Following years of effort and billions of dollars’ worth of research and planning, the nation finally has a fully operational force of cyberwarriors at U.S. Cyber Command. Yet, as those troops confront adversaries around the world, there’s uncertainty across government about how to best make use of them.
While lawmakers push the Trump administration to exact revenge for years of cyberattacks on U.S. targets, a quiet but constant tug of war is raging between the intelligence community and the military over the future of government-backed hacking operations.
Congress, the White House and the nation’s spy agencies all have something at stake, but the tension is perhaps most intensely felt at the National Security Agency, which serves as a partner agency to U.S. Cyber Command. The NSA is not the only intel agency challenged by the warfare unit’s increasingly influential role: The CIA, the FBI and the Pentagon’s other intelligence agencies are also trying to shape Cyber Command’s future. Each agency understands offensive hacking in its own way, and that dissonance only intensifies the debate, according to current and former U.S. officials.
CyberScoop spoke with 13 current and former U.S. intelligence officials, three lawmakers and dozens of congressional aides for this story. Some chose to speak only on condition of anonymity to discuss the opinions circulating in government about who should be managing covert offensive cyber-operations that cross the line of everyday digital espionage.
The chief question is: If the U.S. is going to strike back at foreign targets in cyberspace, when should the soldiers or the spies lead the charge? Things may now finally be leaning in favor of the military after the intelligence community dominated for more than a decade, sources say. The U.S. has engaged in cyber-espionage since at least the 1990s, and there are historic cases of allied intelligence agencies launching offensive, destructive-style cyberattacks dating back to at least 2011.
Since then, both the Obama and Trump administrations have made decisions allowing Cyber Command to escape NSA’s shadow. And yet at the same time, the government appears to be desperately avoiding an all out cyber conflict with Russia or any other entity aside from ISIS.
An analyst for the U.S. government described the changing dynamic by saying: “NSA went into this thinking that they were going to be the top dog. Now they are paranoid that they may have eaten a massive tapeworm instead.”
Pressure to use Cyber Command’s full capabilities only increases as more stories surface of interference in U.S. networks by Russian, Chinese and other foreign hacking groups. Any decision to expand the military’s use of cyberwarriors will be a pivotal point in the relationship between the nation’s spies and the Pentagon, further drawing the bureaucratic boundary that separates stealthy digital espionage activities from more overt cyberwarfare operations.
The rise of the ‘gray zone’
Founded in 2009, the Fort Meade, Maryland-based Cyber Command was created through the leadership of then-NSA Director Gen. Keith Alexander. Some of its architects believe it was supposed to be a collaborative extension of NSA, but it has gained stature and influence far beyond what Alexander might have intended, insiders say.
Alexander, through a spokesperson, declined to comment for this story.
Today, U.S. Cyber Command is currently in the process of becoming a unified combatant command on par with the likes of Strategic Command (STRATCOM), which handles the nuclear program, or Special Operations Command (SOCOM), which handles high-profile combat operations. In less than a year, Cyber Command could also gain additional power through a separation from NSA that would call for a new and separate leadership structure, ending the current “dual hat” arrangement for the NSA director.
The elevation process and potential formal split from NSA could eventually give Cyber Command more leeway to plan and recommend cyberattacks, with a direct line to the White House. Launching these types of cyberattacks usually requires direct presidential approval, and the authority flows through NSA leadership. But that may too change.
In a congressional hearing Feb. 27, the current head of NSA and Cyber Command, Adm. Mike Rogers, acknowledged that there’s an ongoing “policy discussion” about giving Cyber Command more authority. Lawmakers needled him over the Trump’s administration’s lackluster response to Russian meddling in the 2016 presidential election. His responses were cagey, but he had a reason.
Cyber Command is quite limited in what operations it can pursue because, among other reasons, it is designated as a combat force that operates under Title 10 of the U.S. Code. That law dictates that such a unit can only operate within the confines of a declared war zone — a statue complicated by the internet’s global reach. The intelligence community, like the NSA and CIA, operate under Title 50, which permits them to conduct espionage in nearly any foreign country, a condition that’s especially advantageous when exploiting computers spread around the world.
How Title 10 exactly applies to cyberspace remains an open-ended question, former U.S. intelligence officials say. Some academics have described the current situation where military-backed cyberattacks occur as a sort of legal “gray zone.” That description is driven by the fact that the international Rules of Engagement for cyberwarfare remains largely undefined.
Even so, Secretary of Defense James Mattis has become a leading voice lobbying the White House to at least give Cyber Command more flexibility.
“[Mattis] has been very aggressive in articulating this concerns him, that there’s an ongoing discussion at the moment, that I hope is going to come to a way ahead in the near term,” Rogers recently told lawmakers.
It’s unclear exactly which additional authorities Mattis is seeking.
Cyber Command was recently granted the ability to foward deploy its forces to combatant commands across the world, sources told CyberScoop. Previously, so-called Cyber Mission Force teams would only be assigned to U.S. bases, like Fort Meade. Now they can be located within other combatant commands like U.S. Central Command, integrating with the military on physical front lines. This follows in line with the SOCOM model, which allows elite military personnel to be quickly grouped and deployed rapidly to accomplish very specific objectives.
