Since Cybercom was created a decade ago, it has been co-located with NSA at Fort Meade, Maryland, and shared a leader. At the time, this made sense to help the nascent command grow, relying on the personnel, expertise and infrastructure of the high-tech intelligence agency. The arrangement was initially expected to be temporary.

Severing the dual-hat has been one of the most hotly contested issues in cyber policy. Proponents believe the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles of NSA director and Cybercom commander are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

At the end of the first Trump administration, officials made a last ditch effort to sever the dual-hat, but it ultimately was not brought to fruition. Press reports prior to Trump’s inauguration for his second term indicated the administration wanted to end the dual-hat relationship.

There “is renewed speculation about the separation of the ‘dual-hat’ relationship between Cybecom and NSA, a construct that proves its value to our national security every minute of every day. This issue has been studied exhaustively but somehow there are still those who believe they know better,” Rep. Don Bacon, R-Neb., chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems, said in opening remarks during a hearing Friday. “I’ve spoken to my colleagues on this panel and our friends in the Senate, and on a bipartisan and bicameral basis, the Armed Services Committees are strongly opposed to ending the dual-hat relationship. I want to take this opportunity to make very clear to the Department’s leadership that if they believe they have allies on this issue who sit on the Pentagon’s congressional oversight panels, they do not.” 

Following the firing of Cybercom commander Gen. Timothy Haugh at the beginning of April, there was a feeling that the dismissal prepped the ground to split the dual-hat by nominating a civilian to lead NSA and a military officer to lead the command.

Bacon’s sentiment was shared by the subcommittee’s ranking member, Rep. Ro Khanna, D-Calif., on Friday.

“Let me reaffirm what you said about keeping our Cyber Command and NSA together. That is a bipartisan position, that is a position that we have discussed many times now, and people on this side of the aisle support you in that. It’s bicameral, it’s bipartisan. And you know, I just want to make that clear, because it keeps coming up and … because the support in the Congress is very strong for keeping the — those two departments together,” Khanna said at the hearing.

The issue was addressed on the Senate side over a month ago as well, with Sen. Mike Rounds, R-S.D., voicing support for the current arrangement.

“In wake of the various persistent cyber threats originating from the People’s Republic of China over the last two years, it is my firm conclusion that the importance of the dual-hat is as important today as it has ever been,” Rounds, chairman of the panel’s Cybersecurity Subcommittee, said during an April 9 hearing.

At that hearing, Lt. Gen. William Hartman, acting commander of Cybercom and director of NSA, told Rounds that the relationship between the two organizations allows the command to see what the adversary is doing.

“From my standpoint and senator, I’ve been sitting on the campus of the National Security Agency and Cybercom for most of the last 15 years. I’ve continued to see this partnership evolve. And our ability to execute increasingly more precise operations is fundamentally because the dual-hat allows me, in my current capacity, to move with the speed and agility and unity of effort that is required,” he said. “But it also forces leaders across the organization to collaborate, to do the hard work and to provide the best options for the national security of the country. That’s what I believe is the importance of the dual-hat, and that is really where I believe we’ve evolved.”

Concerned with the prospect of a premature split, in which Cybercom would not be ready to stand on its own, Congress has previously issued a prohibition on a breakup in leadership until certain metrics are met. They include, among others, that each organization have robust command-and-control systems for planning, deconflicting and executing military cyber operations and national intelligence operations — as well as ensuring tools and weapons used in cyber ops are sufficient for achieving required effects and that Cyber Command can acquire or develop these tools, weapons and accesses.

Gen. Dan Caine, chairman of the Joint Chiefs of Staff, told lawmakers at his confirmation hearing for the role in April that he believes the dual-hat should be maintained, agreeing with the findings of a 2022 study that found the role should be strengthened as well.

