Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report

The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons of the NSA/CYBERCOM “dual-hat” system (pursuant to which the director of the NSA/CSS and commander of CYBERCOM are the same person). The report deserves attention but also some criticism and context. Here’s a bit of all three.

1. What is the “dual-hat” issue?

If you are new to the dual-hat issue, or if you have not closely followed developments of the past year, please read this recent post for an introduction and overview.

2. What was GAO’s bottom line? Did it recommend keeping or abolishing the dual hat?

Neither. The report does not purport to answer that question. It is, instead, no more and no less than an attempt to convey the Defense Department perspective (and only the DOD perspective) on the pros and cons of keeping the dual-hat structure (as well as identifying some mitigation steps).

3. What method did GAO use to determine DOD’s perspective?

GAO did three things:

1. It reviewed documents previously generated by CYBERCOM and by the Joint Staff to educate their own leadership on the pros and cons.

2. It sent out questionnaires to various DOD components (with relevant responses received from CYBERCOM, six combatant commands, four combat support agencies, and three offices within the Office of the Secretary of Defense, plus a collective response for the Defense Department produced by DOD’s chief information officer); and

3. It conducted interviews with personnel from CYBERCOM, the Defense Department's chief information officer, and NSA/CSS.

4. Anything wrong with that methodology?

Not if your goal is to convey only the Defense Department’s perspective. And to be fair, that was GAO’s stated goal. But this approach is problematic.

One of the issues driving the dual-hat debate involves the tension that arises between intelligence-collection equities (which NSA would be inclined to favor) and disruption equities (which CYBERCOM would be inclined to favor), in the scenario in which access to enemy-controlled system could be used for either purpose. As a result, the intelligence community has a stake in this question. GAO should have reached out for input from the Office of the Director of National Intelligence in particular (it also is odd that GAO included only NSA in one of the three methods mentioned above).

GAO might respond that its terms of reference were DOD-specific. That’s clearly true for certain other parts of the GAO report in question, dealing with other topics. It’s less clearly the case with the dual-hat portion of the report. But even if it is, it does not follow that GAO could not include in its report any reference to possibly competing perspectives from the intelligence community. Indeed, I would go further and say it was a big mistake not to do so, for it was perfectly foreseeable that this report would be taken by many (especially the media) as conveying a general assessment of the dual-hat issue rather than just a DOD-specific summary of opinions, no matter how many caveats are given.

5. Fine, but it is what it is. So let’s look at what GAO actually reported, starting with the three “pros” favoring preservation of the dual-hat arrangement. The first one asserts that the dual hat promotes coordination and collaboration between NSA and CYBERCOM. Comments?

At bottom, this is a claim that having a common boss makes it relatively easy to collaborate when it comes to developing exploits and sorting out when and how they are used. That makes sense and is consistent with conventional wisdom on the dual-hat situation.

6. The second “pro” is about how the dual hat solves the deconfliction challenge mentioned above, but what’s really interesting here is what the report implies about how that challenge would otherwise have to be managed.

As already noted, the need to deconflict when collection and disruption equities compete is a big part of this story. Here, GAO acknowledges that the status quo provides a ready-made solution. So far, so good. What is really interesting, though, is the comment GAO then makes regarding what would happen in such cases of tension in the absence of the dual hat.

Tellingly, the report observes that, in that case, deconfliction issues would have to be taken “to the Secretary of Defense and/or Director of National Intelligence for resolution…” (emphasis added). I love the use of “and/or” in that sentence. It perfectly captures a critical point: Absent a dual hat, there has to be a new deconfliction system, yet the lead contenders for that role each have a dog in the fight.

Let me expand on that a bit.

Assume we decide to end the dual-hat system, without first settling on a new deconfliction system. What then? In that case, CYBERCOM usually will win over NSA. Why? Think about it. NSA wants to use existing access to keep collecting, but CYBERCOM wants to use it to disrupt the platform. If NSA barrels ahead with its preference, nothing really changes; the target remains operational and the enemy is none the wiser, hopefully. But if CYBERCOM barrels ahead with its preference, in most instances that will shut down the target (or at least make clear to the enemy that the target has been penetrated); no more collection at that point. NSA will lose such battles, except when DIRNSA manages to see the issue coming and gets someone over CYBERCOM’s head to make it back off.

