyber mission force has reached full operational capacity.
Originally posted here:
Should NSA and CYBERCOM Split? The Legal and Policy Hurdles as They Developed Over the Past Year - Lawfare (blog)
- CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - HSToday - December 5th, 2024 [December 5th, 2024]
- Where Will The Top Amateurs at NSA Yamaha Land After the Team Closes? - Vurbmoto - December 5th, 2024 [December 5th, 2024]
- CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure - HSToday - December 5th, 2024 [December 5th, 2024]
- Main players backing Syrian government have been weakened by other conflicts, NSA Sullivan says - NBC News - December 5th, 2024 [December 5th, 2024]
- Trump's incoming NSA Mike Waltz wants US to dance cheek-to-check with India - The Times of India - November 14th, 2024 [November 14th, 2024]
- What Trump's NSA Nominee Said On India's Pivotal Role In The 21st Century - NDTV - November 14th, 2024 [November 14th, 2024]
- Exclusive: Nakasone on exploding pagers, life after the NSA and another possible government job - The Record from Recorded Future News - November 14th, 2024 [November 14th, 2024]
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 - BleepingComputer - November 14th, 2024 [November 14th, 2024]
- CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - National Security Agency - November 14th, 2024 [November 14th, 2024]
- 6 Principles of Operational Technology Cybersecurity released by joint NSA initiative - Security Intelligence - November 14th, 2024 [November 14th, 2024]
- It's official FBI, CISA, and NSA reveal the most exploited vulnerabilities of 2023 - TechRadar - November 14th, 2024 [November 14th, 2024]
- Donald Trump picks Mike Waltz as US NSA: What it means for China and India - The Times of India - November 14th, 2024 [November 14th, 2024]
- Who is Mike Waltz, Donald Trump's new NSA pick? What are his ties to India Caucus? - Firstpost - November 14th, 2024 [November 14th, 2024]
- NSA should not oversee the management of national facilities RexDanquah - Citi Sports Online - November 14th, 2024 [November 14th, 2024]
- Trudeaus NSA admits to leaking secret intel alleging Indias interference to Washington Post - Firstpost - October 31st, 2024 [October 31st, 2024]
- White House dials NSA Ajit Doval: Here's what happened in the call - The Economic Times - October 31st, 2024 [October 31st, 2024]
- NSA Doval Stresses Need For Stable Indo-Pacific In Phone Call With US Counterpart Sullivan - News18 - October 31st, 2024 [October 31st, 2024]
- Director-General of NSA calls for continued support from government - GhanaWeb - October 21st, 2024 [October 21st, 2024]
- 5G Non Standalone Nsa Architecture Market to Reach USD 240.0 - openPR - October 21st, 2024 [October 21st, 2024]
- NSA meets with Minister Muir and DAERA to discuss industry concerns - Meat Management - October 21st, 2024 [October 21st, 2024]
- NSA cyber chief: Espionage is now Russias focus for cyberattacks on Ukraine - The Record from Recorded Future News - October 11th, 2024 [October 11th, 2024]
- NSA Investigating If Chinese Hackers Breached US Telecoms - Yahoo Finance - October 11th, 2024 [October 11th, 2024]
- NSA Issues Updated Guidance on Russian SVR Cyber Operations - National Security Agency - October 11th, 2024 [October 11th, 2024]
- News - Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony - DVIDS - October 11th, 2024 [October 11th, 2024]
- NSA's Program for Nursing Mothers in the Workplace Considered a Model for USG - National Security Agency - October 11th, 2024 [October 11th, 2024]
- NSA investigating hack of three major telecommunications companies - Baltimore Sun - October 11th, 2024 [October 11th, 2024]
- Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony [Image 8 of 8] - DVIDS - October 11th, 2024 [October 11th, 2024]
- NSA Hiring Over a Thousand in the Next Year - ClearanceJobs - October 4th, 2024 [October 4th, 2024]
- What Its Really Like to Work at NSA - National Security Agency - October 4th, 2024 [October 4th, 2024]
- US Elections: Former NSA John Bolton Claims Both Harris And Trump Do Not Qualify To Be President | NewsX Exclusive - NewsX - October 4th, 2024 [October 4th, 2024]
- Honoring the fallen: Bells toll for Americas heroes at NSA Mechanicsburg - American Military News - October 4th, 2024 [October 4th, 2024]
- How often should you turn off your phone? Heres what the NSA says - PCWorld - October 4th, 2024 [October 4th, 2024]
- NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations - HSToday - September 28th, 2024 [September 28th, 2024]
- NSA warns that Active Directory is an "exceptionally large and difficult to defend" attack surface - The Stack - September 28th, 2024 [September 28th, 2024]
- News - Honoring the Fallen: Bells Toll for Americas Heroes at NSA Mechanicsburg - DVIDS - September 28th, 2024 [September 28th, 2024]
- National Storage Affiliates Trust (NYSE:NSA) Given Average Recommendation of "Reduce" by Brokerages - MarketBeat - September 28th, 2024 [September 28th, 2024]
- Lack of Standard Stadiums: NSA boss sacked, facilities closed - What has been said and done so far - GhanaWeb - September 21st, 2024 [September 21st, 2024]
- NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations - National Security Agency - September 21st, 2024 [September 21st, 2024]
- UTEP Establishes Collaboration with DoD, NSA to Help Enhance U.S. Semiconductor Workforce - The University of Texas at El Paso - September 21st, 2024 [September 21st, 2024]