“The Dual-Hat arrangement provides the ability to look across both organizations and has empowered both USCYBERCOM and NSA to fulfill their missions better than each could do alone. It promotes agility and enables intelligence to be operationalized rapidly,” he wrote in response to advance policy questions from senators. “It also facilitates relationships with key foreign allies and partners in part because the corresponding foreign organizations with signals intelligence (SIGINT) and cyber operations missions are fully integrated, operating under a Dual-Hat leadership structure. The span of control, does however, place a burden on one leader.”

Ahead of his own confirmation hearing in January, Secretary of Defense Pete Hegseth wrote to senators that he would “bring these debates to conclusion, consult with Congress, and make final recommendation for the way ahead.”

The post Members of Congress vow not to split Cyber Command, NSA appeared first on DefenseScoop.

Hunt-forward operations involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

In responses to lawmakers’ advance policy questions ahead of his confirmation hearing before the Senate Armed Services Committee Tuesday, retired Lt. Gen. Dan Caine stated that Cybercom hunt-forward missions in the U.S. Southern Command area of responsibility discovered Chinese Communist Party malware on multiple foreign partner networks.

Southcom’s area of responsibility includes the landmass of Central and South America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.

These hunt-forward operations are conducted at the invitation of host nations. Details about specific countries where Cybercom conducts these ops are highly sensitive, and permission of the host government must be gained before public disclosure.

It’s no secret that China has interests in South American nations and Beijing has deployed cyber capabilities for a variety of malicious activities.

Cybercom did not confirm or deny the assertion by Caine, noting in a statement it routinely assists partners that request support in securing their cyber posture against foreign malicious activity across all geographic areas of responsibility.

“This strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us. USCYBERCOM’s core mission is to defend the nation in cyberspace. By policy and for operational security, we do not discuss cyber operations, plans or intelligence. No operation will be publicly disclosed without the partner nation’s consent,” a Cybercom spokesperson said of hunt forward operations.

Cybercom conducted its first hunt-forward operations in Latin America a couple of years ago. Officials have stated in the past that the CNMF conducts about two dozen defend-forward operations per year with foreign partners on foreign government networks to hunt and find Chinese, Russian and Iranian threats, among others.

In written congressional testimony last year, Cybercom commander Gen. Timothy Haugh noted that CNMF deployed 22 times to 17 nations for hunt-forward ops, with active operations occurring simultaneously in all geographic commands for the first time. Those activities led to the public release of more than 90 malware samples for analysis by host nations’ cybersecurity community.

“Such disclosures can make billions of Internet users around the world safer on-line, and frustrate the military and intelligence operations of authoritarian regimes,” he wrote.

Hunt-forward operations were credited with mitigating the effects of Russian cyber ops against Ukraine during its 2022 invasion. Cybercom sent personnel to Ukraine ahead of the invasion and helped harden their networks.

Caine also addressed, in his policy question responses, the hotly contested debate about the dual-hat arrangement in which the commander of Cybercom is also the director of the National Security Agency. Proponents believe the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

Caine told lawmakers he believes the dual-hat should be maintained, agreeing with the findings of a 2022 study that found the role should be strengthened as well.

“The Dual-Hat arrangement provides the ability to look across both organizations and has empowered both USCYBERCOM and NSA to fulfill their missions better than each could do alone. It promotes agility and enables intelligence to be operationalized rapidly,” he wrote. “It also facilitates relationships with key foreign allies and partners in part because the corresponding foreign organizations with signals intelligence (SIGINT) and cyber operations missions are fully integrated, operating under a Dual-Hat leadership structure. The span of control, does however, place a burden on one leader.”

Ahead of his own confirmation hearing in January, Secretary of Defense Pete Hegseth wrote to senators that he would “bring these debates to conclusion, consult with Congress, and make final recommendation for the way ahead.”

At the end of the first Trump administration, officials made a last ditch effort to sever the dual-hat, but it ultimately was not brought to fruition. Press reports prior to Trump’s inauguration for his second term indicated the administration wants to end the dual-hat relationship.

The post Cybercom discovered Chinese malware in South American nations — Joint Chiefs chairman nominee appeared first on DefenseScoop.

