The Department of Defense faces tens of millions of attempted cyberattacks every year. In response, it established the U.S. Cyber Command in 2009 to more effectively address the growing risk of these threats. Although initially located within the U.S. Strategic Command, in August 2017 the President ordered CYBERCOM to be elevated to the status of a full and independent command—traditionally a military organizational unit under the command of one individual. Earlier this year, we looked at some advantages and disadvantages of CYBERCOM’s structure and leadership style, as well as DOD’s progress in implementing its cybersecurity strategy. Today’s WatchBlog shares some of what we found. The dual hat To get CYBERCOM up and running quickly, in 2010 the President assigned the Director of the National Security Agency—who also leads the Central Security Service—to also lead CYBERCOM. This is called a “dual-hat” leadership arrangement—one person leading two (or more) organizations simultaneously—and is a common practice within DOD. As the sole leader of these organizations, the dual-hatted leader has a lot of responsibilities.
(Excerpted from GAO-17-512)But is it the right fit? Although DOD has no official position on the merits of CYBERCOM’s dual-hat leadership arrangement, officials we spoke with noted some advantages and disadvantages. For example, some told us that the arrangement improved coordination and collaboration between NSA and CYBERCOM, and allowed both organizations to elevate critical issues and receive quicker decisions from a single leader. On the other hand, some were concerned that CYBERCOM’s needs and priorities might receive preferential treatment from NSA over other combatant commands—given the single leader. Additionally, having one person head both organizations may result in such broad responsibilities that it limits effective leadership, particularly considering the growing number and sophistication of cyberattacks. DOD has been considering separating NSA and CYBERCOM’s dual-hat leadership, but—as of October 2017—it has not announced whether it plans to do so. Should DOD decide to terminate this dual leadership, there are strategies that could maintain some of its advantages. For example, DOD could formalize agreements between NSA and CYBERCOM to continue collaborating on issues of mutual interest. It could also continue to develop more independent capabilities for CYBERCOM so that it will be less reliant upon NSA’s tools and infrastructure. Implementing cybersecurity guidance DOD's progress towards implementing key cybersecurity guidance varies. DOD implemented the key cybersecurity elements of its Cloud Computing Strategy and made progress implementing a number of tasks related to its 2015 Cyber Strategy and Cybersecurity Campaign. However, DOD closed tasks that support its Cyber Strategy before they were fully implemented. For example, it closed a task that required completing cyber risk assessments on 136 weapon systems prior to performing all of the assessments. The Department also lacks a timeframe and process for monitoring the implementation of its Cybersecurity Campaign objective to conduct operational risk assessments for its cybersecurity readiness. To find out more about CYBERCOM’s leadership, as well as how its cybersecurity strategy is progressing, check out our full report.