Sounds like we would need a formal system to replace the dual hat for deconfliction then. But what would that look like? If the solution is to charge the director of national intelligence with making the call, CYBERCOM probably won’t be happy. If the solution instead is to charge the secretary of defense (or USD(I) or the like), NSA (and DNI) probably won’t be happy. If the solution instead is to convene a committee of some kind with stakeholders from both sides—and that committee works by majority vote—then the same problem arises (unless you find some third-party player, such as the national security adviser, to ensure there is not a tie and that the intelligence community and military have equal voting power).

The point being: This issue needs serious attention. I don’t doubt that a decent solution can be developed, but care must be taken lest we stumble into the default scenario mentioned above.

7. The third “pro” involves the efficient allocation of resources, but it’s really about the idea that NSA makes CYBERCOM possible—and that reminds us that the dual hat isn’t going away soon.

The third pro noted by GAO is that the dual hat facilitates NSA and CYBERCOM sharing operational infrastructure (translated: hacking tools, accesses, staging servers, personnel, etc.), as well as the infrastructure for training. Of course, it’s pretty much a one-way street; this traditionally is all about NSA sharing its expertise with CYBERCOM as it has stood up. Legislation currently forbids separation of the dual hat until the Defense Department can certify that CYBERCOM is truly ready to operate independently. That’s supposed to be the case by September next year, but of course it’s one thing to say it and quite another to achieve it.

8. Turning now to the “cons,” GAO introduces the idea that the dual hat may give CYBERCOM an unfair advantage over other commands.

This one was phrased very carefully. Without saying that this problem already exists, GAO says that CYBERCOM thinks that other commands are worried that the dual hat may in the future unduly favor CYBERCOM requests for NSA support over the requests that come from other military commands. This is an interesting twist on the more familiar concern that military equities in general will trump collection equities. This is military-vs.-military instead. At any rate, again note that it is framed as speculation rather than a current observation. That might be politeness, or it might really be purely speculative. You really can’t tell from the GAO report (see my last point below, on whether any of the reports observations have strong evidentiary foundations).

9. The second con GAO lists is a bombshell: The dual hat creates “[i]ncreased potential for exposure of NSA/CSS tools and operations.”

Wow. In an almost cavalier way, the GAO report links the dual-hat issue directly to the fierce, ongoing debate over the security of NSA’s tools, a topic that goes to the heart of NSA’s mission. Because of the importance of that latter debate, GAO’s assertion will constitute a heavy thumb on the scale in favor of separating the dual hat, if it catches on. Time will tell if it will. For now, let’s just take a closer look at the claim.

First, here is what GAO says on the subject:

The dual-hat command structure has led to a high-level of CYBERCOM dependence on NSA/CSS tools and infrastructure. According to NSA/CSS officials, the agency shares its tools and tactics for gaining access to networks with a number of U.S. government agencies, but CYBERCOM’s dependence on and use of the tools and accesses is particularly prevalent. CYBERCOM’s dependence on NSA/CSS tolls increases the potential that the tools could be exposed.”

Let’s parse the two claims here.

Does the dual hat create CYBERCOM dependence on NSA, as the first sentence indicates? I think that has things backwards. As noted in the prior “con,” CYBERCOM badly needed NSA at first and still needs it to no small extent. That’s not caused by the dual hat. It is caused by lack of capacity. The dual hat has been part of the solution to that need. Perhaps DOD meant to convey a different point: that keeping the status quo has become a crutch that prevents CYBERCOM from pressing faster to build its own capacities. That makes more sense.

Does CYBERCOM use of NSA tools and accesses (i.e., exploits and penetrations) increase the risk of their exposure? Put that way, the answer must be yes. Every instance of use of any exploit or access creates an opportunity for others to discover it, and so the risk must go up each time (you might say each use increases the “exposure surface”). But note that we’ve just put the question in a non-nuanced way, without any attempt to quantify the degree of increase in the risk, let alone to place it in context with off-setting benefits or with reference to mitigation strategies for this problem. All that emerges from the GAO report is the bottom line: CYBERCOM relies on NSA tools ostensibly because of the dual hat, and therefore the dual hat increases the risk of those tools getting loose. Any suggestion that a policy exacerbates that risk is bound to draw attention.

