4 August 2017

Should NSA and CYBERCOM Split? The Legal and Policy Hurdles as They Developed Over the Past Year

By Robert Chesney

In light of Michael Sulmeyer’s excellent recent piece on splitting NSA and CYBERCOM, which ran at War on the Rocks last week, I want to pull together some of the key legal and policy developments of the past year in a single narrative. My aim is to put them in context with each other in a way that will provide useful background for those new to this issue, while also putting a spotlight on the deconfliction-of-equities issue that the split proposal raises. My apologies that this is a longer-than-normal post (I did not have time to be shorter!). 

1. July 2016 – Reports of DOD frustration over pace of anti-ISIS cyber operations

In July 2016, the Washington Post (Ellen Nakashima & Missy Ryan) reported on CYBERCOM’s efforts to disrupt the Islamic State’s online activities (internal communications, external propaganda, financing, etc.), emphasizing the view of DOD leadership that CYBERCOM was underperforming:

An unprecedented Pentagon cyber-offensive against the Islamic State has gotten off to a slow start, officials said, frustrating Pentagon leaders and threatening to undermine efforts to counter the militant group’s sophisticated use of technology for recruiting, operations and propaganda. …

But defense officials said the command is still working to put the right staff in place and has not yet developed a full suite of malware and other tools tailored to attack an adversary dramatically different from the nation-states Cybercom was created to fight. …

Although officials declined to detail current operations, they said that cyberattacks occurring under the new task force might, for instance, disrupt a payment system, identify a communications platform used by Islamic State members and knock it out, or bring down Dabiq, the Islamic State’s online magazine. …

The report is an excellent snapshot of several distinct challenges the military use of computer network operations can pose. 

One such challenge is operational capacity. The story suggests that CYBERCOM simply did not have the right personnel and the right exploits on hand for this particular mission, at least at the start. That’s a problem that can be fixed, and the report details the steps DOD began taking in 2016 to do just that.

Another challenge is the need to have an effective process for deconfliction between intelligence-collection and operational-effect equities. As the article summarized the issue:

Whenever the military undertakes a cyber-operation to disrupt a network, the intelligence community may risk losing an opportunity to monitor communications on that network. So military cybersecurity officials have worked to better coordinate their target selection and operations with intelligence officials.

This is not a novel tension, in the abstract. For as long as there has been signals intelligence, there have been tensions of this kind. When one side has access to the other’s communications, there will always be tension between the temptation to exploit that access for operational effect (with the opportunity cost of risking loss of that access going forward as the enemy realizes it has been monitored) and the temptation to instead exploit it for indirect intelligence advantage (with the opportunity cost of forgoing direct operational advantage in at least some cases). World War II provides famous examples. And so one might fairly ask: is there anything really different about computer network operations, warranting special attention to the topic in this setting?

Perhaps. In this domain there is much more overlap between the means of collection and the means of carrying out a disruptive operations. Indeed, those means often will be the exact same: a particular exploit providing access to an enemy device, network, etc. It seems to me that this ensures that the tension between collection and operational equities will arise with greater frequency, and less room for workarounds, than in more familiar settings. 

Having mentioned both the operational capacity concern and the competing-equities concern, now is a good time to emphasize the significance of the status-quo for NSA and CYBERCOM: the dual-hatted commander. Whereas more familiar, traditional scenarios involving tension between collection and operational equities usually involve distinct underlying institutions and commanders, the status quo with respect to computer network operations has always (well, the past seven years) involved the dual-hatting of NSA’s director and CYBERCOM’s commander. 

This model in theory ensures that neither institution has a home-field advantage, and maximizes the chance that the key decisionmaker (yes, there can be important decisions both below and above the dual-hat, but the dual-hat is obviously in the key position) fully buys into and fully grasps the importance of each institution’s mission. 

Of course, it is possible that the dual-hat might tilt one direction to an unfair or undesirable degree. And it is possible that some might perceive such a tilt even when there isn’t one. As 2016 wore on, questions of this kind began to appear in public, and by September the media was reporting that DNI Clapper and SecDef Carter both were in favor of splitting up the dual-hat. It was not the first time this topic had come up, to be sure; President Obama had considered ordering a split in 2013 (during the aftermath of the Snowden controversy), but had not taken that step at least in part out of concern about CYBERCOM’s independent operational capacity. Now the idea appeared to have momentum. 

