U.S. President Donald Trump on Aug. 18 announced the elevation of the U.S. Cyber Command (USCYBERCOM/CyberCom) to a Unified Combatant Command. This brings American offensive and defensive cyber operations out of the implicit overview of the NSA and puts it on an equal footing — with major implications for the U.S. national cyber security posture.
A Unified Command is a structure that acknowledges an inter-relationship with another authority — in this case, primarily the U.S. National Security Agency (NSA). However, Trump’s statement adds, “The Secretary of Defense is examining the possibility of separating United States Cyber Command from the National Security Agency.” For the time being at least, both the NSA and Cyber Command will continue under the same leadership, currently Admiral Michael Rogers.
Rogers has always been against a separation. The United States Cyber Command was formed in 2009, sharing the resources, headquarters and commander with the NSA. It achieved operational capability in late 2010. The idea was that military hackers could learn from the NSA’s hackers. However, as indications of international cyber war have increased, the organizations’ objectives have diverged: the NSA’s fundamental purpose is to collect intelligence, while USCYBERCOM’s role is to achieve military objectives. Rogers fears that such military objectives, undertaken independently, could interfere with the process of intelligence gathering.
Trump, however, clearly feels that the time is ripe. “The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries,” he said. “Through United States Cyber Command, we will tackle our cyberspace challenges in coordination with like-minded allies and partners as we strive to respond rapidly to evolving cyberspace security threats and opportunities globally.”
SecurityWeek spoke to a number of the cybersecurity firms that defend against the aggressive cyber-attacks from both criminals and nation states, to get their take on this development.
The overriding view is that this is a good step.
“First,” says Nathaniel Gleicher, head of cybersecurity strategy at Illumio and a former director for cybersecurity policy at The White House, “it is a recognition that cyber threats are more significant and serious than ever — responding to them requires coordinated decision-making across all branches of the military, and elevating USCYBERCOM creates a place for that to happen.”
Second, he added, “It recognizes that CyberCom’s capabilities have matured over the last eight years. The responsibilities of a unified combatant command are much more significant than those of a sub-unified command — and the consequences of mistakes are greater. Elevating CyberCom is a signal that DoD thinks it’s ready for the challenge.”
Ely Kahn, co-founder of Sqrrl and another former director of cybersecurity at The White House, sees it as a way of mitigating natural tensions between USCYBERCOM and the NSA. “A military commander may want to disrupt communications of an enemy leading up to or during an operation,” he explains. “This could lead to an intelligence professional losing a key source of information. By putting USCYBERCOM on equal footing as the NSA in terms of being a direct report to the SECDEF, it gives more balance to these opposing objectives when a debate arises.”
Elevating Cyber Command to a Unified Combatant Command will inevitably give it greater freedom of action while also attracting more skilled operatives. “I expect that we will see large increases to budget and staffing now, with a focus on recruiting the kind of top-level talent that the government has had some difficulty in acquiring previously,” suggests Nathan Wenzler, chief security strategist at AsTech. “But given the more autonomous nature of how U.S. Cyber Command will be able to operate, and to present itself as a more prestigious opportunity to serve one’s country, I believe it will have a much better chance to recruit that critical talent than other agencies have done up until this point.”
Chris Roberts, chief security architect at Acalvio, believes it is an important step in U.S. cyber operations. “Cyber Command arguably enables all of the other combatant commands that are in place,” he explains. “There’s a number of them that obviously cover all other aspects, so it seems ‘right’ to elevate cyber to its own UCC that can have influence/management and control over cyber operations as well as manpower, cybersecurity and IT and operational tech infrastructure requirements.”
One consistent view is that it is a good and necessary process — and if anything, none too soon. “Since North Korea attacked Sony in 2014, the United States has been plagued by constant, sophisticated cyber-attacks that have threatened our critical infrastructure, undermined our democracy, stolen from our banks and businesses, compromised the identities of our citizens and have locked out information away behind malicious encrypted code,” says Eric O’Neill, currently national security strategist with Carbon Black — but once an investigative specialist for the National Security Division of the FBI.
“For some time now I have preached that there are no hackers, there are only spies. The majority of successful breaches are driven by foreign cyber intelligence units — cyber spies from other nations — that use traditional espionage tactics in a digital environment to disable, steal, destroy and disrupt information. The United States has fallen far behind the curve in addressing the external cyber threat. I applaud the initiative in elevating the US Cyber Command.”
Paul Kurtz, co-founder and CEO of TruSTAR Technology and a former White House National Security Council staff member takes a similar view. “This decision affirms cyberspace as a new war domain,” he told SecurityWeek. “The timing is ripe to form this command given the growing severity of cyber-attacks. Adversaries have shown they are ready to use cyber weapons to handicap military readiness and response or to disrupt or destroy critical infrastructure in the U.S. This decision also signals our intent to continue developing cyber weapons, and our adversaries will take note. The government’s current ability to defend critical infrastructure is inherently limited and the private sector will need to step up sooner rather than later to exchange information about attacks underway to better defend ourselves.”
However, the elevation of Cyber Command is only considered a first step — the complete separation from the NSA with its own commander is considered an important next step.
“Cyber Command is responsible for coordinating and leading military network defense. Placing this effort in spy agencies like the CIA and NSA is no longer effective,” says O’Neill. “Indeed, how can we trust the NSA and CIA to defend us in the cyber war we are fighting when the agencies cannot defend their own attack tools? The breaches by the Shadow Brokers and the Vault-7 release to Wikileaks demonstrate that the US requires a better coordinated effort to defend against cyber-attacks.”
Gleicher adds, “As important as this decision is, I am watching for another change to CyberCom that has also long been in the works but was delayed last week. CyberCom is led by Admiral Rogers, the same official who also heads the National Security Agency. The other big change that is discussed alongside elevating USCYBERCOM is separating out these two commands — giving CyberCom its own leader. This is an important step,” he believes, “because the mission of the NSA is different from the mission of the military, and lumping them together under the same leader means that when those two missions conflict, one set of priorities has to win out over the other. As serious as the cyber threat is today, it’s past time that we had an independent voice inside the DoD advocating for cyber defense. CyberCom could be that voice, and I’m hopeful that last week’s announcement is only the first step, and command separation will follow.”
The last word comes from O’Neill. “Many Americans have forgotten the Cold War, fought with the Soviet Union over nuclear ambitions and military force projection across the globe. The truth is that the Cold War did not end with the fall of the USSR. Instead, the war multiplied to a strategic and tactical war in cyberspace. Russia, China, North Korea, Iran and other nation states have attacked the United states effortlessly and remorselessly over the last decade. Cyber-attacks are the perfect warfare. They hide behind a manufactured cloak of anonymity, deal in secrecy and disruption, and effortlessly steal information that improves the economics and policies of rival nations. The United States has long required a new approach to addressing the external cyber threat from military and spy agencies. Our civilian agencies could not carry the burden. I hope that the new Unified Cyber Command can take up the charge.”