Secretary of Defense nominee Mark Esper, speaking to senators during his July 16 confirmation hearing, shared his feelings that U.S. Cyber Command possesses “exceptional” cyber capabilities, but just as important is a streamlined framework for using them outside U.S. networks.
“Maybe as important as our capabilities, last year the administration put out a new [National Security Presidential Memorandum] 13, which really put our cyber capabilities on a more offensive footing, allowing us to lean forward,” Esper said.
Under the previous process, approval for cyber operations had to go all the way to the president for approval. NSPM 13 now allows the president to delegate some of those authorities and reorganizes the approval process through the interagency.
Esper credited the new process for the successful operations during the 2018 midterm elections that sought to mitigate threats to the democratic process.
“I think for those reasons it’s why you saw in the 2018 elections no issues. That’s why I think we’re more and more confident that the 2020 elections will also be” unfettered, he said of NSPM 13.
Esper committed to senators that DoD will play its fair share when it comes to securing elections in the future, something that has previously drawn the ire of Congress, which has yet to see documents related to NSPM’s authorities approval process, much to members’ chagrin.
Esper also remarked that both the public and private sector remain vulnerable to cyberattacks. In his prehearing questionnaire he offered almost identical responses to Gen. Mark Milley’s comments stressing the importance of partnerships for protecting the nation. Milley has been nominated for chairman of the Joint Chiefs of Staff and his confirmation hearing took place last week.
“Through a series of partnerships with DHS and sector-specific agencies (SSAs), such as the SSAs for the financial and energy sectors, DoD is executing ‘Pathfinder’ initiatives to build the expertise and gain the experience needed to support our critical infrastructure partners’ efforts to anticipate, prevent, and respond to significant cyber incidents,” Esper wrote.
“Specifically, we have focused on lessons learned from our election security efforts, and have focused on the sharing of threat information and collaborative analysis of vulnerabilities and threats. The Department has a plan to leverage the National Guard’s resources and capabilities, and to expand these partnerships to other critical sectors where DoD and the private sector have shared interests.”
Officials have noted that the pathfinder pilot program with the energy sector, specifically the Department of Energy, is fairly new. These pathfinders rely on the unique authorities DoD can bring to bear, such as operating outside U.S. networks.
“Once these secretaries sign these agreements, we don’t necessarily bring the expertise in what’s critical in the financial sector. We’re looking for [Department of] Treasury, [Department of] Homeland Security to help us gain an understanding of what that is so that as we look overseas, that we’re now focused on the things that are important to that sector in a way that we wouldn’t have done without the partnership with DHS, Treasury and the sector,” Maj. Gen. (s) Timothy Haugh, commander of the Cyber National Mission Force, told reporters in May.
“That’s what some of these pathfinder activities have been really helpful for us to understand what is actually critical and how would we approach our operations for the different perspective to help them in their defense.”
Haugh added that these pathfinders allow DoD to apply its “defend forward” approach — fighting adversaries in networks as far from the United States as possible — to the defense of these broader sectors and ultimately the homeland.
Dual-hat
Esper and Milley, both of which currently lead the Army, touched upon the ongoing issue of the dual-hat relationship between the National Security Agency and Cyber Command, which share a leader, tools, infrastructure and staff to some extent.
Milley, for his part, said his current view is the dual-hat arrangement presently is working well and should be maintained.
Esper noted during his confirmation process the “challenge of determining whether the ‘dual-hat’ relationship should be maintained or terminated is balancing the U.S. Cyber Command and National Security Agency responsibilities and priorities in a way that is optimal for the national security of the United States,” adding that both organizations will have a unique and enduring relationship regardless of the dual-hat.
Gen. Paul Nakasone, who leads both NSA and Cyber Command, delivered his assessment on the dual-hat to the chairman and secretary in August 2018, 90 days after taking command.
The decision on whether to split remains with the secretary, chairman and the president.
“I understand that, if confirmed, my certification and that of the secretary is required before the current dual-hat leadership arrangement can be terminated,” Milley said.
“A recommendation to the president will require careful collaboration and coordination with the Chairman of the Joint Chiefs of Staff and the Director of National Intelligence, and must be fully informed by the benefits, costs and risk mitigation factors to ensure there is no degradation to national security,” Esper wrote.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.