A report from Ellen Nakashima in the Washington Post that same month suggested that this momentum was in part a product of CYBERCOM’s operational maturation, but also in significant part driven by the perception that Admiral Rogers, the current dual-hat, favored collection equities to an undue extent:

“Whether or not it’s true, the perception with Secretary Carter and [top aides] has become that the intelligence agency has been winning out at the expense of [cyber] war efforts,” said one senior military official….

(See also this report by the New York Times, stating that frustration along these same lines contributed to the effort to get President Obama to remove Admiral Rogers in late 2016.)

The Washington Post report also highlighted concerns that splitting NSA and CYBERCOM at the leadership level might actually weaken rather than empower CYBERCOM, as NSA inevitably would become free to withhold from CYBERCOM at least some exploits or other forms of access so that sources would not be lost:

“Cyber Command’s mission, their primary focus, is to degrade or destroy,” the former official said. “NSA’s is exploit [to gather intelligence] only. So without having one person as the leader for both, the bureaucratic walls will go up and you’ll find NSA not cooperating with Cyber Command to give them the information they’ll need to be successful.”

2. December 2016 – Congress puts on the brakes

Against this backdrop, Congress intervened in late 2016 to slow down the Obama administration’s move to split the dual-hat. Section 1642 of the NDAA FY’17, enacted in late December, provides that NSA and CYBERCOM must continue to share a dual-hatted director/commander unless and until the Secretary of Defense and the Chairman of the Joint Chiefs of Staff jointly certify to certain Congressional committees (SASC & HASC; SSCI & HPSCI; and the Appropriations Committees) that separation will not pose “unacceptable” risks to CYBERCOM’s effectiveness, and that the following six conditions are met:

(i) Robust operational infrastructure has been deployed that is sufficient to meet the unique cyber mission needs of the United States Cyber Command and the National Security Agency, respectively.

(ii) Robust command and control systems and processes have been established for planning, deconflicting, and executing military cyber operations.

(iii) The tools and weapons used in cyber operations are sufficient for achieving required effects.

(iv) Capabilities have been established to enable intelligence collection and operational preparation of the environment for cyber operations.

(v) Capabilities have been established to train cyber operations personnel, test cyber capabilities, and rehearse cyber missions.

(vi) The cyber mission force has achieved full operational capability.

Section 1642(b)(2)(C) (emphasis added). President Obama’s signing statement criticized Congress for imposing this requirement, but did not include a claim that it was unconstitutional. It remains the law at this time.

3. Early 2017 – Complications in the War Against the Islamic State

While lawmakers and policymakers wrestled with the pros and cons of splitting NSA and CYBERCOM, computer network operations against the Islamic State continued to accelerate. 

Along the way, however, new problems emerged.

As Ellen Nakashima of the Washington Post reported in May 2017, CYBERCOM by late 2016 had encountered a new set of challenges in its enhanced effort to shut down ISIS sites and platforms: third-country effects.

“A secret global operation by the Pentagon late last year to sabotage the Islamic State’s online videos and propaganda sparked fierce debate inside the government over whether it was necessary to notify countries that are home to computer hosting services used by the extremist group, including U.S. allies in Europe. … Cybercom developed the campaign under pressure from then-Defense Secretary Ashton B. Carter, who wanted the command to raise its game against the Islamic State. But when the CIA, State Department and FBI got wind of the plan to conduct operations inside the borders of other countries without telling them, officials at the agencies immediately became concerned that the campaign could undermine cooperation with those countries on law enforcement, intelligence and counterterrorism. The issue took the Obama National Security Council weeks to address…

This article highlights a third significant challenge associated with computer network operations: attacking the enemy’s online presence often requires, or at least risks, some degree of impact on servers located in other countries. Third-country impact involves both legal and policy challenges, and as the quote above illustrates it also brings into play otherwise-unrelated equities of other agencies. Thus, the competing-equities tension is not just a clash between collection and operational equities, but in some cases many others as well. The dual-hat command structure is primarily an answer only to the former, not the latter. 

Meanwhile, a sobering reality about the utility of cyberattacks on Islamic State communications began to become clear: the effects often did not last. This was the thrust of an important piece by David Sanger and Eric Schmitt in the New York Times in June 2017:

[S]ince they began training their arsenal of cyberweapons on …internet use by the Islamic State, the results have been a consistent disappointment, American officials say. … [It] has become clear that recruitment efforts and communications hubs reappear almost as quickly as they are torn down. … “In general, there was some sense of disappointment in the overall ability for cyberoperations to land a major blow against ISIS," or the Islamic State, said Joshua Geltzer, who was the senior director for counterterrorism at the National Security Council until March. "This is just much harder in practice than people think..." 

