One of the interesting aspects of blogging for Lawfare is that I get to try on a few new hats. For years, I have thought of myself as a lawyer and a policy analyst — hats I get to wear every day and the ones I wear most often even on Lawfare. Today, I put on a different hat — journalist/reporter — call that my third hat.
On June 21, General Peter Pace gave an address on Cybersecurity sponsored jointly by the Marine Corp University Foundation and the Heritage Foundation. Pace is former Vice Chair and then Chairman of the Joint Chiefs of Staff — the first Marine ever to hold those positions. (So, if we read the tea-leaves correctly, he was CJCS at the time Flame and Stuxnet were first conceived of and developed).
I’ve been waiting to blog the speech until a podcast of it was available, but rather than let the news get stale waiting, I thought I’d begin with this note on one really fascinating (and likely to be controversial) aspect of Pace’s address. He was addressing an issue that has long been known to bedevil our current Federal governance — by far the greater expertise for cyber warfare and cyber espionage lies with the military (at NSA and CyberCommand), but for perfectly valid historical and philosophical reasons our country is uncomfortable with military control over civilian enterprises. For that reason we have let DHS take the lead in protecting the .gov domain and in coordinating public-private efforts to protect private infrastructure. But that effort lags, at least in part, because DHS lacks the depth of expertise and knowledge that NSA and CyberCommand possess. DHS is making strong efforts to fix the problem by hiring new talent, but everyone recognizes that strengthening DHS’s capabilities is a long-term project, not a quick fix.
So, what to do in the interim?
Pace’s novel suggestion is to give General Keith Alexander a third hat too. Right now, General Alexander is both the Commander of US CyberCommand (where his chain of command runs up through the Secretary of Defense) and the Director of the National Security Agency/Chief, Central Security Service (where his chain of command runs, in part, through the Director of National Intelligence). He is “dual-hatted” and may at times exercise either military authority under Title 10 or intelligence authority under Title 50 (a confluence familiar to anyone who has read Bobby Chesney’s posts on this blog).
Pace suggests giving Alexander a third hat. Put him in charge of the civilian cyber response, give him authority under the Homeland Security Act, and have him report to the Secretary of DHS about his work in this aspect of the domain. Since the Homeland Security Act is codified, we might call this the exercise of Title 6 authority as a shorthand.
For myself, I feel comfortable wearing three hats — but mine are pretty readily interchangeable. Pace’s proposal might solve some of the authority/responsibility/capability issues we have today, but it would make the triple-hatted incumbent the de facto cyber-czar of the US. As one senior member of the IC said when we discussed the idea: “It might make sense. But we can’t let it be a general.”
Anyway, since Lawfare is about surfacing interesting ideas, I thought I’d pass this one along.