Cyber Command Needs New Acquisition Authorities

In fiscal 2016, Congress granted limited acquisition authorities to U.S. Cyber Command, which sunset in 2021. Given the dynamic nature of the cyberspace environment, the rapidly changing pace of technological development, and the speed at which adversaries operate, Congress should accept the recommendation in the Cyberspace Solarium Commission’s March 2020 report to create a major force program (MFP) category for cyberspace as part of the fiscal 2021 National Defense Authorization Act (NDAA). This was among the number of issues I worked on as a senior director on the commission.

The Department of Defense acquisitions process drives how the military builds and equips its fighting forces to achieve strategic priorities set by national leadership, and it is a central element of how the military determines planning, budgeting and procurement. The overall projected budget planning process, called the Future Years Defense Program (FYDP), takes place in five-year intervals and is organized into 12 different MFP categories, each of which represents a combination of the personnel, forces and appropriated funding that together constitute a Defense Department program to achieve certain objectives. How the MFP categories are defined and organized, and which elements within the Pentagon manage the acquisition authorities associated with each MFP category, is important: These issues shape what kinds of capabilities the department can acquire for different missions and purposes.

MFP categories can provide Defense Department entities with enhanced flexibility in acquisitions to meet emergent and unanticipated needs—as well as a seat at the table in working with the services. This is why, in the past, Congress created two distinct MFP categories for special operations and space. These entities currently have independent acquisition authority to acquire goods and services that are unique to their needs. However, for cyberspace, acquisition authorities remain limited.

Major Force Programs Over Time

The MFP concept was originally conceived of in the early 1960s by then-Secretary of Defense Robert McNamara and the “whiz kids” at the Office of the Secretary of Defense. Initially, the Pentagon created 10 MFP categories, ranging from “Research and Development” to “Training, Medical, and Other General Personnel Activities.” Since the 1960s, only two additional categories have been created: MFP-11 for U.S. Special Operations Command (SOCOM) in 1987, and MFP-12 for National Security Space in 2016.

When Congress established SOCOM, it established an MFP category for the new unified combatant command as well, granting SOCOM acquisition authorities specific to special operations. Providing SOCOM with acquisition authorities that were independent from the military services effectively made it “service-like” without creating a new service. It also gave SOCOM greater flexibility and an ability to react rapidly to emergent situations, a particularly important capability for a command operating in environments where unexpected contingencies are likely to arise. SOCOM could directly control resources that were unique to its specific needs—including the capabilities and systems designed for use by special operations forces rather than the services, tailored modifications to capabilities that were originally created for use by the services, or goods and services urgently needed for some developing situation. SOCOM’s acquisition authorities became particularly important in the post-9/11 era as the military grew to rely heavily on SOCOM for overseas contingency operations.

The government did not reassess the MFP construct until decades later,when the Commission to Assess United States National Security, Space Management and Organization—established in the 2000 NDAA—recommended the creation of an MFP for space. Initially, the Pentagon used a “virtual” MFP to more easily track space funding—essentially, aggregating program elements related to space—until Congress created MFP-12 for national security space in the fiscal 2016 NDAA. This decision stemmed from a growing concern that nation-state adversaries, particularly Russia and China, were seeking to exploit the U.S. military’s reliance on space-based systems. Lawmakers also sought to address concerns about a lack of transparency within Defense Department budgeting for space programs, including the Air Force shifting funds from space to other air power programs. However, while Congress simultaneously established an MFP and a unified combatant command for special operations in the 1980s, the MFP for space preceded the creation of the Space Force and U.S. Space Command, which occurred in the fiscal 2020 NDAA.

It is relatively easy to define what resources are peculiar to special operations—like the MH-47G Chinook special operations helicopter, a modified version of the CH-47 Chinook, or the AC-130U gunship, a modified C-130 gunship. But there are inherent challenges associated with defining what “counts” as space-peculiar, as well as cyber-peculiar, goods and services. Space-related assets and functions—such as satellite-based communications or precision navigation and timing systems—are widely dispersed across the services and integrated into numerous military capabilities and systems. The same is true for cyber capabilities. The Defense Department has acknowledged this challenge for space, noting that scoping budgeting in this area “is complicated due to the various classifications and categories.” For instance, the fiscal 2020 budget request for MFP-12 does not contain the full scope of space-specific funding, such as funding for personnel.

