Defending America in Cyberspace

November 1, 2013 | Topic: Cyber Security, Cyberwar, Security | Regions: United States

Mini Teaser: The National Security Agency's strategy for protecting the United States from cyberattacks.

by Keith B. Alexander, Emily O. Goldman, Michael Warner

At the heart of our national-scale capability for defending the nation in cyberspace is the set of relationships for intelligence, analysis, and information security and assurance. The NSA makes that team work. The agency’s importance was reflected in then secretary of defense Robert Gates’s 2009 decision to designate the director of the NSA as commander of U.S. Cyber Command (USCYBERCOM) as well, and to locate the new command’s headquarters at Fort Meade, Maryland, alongside the NSA. Through these decisions, the department leveraged the similarities and overlaps between the capabilities needed for the conduct of the NSA’s core missions—signals intelligence and information assurance—and those of USCYBERCOM: to provide for the defense and secure operation of Defense Department networks and, upon order by appropriate authority, to operate in cyberspace in defense of the nation.

The NSA and USCYBERCOM operate under multiple layers of institutional oversight that reinforce our commitment to privacy and civil liberties. These include processes internal to both organizations, executive-branch oversight accountability mechanisms, congressional oversight and judicial scrutiny. Physical, managerial and technical safeguards serve to prevent, correct and report violations of procedures. There is a culture of accountability and compliance, rigorous training and competency testing, auditable NSA practices and self-reporting of incidents. The NSA and USCYBERCOM do not set these procedures but comply with very specific provisions approved by our nation’s lawmakers. Far from imperiling civil liberties and privacy, the tight links between the NSA and our growing cybercapabilities help to ensure professional, sober and accountable consideration of potential impacts from our operations.

The evolution of USCYBERCOM has reinforced the imperative for a close and unique connection with the NSA. The command’s creation in 2010 reorganized the department’s Title 10 “war fighting” segment of our cyberteam and represented a major organizational step toward developing and refining the Department of Defense’s role in strengthening the nation’s cybersecurity. Events since the formation of USCYBERCOM have taught us a great deal about the gravity of the cybersecurity threat, the development of the Department of Defense’s operational capabilities, the department’s role in a whole-of-government approach to cybersecurity, and structural, policy and doctrinal changes that are needed. Some of these changes can be implemented as part of the natural evolution of the command. Others require activity outside USCYBERCOM itself—within the Department of Defense, by the executive branch more broadly, by Congress and by the private sector.

The synergy between the NSA and USCYBERCOM is evident every day even if it is not visible. The cryptologic platform constitutes the collection of signals-intelligence and communications-security capabilities that since 1952 have served users ranging from national customers to departmental analysts to battlefield commanders. To the extent permissible by law, USCYBERCOM and the NSA have integrated operations, people and capabilities to help the nation and its allies respond to threats in cyberspace. USCYBERCOM’s defense of U.S. military networks depends on knowing what is happening in cyberspace, which in turn depends on intelligence produced by the NSA and other members of the intelligence community on adversary intentions and capabilities. USCYBERCOM’s planning and operations also rely on the NSA’s cybercapabilities. No one entity in the United States manages or coordinates all this activity on a strategic scale. It requires cooperation across government agencies and with industry.

The cyberteam works for strategic, operational and tactical ends, and it does so because we cannot afford (in terms of resources, security or missed opportunities) to maintain distinct capabilities for strategic, operational and tactical decision makers. This approach makes it possible for the United States to operate national-security information systems with some assurance of security; to understand the dimensions of the threats that we face; and to know which threats are exaggerated. It also gives us a measure of warning and situational awareness and is the basis on which those vital attributes will be improved in the future. What are the possibilities for maximizing its potential?

AT THE dawn of the “cyberage” in the 1980s, the United States was positioned to take a commanding military lead in this new domain. Much of the world’s cyberinfrastructure, capacity and computer-security expertise resided in America, and the U.S. government debated policies that might have made federal and critical infrastructure networks much more secure than contemporary external threats could have surmounted. The U.S. military and intelligence community held strong advantages in cybercapabilities that might have been mobilized in the 1990s. Although potential threats were recognized early, there was little urgency to reorganize and change established processes. By the time the United States started losing intellectual property on a massive scale in the middle of the last decade, the opportunity to capitalize on commanding advantages had been lost.

