The Department of Defense has just crossed a major milestone, finally releasing their new “Cyber 3.0” Strategy for Operating in Cyberspace as well as having been deeply involved in the White House’s International Strategy for Cyberspace.

   Despite the department’s energy and enthusiasm on cyber issues, it is facing a serious short-term crisis which may sap their momentum: many of the Department’s senior cyber leaders – the very ones most behind these new successes – are leaving. Here are the most important departing officials:

  • Bill Lynn, Deputy Secretary of Defense: The DepSecDef – who has been heavily involved in cyber issues, indeed seeing himself as the lead “cyber strategist” for the DoD – has submitted his resignation. He met frequently with his cyber team and had a very strong hand in the development of the Strategy for Operating in Cyberspace, which could be seen as his document. His replacement will not be known for some time, but is unlikely to take as keen an interest in cyber operations.
  • General James Cartwright, Vice Chairman of the Joint Chiefs of Staff: Cartwright will be leaving his job soon. He has also been an important proponent for cyber operations, and indeed shared the podium with Lynn to handle the “hard questions” after the launch of the cyber strategy. Having been named “geek’s best pal” by Wired magazine, Cartwright’s departure at the same time as the DepSecDef means the DoD will have lost the two most senior cyber-smart officials.   He will be replaced by Admiral James Winnefeld
  • Bob Butler, Deputy Assistant Secretary of Defense for Cyber Policy: Butler, the senior-most official working “cyber” full time, is at the end of his two-year stint at the Pentagon and will be returning to Texas and the private sector. His will be a difficult position to fill, as candidates should not only be familiar with military cyber operations and defense policymaking, but also be effective in both the interagency processes and within the Pentagon. Some insiders feel this last may be a stumbling point, as the DoD still has a smothering amount of bureaucracy at times. It seems there is a short list of potential hires to replace Butler, with at least one person having senior experience at US Cyber Command.
Moreover, it is not just DoD that is losing cyber leadership. As longtime DC cyber watcher Bob Gourley has discussed on his own blog,

The deputy secretary is the latest cybersecurity leader to announce his departure from the Obama administration. On June 16, the White House revealed that Federal Chief Information Officer Vivek Kundra would leave later this summer (see Vivek Kundra Resigning as Federal CIO). A day later, Justice Department CIO Van Hitch, who co-chairs the Federal CIO Council’s panel on IT security, said he would retire (see Van Hitch to Retire as Justice CIO). In late May, Deputy Undersecretary Philip Reitinger left the Department of Homeland Security as its top cybersecurity policymaker (see Reitinger Resigns Top DHS Cybersecurity Post).

DoD has now set itself a goal to “treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential.” The DoD has generations of officials and officers that understand the air, space, land, and sea domains but few that understand cyberspace. There is a new generation that is making its way up through the system now, but without senior leadership these may never stay in the Department long enough and be stripped off to contractors or industry. 

Fortunately, there are many important officials that will be staying with the DoD to implement their own strategy and the White House’s. Jim Miller, the Principal Deputy Under Secretary for Policy, has been involved in cyber issues for years and can provide oversight to whomever replaces Bob Butler. Teresa Takai, the DoD CIO, also remains to oversee the more technical parts of the cyber portfolio. The directors in the Cyber Policy Office (direct reports to DASD Bob Butler) also seem they will be in place for the transition. These include Steve Schleien, Mary Beth Morgan, Colonel BJ Shwedo, and Dr David Mussington; all are longtime veterans of the policy process, cyber issues, or both.

Even better, initial feedback is that during his first weeks, Secretary Panetta has shown an interest for cyber issues. Combined with his guaranteed access to the President, this could go a long way to making up for the loss of Lynn. It also means that both General Alexander at Cyber Command and Secretary Panetta have had their formative cyber experiences in intelligence agencies (NSA and CIA respectively). This may drive DoD planning and operations to an even heavier intelligence focus.

The Department has come a very long way and learned many painful lessons, but there are many more yet to come. Whether or not the replacements for Lynn, Cartwright, and Butler understand (or care about) cyberspace as deeply as their predecessors is still unknown; either way it will be up to them and their staff and advisors to ensure  they can execute the DoD’s many sorely needed actions to operate securely in cyberspace. 

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.

Related Experts: Jason Healey