This suggested that the military equities that some felt had been undervalued by Admiral Rogers in the past were less weighty than proponents had assumed. Nonetheless, momentum towards separation—and concern that the dual-hat unduly favors collection equities—continues.

In mid-July, reports emerged that the Pentagon had submitted to the Trump administration a plan for effectuating the split, with some of the accompanying commentary continuing to advance the argument that NSA holds CYBERCOM back to an improper extent:

The goal, [unnamed U.S. officials] said, is to give U.S. Cyber Command more autonomy, freeing it from any constraints that stem from working alongside the NSA, which is responsible for monitoring and collecting telephone, internet and other intelligence data from around the world — a responsibility that can sometimes clash with military operations against enemy forces.

Meanwhile, however, Congress is in the midst of producing the next NDAA, and it may impose a further hurdle—one that won’t prevent the split, but may well slow it down considerably.

4. Congress reengages

In mid-July, the House passed H.R. 2810, which includes a section addressing the potential NSA/CYBERCOM split. Section 1655 requires the SecDef to provide SASC, HASC, SSCI, and HPSCI with a report on DOD’s progress in addressing the issues that must be certified to Congress before NSA and CYBERCOM may be split (under the terms of section 1642 of NDAA FY’17). That report must address:

(1) Metrics and milestones for meeting the conditions described in subsection (b)(2)(C) of such section 1642.

(2) Identification of any challenges to meeting such conditions.

(3) Identification of entities or persons requiring additional resources as a result of any decision to terminate the dual-hat arrangement.

(4) Identification of any updates to statutory authorities needed as a result of any decision to terminate the dual-hat arrangement.

Meanwhile, the Senate’s NDAAFY’18 draft (S.1519) has begun its trek through that chamber, and it includes a requirement (section 1627) that the commander of CYBERCOM report to SASC and HASC on the costs associated with meeting the conditions needed to enable NSA and CYBERCOM to split. As the SASC Committee Report accompanying the bill explains:

The committee believes any decision to separate Cyber Command and the National Security Agency should be conditions-based. The committee also believes that the funding associated with separating the ‘‘dual-hat arrangement’’ will be a multiyear sustained effort. The committee notes that the fiscal year 2018 budget request failed to include the funding necessary to resource the separation of the ‘‘dual-hat arrangement.’’ The committee looks to Cyber Command to estimate the funding required to meet the conditions identified in section 1642(b) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328) and intends to closely monitor future budget submissions and the cost, schedule, and performance of key cyber programs to ensure that Cyber Command is appropriately resourced prior to any decision to end the ‘‘dual-hat arrangement.’’

5. What is the bottom line in light of all this?

* The statutory obstacles to a split of the dual-hat, from the current NDAA, are not onerous. The certifications required by section 1642 of NDAA FY’17 can be dealt with easily enough given the high level of generality with which they are framed, once the political will is there to carry out the separation. It sounds as if the will is there, and that the only real hurdle is specifying something realistic in terms of the requirement that the cyber mission force reach “full operational capacity.” 

* Deconfliction and Competing-Equities Tensions remain a significant issue that needs to be addressed very carefully. Yes, section 1642 of NDAA FY’17 requires a certification on deconfliction, but as just noted the requirement is framed at a high-level of generality. People need to focus on the fact that a main driver of the effort to split NSA and CYBERCOM has been the perception that Admiral Rogers gives collection equities too much weight—but that he may well have been quite right to do so. And people also need to focus on the converse risk: that NSA might pull back on cooperation with CYBERCOM to an undesirable degree, post-split, in order to preserve the means of its collection. All of this can be managed, and it’s not obvious that the current dual-hat solution is the only way to do it. But there needs to be a credible process of some kind, if not the dual-hat. It’s not clear that the certification requirement under section 1642 actually will compel sufficient consideration of this issue. 

* Section 1627 of NDAA FY’18, if it is enacted as SASC has proposed, will be a more serious hurdle. Budgets matter, and it is likely that the correct answer to the budget question posed by that section will involve a substantial need. That money then needs to be found and appropriated. Probably it should be and no doubt it will be. But it will take time for all this to grind out. Possibly this delay would track the time needed in any event to produce a credible claim that the cyber mission force has reached full operational capacity.

No comments: