Senate bill to require annual briefing on NSA-CYBERCOM relationship

Inside U.S. Cyber Command at Fort Meade, Maryland. (Josef Cole / DOD / U.S. Cyber Command)

A Senate committee wants annual briefings on the relationship between U.S. Cyber Command and the National Security Agency, which are currently co-located and have shared resources.

The provision is found in the Senate Armed Services Committee’s version of the fiscal 2023 National Defense Authorization Act, which passed the committee June 16, but language wasn’t released until July 18.

When Cyber Command was initially being built, the Department of Defense co-located it with the NSA as a means to help it grow, relying on the expertise, staff and even tools and infrastructure of the spy agency to get it off and running. The two still share a boss and are co-located, which is referred to as the dual hat.

However, the arrangement has been understood that it would be temporary given the inherently different missions of each organization and potential undue risk to each: NSA charged with foreign intelligence and the Department of Defense with war fighting. Opponents of the arrangement cite the outsized power of one person leading both organizations and relying on intelligence infrastructure and tools, which are meant to stay undetected, for military activity, which typically isn’t, poses risks to such espionage activity.

Those in favor of keeping the arrangement argue that Cyber Command benefits from the tight intelligence linkage and also still isn’t ready to stand on its own.

In a report accompanying the bill, the SASC notes it is “aware that concerns have been raised about whether the dual hat leadership arrangement … adversely impacts either organization. The committee believes that over the last few years, the dual hat leadership arrangement has demonstrated improved effectiveness both in support of military operations and in defense of the Nation. The committee understands that in the cyber domain success depends on speed, agility, and unity of effort, all of which are enhanced with the dual hat relationship.”

Moreover, the committee notes its understanding that having a single individual in charge of both organizations allows them to allocate resources, assess and mitigate risk to provide unity of effort in operations.

“The committee believes that the dual hat relationship ensures a strategic alignment between these organizations and is essential to the Nation’s success in strategic competition,” it said in the report.

In the 2016 annual defense policy bill, Congress outlined a series of metrics for the Pentagon to meet in order to split the two organizations. Those metrics were then tweaked in the 2017 policy bill adding more restrictions necessary to split the dual hat. They included that each organization have robust command and control systems for planning, deconflicting and executing military cyber operations and national intelligence operations as well as ensuring tools and weapons used in cyber operations are sufficient for achieving required effects. It also sought to ensure that Cyber Command can acquire or develop these tools, weapons, and accesses.

Gen. Paul Nakasone, who leads both organizations, testified before Congress in March that his organizations are still working towards meeting those metrics.

He said Cyber Command and NSA’s requirements continue to grow and that dependencies between the two entities, such as shared infrastructure, have decreased.

The briefing to the committee required by the bill, which must still be approved by the full Senate and then reconciled with the House version, must include:

  • the resources, authorities, activities, missions, facilities and personnel used to conduct the relevant missions at the NSA as well as the cyber offense and defense missions of Cyber Command;
  • the processes used to manage risk, balance tradeoffs and work with partners to execute operations;
  • an assessment of the operating environment and the continuous need to balance tradeoffs to meet mission necessity and effectiveness, and;
  • an assessment of the operational effects resulting from the relationship between the NSA and Cyber Command, including a list of specific operations conducted over the previous year that were enabled by or benefited from the relationship.