There is one month left before the government-wide cyber review ends. Defense Secretary Robert Gates is expected to announce a four-star combatant commander to run cyber warfare soon after that review is finished. Our story about a cyber COCOM sparked a rollicking debate about the roles of DISA and, to a lesser degree, NSA and STRATCOM. While I can't identify who the posts came from, I can tell you that several of them came from practitioners of these dark arts.
In the hopes of driving the debate even further, here are some of the comments, with observations.
John Schrader, a colonel, said the country does need a cyber COCOM, but it should be kept within the current organizational structure. Since the Unified Command plan places cyber under STRATCOM he proposes making the cyber COCOM "a Sub-Unified Command of STRATCOM. It will be multi service and have its own component commands. The services will train and equip in order to present forces to the cyber commander who lives within the strategic context of STRATCOM with all the advantages of cross COCOM operational authority."
While I understand John's commitment to the UCP, I think he ignores the very real chain of command concerns that having a four star report to another four star. While you can get anyone to do anything within reason, I think it would dangerously muddy the chain of command.
He recommends taking DISA's Joint Task Force-Global Network Operations and expanding it. He argues that this "comes with a staff structure and one dimension of cyber built it."
But very few people I've spoke with in either the military or intelligence worlds believes that DISA is the right place to park such responsibilities, especially as long as NSA continues to throw its weight around. John argues that we should keep "NSA doing what it does best…it becomes a force provider." But, with all respect, to expect NSA to provide much of the muscle and therefore the money and expect the biggest chunk of the IC to just do what the regular military tells it to do is to ignore most of the last five years of conflict between these groups.
Create an industry council as part of the command group that engages and involves industry.
I'm afraid I'm more in line with Joe's thinking on this one.. He says, "DISA is a horrible choice for this. DISA is a bloated bureaucratic nightmare who cannot get any project of not completed without inflating the price tag beyond anything reasonable. They are shamed by any commercial counterpart, and a laughing stock everywhere else."
Sinlock also think DISA is "a horrible choice. You need to ask yourselves this. If the 40 some odd security vendors and companies out there cannot solve the problem (detect rates) and they employ the best in the business how in the heck do you think the DOD or intel agencies can?"
Caine weighs in, believing that "the Intel and DoD communities have the cream of the security crop" but are "hampered and hamstrung by horribly outdated and bureaucratic processes."
Take all this, compress it and I think you come up with several clear answers. One, we need a cyber COCOM with clear command responsibilities and his own troops. Forcing him to rely on NSA personnel will only prolong the already fatiguing fight between NSA, DoD and DHS.
Make sure that whoever gets final civilian authority to lead cyber activities in the federal government is given clear lines of funding and operational authority. DoD has to be able to exercise its Title 10 responsibilities without getting mired in battles between it, the IC and DHS.
I'm betting our readers know more about these issues than most because of your knowledge of the military and IC. Let's hear your thoughts.