Copyright Breaking Defense
WASHINGTON — It’s been nearly seven months since the Trump administration fired Gen. Timothy Haugh, commander of US Cyber Command and the director of the National Security Agency. And with no nominee named yet, experts, former military officials and a sitting Congressman are all raising red flags that the long gap has hurt American cyber preparedness. At the core of the issue, eight sources Breaking Defense spoke to said, is that the absence is undermining stated goals from the administration as well as military readiness, while noting how unprecedented it is to go this long without a name chosen. “[It’s] just sort of heartbreaking to see what’s going on with cyber and NSA under this administration right now. I say that as a Republican,” Rep. Don Bacon, R-NE, who also chairs the House Armed Services subcommittee in charge of cyber oversight, said in an interview. “This is seven months. It’s indefensible and it shows just a total disregard by the administration and the secretary of defense for this mission area.” For Bacon and others, one of the key issues is that the US is “under cyberattack every day” and there is no one in charge of the top military and intelligence agency responsible for defending against such attacks and going on the offensive. CYBERCOM’s deputy commander, Lt. Gen. William Hartman, has been the acting commander of the organization and the acting director of NSA, the latter notable because the CYBERCOM deputy, while having a working relationship with NSA, is distinctly separate organizationally from the agency. One former top military cyber official said they couldn’t imagine the top roles at Central Command, European Command and Indo-Pacific Command being left open this long, noting while those regions face their own threats on and off, the nation is experiencing persistent cyber intrusions daily. Throughout the past seven months a few names have emerged from DoD as the desired permanent nominees, such as Lt. Gen. Richard Angle, commander of Allied Special Operations Forces Command and Special Operations Command Europe, though, the White House axed that choice. Reports were that Hartman was expected to be chosen as the nominee, only to have other reports note he will not be chosen and has put in his papers to retire. The Record reported this week that Army Lt. Gen. Paul Stanton and Air Force Lt. Gen. Thomas Hensley are now leading nominees. White House spokesperson Anna Kelly said in a statement to Breaking Defense that the administration “will make a US Cyber Command nomination at the appropriate time. In the interim, we remain fully equipped to address any potential cyber threats. Stay tuned!” But every day there is a delay in getting someone nominated and confirmed is a bad day for America’s interests, said Erica Lonergan, assistant professor at Columbia University and an adjunct fellow at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation. “Cyberspace and cybersecurity are so important that this is a position that should be filled with a Senate confirmed appointee as soon as possible,” she said. A Surprise Firing In early April, Haugh was fired just over a year into his tenure leading both CYBERCOM and NSA. There still has been no formal reason given by the administration regarding his termination, though, it has been linked to political activist Laura Loomer, who has urged President Donald Trump to fire certain officials due to their perceived disloyalty to his agenda, and who has taken credit for the firing. The risks of having a leadership gap for so long, those that spoke to Breaking Defense noted, are wide ranging. “The risk of leaving it unfilled is there is no one to set priorities, ensure compliance with administration priorities, authorize operations, and aggressively go after threats,” Kori Schake, senior fellow and the director of foreign and defense policy studies at the American Enterprise Institute, said. Mark Cancian, senior adviser with the CSIS Defense and Security Department, similarly noted that CYBERCOM was created to increase focus on the domain. Lacking a four-star commander reduces cyber’s influence in decision-making at the top level, he said, adding there is the risk of organizational inertia with acting commanders reluctant to launch major initiatives on their own since a new commander might want to go in a different direction. In fact, experts stressed, acting leaders are limited in terms of what they are able to do. Some equated it to autopilot while others noted it is just maintaining the status quo. In this case, with an acting commander that is being considered for the permanent role, there can be sentiments not to rock the boat. The guidance and direction of the administration will still be followed, but there will naturally be a slower pace with an acting leader at the helm, according to a second former official. That slowed tempo could even factor down to units such as the service component commanders, who could delay guidance from an acting that isn’t fully bought into. And while operations will continue, the first former official described how pushing major efforts up the chain could become a problem. The desire to advance or expand current operations or start new ones that might need to be coordinated