DOD creates Cyber Command as U.S. Strategic Command subunit

The director of NSA will lead the U.S. Cyber Command, which will be a subunit of the U.S. Strategic Command and will reach initial operating capacity in October.

Defense Secretary Robert Gates issued a much-anticipated order June 23 establishing the U.S. Cyber Command, which will assume responsibility for the defense of the military’s portion of cyberspace.

The new Cybercom will be a subunit of the U.S. Strategic Command and will be commanded by the director of the National Security Agency. It is expected to be headquartered with NSA at Fort Meade, Md., and to reach initial operating capacity in October, with full operating capacity coming in October 2010.

The order is a recognition that cyberspace is a distinct military domain, along with land, sea and air, and that the Defense Department must be prepared to defend it and to conduct offensive operations in it.

“Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our nation’s security and, by extension, to all aspects of military operations,” Gates wrote in his order. “Yet our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

Planning for Cybercom has been in the works for some time, and the order has been expected for several weeks. Observers in the cybersecurity field have said such coordination of defensive and offensive activities is needed to ensure the security and availability of the critical information infrastructure.

Alan Paller, director of research at the SANS Institute, called the command a “spectacular idea” because it allows defense to be informed by offensive capabilities and offers the potential for increased interoperability, information sharing and visibility. It also could provide enhanced career paths for cybersecurity professionals.

“The only downside is the possibility that they will so militarize the Information Assurance Division of NSA that they stop it from fully realizing the promise of public/private partnership initiatives that will be critical for turning the tide against the attackers,” Paller said.

NSA and DOD officials have said that although the new command would assume responsibility for defending the .mil domain, NSA would continue offering its expertise and assistance to defend the .gov and .com domains. The Homeland Security Department has primary responsibility for the government’s .gov networks, and responsibility for nongovernment critical infrastructure falls to both the public and private sectors.

In remarks made last week, Deputy Defense Secretary William Lynn III said the new command does not represent an expansion of DOD’s mission in cyberspace. “On the contrary, it is keeping with our defined and historic mission, to protect and defend our national security and to protect the lives of our men and women in uniform,” he said.

He also stressed that “such a command would not represent the militarization of cyberspace. It would in no way be about the Defense Department trying to take over the government’s cybersecurity efforts. On the contrary, such a command would not be responsible for the security of civilian computer networks outside the Defense Department.”

The new command will be subject to congressional oversight and “would operate within all applicable laws, executive orders and regulations,” Lynn said.

NSA’s director will be the Cybercom commander and carry the grade of general or admiral. The deputy commander positions at NSA and Cybercom would be separate.

In conjunction with the establishment of the new command, officials will develop a national strategy for cybersecurity and review policy and strategy to develop a comprehensive approach to cyberspace operations.

Gates said the formation of Cybercom does not expand the role of the Strategic Command in military cyberspace operations, but the command will assume responsibility for several existing organizations. The Joint Task Force for Global Network Operations and the Joint Functional Component Command for Network Warfare will be dissolved by October 2010. The Defense Information Systems Agency, where JTF-GNO now operates, will provide technical assistance for network and information assurance to Cybercom.

Combatant commanders, the military services and DOD agencies will remain responsible for carrying out Cybercom policy and for operation and defense of the Global Information Grid.