Today the United States is striving to maintain the edge it holds over potential adversaries in cyberspace. This advantage is preserved in part by the large U.S. government capacity in this domain. Our lead is also maintained by our adversaries’ own difficulties in crafting new policies, doctrines and organizations to operate in the new cyberdomain; in some cases their social and political contexts are even more challenging than ours. This American advantage might not last long. We still, however, would not trade our predicament for that of any other nation on earth. Every nation has significant vulnerabilities that can be exploited in and through cyberspace; almost alone among nations, we have the ability to lessen ours dramatically.

As then deputy secretary of defense William Lynn explained in Foreign Affairs in 2010, global circumstances continue to require an agile and technologically advanced cybercapability. We have made progress but still must do more to ensure that we have: the situational awareness needed to defend our networks; the authority to respond to threats to the United States, even beyond the boundaries of military systems; legislation that facilitates information sharing with the private sector; established security standards for critical infrastructure; trained and ready cyberforces certified to common, baseline standards; doctrine along with tactics, techniques and procedures for educating our armed forces on the conduct of military operations in cyberspace; a defensible cyberarchitecture enabled by the new Joint Information Environment (JIE); and clear lines of command and control to ensure network-speed decision making and action. The Department of Defense is making progress on an array of efforts to address these challenges, all the while protecting the privacy of our citizens and the civil liberties that are at the foundation of our political system.

The Pentagon is moving to reduce significantly the number of its networks and limit the points where those networks touch the Internet. Its new joint network—the JIE—is inherently more defensible than the fifteen thousand disparate enclaves that currently exist in the Department of Defense. USCYBERCOM is involved in efforts to leverage cloud-computing technology to dramatically increase the ability to safely and securely store and access data.

We continue to improve our ability to understand the vulnerabilities of our networks, the cyberenvironment and the capabilities of adversaries. Doing so improves situational awareness of what is happening in cyberspace for the benefit of government organizations, private industry and foreign partners.

We are aware that as we increase our dependence on networks in cyberspace, we must have a codified and logical manner by which to provide structure, command and control to our forces—and to allow the coordination and synchronization of U.S. military operations with those of our military allies and our partners.

We are developing a force capable of defending the nation in cyberspace, operating and defending Department of Defense information networks, and providing direct support to Unified Combatant Command plans and operations. These forces must be able to defend our national-security networks, providing a vital sanctuary from which we can operate even while under attack. Having such an assured capability will not only defend Department of Defense and national-security functions, but also help government and civilian networks by convincing adversaries that an “Armageddon” strategy will not succeed against America.

We are working to understand how existing international and domestic laws and norms apply in the new cyberenvironment. We are also developing processes and policies to manage cyberemergencies and to defeat cyberattacks.

OUR RELIANCE on cyberspace yields significant strategic benefits but also poses grave risks to our nation. The very nature of cyberspace is one of convergence—of networks, devices and people combining and interacting in new and increasingly complex ways. Communications that previously moved in separate channels now travel in one, global network—the Internet. We must be able to operate securely in this convergent space and to protect the broader social, political and economic developments that the digital age has brought us. The things we value—personal wealth, national economic prosperity, intellectual property, our nation’s defense secrets and even our way of life—are all targets for our adversaries. More and more, those treasures reside in cyberspace, and that is the battleground where adversaries can threaten us. The potential for strategic-level theft and disruption is growing as adversaries probe our critical infrastructure networks and take our data. We do not know how economically and physically damaging coordinated cyberattacks could be if mounted on a national scale—or if a “limited” attack could get out of hand and cause cascading destruction. But the vulnerability of critical infrastructure and the power of cyberweapons together represent serious cause for concern about the resiliency of modern, networked economies and societies.
