The National Defense Authorization Act, which goes to the House Rules Committee today and Wednesday, could reshape the structure and management of the U.S. Cyber Command.
Repeatedly, the bill expresses concern at USCYBERCOM’s reliance on the National Security Agency. The same person — NSA Director Gen. Keith Alexander — currently oversees NSA and USCYBERCOM simultaneously. In addition, USCYBERCOM relies on NSA for warfighting infrastructure, management and personnel.
If enacted, the act would require a report filed within 300 days assessing whether the relationships between the two agencies enhance or hinder USCYBERCOM’s mandate — to defend the military’s networks and organize its cyberresources.
Within 60 days of that report being filed, the defense secretary and director of national intelligence would have to submit their suggestions. By this time next year, USCYBERCOM could look quite different.
The Defense Science Board, a panel of civilian experts that advises the Defense Department on all matters defense (research, engineering, acquisitions, etc.), would handle the initial report.
Alexander has been the only USCYBERCOM commander since its 2010 inception, assuming the responsibilities five years into his tenure as NSA director. At the time, Alexander discussed building a cyberforce of more than 6,200 experts. But according to comments in April from Ken Bray, a Pentagon intelligence official, USCYBERCOM needs 3,700 more cyberexperts to get there.
“We’re not even halfway there yet on trying to get to the vision of what is a proper cyberforce to adequately give capability to the national command authorities … and defend the nation,” he told Defense News.
That is why the board would also investigate, according to the bill, “the ability of the Department of Defense to train and develop, through professional assignment, individuals with the appropriate subject-matter expertise and management experience to support” both USCYBERCOM and NSA.
A late 2012 memo — signed by two dozen military experts and sent to Deputy Defense Secretary Ashton Carter — said DOD’s cybertraining methods were outdated and inadequate. Currently, under an August 2004 DOD directive, information security experts must receive specific certificates that have been criticized for lacking the necessary hands-on training.
The memo — which Federal Times reported on — quoted a U.S. Army chief warrant officer assigned to U.S. Army Cyber: “One of the biggest threats to the DOD networks is the inability of DOD security professionals to secure the networks. Many of these security professionals have the required certifications but no understanding how to truly secure the DOD networks and make poor decisions resulting in vulnerable networks.”
Even DOD Chief Information Officer Teri Takai has said in recent months, “We have never said that our policies and procedures, as it relates to IA certification and qualification, are completely up to date.”
To gauge the inadequacy of network protection, the bill would also require the defense secretary to compile a report of all DOD network breaches in the 21st century for the congressional defense committees. Specifically, it asks for details on intrusions that compromised information on research and development initiatives related to weapons and information systems.
The bill reads: “Such report shall include a description of the critical program information that was compromised, the source of each network that was compromised, the systems or developmental activities that were compromised, and the suspected origin of each cyberintrusion.”
For all the potential changes, though, the bill is not devaluing USCYBERCOM. It includes all of President Barack Obama’s budget requests for cyber-related efforts, including $68 million for USCYBERCOM research and development.