And have the signals-intelligence agency report directly to the Director of National Intelligence.
The lack of conclusive “upstream” intelligence about Russia’s long-running, recently discovered “digital espionage” effort suggests a need to rethink how the U.S. is organized to meet cyber threats — and in particular, the “dual-hat” leadership of the National Security Agency and U.S. Cyber Command.
To be sure, the United States has worked to improve its national security focus on cybersecurity in recent years, spurred by Russian efforts to interfere in the 2016 election and recognition that more adversaries can and will want to use offensive cyber methods and tools. These efforts include strategy documents, executive orders, and legislation — yet more work remains to be done. Insights about the SolarWinds attack underscore a number of cybersecurity gaps and vulnerabilities that were exploited. These include shortcomings in virtual supply chains from the private sector to the government, incomplete information-sharing between and within both these sectors, and the limitations of federal cyber threat detection measures like the Department of Homeland Security’s Einstein program.
The next step should be acting on a long-debated proposal to split the job of leading the NSA and CYBERCOM. On Dec. 19, officials with the lame-duck Trump administration sent the Joint Chiefs of Staff a plan to do so. The plan would need the defense secretary and Joint Chiefs Chairman to certify that it meets Congressional requirements; it is not clear whether they will do so before the next administration begins.
Critics of splitting the job note that the two agencies enjoy a very close relationship, sharing people, expertise, resources, and even a physical campus. Separate organizations with different chains of command would develop this level of integration and collaboration slowly, if ever.
But from our vantage point as former professionals with significant experience and insights on how national security reforms have unfolded since 9/11, we believe the nation could be served by the split. Such a move would have a rough precedent in the 2004 Intelligence Reform and Terrorism Prevention Act, which established the Office of the Director of National Intelligence and created the Director of National Intelligence (DNI) position. The law allowed the Central Intelligence Agency to retain its authorities and responsibilities, but its director was no longer forced to lead both an operational agency and the entire U.S. intelligence community.
Splitting up the leadership of NSA and CYBERCOM could allow the latter commander to fully focus on the organization’s attention on training, equipping, and organizing military forces to conduct the full spectrum of operations to support national security priorities. It could also eliminate potential conflicts of interest in which the CYBERCOM would advocate conducting warfare against a cyber target (i.e., taking it down) while the NSA would be more interested in collecting intelligence from it (i.e., leaving it up but subverting it). Such decisions would be elevated to an interagency forum such as the National Security Council, where competing equities could be debated in a rigorous manner.
We would also advocate for moving the NSA from its organizational home in the Defense Department. It should be led by a Presidentially-appointed, Senate-confirmed civilian who reports to the DNI. Such a move would improve NSA’s existing authorities and capabilities, place it under the intelligence umbrella for which it’s best suited, and improve its ability to serve national-level and military-specific intelligence requirements.
Javed Ali is a Towsley Policymaker in Residence at the Gerald R. Ford School of Public Policy at the University of Michigan. He previously had over 20 years professional experience in Washington, DC on national security issues, to include senior roles at the Federal Bureau of Investigation, Office of the Director of National Intelligence, and National Security Council.
Adam Maruyama is a national security professional with more than 15 years of experience in cyber operations, cybersecurity, and counterterrorism. He served in numerous warzones and co-led the drafting of the 2018 National Strategy to Counterterrorism. Adam currently manages cybersecurity software deployments for a number of federal customers.