The Senate Armed Services Committee’s version of the defense authorization bill will call for making U.S. Cyber Command a functional combatant command and also recommend consolidating some geographic commands, the panel’s chairman and ranking member said Tuesday.
When asked at a hearing whether Cyber Command was mature enough for such a step, Adm. Michael Rogers told the panel “yes,” but recommended that at least for now the commander also remain director of the National Security Agency. It would “be less than optimal to separate them now,” he said. The command reached full operational capability Oct. 31, 2010, and is under Strategic Command.
Chairman John McCain (R-Ariz.) added that he intended to have the committee focus on cyber after markup of the authorization bill later this month in a similar manner to his hearings on defense reform—from acquisition to personnel to command structure—starting last fall.
Rogers told the committee, “Cyber is one area in which we have to acknowledge we have peer competitors.” He cited Russia as being there and China as fast approaching that mark.
In answer to a question, he added cyber is among the least understood of the defense domains by the public and it is a domain that is rapidly and continually changing as state actors and non-state actors adapt. As he said in his opening statement, the “pervasive nature of cyberspace” affects not only military functions but civilian infrastructure, financial transactions and personal information. He said several times during the hearing some areas are more vulnerable to intrusion and attack than others.
Vulnerability also lies in the defense supply chain, particularly when working with allies, he said. While working with the civilian sector in shoring up its defenses, he reminded the panel the command is not tasked with defending every computer network in the United States.
Cyber “can be intimidating,” he said. He mentioned the increased incidents of “ransom-ware” attacks in the health-care system as an example. It is also an example of what hackers using sophisticated analytics can make of data once it is extracted.
Speaking on the military aspect, he added later, “We want to have the same level” of capability and capacity as in other domains when it comes to cyber.
Rogers said the command is working with other commands and the services in the Defense Department, and other federal agencies; Homeland Security has the lead on protecting domestic infrastructure, local governments and the private sector to coordinate their cyber activities and responses.
As an example of cooperation, Rogers said the services “have been very willing” to establish a single training standard.
On infrastructure, he added, “An element of the [cyber] force is focused like a laser” on infrastructure.
When asked about the command’s ability to respond to simultaneous cyber attacks on infrastructure such as power grids or water supplies, he said, “Capacity is the greater concern than capability.”
Rogers said that the command is on track to reach initial operating capability across the cyber mission force. He told the committee that the command’s recruiting and retention on the uniformed military side was also on track but he would return with some recommendations for several skill-sets to better recruit and retain on the civilian side.
The military makes up 70 percent of the command’s workforce today, and Rogers said the goal was to raise that to 80 percent. While “not trying to minimize the role of contractors,” he said, “priority Number One is the civilian [government employee] piece” to have resident in the command “the breadth of expertise.”
Rogers said, while activity is down, “the jury is still out” to see if the Chinese government is no longer passing trade and economic information it gathers to businesses, as agreed to by Presidents Barack Obama and Xi Jinping in November.