WASHINGTON — To former Defense Secretary Leon Panetta, the threat of cyberattack was a potential Pearl Harbor and 9/11 rolled into one, an event terrorists or foreign adversaries could create, he said, to “paralyze the nation.”
Defense Secretary Chuck Hagel’s rhetoric is cooler, but still he calls the threat of computer network attacks nothing less than “the greatest threat to our security.”
Over the last year, both secretaries have considered pulling the military command responsible for countering such threats — U.S. Cyber Command — out from under U.S. Strategic Command and making it a unified combatant command. That would put CYBERCOM on equal footing with the six regional combatant commands, as well as functional unified commands established to oversee special operations, nuclear deterrence operations and global transportation.
Many experts say the move would make sense, cementing cyber warfare as a focal point of the Defense Department’s 21st-century national security responsibilities. Supporters say the new unified command would become an integral part of global operations, as Special Operations Command has done since its activation in 1987.
Others suggest that once the current wave of cyber enthusiasm passes, a top-level Cyber Command could lose steam and end up like U.S. Space Command. It was created in 1985 amid planning for the Strategic Defense Initiative, and disestablished in 2002 when, as one expert said, “it turned out as a domain, space isn’t as cool as we thought.”
For now, Chairmen of the Joint Chiefs of Staff Gen. Martin Dempsey seems to be on the side of the naysayers, recently telling the Senate Armed Services committee that while an independent CYBERCOM might make sense in several years, “we just aren’t there yet.”
Hagel’s take on the matter, and ultimately President Barack Obama’s, will trump Dempsey’s opinion, however, and the Pentagon said the matter is still under review.
“On a number of occasions the Secretary and the Chairman have discussed their concerns about the growth of cyber threats and the need to ensure DoD is organized, trained and equipped to address these threats,” Pentagon spokesman Lt. Col. Damien Pickart said in a written statement to Stars and Stripes. “While the Joint Staff has been examining different command options, including maintaining the status quo, the Secretary has not made a decision at this time on whether to recommend a change to the President.”
The cost of elevating Cyber Command is one of the questions Hagel and the Pentagon brass must weigh carefully, said Jason Healey, a former Air Force cyber warrior and director of the Cyber Statecraft Initiative at the Atlantic Council, a Washington think tank.
“With sequestration and the military pulling back in so many areas, how do you justify it?” Healey said. “The amount of senior leader attention and budget that would go into creating another command is highly questionable.”
Before any move to set up a unified CYBERCOM, Congress wants to know the costs in advance, legislators told the Pentagon in the 2013 National Defense Authorization Act. Even a modest cost could be swimming against the tide, with budgets contracting and fresh memories of another unified combatant command — U.S. Joint Forces Command, with a nearly $1 billion yearly budget — eliminated in 2011 as a cost-saving measure.
Healey, a founding member of the U.S. military’s first joint cyberwarfare command in the late 1990s — a precursor to the current Cyber Command — said there may be a dawning realization that creating a large new bureaucracy won’t solve the Pentagon’s most basic cyber problem: sloppy and incomplete defenses across the many networks of the sprawling department.
“Since 1998, we’ve changed command structures every three years or so but, but we suffer the same problems as [we did] then,” he said.
But another cyber expert said it’s a “natural step,”to promote Cyber Command to a unified combatant command. Previous attempts to establish a joint cyber operations command haven’t been fully satisfactory, possibly because the commands haven’t held enough power, said James Lewis, senior fellow at the Center for Strategic and International studies.
“The United States typically has to experiment with different structures to park a new function; sometimes it’s in a service, and sometimes it’s a command,” he said. “Cyber is going through that right now as we figure out how to organize ourselves.”
One of the factors holding up the elevation of Cyber Command could be its current close association the National Security Agency, charged with foreign electronic spying. Both agencies are led by Army Gen. Keith Alexander, and based at Fort Meade, Md.
The close association with the NSA gives Cyber Command a “black magic” aura and makes it harder to explain its straightforward, though often classified, military role to Congress and some in the private sector, said John Bumgarner, chief technical officer at the U.S. Cyber Consequences Unit, a nonprofit research organization, as well as a former Army cyberwarrior attached to special operations command.
Congress has similar misgivings. In the 2013 defense spending bill, it singled out the uncertain lines between the military and intelligence communities when it comes to cyber. Congress said it wanted an explanation from the Pentagon of “how a single individual could serve as a commander of a combatant command that conducts overt, though clandestine, cyber operations under Title 10, United States Code, and serve as the head of an element of the intelligence community that conducts covert cyber operations under the National Security Act of 1947.”
Several observers who asked not to be named said that while the Pentagon values the utility of having CYBERCOM attached to an agency with the capabilities of the NSA, many in Congress are uncomfortable with the arrangement. The elevation — and potential separation of the two entities — may occur after Alexander’s retirement.
“The pressure certainly exists to have this as an independent command, perhaps within the next year,” a Washington analyst said. “But a lot of this could depend on who is in charge, who is in office, and what the structure is.”
Ian Wallace, a visiting fellow in cybersecurity at the Brookings Institution, a Washington think tank, said cyber is likely to be elevated in coming years, but that there would remain a number of crucial issues to sort out.
How would the service branches and the other combatant commands operate together with the newly elevated CYBERCOM? What level of capability will the new command have, and how much of the various services’ current cyber capability will it pull under its wing?
What ties the questions together, said Wallace, a former cybersecurity official for the United Kingdom’s Ministry of Defense, is that they would be easier to answer if CYBERCOM were promoted to an independent command.
“It would be more efficient to have those discussions with a strong combatant commander at the center than to have them as a sub-unified command,” he said.