The Defense Department was not well organized internally to deal with cyber issues. The director of national intelligence under President Bush, Mike McConnell, had urged me in 2008 to create a separate combatant command to deal with cyber threats. We were just then establishing Africa Command, and I thought the president and Congress would balk at yet another major command. But I made some organizational changes in the fall of 2008 and in June 2009 established Cyber Command as a subordinate component of Strategic Command. I recommended that the president nominate Army Lieutenant General Keith Alexander, the director of the NSA, to run this “subunified” command as well. Its purpose would be to better organize Defense operations in cyberspace, to ensure our freedom of access to cyberspace, and to oversee investments in people, resources, and technology to prevent disruptions of service to the military.

On May 21, 2010, I took the step suggested two years before by McConnell and established an independent Cyber Command with now-General Alexander in command. (Part of my motivation for creating the independent command was to get a fourth star for Alexander, whom I considered one of the smartest, best officers I ever met. Without such a command and promotion, I feared we would lose him to retirement.) I also created a new civilian office to lead policy development and provide oversight to the new command. Overall, thanks to the NSA and other components in Defense devoted to information and cyber security, and with these organizational changes, I felt reasonably comfortable that Defense Department cyber networks were protected, even though they were attacked by hackers many times a day. A major initiative, led by Deputy Secretary Lynn, to get key defense industries to come voluntarily under our cyber umbrella for protection, was also enjoying considerable success. By mid-2010, I thought we had made considerable progress.

Not so in the rest of government. A major issue was the role of the NSA. Specifically, privacy advocates and civil libertarians were loath to use this military intelligence agency to protect cyber networks at home. The real-world implication of their position was creation of some kind of domestic counterpart to the NSA. I thought that was sheer idiocy. Time and again I argued that there wasn’t enough money, time, or human talent to create a domestic clone. When we got warning in the summer of 2010 that a major cyber attack was being planned on the United States in the fall, I saw an opportunity to break the stalemate.

I devised a politically risky but potentially successful way to bypass the entire bureaucracy, including the White House staff, and present the president with a solution. To somewhat oversimplify, as secretary of defense I had responsibility for national-security-related cyber matters outside the United States, and under the law, the secretary of homeland security—Janet Napolitano—had responsibility for network protection inside the United States. I invited Janet to lunch. We met on July 7, and I proposed that we assign several of our top people to work together urgently on a plan for her department to be able to use the NSA to defend U.S. domestic cyber networks. My idea was that I would appoint a senior homeland security person—recommended by Napolitano—as an additional deputy director of the NSA, with the authority to use the agency’s unique capabilities to protect domestic computer networks. This homeland security appointee would have his or her own general counsel inside the NSA, and together we would build firewalls to protect privacy and civil liberties, to ensure that the wide authority that the NSA had for operating abroad was limited at home.

We met again for lunch a week later to review a preliminary draft proposal. We made some adjustments, and the two of us presented the proposal to the president in the Oval Office on July 27 (unheard-of speed in Washington). We had bypassed everyone else in government—but we told the president the two of us were the ones with operational responsibility, and we could make this work. We told him he could have John Brennan quickly run it through the interagency coordination process (especially the Justice Department) to make sure we hadn’t missed something, but that he ought to be able to approve our signing a memorandum of understanding by August 15. Napolitano and I met on August 5 with Brennan in his West Wing basement office, a large but low-ceilinged and cluttered room. With his support in moving the proposal quickly, within three weeks of our meeting with him, the president signed off on the proposal.

Napolitano and I had briefly been able—with the president’s support—to part the bureaucratic Red Sea, but the waters soon came crashing back together. Although we fairly quickly made the organizational and personnel decisions and changes at NSA to implement our plan, months later General Alexander told me that Homeland Security wasn’t much using the new authority. I don’t know why to this day. But because of the failure to make this or something like it work—along with political paralysis in Congress on how to deal with the cyber challenge—the country remains dangerously vulnerable, as my successor starkly pointed out in a speech in 2012.

The process by which the secretary of defense formally conveys presidential authority to use military force to combatant commanders is through the preparation and signature of “execution orders,” and they apply to the use of force outside war theaters such as Iraq and Afghanistan. These orders, called EXORDs, usually are quite specific, but there were some on the books from the Bush administration, particularly in the counterterrorism arena, that provided combatant commanders broad authority to launch operations without further authorization—particularly when the opportunity to hit a target might require a very fast decision. In every case, the president had broadly authorized the use of lethal force, but I was uncomfortable with any arrangement where use of that force would catch the president by surprise. Under President Bush, I made clear that whatever the EXORD said, I wanted to be informed of any action beforehand so I could inform the president.

In 2010, I decided we should review all the EXORDs to bring the language in them into conformity with my practice of informing the president in advance. Neither Obama nor his advisers had reviewed the EXORDs approved by President Bush in detail. What I had envisioned as a largely mechanical effort to ensure that the president was properly informed became a broad, time-consuming interagency effort led by an NSS always eager to micromanage the Pentagon. The effort on our side was led by Michèle Flournoy and the assistant secretary for special operations and low-intensity conflict, Mike Vickers. We often had to push back hard to keep the White House and State Department from getting too far into our military knickers, but at the end of a year’s work, we had updated the EXORDs, ensured that except in the most extraordinary circumstances the secretary and president would know about operations prior to launch, and had Obama administration buy-in. When we were finished, there didn’t seem to be too much unhappiness on the part of the combatant commanders about the curtailment of their unilateral authority to launch military operations.

In a place as big as the Defense Department, something is always going wrong. Most of the time, it’s just a bureaucratic screwup. But when our nuclear forces are involved, it can quicken your pulse. The first two such incidents on my watch, as I’ve described, had led to my firing of the secretary and chief of staff of the Air Force in 2008. In October 2010, at F. E. Warren Air Force Base near Cheyenne, Wyoming, all communications were lost with a squadron of fifty Minuteman III nuclear-tipped intercontinental ballistic missiles. While alternative communications were soon reestablished, no one had informed the secretary of defense or the president when we lost contact with a launch control capsule and fifty ICBMs. And of course, when the communications went down, no one at the base, or at its higher headquarters at Strategic Command, knew at that moment how long they might be down or whether they had been lost due to a technical malfunction, terrorist act, sabotage, or some other scary scenario—or even whether one or more of the missiles might somehow be at risk. In a masterpiece of understatement, Obama allowed as how he would have liked to have known about it. It was a sentiment I shared.