Moreover, SOCOM usually aims to rely on service-common equipment, modifying capabilities that the services are already acquiring and adapting them to suit their specific needs. However, space and cyber are areas with minimal overlap between service and space- or cyber-specific weapons platforms. It is difficult to imagine Space Command or Cyber Command defining a need for a hypothetical “modified F-35” for space or cyber missions. This makes appropriations for space- and cyber-peculiar capabilities more difficult. Cyber acquisitions in particular may also not benefit from the economies of scale that come with special forces, service, or even space acquisitions because cyber-peculiar capabilities are unlikely to translate into bulk purchases from contractors. For example, rather than acquiring large numbers of aircraft, cyber acquisitions are likely to involve specific tools and capabilities for defined purposes that cannot necessarily be reused across different target sets and that may become irrelevant as technology changes or the target adapts. Despite these challenges, U.S. Cyber Command would benefit from cyber-peculiar acquisition authorities. The Defense Department’s 2018 Cyber Strategy requires an agile and adaptive cyber force that can respond to the dynamic cyber environment and the operational pace of U.S. adversaries. This is in large part what drove Congress to define cyber operations as traditional military activities under Title 10 of the U.S. Code, and the Trump administration to make policy more responsive to offensive cyber operations under National Security Presidential Memorandum-13. The missing piece, however, is comparable flexibility for acquisitions. As with special operations, in cyberspace unanticipated opportunities are likely to arise that may generate requirements for new cyber capabilities or personnel, and the current budgeting process does not have the speed necessary for the acquisitions required.

Current Cyber Acquisition Authorities

While Space Command and the Space Force were established after an MFP was created for space, acquisition authorities for cyberspace have lagged behind the organizational maturation of the force. In the fiscal 2015 NDAA, Congress requested that the secretary of defense submit a budget justification display that would include an MFP category for the Cyber Mission Force (CMF), Cyber Command’s “action arm.” At the time, Cyber Command was a subunified combatant command under U.S. Strategic Command (it was not elevated to a unified combatant command until 2018). Despite this request, in the following year’s NDAA—the same act that created a new MFP category for national security space—Congress granted limited acquisition authorities to U.S. Cyber Command. The idea was to first provide Cyber Command with “training wheels”—$75 million in limited acquisition authority through 2021, rather than a blanket MFP—and then assess whether the organization was sufficiently mature to warrant a real MFP.

In 2017 testimony before the House Armed Services Committee, then-Commander of U.S. Cyber Command and Director of the National Security Agency (NSA) Adm. Michael Rogers acknowledged that Cyber Command had not yet used its limited acquisition authorities. Cyber Command’s first priority, Rogers testified, was forming partnerships with the private sector—which Cyber Command would use to acquire defensive capabilities to support the cyber protection teams responsible for defending the Defense Department’s networks and, when authorized, critical infrastructure.

In 2018, the Defense Department shifted its strategy to “defend forward.” Defend forward posits that to disrupt, deny, and degrade malicious adversary cyber operations and campaigns (particularly in routine competition, below the level of armed attack), ideally before they reach their intended targets, the U.S. must position its cyber forces forward and maneuver where the adversary operates. Following this shift, it is not clear the extent to which Cyber Command has leveraged its new acquisition authorities to acquire offensive capabilities. In March 2019 testimony, Commander of U.S. Cyber Command and Director of the NSA Gen. Paul Nakasone noted that Cyber Command had not managed to completely spend even the relatively small amount of money Congress authorized. At that point, Cyber Command had executed only $44 million of the $75 million appropriated to it and was projected to execute $60-65 million by the end of that fiscal year. It had also filled only six of the 10 personnel positions created to execute these acquisitions.

Cyber Command currently lacks the full acquisition authorities of Space Command, which would make it “service-like.” But the NSA serves important “service-like” functions because it possesses an independent ability to acquire goods and services. Under the dual-hat structure, the NSA and Cyber Command are jointly headed by the same individual; what is more, the NSA plays the role of combat support agency. This allows Cyber Command to benefit indirectly from the NSA’s independent ability to acquire tools, capabilities, infrastructure and personnel—even though neither organization can use its own funds to support the other.

Nevertheless, this relationship may not last forever. Congress has t

[…]

Read the original article: Cyber Command Needs New Acquisition Authorities