Over the past few months, numerous commentators have weighed in about the future of the National Security Agency-US Cyber Command (CYBERCOM) relationship. The impending retirement of Army Gen. Keith Alexander, who heads both organizations, and his top deputy, creates a logical opportunity to review the government’s cyber-related organizational chart.
Following months of revelations about the NSA’s intelligence collection activities in particular, policymakers and the public have become increasingly concerned about the organizations’ missions. Some argue the NSA and CYBERCOM should remain joined, others that they should split.
Proponents of the marriage, notably Alexander, cite complementary missions and synergies from “integrated operations, people and capabilities.” Others privately assert that dividing the organizations is premature and could hollow out the still-fledgling CYBERCOM.
Retired Adm. James Stavridis, former supreme allied commander of NATO, and Dave Weinstein, a strategic planner at CYBERCOM, worry that the current arrangement risks mudding legal waters by conflating CYBERCOM’s Title 10 authorities, which govern the armed forces, with the NSA’s Title 50 authorities, which apply to intelligence activities.
Michael Hayden, former NSA director, cites similar issues and asserts that running NSA alone is a full-time job.
This public debate should encompass an equally important question: How should CYBERCOM function in a conflict? Answering this requires sorting out its relationships with the other unified combatant commands.
CYBERCOM is actually a sub-unified command under US Strategic Command (STRATCOM), whose central mission is managing the nation’s strategic deterrent, along with a variety of space and C4ISR issues. In 2013, this arrangement seems an artifact of a time when cyber could be considered just another item in STRATCOM’s broader portfolio.
Regardless of what happens with the CYBERCOM-NSA relationship, CYBERCOM should be split from STRATCOM and elevated to a full unified combatant command. From a functional standpoint, the prospects for a stand-alone “cyberwar” are virtually nil. Cyber will assume a greater role in future conflicts, but is likely to complement kinetic means.
The adversaries in such conflicts, be they state or non-state actors, will have a physical presence within the area of responsibility of a regional combatant command. Even minimal requirements for CYBERCOM to respond through STRATCOM would create an extra layer of bureaucracy in a domain where responsiveness is essential.
In the strategic sense, the relationship between CYBERCOM and STRATCOM is potentially dangerous, given the latter’s nuclear deterrence mission. The use of Cold War analogies is something of a naughty indulgence for cyber analysts, given the disproportionately horrific nature of nuclear conflict. However, a debate from that era, described by Thomas Schelling in his 1966 treatise, “Arms and Influence,” is instructive.
With the advent of intercontinental ballistic missiles, planners were confronted with the question of where to establish missile silos. Most advocated locating them in remote areas, where a potential Soviet missile strike would cause few casualties.
Another school posited, somewhat facetiously, that placing silos near populous cities would generate the most stable outcome because a potential Soviet strike on urban areas would necessarily cause substantial casualties and rapid escalation, making nuclear war less likely overall.
Proponents of the former plan obviously won the day, creating a distinction between counterforce (i.e., attacks on nuclear systems) and counter-value (i.e., attacks on populations or economic potential) strikes.
In the cyber context, the dual-use nature of the Internet and communications systems means that disaggregating our means of attack from the systems we seek to protect is onerous and necessarily imperfect. Nevertheless, it is a useful exercise to ask: If certain systems are sure to be targeted in a conflict, what relationship should they have with those systems upon which a cyberattack would be intolerable?
Today, CYBERCOM is one of the most likely and attractive targets for a cyberattack. And given its sensitive nuclear mission, STRATCOM should be afforded the highest-level protection. However, an adversary who is aware of CYBERCOM’s subordination to STRATCOM might seek to target the latter’s networks in a low-end conflict as a way to hobble US cyber capabilities.
The US must reinforce the inviolability of its nuclear command-and-control systems. Redundant and surely offline, such communication links are probably fairly isolated from cyberattacks. But even a successful attack on unclassified networks associated with STRATCOM could slow decision-making during a time of crisis.
Regardless of whether NSA and CYBERCOM remain conjoined, the US should decouple CYBERCOM from STRATCOM and elevate the cyber-focused entity into a full unified combatant command. This will rationalize its relationship with regional combatant commands, and strengthen the firebreak between cyber and strategic systems.
Certain adversaries may still seek to target STRATCOM’s information systems, but this should be an explicit choice, not a cascading effect of unrelated action.
Rob Sheldon is a 2013-14 Mike Mansfield Fellow based in Tokyo. These views represent only those of the author, and not necessarily the Maureen and Mike Mansfield Foundation.