top of page
  • Mike McCormick

One Hat Two Hat, Red Hat Blue Hat

Updated: Nov 29, 2022

When the US Cyber Command (CYBERCOM) was founded in 2009 to establish our nation’s cyber fighting force, it was grafted onto the National Security Agency (NSA). This choice made sense at the time. President Obama wanted to stand up CYBERCOM quickly. By leveraging cyber skills and resources already in place at NSA, CYBERCOM became operational much faster.

The NSA director (DIRNSA) is “dual hatted” meaning he leads both NSA and CYBERCOM. Many other individuals at all levels of the NSA are also dual hatted. There are intelligence officers, analysts, technicians, and others who can wear either hat.

This creates both opportunities and dilemmas. For example, an analyst who obtains intelligence about an adversary can take off his blue team hat (NSA), put on his red team hat (CYBERCOM), and use that same intelligence to guide an offensive action. The ease with which hats can be switched has generated unease among some DC insiders.

While NSA and CYBERCOM are both DoD agencies, they play by different rules. NSA is an intelligence agency governed under Title 50. Specifically, the Espionage Act constrains what it can or cannot do. CYBERCOM is a Title 10 war fighting command with different rules of engagement. There is concern that dual hatting may blur this distinction.

With a new president coming to the White House, those concerns are bubbling to the surface. An unusual alliance of privacy advocates and military hawks is calling for separation of CYBERCOM from NSA, and an end to dual hatting. Director of National Intelligence James Clapper (who resigned his post today) recently said “we’ve reached the point where each of these responsibilities should be separate.” Defense Secretary Donald Rumsfeld once challenged the practice of dual hatting. Even current DIRNSA Mike Rogers, a staunch defender of dual hatting, admits that “in the long run the right thing is to keep these two aligned, but to separate them.”

Hawks seeking to expand US cyberwarfare capabilities tend to support the split, because it would free CYBERCOM to pursue missions even when they conflict with the goals of signals intelligence (SIGINT). At the other end of the political spectrum, privacy advocates support the split because of the potential for abuse to occur with dual hatting, as highlighted in some of the Snowden materials.

Opponents of the split tend to be aligned with the intelligence community. While they have a vested interest in status quo, some of their arguments for dual hatting are compelling. Here's three I’ve heard: (1) If NSA learns an adversary plans to exploit a particular cyber vulnerability, they can put on a CYBERCOM hat and take immediate action. (2) Cyber skills take longer to develop than the 3-year duty station tours that are typical in the military. NSA mitigates that with a large civilian workforce, and under the current arrangement CYBERCOM benefits from them too. (3) Separation of the organizations would lead to competition for scarce resources at a time when CYBERCOM already has thousands of unfilled positions.

Although the issue is heating up, Senator John McCain and others in Congress have indicated they won’t allow President Obama to take action on it in the waning days of his administration. So, like it or not, incoming President Trump will find it’s his problem to solve. And he’ll probably have to deal with it early since it affects the war on ISIL, response to Russian cyberattacks, defense budget, and many other national security issues.

Famous for giving red campaign hats to his supporters, Trump must decide whether his cyber warriors need new hats too.


UPDATE 7/17/2017: Associated Press reports the Trump administration is moving ahead with separation of Cyber Command from NSA, in part due to perceived NSA reticence to take a more aggressive stance against ISIS on the cyber battlefield.


Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.

bottom of page