- The NSA advises you to turn off your phone once a week - here's why - ZDNet - September 21st, 2024 [September 21st, 2024]
- NSA Publishes Cyber Advisory on China-Linked Threat Actors - Executive Gov - September 21st, 2024 [September 21st, 2024]
- Former NSA Director Nakasone opens new institute at Vanderbilt to train right type of leader - Washington Times - September 21st, 2024 [September 21st, 2024]
- ACR lauds legislation that would fine insurers for delayed NSA payments - AuntMinnie - September 16th, 2024 [September 16th, 2024]
- NSA threatens lawsuit over election rigging allegation, demands apology - Pulse Nigeria - September 16th, 2024 [September 16th, 2024]
- NSA explains its work with private sector on election security and fighting foreign cyber threats - Washington Times - September 16th, 2024 [September 16th, 2024]
- NSA to debut podcast to boost public awareness of classified missions - Nextgov/FCW - August 31st, 2024 [August 31st, 2024]
- In Beijing, Bidens NSA Calls Out Chinas Destablising Actions, Openly Supports Philippines - Hindustan Times - August 31st, 2024 [August 31st, 2024]
- Why the NSA advises you to turn off your phone once a week - ZDNet - August 31st, 2024 [August 31st, 2024]
- Getting into rhythm: NSA places high expectations on themselves for 2024 - Suffolk News-Herald - August 31st, 2024 [August 31st, 2024]
- NSA readying podcast to share untold stories of codebreakers missions - Washington Times - August 31st, 2024 [August 31st, 2024]
- Trump govt stopped aid to Pakistan over ISI's 'undeniable complicity' with terrorists: Ex-US NSA - Hindustan Times - August 31st, 2024 [August 31st, 2024]
- Top NSA researcher tapped to lead Pentagons UAP investigation hub - DefenseScoop - August 27th, 2024 [August 27th, 2024]
- NSA Releases Guide to Combat Living Off the Land Attacks - Infosecurity Magazine - August 27th, 2024 [August 27th, 2024]
- With a little help from the National Archives, NSA finally releases Grace Hopper lecture. Watch it here. - MuckRock - August 27th, 2024 [August 27th, 2024]
- Trump administration NSA H.R. McMaster says there was "inconsistency" in foreign policy - CBS News - August 25th, 2024 [August 25th, 2024]
- 'Putin exploited Trump's ego and insecurities': Former NSA in new book - The Times of India - August 25th, 2024 [August 25th, 2024]
- NSA calls for urgent Government action on illegal sheep imports - Meat Management - August 14th, 2024 [August 14th, 2024]
- Sheikh Hasina Resignation LIVE Updates: Ex Bangladesh PM Sheikh Hasina Meets NSA Ajit Doval At Hindon Airbase - NDTV - August 5th, 2024 [August 5th, 2024]
- NSA Claims It Cant Watch an Important Tape It Recorded in the 1980s - Gizmodo - July 17th, 2024 [July 17th, 2024]
- Letter to NSA Sullivan Requesting Assessment of Information Russia Has Shared with the PRC on U.S. Weapons Capabilities in Ukraine - Select Committee... - July 17th, 2024 [July 17th, 2024]
- The NSA Is Defeated By A 1950s Tape Recorder. Can You Help Them? - Hackaday - July 17th, 2024 [July 17th, 2024]
- Letter to NSA on Microsoft's Billion Dollar Partnership with UAE Firm G42 - Select Committee on the CCP | - July 17th, 2024 [July 17th, 2024]
- NSA Fast Pitch World Series kicks off with Skills Competition & Heavy Hitters Camp, featuring College World Series Champions from the University... - July 17th, 2024 [July 17th, 2024]
- NSA contractor bilked government for hundreds of hours she never worked - Washington Times - July 6th, 2024 [July 6th, 2024]
- Signals intelligence has become a cyber-activity - The Economist - July 6th, 2024 [July 6th, 2024]
- OpenAI adds former NSA chief to its board - CNBC - June 15th, 2024 [June 15th, 2024]
- Former head of NSA joins OpenAI board - The Verge - June 15th, 2024 [June 15th, 2024]
- Former NSA Head Joins OpenAI Board and Safety Committee - RetailWire - June 15th, 2024 [June 15th, 2024]
- Former NSA head joins OpenAI board and safety committee - TechCrunch - June 15th, 2024 [June 15th, 2024]
- OpenAI Appoints Cybersecurity Expert And Retired US Army Genera With NSA Pedigree To Board, Enhancing AI ... - Benzinga - June 15th, 2024 [June 15th, 2024]
- Former NSA head Paul Nakasone to helm national security institute at Vanderbilt - The Record from Recorded Future News - May 15th, 2024 [May 15th, 2024]
- US is still chasing down pieces of Chinese hacking operation, NSA official says - The Record from Recorded Future News - March 18th, 2024 [March 18th, 2024]
- 6 CISO Takeaways from the NSA's Zero-Trust Guidance - Dark Reading - March 18th, 2024 [March 18th, 2024]
- St. John's M.S. in Cyber and Information Security Earns Key NSA Validation - St John's University News - March 18th, 2024 [March 18th, 2024]
- Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS - United States Cyber Command - December 23rd, 2023 [December 23rd, 2023]
- NSA Highlights AI, Partnerships in 2023 Cyber Review - MeriTalk - December 23rd, 2023 [December 23rd, 2023]
- NSA Publishes 2023 Cybersecurity Year in Review - National Security Agency - December 23rd, 2023 [December 23rd, 2023]
- Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS - National Security Agency - December 23rd, 2023 [December 23rd, 2023]
- NSA Reiterates Achievements in AI & Defense Against Russia, China in 2023 Cybersecurity Review - Executive Gov - December 23rd, 2023 [December 23rd, 2023]
- NSA appoints new Cyber Command head | SC Media - SC Media - December 23rd, 2023 [December 23rd, 2023]