The Senate earlier this year passed a provision as part of its version of the annual defense policy bill, that would have directed the secretary of defense to establish a new organization to support the requirements of U.S. Cyber Command along with other combatant commands, military departments and agencies. However, in the conference report for the reconciled version of the fiscal 2024 National Defense Authorization Act, House and Senate conferees noted that they took the provision out.

“The conferees agree that intelligence support to the planning and execution of cyber operations conducted below the level of armed conflict, for preparation of the operational environment, and at each level of operational art — strategic, operational, and tactical — must be substantially improved. The conferees believe that the causes of, and solutions to, this requirement are complex,” the report states. “The conferees are not prepared at this time to dictate a specific organizational solution, but expect the Secretary of Defense to generate and implement one.”

For years, dating back to when Cybercom was created, there have been talks about building the capability and capacity for developing organic cyber intelligence within the U.S. military. Relatedly, as cyber has grown in importance, there have been increasing discussions at the Defense Intelligence Agency regarding what constitutes foundational cyber intelligence.

Lawmakers are concerned because, of more than two dozen agencies that focus on intelligence, there isn’t a direct line out of Cybercom’s intelligence shop that focuses on nation-state threats from a military angle. For example, the military intelligence apparatus has very specific knowledge of adversary systems and specifications, but that’s not always the case in cyberspace.

The conference report notes that as a still maturing organization, Cybercom must improve its ability to define and articulate requirements for intelligence support, noting it’s likely the command will still require assistance from the Defense Intelligence Agency and the National Security Agency. The command is co-located and shares a leader with the NSA.

Moreover, the document suggests that the cyber mission force — the personnel each military service provides to Cybercom to conduct cyber operations — does not possess sufficient deep technical expertise nor adequate access to data to generate the required level of analysis organically.

“At the strategic and operational level, there is a clear need for improved foundational intelligence. The conferees are concerned that the Department of Defense will continue to fail to address this persistent shortfall without a legislative mandate and the creation of an organizational element dedicated to the task,” the report states.

“A significant portion of the target systems analysis support that is currently lacking could be provided under a decentralized, federated model based on cooperative teaming among the existing service intelligence centers (and the Department’s foreign material acquisition and human intelligence components). This would obviate the need to establish a new, separate center dedicated to the cyber domain, but making a coalition work effectively on a sustained basis could prove to be very challenging without a committed leadership entity. The conferees urge the Secretary to devise an effective and sustainable organizational solution,” according to the report.

Enduring dual-hat relationship?

The report notes that vital network and systems engineering analysis support for Cybercom likely can only be achieved through NSA partnership. However, NSA’s national intelligence mission and budget cannot be further burdened with the level of tailored support required for military operations, according to conferees.

Rather, the secretary of defense should provide funding for Cybercom, separate from the national intelligence budget, to acquire and sustain the required technical analytical capability and capacity. This should be done in stages, lawmakers say, beginning with a small-scale pilot to develop a practical model that can be replicated.

They also note that the administration reported another favorable review for the dual-hat arrangement, where Cybercom and NSA share a boss and are co-located.

The report notes that the foregoing assessment suggests that this partnership should be extended, with the Pentagon’s independent funding responsibilities clearly delineated.

“Accordingly, the conferees urge the Secretary of Defense to develop an organization, and provide funding, personnel, and a management plan for the intelligence collection and analysis necessary to support the missions of Cyber Command and the other combatant commands in the disciplines of foundational intelligence, target systems analysis, and network and systems engineering analysis,” the document says.

The post Lawmakers nix proposal to create military cyber intelligence capability appeared first on DefenseScoop.

“Fracturing the current USCYBERCOM-NSA command arrangement would degrade flexibility, adaptability, and speed of action now provided through close and interconnected processes; ultimately impacting mission outcomes,” Lt. Gen. Timothy Haugh wrote to members of the Senate Armed Services Committee in a questionnaire as part of his confirmation process.