The possibility of loose NSA tools has become a flash point for debate, in a manner that threatens for better or worse to create new limits on the ability of NSA to develop or keep certain capacities (particularly knowledge of zero-day vulnerabilities). NSA received a substantial black eye when a Russian intelligence agency the “mysterious” entity identifying itself as the Shadowbrokers somehow acquired a cache of NSA-created exploits and then began dumping them publicly—especially after one of those exploits was used in connection with WannaCry and NotPetya. Both WannaCry and NotPetya received a vast amount of media attention, much of it pinning the blame in large part on NSA. This fueled arguments to the effect that NSA should not be allowed to create or preserve such tools (or at least that current procedures for balancing the competing equities involved (building NSA’s collection capacity, vs. improving the security of commercially available products) should be altered significantly to reduce NSA’s capacities in this area).

That argument was out there before WannaCry and NotPetya broke, but once those stories broke it received a strong boost from Microsoft. As this June piece in The New York Times from Nicole Perlroth and David Sanger underscores, this perspective has gained considerable momentum with some in private industry, Congress and foreign governments. Just this morning, former NSA deputy director Rick Ledgett wrote a post here at Lawfare fighting back against this argument, highlighting how important the issue is.

Whether you agree or disagree with this argument, surely you can appreciate how it has made the government acutely sensitive to questions about the security of NSA’s tools. As a result, the argument that the dual hat creates significant security risks for those tools has the potential to have an outsize impact on the dual-hat debate. Which is a good thing, if the argument is a persuasive one. Unfortunately, the GAO report does not come anywhere close to giving us enough information to judge the matter. And yet this part of the report grabbed headlines in some quarters (see this piece in NextGov, titled “GAO: Keeping NSA and CyberCom Together Makes Hacking Tool Leaks More Likely”).

10. The next con listed by GAO: NSA and CYBERCOM are too much for any one person to manage.

That’s a familiar and serious concern, and it is unsurprising that it arose here. It is entangled to some extent with the deconfliction issue, of course, but at the end of the day being director of NSA and commander of CYBERCOM both concern vastly more than deconfliction.

11. The next con on the list? Strangely, it’s the deconfliction issue, which we already discussed above as a “pro” for the dual hat. What gives?

It is telling that the deconfliction issue pops up both as a pro and a con. As noted above, the dual hat is a good thing for deconfliction insofar as one thinks there ought to be a single decision-maker who takes both collection and disruption equities seriously. But here we see the flip-side of the argument, as GAO reports that personnel from both NSA and CYBERCOM (“including a senior-level official”) told GAO that the “dual-hat leads to increased tension” between NSA and CYBERCOM staffs, because their respective collection and disruption missions “may not always be mutually achievable.”

You know what I’m going to say, I suspect. The tension is caused by the combination of incompatible missions and shared tools/accesses. That’s not the dual hat’s fault. The dual hat is one solution to resolving the tension. As I have noted here, there clearly is a view in some circles that the fix is in with the dual hat, in favor of NSA’s collection mission. Maybe that’s right, maybe it’s not. But at any rate, listing the dual hat as a con here seems to be a reflection of that perspective.

12. The last con on the list has to do with difficulties in tracking expenditures the NSA makes on behalf of CYBERCOM.

This may well be a very important issue, but it seems to me the sort of thing to be addressed through improved procedures and should not matter much in deciding whether to keep the dual hat.

13. How strong is the evidence supporting the various pro and con claims?

I recommend caution. We get a description of GAO’s methods, as noted above, but we do not also get the underlying documents, interview notes, etc. And the report’s narrative on each point is exceedingly thin, no longer really than what I’m providing here. Note, too, my earlier observation that GAO does not appear to have sought the views of ODNI, and sought NSA views only to a limited extent. None of which is to say that any of the observations are incorrect, of course.