Cybersecurity

Pentagon faces slew of cyber challenges in new year

The U.S. military is facing a host of challenges as it seeks to cultivate and expand cyber operations in the new year.

The expected departure of National Security Agency (NSA) Director Mike Rogers this spring has spawned a fresh challenge for the Trump administration. The White House must find someone to replace him who can helm not only the NSA, but also U.S. Cyber Command, the Pentagon’s young offensive cyber unit that became more powerful last year after the president elevated it to a full combatant command.

Complicating matters, the Pentagon is currently mulling whether and how to split the two agencies, a decision widely viewed as inevitable but which some have worried could have negative consequences if done too swiftly.

Rogers’s tenure has been a rocky one, plagued by continuous intelligence leaks and reports of low morale amid a sometimes-unpopular reorganization. Still, he remains in high regard among some, who acknowledge the high stakes of a job that requires balancing two distinct but related missions.

Rogers took over for Keith Alexander at NSA in 2014 as the intelligence agency continued to face intense public scrutiny over former contractor Edward Snowden’s disclosures.

More recently, the agency has been forced to contend with embarrassing leaks of its hacking tools by the “Shadow Brokers” group.

In the dual-hat role, Rogers is also responsible for helming Cyber Command, which was born out of the NSA headquarters at Fort Meade, Md., in 2009.

“Having somebody that has that ability to understand the technical capabilities of the work … but can still do the public outreach part — it’s tough to find someone that can do both of those,” said Steve Bucci, a former Army officer and cybersecurity expert at the right-leaning Heritage Foundation.

“You generally need somebody with that technical background to understand the issues well, because it’s not a normal military command,” Bucci added. “The group gets pretty small.”

The cyber unit has seen its status grow over the years, capped by President Trump’s decision in August to officially elevate it to a full combatant command.

“The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries,” Trump said at the time.

The move triggered a Pentagon review of whether to split the dual-hat leadership of NSA and Cyber Command, which would effectively separate the government’s intelligence functions from its war-fighting cyber operations.

Some say Rogers’s departure will create the perfect opportunity for the administration to move forward on splitting the two bodies by naming a successor at the NSA and a different commander for Cyber Command.

“In a large part, this is the chance for something that’s long overdue, which is to separate the two jobs. What we’ve seen over the past few years is that the enormity of each job is so much,” said Michael Sulmeyer, director of the cybersecurity project at Harvard’s Belfer Center.

“This is particularly unique because of not just the importance of what each of these organizations do, but the fact that there have been frustrations and shortcomings on both sides,” added Sulmeyer, who served as director for plans and operations for cyber policy in the Office of the Secretary of Defense.

“Change needs to happen,” he said.

Pentagon officials said last year that Defense Secretary James Mattis would recommend a flag or general officer to lead Cyber Command. That individual would also serve as head of NSA before any decision was made on the split.

Some lawmakers on Capitol Hill, meanwhile, have sought to pump the breaks on the split, raising concerns about the potential effects if it’s done prematurely.

Annual defense policy legislation passed in November requires Mattis to update lawmakers by May on the progress toward a decision on the split. Among a slew of requirements imposed by Congress, the Pentagon is required to demonstrate that the termination of the dual-hat arrangement will not pose risks to national security.

“It’s still early to tell about whether NSA and Cyber Command should be split. That’s something that is probably a ways down the road. We need to make sure that everything is up and running the way it should as its own combatant command,” Rep. Jim Langevin (D-R.I.), ranking member of the Armed Services subcommittee overseeing Cyber Command, told The Hill on Tuesday.

“Once that’s all clear, the next step would be answering that question.”

More broadly, lawmakers have expressed frustration with the lack of comprehensive cyber war policy from the Trump administration, much like they did with the Obama administration. They inserted language into the defense bill requiring the president to set forth a national cyber policy addressing the use of offensive cyber capabilities.

Despite signing the defense bill, Trump objected to both provisions.

The military’s cyber operations are poised to receive more attention in coming years, as adversaries increasingly look to the cyber realm to target U.S. interests. The Pentagon hopes to have a 6,200-person-strong Cyber Mission Force fully operational by September 2018.

Former officials have acknowledged Cyber Command’s shortcomings. Former Defense Secretary Ash Carter revealed in October that he had been “largely disappointed” in Cyber Command’s effectiveness against the Islamic State in Iraq and Syria, writing that offensive cyber operations against the group “never really produced any effective cyber weapons or techniques.”

Sulmeyer said that, going forward, the command needs to be laser-focused on preparing the force to “fight tonight.”

“The priority until recently has been on defense and defending military networks,” Sulmeyer said. “From a planning perspective, from a mission perspective, from a personnel training perspective, it’s important to have the defense but eventually we’ve got to take the fight to the adversary.”

Like agencies across the federal government, Cyber Command and NSA will both face the challenge of recruiting and retaining savvy personnel to fill critical technical roles going forward.

Part of that effort will inevitably involve a concerted effort to keep up morale, which has been a key challenge for Rogers at NSA. The Washington Post reported earlier this month that large numbers of agency employees had left since 2015 in search of jobs in the private sector.

Multiple news outlets have reported that Rogers told agency employees on Friday he will resign in the spring, though the NSA declined to comment on the developments.

Trump is expected to nominate a successor, who is subject to Senate confirmation, in the coming weeks. Atop the list of Rogers’s rumored replacements is Lt. Gen. Paul Nakasone, currently the commander of U.S. Army Cyber Command.

Nakasone, who assumed that post in 2016, has made recruiting new personnel to Army cyber roles a priority, recently unveiling a pilot program to fill existing gaps in the force.

“Whoever gets those jobs, it’s a pretty difficult lift,” said Bucci. “It’s a heck of a lot of work.”