That decision could open the door for new opportunities to hack enemy networks, but it does not necessarily provide Cyber Command with any additional license to independently launch attacks.
When military leaders push to do more with hackers, they usually meet some form of resistance from Pentagon lawyers.
A recent operation underscores the complexities surrounding Cyber Command’s ability to run offensive operations in the gray zone.
According to prior reporting by the Washington Post, the Obama administration angered the German government when Cyber Command hacked into a server hosting ISIS propaganda that was located in Germany. Though the terrorist group is most active in the Middle East, the group’s digital content is sometimes hosted by shared systems located inside allied countries and not war zones. The Pentagon reportedly notified its German counterparts of the counterterrorism mission to remove ISIS material, but the hacking still upset a wary ally.
The debate about what checks and balances should exist to control the use of offensive cyber operations is especially important due to the fragile nature of the internet. With militaries looking to disrupt each other through the world wide web, innocent users will inevitably be caught up in the chaos.
In 2016, a single distributed denial of service (DDoS) attack against Dyn, a internet gateway company, knocked out dozens of major internet retailers; leading to millions of dollars in lost revenue. That attack was later attributed to several American university students; a group obviously far less equipped than a conventional army.
New spin on an old fight
While ambiguity may surround the legal framework for military-led cyberattacks, how these missions affect the intelligence community’s own computer spying efforts poses another difficult proposition.
It’s not one that’s been easily handled in the past.
“This tug of war is not a new one,” described Rhea Siers, a 30-year NSA veteran who during her time at the agency worked in multiple administrative roles. “Collecting intelligence versus taking out the target has been a key tactical and strategic discussion between the military and intelligence agencies for decades — first about SIGINT [Signal Intelligence], now about cyber-operations as well.”
With Cyber Command in the spotlight, some military leaders have pushed for permission to “engage the enemy” online more often, a U.S. official told CyberScoop. But there are U.S. intelligence officials who still worry about what Cyber Command’s rise will mean for espionage missions.
In short, spies fear that their more covert digital intrusions will be negatively impacted by a spike in “louder,” purposefully disruptive cyberattacks from military operators, who are usually more interested in immediate outcomes. The concern stems from the issue of parallel discovery — where both a spy agency and military unit are hiding in the same compromised network, allowing the detection of one attacker to expose the other.
“There is an inherent conflict between military-like cyber operations and clandestine espionage operations,” explained Jason Kichen, a former intelligence officer who was focused on computer hacking strategy. “Sometimes the military’s needs to gain their own access can put the already present espionage-focused access at risk.”
Historically, NSA’s relationship to Cyber Command has generally tended to be collaborative. The partnership is complicated because each organization is responsible for a unique mission that’s sometimes drastically different yet requires nearly identical tools and talent — both of which are finite.
The clashes can be over which hacking tools are used, who should be handling them and whom they should be used against.
At the moment, the NSA is the government’s primary collector of information about software vulnerabilities that can be exploited by hackers. That title is held closely and with pride.
“A lot of what we ran into during the Obama administration involved the IC bucking at plans strung up by Cyber Command because they worried about intel gain-loss,” said Eric Rosenbach, former Pentagon chief of staff to Defense Secretary Ashton Carter. “The missions of Cyber Command and NSA should be complimentary, but too often they are competitive and collide with one another.”
Nearly everyone who spoke to CyberScoop said that the unified combatant command’s rise under the Trump administration will inevitably challenge the NSA’s franchise on software vulnerabilities and other hacking tools. Until recently, the intelligence community usually has taken the lead in helping decide whether to deploy some of the government’s elite hacking capabilities, according to two former U.S. senior defense officials.
But that hegemony is now increasingly challenged by a younger, military-minded Cyber Command that’s pushing for changes to the status quo.
“NSA has had a major role in this space since at least 1997, when [then-Secretary of Defense William] Cohen assigned them the mission to develop offensive techniques,” said Jason Healey, a former director for Cyber Infrastructure Protection at the White House from 2003 to 2005. “Twenty years on, they’re used to ruling the roost, especially since they’ve been not just developing but using offensive capabilities since 2005. Losing [some] of those responsibilities was always going to sting and meet bureaucratic resistance.”
Untangling the policy knot
Empowering Cyber Command appears to have bipartisan support. Multiple current and former defense officials are pushing for a win after years of apparent stagnation. And multiple former officials who worked in past administrations told CyberScoop, in general terms, that they welcomed changes that could help Cyber Command contribute to national security.
Creating the tools and policies that give Cyber Command independence from other U.S. intelligence or defense agencies has helped solve some bureaucratic issues. But not all of them.
In recent months, aides for the House Armed Services Committee and Senate Armed Services Committee have been meeting with government “working groups” to stop the military and intelligence community from butting heads. With people in the room representing both sides’ interests, lawmakers hope to quell any problems that have come with impending changes to the hierarchy.
