The outgoing commander of U.S. Cyber Command told lawmakers Tuesday that the “whole of government” approach federal officials have advocated for years as the best way to defend the nation against cyber attacks suffers from at least one serious problem: It doesn’t move particularly quickly, at least as it’s designed today.
Adm. Michael Rogers, set to retire this spring, said the relationships between the FBI, Homeland Security Department and Defense Department have now matured to the point where each organization understands its roles and responsibilities. The persistent difficulty, he said, is coordinating them to respond rapidly.
“How do we integrate those capabilities into a tighter whole that’s really optimized to execute at the day-to-day level? As I look to the future, that’s where I’d like to see us focus our efforts,” he told the Senate Armed Services Committee. “Right now, the time it takes to deploy capability, the time it takes to coordinate a response across multiple organizations — when those well-meaning and hard-working organizations exist in separate structures — that’s not optimized for speed. So to me, the biggest challenge is how to integrate this more at an execution level. There’s an ongoing dialogue about what’s the right way ahead, and there’s no lack of opinions on this topic.”
Rogers did not venture his own opinion, saying it would be inappropriate to offer policy advice considering his limited role as an operational commander.
Understand progress being made in the evolving cyber scorecard. Download our free Expert Edition: Cyber Exposure in DoD.
However, lawmakers have repeatedly pressed the past two administrations to cohere around a single opinion on that topic and several other issues relating to cyber defense.
Last October, the committee briefly considered a subpoena after the White House declined to allow its cybersecurity coordinator to testify at a hearing on agency roles and responsibilities for cyber defense. It took two years of congressional pressure before DoD delivered an updated strategy to deter foreign adversaries in cyberspace, and Capitol Hill is still waiting for a separate, legally-mandated report from DoD on what constitutes a foreign cyber attack and how the military would respond if it saw one. That report is now eight months overdue.
Sen. Jeanne Shaheen (D-N.H.) was among several members who expressed deep frustration at what they perceived as a failure on the part of the executive branch to construct a credible organizational structure for defending against and deterring cyber attacks.
“The concern I have is who’s in charge? Unless there’s somebody who’s responsible for coordinating activities between what Homeland is doing, what DoD is doing, what the White House is doing, nobody’s going to be in charge,” she said. “It seems to me that’s the challenge we have right now.”
Sen. Bill Nelson (D-Fla.), ranking member on the Senate Armed Services Committee’s new cybersecurity subcommittee, said he and Sen. Mike Rounds (R-S.D), the panel’s chairman, have concluded that DoD faces similar coordination problems internally.
“We think the public sectors in the Department of Defense are woefully unprepared and split and segmented and not coordinated to be able to handle what is now one of the greatest threats to our national security: The cyber attacks that constantly come. And we feel that about the private sector community as well,” he said.
Nelson and other senators expressed dismay Thursday that U.S. Cyber Command has not actively moved to “engage” or “disrupt” Russian government-backed organizations that attempted to interfere in the 2016 presidential election, and who are widely believed to be planning similar campaigns for the 2018 midterm cycle.
Rogers said his teams would need explicit authority from the president, through the Secretary of Defense, to undertake such an action.
“The challenge for us is we have this thing called the law, and the legal framework right now shapes what DoD can and cannot do,” he said. “I’d need a policy decision that indicates that there are specific directions to do that. I would then be tasked to tee up some specific options, and I’d rather not go into specifics of any of that, but they would be reviewed by the chain of command. The secretary would ultimately make a recommendation to the president, and then based on that, we’d be given specific direction and specific authority.”
Whatever alterations Congress might consider for the future of U.S. Cyber Command’s legal authorities, it is already undergoing a period of significant change and working to implement several added responsibilities.
Last fall, for the first time, it used new acquisition authorities Congress granted it to procure $500,000 in IT research services, and other new “service-like” functions will soon give it the responsibility to submit its own budget proposals and program recommendations in its newly-defined role as a provider and trainer of military forces.
Those forces include 133 Cyber Mission Force teams, which Rogers said are likely to reach full operational capability as early as June, several months ahead of the previously-announced September 2018 deadline. By the end of December, those teams were 82 percent staffed.
And within the next five years, CYBERCOM expects to deploy teams of roughly 40 people to global combatant commands around the world to integrate its own work with the operational missions of the other COCOMs. Like the CMF, the new “Cyber Operations-Integrated Planning Elements” will be administered by the military services, but ultimately report to CYBERCOM.
To accommodate its growing headquarters workforce, Rogers said his command will likely ask Congress later this year for funding to construct a new headquarters facility at Fort Meade, Maryland. Currently, employees are scattered across 10 buildings owned or leased by the National Security Agency throughout a 50 square mile area around Washington, D.C.
“No other combatant commander confronts such an obstacle, which makes efficient and effective staff function challenging. In an operating environment where seconds matter, we require a headquarters that facilitates staff and partner integration, information flow, and rapid decision making,” Rogers said in written testimony.