through the interagency could run into some resistance, and an acting official as opposed to a Senate-confirmed commander puts them at a potential disadvantage. A third former military cyber official, who self-describes as someone aligned politically with the administration, said they’re “not crazy” about many of the people that have been put in particular cyber jobs. With the CYBERCOM chief spot open, not having experienced people in place could also impact the ability to get things done. CYBERCOM is in the midst of several major efforts such as moving out on its newly minted acquisition and budget authorities as well as continuing to build out its capability architecture, the Joint Cyber Warfighting Architecture, and its holistic revamp of the command dubbed CYBERCOM 2.0. These areas cannot gain steam without a Senate-confirmed leader at the top to put their stamp on them and drive them the way they want, experts noted. Others said that discussions with the House and Senate are harmed without a permanent head at the top, as Congress exercises oversight and proposes legislative initiatives. A four-star, Senate-confirmed official can help guide discussions and initiatives with Congress. In the absence of such an official, Congress could be left to legislate on its own, without a two-way discussion on highly technical matters. While most of the experts were concerned with CYBERCOM’s lack of leadership, Lonergan stated that the gap at the top of the NSA may be a more pressing issue. “Signals intelligence is so foundational in our understanding of the threat environment and our adversaries’ capabilities and intentions. The NSA is such an important piece of our intelligence community and it’s so important as a combat support agency,” she said. And what does the lack of nominee say about how the administration values cyber capabilities? That question received more of a mixed response. Some pointed to the Trump administration’s efforts to be more aggressive in cyberspace as proof the White House is committed and just hasn’t found its perfect choice for the job, while others said they were disappointed by the lack of nominee. Despite her concerns about the position being empty, Lonergan said the lack of nomination is just one part of the cyber picture. She cautioned against a singular cyber narrative, pointing to discussions at senior government levels regarding large-scale Chinese cyber intrusions and the appointment of a national cyber director. Bacon, for one, has been disappointed with officials in the Pentagon when it comes to cyber, noting it’s “all talk.” “You can say we’re building the best cyber capabilities, and blah, blah, blah. The reality is just not and people could see through the talk,” he said. “I’m very, I’d say discouraged and even say angry at the performance here of this administration on cyber and NSA and CISA. They’re creating a vulnerability for our country that our businesses and our military that there’s going to be impacts.” The Issue Of The Dual-hat Following the decision to let Haugh go, there had been discussions regarding if it set the path to finally sever the dual-hat leadership structure where the same person leads CYBERCOM and NSA. Months later, the extended vacancy in the two roles is leading some to believe the administration is setting the conditions the positions should be split. Since CYBERCOM was created 15 years ago, it has been co-located with NSA at Fort Meade, Maryland, and shared a leader to help the nascent command grow, relying on the personnel, expertise and infrastructure of the high-tech intelligence agency. Severing the dual-hat has been one of the most hotly contested issues in cyber policy. Proponents believe the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles of NSA director and CYBERCOM commander are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity. “This vacancy shows some of the hidden risks of the long-past-expiration-date dual-hat relationship,” Jason Healey, who previously worked at a precursor organization to CYBERCOM and is a senior research scholar at Columbia University, said. “On a daily basis, this key-person dependency just meant that the dual-hat commander was over-stretched. Now that the position is vacant, the military is getting a double gut punch of missing two key leaders, not just one.” At the end of the first Trump administration, officials made a last ditch effort to sever the dual-hat, but it ultimately was not brought to fruition. And officially, that doesn’t seem likely to change, despite the nominee delay: Secretary of Defense Pete Hegseth told the Senate Armed Services Committee June 18 that as of right now, they are maintaining the status quo, but they reserve the right to review. Bacon said there is no appetite in Congress to confirm a nominee that is not dual-hatted as commander of CYBERCOM and director of NSA, noting there have been some behind the scenes undermining the process and working for a split. “Without a dual-hat, they’re going to get very little support in Congress. All the people that work cyber, all four corners — Republicans and Democrats — support a dual-hat because we’re familiar with it,” he said. “There’ll be zero support in Congress without a dual-hat and that’s just a fact.”