Several aides told CyberScoop that the people representing Cyber Command have grown increasingly frustrated in these recent meetings. The representatives told the committees that the unit’s growth has been curbed by a reluctant bureaucracy that’s continuing to voice skepticism about scaling up hacking operations beyond the intelligence community.
In one meeting held in mid-February, Rogers’ Combined Action Group (CAG) held a meeting with congressional staffers, military academics and other officials from Fort Meade to discuss some of the issues. The gathering’s purpose was not necessarily to come up with immediate solutions, but to flesh out each side’s concerns that have come with Cyber Command’s maturation. Insights from the nearly eight-hour-long meeting were later provided to Rogers, who used them to prepare for a congressional hearing.
In that Capitol Hill appearance, Rogers maintained that Cyber Command should eventually be split from NSA, which would give it more autonomy.
President Donald Trump recently nominated Army Cyber Commander Gen. Paul Nakasone to be the combined leader of NSA and Cyber Command. Nakasone is a well-respected military leader with a history of working in cybersecurity-focused positions. However, he is not a career intelligence official.
Nakasone has been heralded for his time in service by former superiors, including Rosenbach and Alexander. He is widely considered one of the most experienced generals in managing military-led hacking operations.
The congressmen with perhaps the most experience dealing with NSA told CyberScoop that managing some of the conflicting equities between the two brotherly organizations will almost entirely fall on Nakasone.
“It’s really going to be up to leadership, they’re responsible for making sure it goes right,” said Rep. Dutch Ruppersberger, D-Md. “You need to have the right leader to negotiate these things, to listen to both sides and figure it out … If we don’t have good leadership for this position then it can be bad.”
Managing the tug of war in government represents just one of many challenges for the NSA director.
“That’s a very, very tough job,” he continued. “With everything that’s gone on recently, maybe one of the most difficult [jobs] in government.”
Michael Sulmeyer, a former cybersecurity policy adviser in the Office of the Secretary of Defense, said he believed Nakasone would make it a “fair fight.” Sulmeyer told CyberScoop that Cyber Command’s development may have been stunted by the dual-hat leadership arrangement, which he contends had benefited the intelligence community more.
“In the past, the IC would usually win these internal arguments … the resolution process requires consulting with the leaders of each organization. So it was a really circular, you could efficient way of dealing with it. But certainly slanted,” Rosenbach explained.
Nakasone recently told lawmakers that he planned to provide a recommendation within 90 days of being confirmed to Mattis about whether or not to split Cyber Command from NSA. Rogers, his predecessor, has said a split is inevitable. CyberScoop previously reported that Director of National Intelligence Dan Coats preferred keeping the dual hat in place for the immediate future.
In a brief interview with CyberScoop following a public speaking appearance in D.C., current White House Cybersecurity Coordinator Rob Joyce said he believed Cyber Command should be separated from NSA as it becomes more capable. He provided no timeline, but said that some predictable “friction” would likely follow a split as the two organization readjust to a new relationship. “That’s only normal,” Joyce described.
Fighting into the future
Lawmakers are generally unsure by how Cyber Command’s evolution will pan out. But several expect a bumpy road forward.
“There’s always going to be that rub between the operators and the intel collectors. I think that’s very true right now just because probably NSA is much more mature organization and certainly CIA also weighs in as well and they want to err towards protecting their capabilities,” said Congressman Jim Langevin, D-R.I.. “I certainly get that. But sometimes they can be over-protective and it slows things down. Maybe we’re missing out on opportunities to make a [cyberwarfare] operation more effective.”
Sen. Mike Rounds, R-S.D., the chairman of the Senate Armed Services cybersecurity subcommittee, told CyberScoop that he has also been involved in helping to ensure that Cyber Command’s elevation to a unified combatant command happens quickly and in a well-managed fashion.
“After listening to a lot of discussion internally, I think we’re moving in the right direction by separating the hats,” Rounds, said in an interview with CyberScoop following a congressional hearing. “Those folks operating under Title 50 really want to be deep in and not be discovered. At the same time, under Title 10 and what we would want in terms of persistence, you have to be able to show ourselves every once in awhile and that we are actually doing things in cyber to deter those who are causing the problems. It may easier to do using two hats rather than a dual hat.”
Whether the current system disproportionately handicaps Cyber Command remains a tough question to answer.
“The benefit of having a dual-hat between NSA and U.S. Cyber Command is clear — you have one person who can make a fully informed decision about the tradeoffs between the potential capability loss associated with using an intelligence asset to conduct an offensive cyber-operation,” explained Jamil Jaffer, former senior counsel to the House Intelligence Committee.
With Nakasone set to take the helm of both Cyber Command and NSA later this month following his expected confirmation, the debate will be immediately in front of him.
“Many have raised concerns that such an arrangement is a one-way ratchet and doesn’t full account for all equities,” Jaffer said. “What can be said for certain is that if you split the current dual-hat arrangement, you’re going to be teeing up a lot more debates for the National Security Council to have on individual operations and that is likely to be its own can of worms. After all, fighting a war by committee is hardly a good way to go.”