The phrase “dual hat” refers to Cybercom and NSA sharing a boss. When Cybercom was first created a decade ago, it was co-located with NSA at Fort Meade, Maryland to help the nascent command grow, relying on the personnel, expertise and infrastructure of the NSA. The arrangement was initially expected to be temporary.

Opponents say the dual-hat arrangement is too much work for a single person and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

Haugh said the demands of each position are effectively managed and aren’t excessive for one individual.  

There has been a burgeoning consensus in Washington that the two organizations have grown closer and might never split as officials have maintained the critical intelligence NSA provides helps feed Cybercom’s operations. Haugh noted in his confirmation hearing before the Senate Intelligence Committee July 12 that “the overlap between activities in cyberspace and within signals intelligence, those things are inextricably linked.”  

To date, many officials — including the findings of a conducted by a Defense Department and intelligence community steering group, led by former Chairman of the Joint Chiefs Joseph Dunford — have simply noted that the dual-hat arrangement is in the best interest of the United States.

However, Haugh, who is currently Cybercom’s deputy commander, went further, telling lawmakers that severing NSA and Cyber Command leadership would be problematic.

“The signals intelligence and cyber operating environments substantially overlap. Eliminating the dual hat would reduce relevant visibility and understanding across both mission sets, increasing risk to intelligence sources and operational activities,” Haugh wrote. “It would reduce the speed and effectiveness of cybersecurity collaboration in the protection of National Security Systems (NSS), the [DOD Information Network], and the [defense industrial base] by slowing and complicating information sharing and work with overlapping partners. Finally, ending the dual hat would complicate relationships with Allies and partners that conduct their own signals intelligence and cyberspace operations.”

Haugh told senators Thursday during his confirmation hearing before the Senate Armed Services Committee that having worked on each side of both organizations, “how we partner and be able to take the guidance from a single leader becomes effective in our response so we can move with the speed and agility today” — and it “would be very difficult to replicate [that] in a different configuration.”

‘Call balls and strikes’

One of the biggest arguments for keeping the current arrangement is having a single person at the top of both organizations that has oversight over the operations and activities of each.

Given the sensitivities and competing interests involved between espionage — which aims to burrow into systems and avoid detection for continued intel collection — and warfighting — which involves disrupting or destroying systems — some have argued for the need of a single person to weigh in on these equities.

“I think if you did not have a dual-hat arrangement … you would have two separate bureaucracies who would clash on a daily basis about the use of the tools, about the coordination of efforts, about the protection of their own silos,” Sen. Mike Rounds, R-S.D., ranking member of the Senate Armed Services Subcommittee on Cybersecurity, has said. “I think you have to have a person on top who can call balls and strikes between the two separate organizations.”

This so-called intelligence gain/loss, some argue, is essentially why there needs to be a single person in charge of each organization, rather than risk reducing speed of action and oversight by splitting leadership roles and adding more bureaucracy.

“This is perhaps the most critical advantage of the dual hat — a single decision maker, responsible and accountable for the mission outcomes of both organizations, is best equipped to protect critical intelligence equities while executing national priorities, as directed. It ensures fully informed tradeoff decisions are made under accountability to both the Secretary of Defense and Director of National Intelligence,” Haugh wrote.

“The most positive aspect of the dual hat is the ability of a single decision maker, responsible for the separate and distinct mission outcomes of both organizations, to allocate resources, set priorities, and execute complementary actions to produce critical outcomes for the nation. It ensures that a single, fully informed decision maker is able to protect our nation’s most sensitive signals intelligence equities and ensure both organizations are aligned with the nation’s priorities,” he added.

It is unclear when Haugh might be confirmed and take over for the retiring Gen. Paul Nakasone because Alabama Republican Sen. Tommy Tuberville has put a blanket hold on senior military officer confirmations in protest of the DOD’s abortion policies.

