Senate bill will require annual briefing on NSA-CYBERCOM relationship

Written by Marc Pomerleau

A Senate committee wants annual briefings on the relationship between US Cyber Command and the National Security Agency, which are currently co-located and have shared resources.

The provision is found in the Senate Armed Services Committee’s version of the National Defense Authorization Act for Fiscal Year 2023, which was passed by the committee on June 16, but the language was only released July 18.

During the initial construction of Cyber Command, the Department of Defense co-located it with the NSA as a way to help it grow, relying on the spy agency’s expertise, personnel, and even tools and infrastructure to get it up and running. Both still share a boss and are co-located, which is called the double hat.

However, it was understood that the arrangement would be temporary given the inherently different missions of each organization and the potential undue risk for each: the NSA is in charge of foreign intelligence and the Department of Defense of war. Opponents of the arrangement cite the inordinate power of one person heading both organizations, and argue that relying on intelligence infrastructure and tools, which are meant to remain undetected, for military activity, which generally is not, presents risks for such spying activity.

Those in favor of keeping the arrangement argue that Cyber Command benefits from the close intelligence link and is still not ready to stand on its own.

In a report accompanying the bill, the SASC notes that it is “aware that concerns have been raised about whether the dual-hatted leadership arrangement … has a negative impact on either organization. The committee believes that over the past several years, the two-hatted leadership arrangement has demonstrated increased effectiveness both in support of military operations and in defense of the Nation. The committee understands that in the cyber domain, success depends on speed, agility and unity of effort, all of which are enhanced by the double hat relationship.”

Further, the committee notes that it understands that having one person responsible for both organizations allows that person to allocate resources and to assess and mitigate risks to ensure unity of effort in operations.

“The committee believes that the two-hat relationship ensures strategic alignment between these organizations and is critical to the Nation’s success in strategic competition,” it said in the report.

In the 2016 annual defense policy bill, Congress set out a series of parameters that the Pentagon must meet in order to split the two organizations. These measures were subsequently modified in the 2017 bill, adding more restrictions that must be met to divide the double hat. They included ensuring that each organization has robust command and control systems to plan, resolve and execute military cyber operations and national intelligence operations, as well as ensuring that the tools and weapons used in cyber operations are sufficient to achieve the effects required. They were also intended to ensure that Cyber Command could acquire or develop these tools, weapons and access.

General Paul Nakasone, who leads the two organizations, told Congress in March that his organizations were still striving to meet those parameters.

He said Cyber Command and NSA requirements continue to grow and dependencies between the two entities, such as shared infrastructure, have diminished.

The committee briefing required by the bill, which still needs to be approved by the full Senate and then reconciled with the House version, should include:

  • the resources, authorities, activities, missions, facilities and personnel used to carry out relevant NSA missions as well as cyber defense and Cyber Command defense missions;
  • the processes used to manage risks, balance trade-offs and work with partners to execute operations;
  • an assessment of the operating environment and the continued need to balance trade-offs to meet mission necessity and effectiveness; and
  • an assessment of the operational effects resulting from the relationship between the NSA and Cyber Command, including a list of specific operations conducted during the previous year that were enabled by or benefited from the relationship.

Norman D. Briggs