Cyber Command Should Get More Acquisition Authority

US Cyber Command boss Adm. Michael Rogers and retired Gen. Michael Hayden, a former NSA director, speak at AFA's Air, Space & Cyber Conference in National Harbor, Md., on Sept. 20, 2017. Staff photo by Mike Tsukamoto.

US Cyber Command commander and NSA Director Adm. Michael Rogers believes preparing the US against cyber attack shouldn’t focus solely on networks, but rather on a combination of networks, platforms, weapon systems, and data.

“As we’re trying to build a future for us” within the DOD, Rogers said, “We’re very focused on those areas increasingly.” And in that focus is an outward vision of defense.

For example, Rogers told attendees of ASC17 he’s been working with the Department of Homeland Security on a series of projects aimed at “critical infrastructure” improvements. On other fronts, industry is increasingly interested in, and initiating relationships aimed at, both solving DOD’s military problems and developing civilian capabilities it could later monetize. Such relationships, however, are sometimes problematic.

“You can’t think of information sharing as just the government offering insights … It’s gotta work both ways,” Rogers said. “What I need knowledge of is your network configuration, your network activity, and I need to get a sense of where’s your most critical information,” Rogers said he tells private sector partners.

But Rogers is somewhat constrained in his ability to venture outside certain boundaries in seeking the information he says is significant in creating defense mechanisms.

“There are certain things only governments can do,” said Michael Hayden, a retired USAF general and former NSA director, speaking alongside Rogers and reinforcing that limitation. “A lot of [Rogers’] capacities right now are limited by policy.”

If the relatively young, seven-year-old Cyber Command becomes more independent—perhaps “separate from the National Security Agency”—it should be allowed to “jump over” traditional acquisitions processes, added Hayden, who openly argued in May, while testifying to the Senate Armed Services Committee, that CYBERCOM should be cut away from the NSA. He pleaded his case alongside Lt. Gen. James Clapper, former director of national intelligence, and Adm. James Stavridis, former boss of US European Command.

Independence of that sort allows for quicker decision-making fostered by faster information analysis, with fewer pipelines through which to travel.

While the power status of the command is holding steady, however, Hayden argued traditional definitions in the relationship between government and industry may need a wash. That doesn’t necessarily mean DOD should allow information to flow more smoothly in and out of its branches, or that security clearances or access to classified information should get easier to earn.

“It means redefining what we mean by ‘security clearances,’ redefining what we mean by ‘classified information,’” Hayden said.

Looking ahead, Rogers said arriving at a cybersecure endpoint is “not the right mindset we should be in.” He added, “Given the rate of change here, you gotta get used to the idea that the goal line keeps evolving and changing.”