The post Cybercom-NSA nominee argues severing dual hat would be ‘time consuming, more complex and less effective’ appeared first on DefenseScoop.

The so-called dual-hat arrangement is one of the most hotly debated within the cyber world. Since Cybercom was created a decade ago, it has been co-located with NSA at Fort Meade, Maryland and shared a leader. At the time, this made sense to help the command grow, relying on the personnel, expertise and infrastructure of the NSA. The arrangement was always thought to be temporary, however, with proponents saying the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

But as time has gone on, there seems to be recognition among some policymakers that the current arrangement is a net positive for national security.

“I’ve been one of the staunchest opponents of changing the dual-hat relationship. I continue to support the current dual-hat arrangement,” Rep. Jim Langevin, D-R.I., told DefenseScoop in an interview. “As I look at the relationship between Cyber Command and NSA, I don’t see a problem that is solved by splitting the dual hat. In fact, I think the dual-hat arrangement benefits both organizations and provides the infrastructure and expertise that helps both Cyber Command and NSA achieve success in their individual missions.”

Langevin, who chairs the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems and is retiring this year, noted that he does not see the benefit of splitting the two organizations.

On the Senate side, another key lawmaker has voiced support for the synergies the two organizations foster.

“I personally am in favor of that. I was not to begin with. But after looking at this now for four years, I think if you did not have a dual-hat arrangement, similar to what Gen. Nakasone works in today, it means you would have two separate bureaucracies who would clash on a daily basis about the use of the tools, about the coordination of efforts, about the protection of their own silos,” Sen. Mike Rounds, R-S.D., ranking member of the Senate Armed Services Subcommittee on Cybersecurity, told DefenseScoop on the sidelines of the Politico Defense Summit Wednesday. “I think you have to have a person on top who can call balls and strikes between the two separate organizations.”

Rounds had previously said that this relationship fosters greater speed within the government to close cyber gaps in a highly dynamic environment.

“They have demonstrated that the dual-hat relationship of Cybercom and NSA has facilitated effective use of intelligence and cyber operations, both in support of military operations and the defense of the entire nation,” Rounds said during a panel discussion at the annual AUSA conference in October. “This [has] broken down stovepipes between the two organizations that now allow operations to be more effective and to be executed in a timely manner. And I can’t overestimate how critical it is that we recognize the need for speed when it comes to dealing with our adversaries.”

These sentiments have also been shared by the current director of NSA and commander of Cybercom, Gen. Paul Nakasone.

“My best military advice as it was when I first came to the job and after three-plus years in it, is the fact that through elections, through problems with Iran, through ransomware and now with Russia-Ukraine, what the dual hat has allowed us to do is been able to take and be able to focus efforts from the National Security Agency and U.S. Cyber Command on very, very difficult problems: influence, ransomware, strategic competition, in one domain, in cyberspace,” he told the House Armed Services Committee in March, noting that ultimately this is a policy decision. “We both operate there and being able to have action, being able to unity effort and being able to have agility is what the dual [hat] has been able to allow me to do over the past three-plus years.”

Several years ago, in response to rumors a split was imminent, lawmakers felt such a decision was premature and Cyber Command was not ready to stand alone. As such, Congress outlined a series of metrics for the Pentagon to meet in the fiscal 2016 National Defense Authorization Act. Those metrics were then tweaked in the 2017 policy bill adding more restrictions necessary to split the dual hat. They included that each organization have robust command-and-control systems for planning, deconflicting and executing military cyber operations and national intelligence operations — as well as ensuring tools and weapons used in cyber ops are sufficient for achieving required effects. It also sought to ensure that Cybercom can acquire or develop these tools, weapons and accesses.

Nakasone told Congress earlier this year that his organizations are still working toward that.

Rounds noted that he is in favor of maintaining the current dual-hat relationship, adding that opponents might say it would depend on the person at the top — meaning if the head of both organizations is someone that can’t handle both roles, then it would be problematic.

