New assistant secretary of defense position signifies maturation of cyber within the department
The cyber enterprise within the Department of Defense has been on a long road from the Pentagon’s adoption of computers to its creation of the Internet to the establishment of U.S. Cyber Command in 2010 as the primary organization to conduct digital warfighting for the military.
As cyber has become a ubiquitous part of society, so too is it an integral part of military operations. Congress, in the fiscal 2023 annual defense policy bill, directed the creation of a new position within the Office of the Secretary of Defense to oversee all of cyber policy — the assistant secretary of defense for cyber policy — elevating the role of cyber, which sources and officials noted signifies the importance and maturity of digital capabilities within DOD.
“It’s the maturation of cyber,” Sen. Mike Rounds, R-S.D., the ranking member on the Senate Armed Services Subcommittee on Cybersecurity, told DefenseScoop in an interview. “We put it at the assistant secretary level because you will never have another confrontation, worldwide confrontation, without first having a cyber event.”
Rep. Morgan Luttrell, R-Texas, a member of the House Armed Services Committee, said these types of threats have increased and told DefenseScoop “we have to stay aggressive.”
Previously, cyber and cyber policy oversight within the Pentagon was spread too thin, according those interviewed.
“When we were talking with the folks responsible for this portfolio, we wanted to know how are you handling that huge portfolio of threats. They said, ‘Well, with regard to cyber, we delegate it,’” Rounds said. “That convinced us that it was necessary to take a look at cyber and make that a separate area of study and a separate area of responsibility with the appropriate authorities.”
The assistant secretary of defense for space policy had been overseeing cyber — serving as the principal cyber adviser to the secretary of defense — as well as nuclear, counter-WMD, space and missile defense policy, a huge portfolio. Additionally, there was a deputy assistant secretary of defense for cyber policy.
This created the need to move cyber out and provide a new office with the bandwidth to focus on these issues and consolidating all the various roles.
“Cyber needed to be pulled out from space. It’s the fastest changing domain of warfighting right now and it needs specific focus,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, said in an interview.
Within the hierarchy of defense officials and offices at the Pentagon, ASDs, as they’re known, fall beneath undersecretaries, which are just below the secretary and deputy secretary roles.
“I think it’s very significant and I think it’s necessary … In the [Pentagon] function follows form. Nothing significant happens without the DASD behind it and nothing important can be done without an ASD behind it,” Tom Wingfield, a senior international and defense researcher in RAND’s Department of Defense and Political Sciences and the deputy assistant secretary of defense for cyber policy from 2019 to 2021, said in an interview. “I think this is absolutely the right direction for cyber to be moving within the building and within the department.”
Others pointed to the fact it took over a year to officially create the office and nominate an official to lead it, drawing congressional ire.
Michael Sulmeyer, currently the principal cyber adviser for the Department of the Army, was nominated for the ASD role in March and the office was officially created later that month.
The Senate Armed Services Committee favorably passed Sulmeyer’s nomination to the full Senate by voice vote at the start of a hearing July 30, following his July 11 confirmation hearing. He could be confirmed by the full Senate later this week ahead of Congress’ August recess.
Shadow service secretary?
Some interviewed noted that the new position puts a civilian official on par with the commander of Cybercom. Cybercom is atypical within the DOD as a combatant command with service-like authorities such as acquisition and setting training standards for the services. In fact, officials have maintained that Special Operations Command, which also possesses these qualities, was the template for the organization.
Congress modeled the ASD for Cyber Policy position off the Socom and ASD for Special Operations and Low-Intensity Conflict relationship, creating what some deemed a shadow service secretary.
“The committee intends for the Assistant Secretary of Defense for Cyber Policy to provide service secretary-like functions for U.S. Cyber Command, mirroring the current relationship that exists between Special Operations Command and the ASD for Special Operations and Low Intensity Conflict,” Sen. Jack Reed, D-R.I., chairman of the Senate Armed Services Committee, said at Sulmeyer’s confirmation hearing. “It will be important for your office to not only support Cybercom’s growth, but also to maintain strong civilian control and oversight of the command.”
As a warfighting organization, Cybercom is constantly in the fight while also having to focus on administrative tasks such as budgeting, resourcing, acquisition and manpower. While some sources didn’t totally agree with the shadow service-like secretary analogy, most agreed that this higher level of oversight would help to unburden Cybercom, which earlier this year received enhanced authorities allowing the command to be in direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force, known as enhanced budget control.
“We’ve seen a lot of maturation in terms of the authorities that Cybercom has been granted. You need that corresponding credible civilian oversight to make sure that those authorities are being leveraged in appropriate ways,” Erica Lonergan, an assistant professor in the School of International and Public Affairs at Columbia University, said in an interview. “Some of the enumerated roles and responsibilities of the new ASD position are things like overseeing the budget, overseeing how Cybercom is using its new EBC authorities and things like that.”
In fact, Cybercom commander Gen. Timothy Haugh in April noted that the combination of the new authorities and the new ASD role puts the Defense Department’s enterprise in a position to realize the next generation of digital capabilities.
