Cyber wrap special: two heads are better than one
21 Sep 2016|

There’s a debate going on in the US at the moment that isn’t attracting much commentary here. While it’s a touch arcane, it’s worthy of public discussion. The question is the organisational arrangement for America’s cyber security, cyber offence and signals intelligence capabilities.

The Pentagon and the US intelligence community are in the blue corner, urging President Obama to split military Cyber Command functions away from the intelligence gathering National Security Agency. Senator John McCain, chairman of the Senate Armed Services Committee, is in the red corner, pledging to thwart any attempt to split the two bodies.

Not unusually, Senator McCain has a strong view. His opening statement at a hearing on national security encryption and cyber matters didn’t mince words:

‘Here we go again: another major policy matter has apparently been decided with no consultation whatsoever between the White House or the Department of Defense with this committee. I urge Secretary Carter to provide this committee and the Congress the details of this plan and his reasoning for supporting it. And I hope he will explain what has changed since the last time the administration rejected this idea in 2013…I would remind them that this committee does not take well to being stonewalled while their colleagues in the administration leak information to the press.’

Apart from the Washington beltway shenanigans on public display here, there are some substantive issues underpinning the spat. The organisation split was first discussed in public three years ago, in the wake of the Edward Snowden leaks. The Director of the NSA (DIRNSA) wears two hats; as well as being in charge of the signals intelligence (‘sigint’) gathering function, he has command of the military computer network activities that fall under the Cyber Command.

That command function sits properly under military control because computer network attack can be used to deliver lethal force—in principle, if not to date in practice—through attacks on systems controlling infrastructure where physical harm could result. And, as I’ve argued previously, the military use of cyberattacks is useful as an adjunct to ‘kinetic’ activities in the physical world, by disrupting the ability of adversaries to work out what’s going on and respond in a timely way.

But there’s no requirement for sigint to be under military control. DIRNSA’s counterparts in the ‘five eyes’ intelligence community, including our own Australian Signals Directorate, are all civilians. That doesn’t seem to hinder those agencies from fulfilling their roles, including sigint support to the military. And it’s that military support role that provides an argument for a split. During the 2013 debate, the Director of the Cyber Statecraft Initiative at the Atlantic Council argued that there’s an inherent conflict of interest in having the same person oversee sigint support to the military and command its cyber forces:

‘Imagine if the commander of US Pacific Command were the leading source of information on the Chinese military threat, had the ear of Congress on China policy, ran covert military operations against China, and could decide what information on China was classified. This perverse concentration of power is similar to where the United States has found itself on cyber policy.’

That’d be a strong argument if supporting military cyber operations was all the NSA does. But there’s much more to its role, and I think the rest of its portfolio provides an even better rationale for a civilian Director.

Modern sigint intrudes into civil society through the monitoring of domestic communications, especially in support of counter-terrorism investigations. Those activities came to the fore with the Snowden leaks, which also revealed the (dis)function of the relevant civilian oversight mechanisms. There’s something disquieting about the military presiding over activities that impinge on the civil population and which have civilian oversight.

In 2013 the Obama administration decided against a split, arguing on the grounds of efficiency; ‘without the dual-hat arrangement, elaborate procedures would have to be put in place to ensure that effective coordination continued and avoid creating duplicative capabilities in each organisation’. That argument reflects the historical relationship between sigint and cyber.

The sigint agencies were pulled into cyberspace early on because of the convergence of communication and computer technologies, which saw communications travelling on computer networks as well as ‘traditional’ telecommunication channels. The lure of communications ‘data at rest’ (like emails sitting on computers), which removed the need for real time interception of signals, was too much to resist. The sigint folks started to develop the tools and techniques required to exploit cyberspace.

In that sense there’s a natural synergy between sigint and military cyber operations. Whatever the organisational structure, an exchange of skills and expertise between the two is almost inevitable, and colocation makes sense. But there’s no obvious reason for both functions to be headed by the same person. Making DIRNSA a civilian position would make for better governance, and Cyber Command could properly remain a military position. We’re not privy to why the Obama administration has changed its mind in the past three years, but I think they’ve got it right this time.