“My only response is, is that if you can’t then you’re going to end up with … [multiple] individuals who will have to sit down and work it out rather than one individual calling balls and strikes,” he said. “You want a committee doing this and with all the delays that go into a committee discussion, or do you want an individual respected and find the right individual who can be respected by both organizations and move in a more timely fashion?”

Langevin noted that splitting the roles could make things cumbersome and prevent the cyber mission force from being able to operate with the agility it needs.

Moreover, he said he is optimistic the ongoing review by the Director of National Intelligence and the Secretary of Defense, reported earlier this year, will come to the same conclusion as him that this arrangement should remain in place. 

The Record reported that former chairman of the Joint Chiefs of Staff Joseph Dunford is leading an intergovernmental group to examine the dual-hat arrangement and make a recommendation to the Biden administration.

The post Key lawmakers in favor of keeping ‘dual hat’ arrangement between Cybercom and NSA appeared first on DefenseScoop.

The provision is found in the Senate Armed Services Committee’s version of the fiscal 2023 National Defense Authorization Act, which passed the committee June 16, but language wasn’t released until July 18.

When Cyber Command was initially being built, the Department of Defense co-located it with the NSA as a means to help it grow, relying on the expertise, staff and even tools and infrastructure of the spy agency to get it off and running. The two still share a boss and are co-located, which is referred to as the dual hat.

However, the arrangement has been understood that it would be temporary given the inherently different missions of each organization and potential undue risk to each: NSA charged with foreign intelligence and the Department of Defense with war fighting. Opponents of the arrangement cite the outsized power of one person leading both organizations and relying on intelligence infrastructure and tools, which are meant to stay undetected, for military activity, which typically isn’t, poses risks to such espionage activity.

Those in favor of keeping the arrangement argue that Cyber Command benefits from the tight intelligence linkage and also still isn’t ready to stand on its own.

In a report accompanying the bill, the SASC notes it is “aware that concerns have been raised about whether the dual hat leadership arrangement … adversely impacts either organization. The committee believes that over the last few years, the dual hat leadership arrangement has demonstrated improved effectiveness both in support of military operations and in defense of the Nation. The committee understands that in the cyber domain success depends on speed, agility, and unity of effort, all of which are enhanced with the dual hat relationship.”

Moreover, the committee notes its understanding that having a single individual in charge of both organizations allows them to allocate resources, assess and mitigate risk to provide unity of effort in operations.

“The committee believes that the dual hat relationship ensures a strategic alignment between these organizations and is essential to the Nation’s success in strategic competition,” it said in the report.

In the 2016 annual defense policy bill, Congress outlined a series of metrics for the Pentagon to meet in order to split the two organizations. Those metrics were then tweaked in the 2017 policy bill adding more restrictions necessary to split the dual hat. They included that each organization have robust command and control systems for planning, deconflicting and executing military cyber operations and national intelligence operations as well as ensuring tools and weapons used in cyber operations are sufficient for achieving required effects. It also sought to ensure that Cyber Command can acquire or develop these tools, weapons, and accesses.

Gen. Paul Nakasone, who leads both organizations, testified before Congress in March that his organizations are still working towards meeting those metrics.

He said Cyber Command and NSA’s requirements continue to grow and that dependencies between the two entities, such as shared infrastructure, have decreased.

The briefing to the committee required by the bill, which must still be approved by the full Senate and then reconciled with the House version, must include:

• the resources, authorities, activities, missions, facilities and personnel used to conduct the relevant missions at the NSA as well as the cyber offense and defense missions of Cyber Command;
• the processes used to manage risk, balance tradeoffs and work with partners to execute operations;
• an assessment of the operating environment and the continuous need to balance tradeoffs to meet mission necessity and effectiveness, and;
• an assessment of the operational effects resulting from the relationship between the NSA and Cyber Command, including a list of specific operations conducted over the previous year that were enabled by or benefited from the relationship.

The post Senate bill to require annual briefing on NSA-CYBERCOM relationship appeared first on DefenseScoop.