Russia hack requires new cybersecurity paradigm
As the full extent of the damage of Russia’s hack into private sector and government computer systems continues to be investigated – with the recent revelations that Russian cyber operators may have stolen the source code for pervasive Microsoft products – there has been little effort to bring various stakeholders together to determine what long-term and strategic technical and policy solutions are needed.
There are various options to pursue, including decoupling the leadership and organizational structures of the National Security Agency (NSA) and U.S. Cyber Command (USCC), which we have already advocated as a prudent, albeit contentious step.
We recognize that there are valid concerns about the timing of such a move, including from congressional leaders who have highlighted the dangers of doing so during an unprecedented cybersecurity crisis. We do not disagree that the rash implementation of such a split could cause significant harm to ongoing national security efforts. But we believe that this moment presents an opportunity for a deliberate path to splitting the two agencies’ leadership that will enhance not only each organization’s abilities to conduct their missions but also cybersecurity and cyber operations efforts writ large.
Such a path requires concerted efforts across both executive agencies and congressional overseers over the next few months to develop, execute and manage processes in three distinct areas: internal decoupling, interagency coordination and rigorous oversight. Clearly defining the necessary outcomes and the processes that will lead to them will minimize mission disruption, enhance national security outcomes and avoid the can-kicking on an NSA-USCC split that has characterized the dialogue over the past decade.
The process for the internal decoupling of NSA and USCC should focus on the most critical issues and personnel impacted. General Paul Nakasone – like his predecessors, dual-hatted as both the NSA director and USCC commander – should be tasked with developing a list of the 3-5 most critical challenges that will arise because of the split in consultation with critical stakeholders both in and out of the government. This private/public collaboration has the potential to deliver better and quicker outcomes than current studies on splitting the hats — which seem to be largely confined within the walls of Ft. Meade and the Pentagon, and to classified channels. This approach also implicitly recognizes that the split between the two agencies will have ramifications far beyond the bounds of Ft. Meade.
Decoupling the personnel pools associated with NSA and USCC is a challenge that can also yield powerful lessons for the intelligence community’s joint duty program if it correctly focuses on transforming USCC’s dependency on NSA personnel into a mutually beneficial symbiosis. Recognizing that immediate removal of NSA personnel from USCC’s workforce could come at a significant cost, USCC leadership should identify the most critical NSA personnel detailed to or otherwise supporting USCC and charge them with developing a plan to inculcate their necessary knowledge and experience into the USCC structure. Rather than being permanently converted to USCC, these personnel should face a hard 2-3-year timeframe to transition their functions to their full-time USCC counterparts.
The lessons learned in time-bound knowledge transfer could aid joint duty officers across the community in making not only operational impact but also institutional evolution through their rotations. Building this type of institutional knowledge around highly technical concepts in the cyber domain could provide the technological equivalent of the Goldwater-Nichols Act that some have called for.
Separating the leadership of NSA and USCC will remove a conflict of interest between conducting intelligence collection on and conducting offensive operations against adversary nodes in cyberspace but will require significant reforms to interagency processes. Responding to advanced persistent threats (APTs) in cyberspace requires speed of action, something that recently-released after-action reports of the counter-ISIS cyber operation Glowing Symphony highlight as starkly lacking. In conjunction with the decoupling of the hats and in the shadow of the SolarWinds and Microsoft hacks, the incoming administration should commission an interagency effort to rework the cyber operations process. Unlike current processes, which were long opaque even to Congress, this process should be transparent and clarify ambiguity on key questions in cyber operations, including sovereignty in cyberspace and the thresholds for use of force in response to cyber operations. Such reforms could enhance international norms while addressing concerns regarding decreased agility and coordination that could be associated with decoupling NSA and USCC leadership.
To assuage existing concerns, Congress could authorize a bipartisan commission charged to examine how the Russia attack unfolded and provide policy recommendations to help both agencies to come out of the split more effective than they were under a single hat. A more controversial proposal would be to create separate cybersecurity-related oversight committees in both the House and Senate, similar to the intelligence committees created in the 1970s in the aftermath of Watergate. This would require wresting oversight of the different departments and agencies currently involved in the cybersecurity mission from existing committees.
Viewing the SolarWinds and Microsoft hacks as an impediment to deeper reform in the cybersecurity mission – including splitting the NSA and USCC leadership – is a short-sighted and costly mistake. While these attacks do not constitute the dreaded “cyber 9/11,” they are worrisome and indicate the depth of existing gaps and vulnerabilities that adversaries will seek to exploit. Focusing on the most significant issues required to lay the groundwork for the leadership split, combined with additional measures from Congress, will drive a much-needed revolutionary change in the way the U.S. tackles the cybersecurity challenge. Kicking the can down the road until a perfect solution for the split is available will stymie the growth of our cybersecurity capabilities.
Adam Maruyama is a national security professional with more than 15 years of experience in cyber operations, cybersecurity and counterterrorism. He served in numerous warzones and co-led the drafting of the 2018 National Strategy to Counterterrorism. Adam currently manages cybersecurity software deployments for a number of federal customers.
Javed Ali is a Towsley Policymaker in Residence at the University of Michigan’s Gerald R. Ford School of Public Policy and has over 20 years professional experience in Washington, D.C. on national security issues, including senior roles at the Federal Bureau of Investigation, Office of the Director of National Intelligence and National Security Council.