The National Security Agency is the nation’s digital spying organization. U.S. Cyber Command is a military unit focused on cyberwarfare. Does it make sense for one person to lead them both at the same time?
That has been the case since Cyber Command’s inception in 2009. But recently, Defense Secretary Ashton Carter and Director of National Intelligence James Clapper have been urging President Obama to divide the two leadership roles. The change, they say, would help Cyber Command become an independent fighting force that doesn’t require support from another agency – the NSA.
The NSA’s job is a defensive one, monitoring internet communications worldwide and gathering information to help the government understand what other countries are doing (or planning), and to resist foreign efforts to learn about what the U.S. is up to. By contrast, Cyber Command is a military unit, with a largely offensive mission. It is tasked with ensuring that the U.S. has unchallenged online superiority, able to shut down or disrupt the cyberoperations and networks of adversaries.
Clearly there are similarities that suggest the two agencies should cooperate and share knowledge. For example, the NSA needs to penetrate foreign networks to collect data. Cyber Command also needs to break into others’ computer systems, though for a very different purpose, such as shutting down an electric power grid. As a scholar of both information technology and management, I know that the key factor to consider in deciding on joint or separate leadership is not cooperation, but rather focus.
Given their respective offensive and defensive roles, separate leadership would be the best way to provide clear direction for each.
There are precedents for sharing – and splitting – leadership. There is, of course, the current situation, in which the NSA and Cyber Command are both headed by Navy Admiral Michael S. Rogers. In the military, this is often called a “dual-hat arrangement,” because one leader “wears two hats” by holding two posts at the same time.
A useful example from history is the evolution of the U.S. Army Air Corps. From its formation in 1926 to 1941, the Army Air Corps was primarily used to support ground troops, rather than as an offensive force in its own right. During that period, though, there was continuous debate about whether air and ground units would work better with separate leadership.
As World War II began and strategists’ understanding of the strength of airborne weapons developed, the groundwork was laid for separating ground and air power: In a 1941 administrative reorganization of the Army, the renamed Army Air Force became one of three independent commands. In 1947 the split was complete with the creation of the U.S. Air Force that we know today.
We do not want to wait until World War Cyber is upon us to resolve the debate this time. We need to have a fully functional fighting force capable of taking offensive action in the case of potential, and likely, cyberwarfare.
Both the NSA and Cyber Command use computers and computer networks. Both use – and seek to break – encryption software as well as tools to hack into networks, such as phishing methods, and various types of malware to extract information.
In the military there are plenty of examples of different units relying on similar tools. For instance, look at aircraft use. In addition to the Air Force, the Army, Navy, Marines and Coast Guard all use planes and helicopters. Some of those aircraft are even identical (or nearly so), such as the C-130 “Hercules” cargo plane and the UH-60 “Black Hawk” helicopter. Just because different groups use the same equipment does not mean they must share a single leader.
Determining relative priority
We can also take a lesson from the corporate world, where responsibilities vary widely. In a panel discussion that I led in May, questions to the audience revealed that in some companies, the head of cybersecurity defense efforts reports to the head of the information technology department. But in other cases the cybersecurity chief reported to the chief financial officer, or even to the head of the company’s legal department. Increasingly we are hearing that cybersecurity leaders report directly to the firm’s CEO.
The panel members viewed cybersecurity as an inherently cautious task, where evaluating risk is important. By contrast, information technology departments often push for rapid innovation and accelerating change. As a result of those conflicting goals, the panelists came to the consensus that those efforts should be managed separately.
Using similar logic, I believe that the NSA and Cyber Command should be under separate leadership, so each can pursue its mission with undivided focus and complete intensity. The NSA can gather intelligence. Cyber Command can defend our military networks and be ready to attack the systems of our enemies.