“I think the assistant secretary of defense does unburden Cyber Command from having to be the lead advocate inside the department,” Montgomery said.
For Congress, the office provides a focal point to coalesce various areas into a cohesive vision.
“It provides us with an opportunity to actually be able to acquire the weapons systems on a more timely basis. And second of all, it allows us the ability to put the manpower in place and to train the manpower more quickly. You need both. You need not only the tools, but you got to have the educational requirements in place as well,” Rounds said. “I’ve watched the development of Cybercom over the last decade. They’ve become more sophisticated and clearly more capable. Now, as we mature those weapons systems and those defensive capabilities, it’s important that we be able to acquire the necessary resources as quickly as possible. This is our opportunity with the assistant secretary position to elevate that, to get the decisions made as quickly as possible.”
Oversight and bureaucracy
Some indicated that it will be natural for there to be growing pains with the new position given anytime new bureaucracy is established, it creates new channels for reporting and oversight.
“Whenever you are creating a new office or structure within the Department of Defense, there are going to be growing pains. There’s no way around that,” Emerson Brooking, director of strategy and resident senior fellow at the Digital Forensic Research Lab of the Atlantic Council Technology Programs, said in an interview.
Brooking, who was also one of the authors of the 2023 DOD Cyber Strategy, added that the new budget control authorities for Cybercom come with oversight expectations from Congress and those must be routed through the proper bureaucratic lanes.
“It can’t just be Congress direct to Cybercom. It’s not good for civilian control and it’s not really the best situation for Cybercom to be in either because decisions being made may lack adequate context or top cover, which can be provided if they’re routed properly through OSD Policy with clear oversight of the secretary and his representatives,” he said.
Others noted that there will also likely have to be several deputy assistant secretary positions added beneath the ASD to handle a variety of cyber areas. Wingfield said the ASD will need a variety of so-called DASDs to be fully effective.
“Right now, it’s really a shoestring effort. Whether it takes more people from policy, or more focus from inside the building, the idea of deciding what DASDs are needed inside cyber policy — do you need one for cyber, do you need one for information and the fight that would cause was with the special operations community? Do you need one for electronic warfare? Do you need one for emerging technologies?” he said. “You can imagine different portfolios of DASDs within that would be the natural evolution beyond the minimal state we’re at now with just the former DASD of cyber policy and the [principal cyber adviser].”
Given all that cyber touches right now, it’ll be important for the new position to also seek to ingrate cyber into other areas and domains within DOD.
Moreover, there are tight linkages between electronic warfare and cyber as well as the information domain and cyber.
Sulmeyer, in a questionnaire from senators ahead of his confirmation hearing, acknowledged the new office has responsibilities for certain electronic warfare topics that relate closely to cyber, and he committed to working with officials to discuss additional duties and responsibilities. He also noted that information operations are often complementary to cyber operations and promised to examine how the current assigned responsibilities have evolved and how they align against current and future threats.
Sulmeyer will be entering the office at a critical time for cyber within the department as calls for an independent military service focused exclusively on cyber grow louder, given the incongruencies of the way each service presents forces to Cybercom and readiness issues associated with those forces. There are currently identical provisions that have passed both armed services committees in each chamber of Congress directing an independent study on the matter.
“Indeed, the first challenge you will face is meeting the personnel manning and retention goals for our Cyber Mission Forces. The Defense Department faces significant difficulties in training and retaining personnel for key positions requiring special skills,” Reed said at Sulmeyer’s confirmation hearing. “In order to mature the cyber force and advance our nation’s capabilities to conduct cyber operations, the military services must provide qualified and trained personnel to Cybercom on time and at the beginning of their tours.”
Sulmeyer told senators in his questionnaire that he will prioritize the evaluation of force generation models to determine the most effective and efficient approaches to “build combat power and sustained readiness to defend the nation from cyber threats,” vowing to work closely with Haugh on executing the command’s service-like authorities.
Many agreed that Sulmeyer is the right person at the right time for the role. Previously, he served as director for plans and operations for cyber policy in the Office of the Secretary of Defense, before departing government to head the Cybersecurity Project at the Harvard Kennedy School’s Belfer Center. He then came back to the Biden-Harris administration to serve as a special assistant to the president and senior director of cyber policy at the National Security Council, and senior adviser to Paul Nakasone — the most recent commander of Cybercom — before transitioning to his current role as principal cyber adviser for the Army.
Rounds noted that Congress wanted a cyber expert to be the inaugural ASD for Cyber Policy given the importance of the role and cyber in the DOD, adding that Sulmeyer “fits that bill perfectly at this stage of the game.”
Moreover, his vantage of a service principal cyber adviser best postures him to understand the ins-and-outs of cyber issues within the department.
“Sulmeyer is the right guy. Having a guy come from a service PCA role means he really understands the acquisition challenges cyber command is facing,” Montgomery said. “There’s no one better positioned than a serving service PCA to be the first assistant secretary, because all the shortfalls, all these challenges are ones he’s dealing with on a micro level, on a single service level, that he’ll now have to deal with on a macro level across all the services.”