Splitting NSA, CyberCom Now Could Reduce Military Access to Intelligence, Milley Says

Army Gen. Mark A. Milley, chairman of the Joint Chiefs of Staff, speaks during a Harvard National Security Fellows Virtual Meeting at the Pentagon, May 7, 2020.

Army Gen. Mark A. Milley, chairman of the Joint Chiefs of Staff, speaks during a Harvard National Security Fellows Virtual Meeting at the Pentagon, May 7, 2020. Navy / Petty Officer 1st Class Carlos M. Vazquez II

The Joint Chiefs chairman says the organizations have not yet worked out how to keep the data flowing after the long-awaited split.

Despite years of waiting and a last-minute push by Trump administration officials in December to separate NSA from Cyber Command, the criteria for separating the two has not yet been met, the chairman of the Joint Chiefs of Staff says. 

“For us in the military, the signals intelligence we get from the NSA is...unbelievably good,” Gen. Mark Milley told reporters last Wednesday aboard a Defense Department aircraft. “It’s among the most valuable pieces of intelligence we get on a daily basis. The last thing we want to do is anything that would cause harm to...the production and dissemination of that information. So we want to make sure we do it right, slow, step by step. You can’t miss a beat with this thing.”

Said Milley: “We established some organizational criteria that had to happen in order for it to split. Those criteria aren’t met yet.” 

Under the 2017 National Defense Authorization Act, the approval of the Joint Chiefs chairman, along with that of the defense secretary, is necessary to separate the two agencies. The 2020 authorization act specified that such approval should only come when Cyber Command’s Cyber Mission Force has demonstrated that it can execute “national-level missions through cyberspace, including deterrence and disruption of adversary cyber activity, Defense of the Department of Defense Information Network; and support for other combatant commands, including targeting of adversary military assets.”

Under a “dual-hat” arrangement, one person serves as the head of both Cyber Command, a unified combatant command; and of the NSA, the intelligence agency that collects signals data (essentially digital and electronic intelligence) on foreign entities to inform the broader U.S. intelligence community and protects key U.S. entities from cyber attacks. 

Since virtually every modern U.S. military operation contains some cyber element, Cyber Command plays a key role in U.S. military activity across the globe. The NSA, as an intelligence agency, plays the lead role in helping the government understand who is attacking U.S. networks and tracking down adversaries in cyberspace (in addition to finding intelligence on foreign adversaries.) But unlike the CIA or the FBI, the NSA is headed by a career military officer under the dual-hat arrangement. That means that whoever holds that job has a unique view into every U.S. military operation taking place as well as the digital comings and goings of U.S. adversaries around the world and the vulnerabilities of U.S. networks. 

That dual-hat arrangement has been a sore spot for some for years and remains an issue of some controversy. Academics and cyber practitioners have urged a swift end to it, arguing that it puts the NSA and Cyber Command at odds, since Cyber Command may be in a position to remove a cyber target that the NSA wants to keep to continue intelligence collection, among other reasons. 

So what is taking so long? Persistent concerns that if Cyber Command were split from the NSA, Cyber Command wouldn’t be able to stand on its own. 

As Michael Sulmeyer, currently the senior director for cyber with the National Security Council, wrote in 2017: “When Cyber Command needs NSA support, the fact that it’s the same person in charge of both organizations can break what might otherwise be a log-jam. Splitting the dual-hat could result in the NSA isolating itself and refocusing on its own core missions (the collection of signals intelligence and providing information assurance) while minimizing its support to Cyber Command.” (Sulmeyer was serving as the Cyber Project director for Harvard’s Belfer Center at the time of the writing.)