CAPITOL HILL: The Quadrennial Defense Review is dead. Long live a unified combatant command known as Cyber Command.
Ok, it doesn’t quite ring like Long Live The Queen, but you get the idea. House Armed Service Committee staffers briefed reporters on some of the more important bits of the 2017 National Defense Authorization Act. Top of the list in the mind of this scribe are the demise of the QDR and the elevation of Cyber Command.
I’ve covered every QDR and have to say I loved them. As a reporter they gave us unparalleled access to fundamental debates about the strategy, policies and politics of the Pentagon and its constituents, which was one of the goals of Congress in creating them. But the QDR also became famous for the unfortunate process that came to be known as salami slicing. Instead of doing what the founding legislation said it should do — make hard and rational choices based on America’s interests and our strategy for achieving them — the QDR often became a proxy for Pentagon budget wars. That, in the end, is why QDRs lost the respect of those who had supported them.
Combined with the creation of what one HASC staffer referred to the armies of staff and consultants built to prosecute each QDR, they became disruptive and, ultimately, self-serving. Of course, we still have to see if the Senate Armed Services Committee shares the House goal of scrapping the QDR.
With an eye to better preserving some of the better goals of the QDR, the HASC will create a one-time “independent commission on national defense strategy for the united states,” comprised of seven “greybeards” appointed by HASC and the Senate Armed Services Committee, similar to the National Defense Panel that was supposed to critique and analyze the QDR.
The bill will also create a biennial product to be known as the “Defense Strategic Guidance.” It’s designed to ensure there is “top-down” civilian guidance from the highest levels giving written policy guidance to the force on global roles and missions, force planning and resource allocation.
The other action the HASC is taking is to place a “cap” on the number of staff in the National Security Council. Bloated at more than 400 under the Obama administration and often functioning as the leadership of the government departments it is supposed to coordinate, the NSC would be limited to a certain number which the HASC staffers were not willing to disclose.
In the long run, the elevation of Cyber Command may be more important than the demise of the QDR, but we’ll have to see how these new approaches drive the Pentagon’s decision-making. After all, strategy is more important in the long run than operations. In addition to the elevation of Cyber Command so that it can function directly without Strategic Command being involved, the staffer said that they would require a study investigating whether and how to separate the leader of Cyber Command from the director of the National Security Agency. Today, those positions are held by the same person.
As the staff member noted, StratCom’s primary responsibility is nuclear warfare, which requires very clear, direct and unambiguous command and control. As the comments below indicate, CyberCom’s requirements are very different.
Complexities Of Cyber Command
CyberCom commander Adm. Mike Rogers’ deputy, Air Force Lt. Gen. James McLaughlin, made clear this morning that Cyber Com is not interested in empire-building. “The notion that this boils down to which organization has OPCON [operational control] is, in my mind, not the issue anymore,” McLaughlin told an AFCEA conference. “The goal is how we make this less about control….This is about bringing the power of the enterprise to solve problems.”
That said, “we have a level of centralized control right now and it’s relatively new,” McLaughlin acknowledged. Cyber Command “has central control to direct operations across the DoD Information Network [DoDIN] — defensive operations — [but] that doesn’t mean all the forces associated with doing that are US Cyber Command forces.”
The other combatant commands have and should retain their own cyber defense asset, McLaughlin said. “They have forces that are responsible to them,” he said. “They know their terrain, they know their mission, and they understand what’s unique about their mission” — vital nuances that a centralized mega-headquarters might miss.
Traditional models of command and control, with strict chains of command and divisions of labor, just don’t translate to the fast-moving, fluid world of cyberspace, said Rear Adm. Dwight Shepherd, director of cyberspace operations for Northern Command and NORAD.
“We’ve got to throw out the old paradigms,” Shepherd told Sydney after the AFCEA panel. “It doesn’t work in cyber.” In traditional NORAD-style homeland defense, for example, you can see enemy aircraft or missiles coming miles away, and they have to come from known approaches: not so a virus or a denial of service attack.
“With cyber you don’t have those sort of boundaries, you don’t have those sort of approaches,” Shepherd said. “It’s 360 degrees and it’s moving at the speed of light.”
“That’s why you’re seeing this evolution,” Shepherd told Sydney. “As [the new] JFHQ DoDIN comes online and CYBERCOM comes online with more authorities and more responsibilities, we just have to figure how we get that C2 structure right.”
So if traditional centralized control won’t work, what will? “We need a global synchronizer, because right now we’ve got a supply and demand problem [with] cyber forces,” Shepherd told the AFCEA conference. “[That’s not] central control of the defensive forces. I’m not sure how that would work, because each combatant command has its own unique priorities, it has own unique mission requirements.”
That’s being thrashed out at this moment, said McLaughlin, with attention from the Joint Chiefs of Staff themselves. “We are now working specifically…. to clarify how we actually [work with] the combatant commands and how our command integrates directly into those commands,” McLaughlin said. “Those are still hard issues, but I think they pale in comparison with the issues we have resolved” already.