Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
Opinion by: Robert M. Gates
March 28, 2021 at 8:00 a.m. EDT
Robert M. Gates served as director of central intelligence from 1991 to 1993 and as defense secretary from 2006 to 2011.
In recognition of the danger posed by foreign cyberattacks against the U.S. military, economy, infrastructure and political system, I directed the creation of U.S. Cyber Command on May 21, 2010. I concluded that the mission to defend "the nation from significant cyberattacks” required a new, overarching military command, consolidating previously disparate units into one integrated command structure.
For Cyber Command to be able to respond instantly to attacks, the commander also had to be in charge of the National Security Agency, the only U.S. institution with the capability to defend the country against such attacks and retaliate. Cyber defense and cyber offense, I was convinced (and still am), needed to be commanded by one person. The commander of Cyber Command could not be in the position of having to ask for or negotiate NSA support, thus increasing the danger of delays in our response time.
Even in 2010, we recognized a fundamental legal and structural problem in defending the United States against cyberattack: The Defense Department and NSA had limited legal authority to defend against such an attack originating inside the United States. By law, primary responsibility for defending against domestic-based attacks belonged to the Department of Homeland Security. Unfortunately, DHS had the authority but little capability.
More than 10 years later, that conundrum continues to make the country vulnerable to attacks initiated from abroad but launched from within this country, such as the SolarWinds attack (likely of Russian origin) and those against Microsoft’s Exchange servers (likely of Chinese origin).
Some contend the solution is for the government to partner with private-sector companies. Others argue that Congress should give NSA additional authority to conduct cyber defense domestically — thus breaking the decades-long prohibition against intelligence agencies operating inside the United States. The latter path is almost certainly not politically feasible. And any kind of formal partnering with the private sector is likely to encounter resistance from most such companies and, in any case, would be challenging to operationalize in such a way as to provide the necessary rapid responses. (That said, improved informal cooperation between the government and private cybersecurity companies could enhance protection of the U.S. private sector.)
The NSA is the only U.S. government organization with the vast capabilities to conduct both cyber defense and cyber offense at home and abroad. Civil libertarians and privacy advocates might hope to see creation of a purely domestic organization to defend against attacks launched from within the United States — with appropriate legal safeguards — but that is a fantasy. There is not enough money, human talent or time to establish a domestic equivalent to the NSA.
We recognized this dilemma in 2010 within weeks of establishing Cyber Command. In an attempt to resolve it, I reached out to then-DHS Secretary Janet Napolitano with a proposal that would organizationally empower her department to draw directly on NSA resources to deal with cyberattacks originating inside the United States. Recognizing DHS’s legal authority and responsibility for cyber defense internally, I proposed that we agree to appoint a “dual hat” senior DHS officer who would also serve as a deputy NSA director with the authority to task the NSA in real time to defend against cyberattacks of domestic origin. That deputy director would have her or his own legal staff and general counsel, and we would create firewalls and regulations to ensure that DHS tasking would be kept separate from and follow different rules than the foreign intelligence operations of the NSA.
Napolitano and I took this proposal to President Barack Obama, who, after proper vetting by the Justice Department and White House lawyers, authorized us to implement this proposal. Sadly, the initiative came to naught, mainly because of bureaucratic foot-dragging and resistance.
I still believe the most expeditious path to an effective U.S. defense against cyberattacks launched from within the United States — through servers located here or other means — is to return to the initiative of a decade ago: to enable DHS to fulfill its domestic cyber defense responsibility through new arrangements giving it authority to use NSA’s incomparable resources with appropriate structural and regulatory safeguards. The challenge for DHS Secretary Alejandro Mayorkas and Defense Secretary Lloyd Austin would be to ensure that their designees make the arrangement work.
SolarWinds and the attack on Microsoft make clear that prompt action is necessary. The approach we devised in 2010 would not require new legislation and could be implemented quickly. We are under attack. There might be a more elegant solution to our vulnerability, but a better means of defense is available now.