September 11, 2023 By Ronda Swaney 4 min read

The dual-hat arrangement, where one person leads both the National Security Agency (NSA) and U.S. Cyber Command (Cybercom), has been in place since Cybercom’s creation in 2010. What was once touted as temporary 13 years ago now seems established.

Will the dual-hat arrangement continue? Should it? Experts have discussed the pros and cons of both viewpoints for years. It remains in place for now, but is that likely to change in the future? That remains to be seen, and points of view shift based on the political and geopolitical landscape, as well as the rise and fall of cyber threats.

Who supports the arrangement

Those inside the NSA and Cybercom, as well as key lawmakers, favor keeping the dual-hat leadership. DefenseScoop notes that the initial leadership agreement made sense. Both organizations are inside the same Fort Meade, Maryland, location. At its birth, Cybercom required NSA personnel, experience and infrastructure to grow. The assumption was that Cybercom would eventually grow large and powerful enough to stand alone and justify having its own separate leadership structure.

In practice, however, the dual role enabled faster decision-making, which can be crucial in defeating cyber threats. Rep. Jim Langevin, current chair of the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems, supports the arrangement, saying, “I think the dual-hat arrangement benefits both organizations and provides the infrastructure and expertise that helps both Cyber Command and the NSA achieve success in their individual missions.”

Sen. Mike Rounds, ranking member of the Senate Armed Services Subcommittee on Cybersecurity, voiced similar praise in the article, noting that without the dual-hat arrangement, “You would have two separate bureaucracies who would clash on a daily basis about the use of the tools, about the coordination of efforts, about the protection of their own silos.”

An October 2022 report drafted by a four-person group led by retired Gen. Joseph Dunford Jr., a former chair of the Joint Chiefs of Staff, did not give an official recommendation about keeping the arrangement. However, he argued strongly for the benefits derived from it. A Director of National Intelligence spokesperson noted the report showed benefits of the structure and found no adverse impacts that would justify terminating or splitting the role.

Arguments against the dual-hat role

There is also opposition to the arrangement, and there has been since the organization was created. Some feared the combined role was simply too powerful for one person. The same concern exists today as Cybercom’s role becomes larger, addressing wide-ranging societal concerns like election security and ransomware. Those defenses are often made public, which raises another concern: Could Cybercom’s activities reveal too much about the NSA? As a spy agency, the NSA’s activities are meant to stay hidden. If Cybercom uses NSA tools, could that expose espionage activity?

Does a single leader benefit both agencies?

Army General Paul Nakasone currently holds the head role and has since 2018. Obviously, it’s in his self-interest to tout his own abilities, but he detailed the benefits in his Cybercom 2023 posture statement delivered to the U.S. Senate Armed Services Committee in March. His statement quotes the October 2022 report noting “substantial benefits that present compelling evidence for retaining the existing structure.” He also states that “protecting the national security of the United States in cyberspace would be more costly and less decisive with two separate organizations under two separate leaders.”

The statement notes successful collaborations between the NSA and Cybercom, including defense of the 2022 midterm election. Nakasone maintains that “foreign attempts to meddle in our electoral process via cyber means escalated in 2016 and have persisted in every election cycle since.” The goal of this collaboration has been to “render these campaigns inconsequential,” meaning they would have no effect on election outcomes. The result was that the “2022 midterms progressed from primaries to certifications without significant foreign malign influence or interference.”

Nakasone also outlined efforts to hinder state-sponsored cyberattacks from China, Russia, Iran and other cyber criminals. He notes that as a result, the organization “made partner-nation networks more secure; increased our global cybersecurity partnerships; led to the public release of more than 90 malware samples for analysis by the cybersecurity community and ultimately kept us safer here at home.”

Demonstrable successes have, to date, prevented splitting this role, but the issue continues to come up.

Will a split still happen? If so, what is the holdup?

Even with general agreement that the dual-hat arrangement works, consensus also seems to be that the split will happen eventually in line with the original vision for Cybercom. In 2016, over concerns that a split was imminent (and also premature), Congress legislated metrics that would have to be met before the split could happen. Among those metrics was that each organization would have its own systems in place to plan, de-conflict and execute military cyber and national intelligence operations. Both organizations also need separate tools for cyber operations, including the ability to acquire or create needed tools.

Cybercom has made gains on those metrics but has not fully achieved them yet. And, as long as the two organizations work successfully together and continue to achieve their separate but complementary missions, it’s unlikely there will be a significant push to change their operations.

What’s next for the NSA and Cybercom?

As required, both organizations continue to make progress toward the legislated metrics. Yet there appears to be no appetite for changing the leadership arrangement in the short term. What is on the short-term horizon? Gen. Nakasone plans to step down from the role sometime this year. The leadership role is generally held for four years, but Nakasone agreed to extend his tenure into 2023.

In May, U.S. Air Force Lt. Gen. Timothy Haugh was nominated as Nakasone’s replacement. Haugh currently serves as deputy commander at Cybercom. He helped spearhead some of the key initiatives at Cybercom, including election protection. The role requires Senate confirmation, but Sen. Tommy Tuberville is currently blocking all military nominations, with 200 nominations currently pending due to his block. Haugh’s appointment and Nakasone’s retirement plans remain in the air until that stalemate ends.
