The NSA-CYBERCOM Split Will Not Fix American Cyber Operations

Why Does the NSA-CYBERCOM Relationship Keep Coming Up for Debate?

U.S. Cyber Command and the National Security Agency have shared a headquarters at Fort Meade, Maryland, and a commander since CYBERCOM was elevated to a unified combatant command in 2018. The dual-hat arrangement was supposed to speed the flow of intelligence into operations and give cyber warriors access to the NSA's signals intelligence infrastructure. Two decades into the cyber mission, many inside the building view it as a bottleneck dressed up as efficiency.

The question is not whether the two organizations should share a parking lot. The question is whether a cyber operator can act fast enough to matter. Most days, the answer is no. The problem is institutional, not personal. CYBERCOM is a Title 10 military command. It conducts defense, offense, and support to military operations under the laws of armed conflict and Department of Defense authorities. The NSA is a Title 50 intelligence organization. It collects foreign intelligence under the Foreign Intelligence Surveillance Act, Executive Order 12333, and oversight from the congressional intelligence committees. The same person wearing both hats must constantly switch legal frameworks, reporting chains, and even the definition of success.

Civilian leaders have noticed. In 2024, President Biden signed National Security Memorandum 22, which directed a study of the dual-hat arrangement and set conditions for a possible split. The study was due in 2025. As of May 2026, the bureaucracy is still producing options papers. Meanwhile, operators rotate through tours, adversaries update their infrastructure, and the workforce waits for a decision that may not arrive before the next major breach.

What Do Title 10 and Title 50 Actually Mean for Operators?

Title 10 means the operator wears a uniform, operates under military orders, and answers to the Secretary of Defense through the combatant command chain. Title 50 means the operator may work under civilian cover, collect intelligence for national consumers, and answer to the Director of National Intelligence through the NSA. The difference matters because the authorities, oversight regimes, and even the rooms where decisions get made are different.

Section 702 of the Foreign Intelligence Surveillance Act allows the intelligence community to target non-U.S. persons located outside the United States for foreign intelligence collection. The program expires unless reauthorized by Congress. In 2024, Congress renewed Section 702 with reforms to the FBI's query procedures after abuses of U.S. person data became public. For NSA, 702 is the backbone of much foreign cyber threat intelligence. For CYBERCOM, it is a feed, not a weapon.

The friction appears when a military operator needs to act against a foreign server that is also of intelligence interest. Is the target supporting an active hostile act against U.S. forces under Title 10? Or is it a collection target under Title 50? The lawyer's answer can take hours. The malware's answer can take minutes. Every operator knows which clock matters.

Executive Order 12333 governs much of what the intelligence community does overseas. It is not a blank check. It requires procedures approved by the Attorney General, coordination with host nations in many cases, and reporting to Congress. These rules exist for good reasons. They also create seams that adversaries exploit.

How Are Foreign Adversaries Organized Differently?

China's Ministry of State Security and People's Liberation Army Strategic Support Force do not worry about a statutory wall between espionage and attack. Russia's GRU military intelligence and SVR foreign intelligence operate under different bureaucratic cultures, but both answer to the same political leadership and share operational infrastructure when useful. Iran's Islamic Revolutionary Guard Corps and North Korea's Reconnaissance General Bureau blend criminal, intelligence, and military functions without a congressional committee to slow them down.

The United States does not want to imitate authoritarian systems. We should not. But we should recognize that our adversaries gain speed from their lack of legal restraint. A PLA unit probing U.S. critical infrastructure does not stop to ask whether its action is Title 10 or Title 50. It stops when it achieves the mission or when it gets caught. The asymmetry is real, and it is structural.

The 2023 Microsoft report on Volt Typhoon, a Chinese state-sponsored group, showed infrastructure targeting across Guam, Hawaii, and the continental United States. The targets included communications, government, and manufacturing sectors. Volt Typhoon's behavior suggested preparation for disruption, not just espionage. That distinction, between spying and prepositioning for attack, is exactly the seam where U.S. authorities become tangled.

What Would Real Reform Look Like?

Splitting the dual-hat commander is a structural change, not an operational solution, and it will not help the workforce if the two organizations keep the same tools and incentives. If the split leaves both organizations with the same stovepiped tools, the same legal ambiguity, and the same risk-averse promotion incentives, nothing improves for the operator on the floor. Real reform starts with clarity about who can do what, under what authority, and with what speed.

Congress should write a cyber operations title that gives the Department of Defense explicit authority to conduct limited defensive and offensive actions in cyberspace outside declared theaters of armed conflict. That does not mean unleashing the military against Americans. It means ending the absurdity where a cyber operator needs a lawyer's sign-off to defend a domestic critical infrastructure node from a known foreign adversary because the target happens to be outside the military network.

The workforce needs better tools and less theater. Operators spend enormous effort building PowerPoint decks for leadership and navigating classification barriers that prevent the sharing of Indicators of Compromise with private sector partners. CISA, the Cybersecurity and Infrastructure Security Agency, has improved information sharing since its creation in 2018, but classification remains the biggest obstacle. A report that cannot leave a SCIF is a report that cannot help a network defender.

Finally, the intelligence community should stop treating every cyber operation as a special access program by default. Secrecy protects sources and methods. Excessive secrecy protects incompetence. The operators know the difference. Leadership should listen.

The NSA-CYBERCOM relationship will eventually change. It should. But no headquarters reshuffle will defeat Volt Typhoon, APT29, or Lazarus Group. Only clear authorities, competent operators, and leadership willing to take risk can do that. The rest is reorganization theater.