Should NSA and CyberCom split? A watchdog weighs in

As the status of the dual-hat leadership structure of the National Security Agency and U.S. Cyber Command remains under review, the Government Accountability Office teamed up with Pentagon officials to identify the advantages and disadvantages of such a change in a new report.

The benefits of the current arrangement, as identified by officials from the Department of Defense, involve collaboration, faster decision making and resource efficiency.

But the big downside is that wider access to NSA's toolkit of exploits increases the risk that destructive bugs will get loose – as has been seen recently.

GAO was directed to conduct the review in the report language of a recent defense bill.

Auditors found that because one officer calls the shots for two organizations, senior leaders from each organization have visibility into the procedures of the other, allowing for natural coordination on capability development, testing and business processes.

"In the absence of the dual-hat, [NSA] and CyberCom would need to formalize these internal processes in order to maintain them," auditors write.

Another advantage is that the single leader for both organizations allows for faster decision-making because it doesn't require building consensus across commands.

Officials from several DOD components, including NSA and CyberCom, told GAO that the structure allows the two organizations to make efficient use of their resources by sharing digital and physical infrastructure and by combining employee training sessions.

DOD officials also detailed the disadvantages of the dual-hat approach.

Officials reported concerns about preferential prioritization of one organization's requests for support over the other's, concerns that may only be exacerbated as CyberCom is set to receive the authorities of a unified combatant command.

And, as previously noted, CyberCom's use of NSA's tools and infrastructure increases the risk those tools being leaked or exposed.

Because of the wide range of responsibilities of the two organizations, and as CyberCom is elevated to become a full combatant command, DOD officials expressed concerns that the duties may be too broad for a single officer to realistically handle.

Although they both operate in cyberspace, the missions of CyberCom and NSA also have an inherent tension. CyberCom focuses primarily on conducting military operations, while NSA's mission is primarily intelligence-based.

DOD officials also told auditors that while the sharing of resources is efficient, the resource allocation between the two entities is sometimes unclear. They stated that DOD does not have an official position on the advantages and disadvantages of the dual-hat structure.

The report also includes actions that could limit potential risks of splitting the leadership.

While there is broad support from current and former officials, including former President Barack Obama, for elevating Cyber Command to the level of an independent combatant command, the idea of splitting the agencies has received some pushback.

Legislatively, 2017 National Defense Authorization Act stated that the dual-hat role, which dates back to CyberCom's creation in 2009, will remain in place until an assessment is conducted about the potential security risks of splitting the current structure.

The 2018 bill submitted by the House Armed Services Committee includes a $647 million boost to support the elevation of U.S. Cyber Command to a full combatant command level, but omits new language about an eventual split of the NSA and CyberCom.