Declassified documents reveal scope of Defense Department’s cyber strategy

The Pentagon has declassified several confidential documents that reveal a lack of authority in Cyber Command that experts say may hamper the nascent cyber force.

Admiral Michael Rogers, head of Cyber Command and director of the National Security Agency (NSA), takes part in a conference in Washington last October.

Yuri Gripas/Reuters/File

January 22, 2016

More than two dozen declassified Pentagon documents revealed details about the role of Cyber Command, the Defense Department's still-forming unit tasked with defending the country's digital domain. 

Though initially established to consolidate the military's digital operations, Cyber Command does not serve as a full-scale Defense Department command. Positioned under the wing of US Strategic Command, tasked with minding the US military’s nuclear arsenal, Cyber Command appears to have little authority to execute its mission without oversight from other command units.

In fact, several experts who have reviewed the documents say Cyber Command's lower rank compared to other units such as Central Command, which oversees operations in the Middle East, could actually undermine the country's ability to confront growing threats in cyberspace. 

Podcast: Intel's Chris Young on why the US needs a Cyber National Guard

"[Cyber Command] has far too many layers of bureaucracy and management to ever truly leverage cyber capabilities effectively," said Robert M. Lee, chief executive officer Dragos Security, and a former US Air Force cyber officer. “If you go look in the org chart, there’s about 16 layers between the actual person doing the operation and any given level of improvement."

Specifically, Mr. Lee said Cyber Command relies too heavily on the National Security Agency. Its director, Adm. Michael Rogers, also leads Cyber Command. 

"Everything that Cyber Command wants to be able to do right now, a significant portion of it is enabled by the operations that the NSA does," said Lee, adding that Cyber Command depends upon the NSA for most of its intelligence collection. "The direct tie creates a culture where Cyber Command can ultimately underperform."

Since its formation in 2010, Cyber Command has faced numerous setbacks. It fell far short of its goal to recruit 6,000 people by 2016, adding just 1,000 information security experts from a base of 2,000 by last spring. In the Defense Department's budget for fiscal year 2016, Cyber Command's budget fell by 7 percent, from $509 million to $463 million. That budget is dwarfed by even the smallest US military service – the Marines – given just over $25 billion to conduct their operations last year. 

Despite that, Cyber Command leaders still aim to create a 133-team cybermission force by 2018, which would include groups that assist on the offensive and defensive sides of cybersecurity, providing support to the Defense Department’s combatant commands, and defending the Pentagon’s internal networks and the public against significant cyber attacks. 

The planned expansion of Cyber Command, first established around the time of the Stuxnet attack on Iran's Natanz nuclear facility, comes with the US facing the growing threat of cyberattacks and digital espionage. But despite the threat ramping up, Cyber Command chief Admiral Rogers has not suggested that the military elevate the nascent force.

"You have some advocating, 'Is cyber so different, so specialized, so unique, so not well understood that it requires a very centralized, focused, unique construct to how we generate capacity and knowledge?' " Rogers said at an event at the Atlantic Council, a Washington think tank, on Thursday, according to reports in Defense Systems. "There are some who make that argument. I am not one of those."

Rogers said Cyber Command would focus on protecting systems and platforms this year as it moves toward larger personnel increases in 2018, drawing upon the US military's current capabilities and leadership in the Army, Navy, Air Force, and Marines. But some experts say that Cyber Command will continue to face conflicts of interest with Rogers also leading the NSA. 

"The fact that NSA and Cyber Command are led by the same person creates a natural conflict between the agencies' respective intelligence and military missions," said Dave Weinstein, a cybersecurity fellow with New America, a Washington think tank. "Nine times out of 10, NSA’s institutional clout is going to give them a decisive advantage at Fort Meade and downtown."

Despite that, he said the release of the 27 documents, some of which were acquired through Freedom of Information Act requests made by the George Washington University’s National Security Archive, could help Congress address some of the challenges the organization faces, including recruiting and a lack of authority.

“Cybercom’s lack of authority to conduct its mission is partly attributed to a general lack of understanding about its mission," said Mr. Weinstein. "Lifting the veil a bit could go a long way toward normalizing the way we think about military cyberspace operations — both domestically and internationally."