Skip to main content

The Evolution of CYBERCOM

Posted on November 02, 2017
The Department of Defense faces tens of millions of attempted cyberattacks every year. In response, it established the U.S. Cyber Command in 2009 to more effectively address the growing risk of these threats. Although initially located within the U.S. Strategic Command, in August 2017 the President ordered CYBERCOM to be elevated to the status of a full and independent command—traditionally a military organizational unit under the command of one individual. Earlier this year, we looked at some advantages and disadvantages of CYBERCOM’s structure and leadership style, as well as DOD’s progress in implementing its cybersecurity strategy. Today’s WatchBlog shares some of what we found. The dual hat To get CYBERCOM up and running quickly, in 2010 the President assigned the Director of the National Security Agency—who also leads the Central Security Service—to also lead CYBERCOM. This is called a “dual-hat” leadership arrangement—one person leading two (or more) organizations simultaneously—and is a common practice within DOD. As the sole leader of these organizations, the dual-hatted leader has a lot of responsibilities.

Table 1: Roles and Responsibilities for the Dual-Hatted Leader of the National Security Agency (NSA)/Central Security Service (CSS) and U.S. Cyber Command (CYBERCOM)(Excerpted from GAO-17-512)

But is it the right fit?  Although DOD has no official position on the merits of CYBERCOM’s dual-hat leadership arrangement, officials we spoke with noted some advantages and disadvantages. For example, some told us that the arrangement improved coordination and collaboration between NSA and CYBERCOM, and allowed both organizations to elevate critical issues and receive quicker decisions from a single leader. On the other hand, some were concerned that CYBERCOM’s needs and priorities might receive preferential treatment from NSA over other combatant commands—given the single leader. Additionally, having one person head both organizations may result in such broad responsibilities that it limits effective leadership, particularly considering the growing number and sophistication of cyberattacks. DOD has been considering separating NSA and CYBERCOM’s dual-hat leadership, but—as of October 2017—it has not announced whether it plans to do so. Should DOD decide to terminate this dual leadership, there are strategies that could maintain some of its advantages. For example, DOD could formalize agreements between NSA and CYBERCOM to continue collaborating on issues of mutual interest. It could also continue to develop more independent capabilities for CYBERCOM so that it will be less reliant upon NSA’s tools and infrastructure. Implementing cybersecurity guidance DOD's progress towards implementing key cybersecurity guidance varies. DOD implemented the key cybersecurity elements of its Cloud Computing Strategy and made progress implementing a number of tasks related to its 2015 Cyber Strategy and Cybersecurity Campaign. However, DOD closed tasks that support its Cyber Strategy before they were fully implemented. For example, it closed a task that required completing cyber risk assessments on 136 weapon systems prior to performing all of the assessments. The Department also lacks a timeframe and process for monitoring the implementation of its Cybersecurity Campaign objective to conduct operational risk assessments for its cybersecurity readiness. To find out more about CYBERCOM’s leadership, as well as how its cybersecurity strategy is progressing, check out our full report.
About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.