The Government Accountability Office evaluated the advantages and disadvantages of the National Security Agency and Cyber Command’s dual-hat leadership system and found that the system causes tension between the two agencies due to competing interests.
GAO was concerned that CYBERCOM priorities may receive preference over the NSA’s priorities. CYBERCOM uses cyber intelligence in combat situations against adversaries, including disabling enemy networks. The NSA collects information on adversaries and could value keeping enemy networks open in order to learn more. This increases tension between NSA and CYBERCOM staff, who are responsible for military or intelligence operation tasks that are not always mutually achievable, according to GAO.
The NSA and CYBERCOM are led by Adm. Michael Rogers, who has a military background. Opponents of the dual-hat system have weighed the benefits of allowing a civilian to lead the NSA.
As of April 2017, the Department of Defense had not determined whether it would end the dual-hat leadership arrangement.
GAO also found that the dual-hat system increases the potential that NSA operations and tools could be exposed. In recent years, the NSA has had a string of exposures, which have led to major global cyberattacks. Most recently, the WannaCry attack in May resulted from the release of an NSA vulnerability tool to the world by the hacker group the Shadow Brokers.
Other disadvantages include too broad a span of control, which potentially limits effective leadership, and the sharing of resources between NSA and CYBERCOM, which results in resource allocation that is not always easily understood by personnel.
The advantages that GAO found include improved collaboration between the agencies, faster decision-making, and efficiency of resources.
“DoD has implemented the cybersecurity elements of the DoD Cloud Computing Strategy and has made progress in implementing The DoD Cyber Strategy and DoD Cybersecurity Campaign,” GAO said. “However, DoD’s process for monitoring implementation of The DoD Cyber Strategy has resulted in the closure of tasks before they were fully implemented.”
DoD prematurely closed a task that would require completing cyber risk assessments on 136 weapon systems. Officials acknowledged they are on track to complete the assessments by Dec. 31, 2019, but as of May 2017, the task was not complete, according to GAO.
GAO recommended that the DoD modify its criteria for closing tasks from The DoD Cyber Strategy, and establish a time frame for transitioning to commander-driven operational risk assessments for cybersecurity readiness.