The proposals are part of each chamber’s version of the annual defense policy bill, the National Defense Authorization Act for fiscal 2026.

According to the Senate Armed Services Committee’s version, DOD must conduct a study on force employment of cyber in support of combatant commands and evaluate establishing Joint Task Force-Cyber elements across those geographic combatant commands.

A proposal in the House, offered by Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems chairman Rep. Don Bacon, R-Neb., requires a similar evaluation, though focused specifically on the Indo-Pacific Command area of responsibility.

According to Bacon, the military is not properly organized for the current cyber conflict.

“Since becoming Chairman of the Subcommittee, I’ve grown increasingly concerned that we are not correctly organized for the cyber fight we find ourselves in today, let alone a more complex and consequential future fight. Our Cyber Command does great working national threats, but I want to ensure our Cyber team is postured right for a potential fight with China over Taiwan,” he said in a statement.

He said he plans to push for the establishment of a Joint Task Force-Cyber — not merely an evaluation — when both chambers of Congress convene to reconcile their bills.

“If we accept the reality that we are already in hostilities with our principal adversary in cyberspace, then there is no time to waste,” Bacon said.

Bacon also pointed to the fact that this is not a new issue. In the fiscal 2023 NDAA, Congress required the creation of a similar organization — a Joint Task Force — in Indo-Pacom to support joint operations in the kinetic space before conflict, because the military was not sufficiently acting jointly, in lawmakers’ view.

Sources indicated that construct has worked well so far and these proposals could mirror that on the non-kinetic side.

Moreover, a classified DOD Inspector General report that examined the effectiveness of Indo-Pacom and Cyber Command’s planning for offensive cyberspace operations and Cybercom’s execution of offensive cyberspace ops in support of Indo-Pacom’s plans, recommended the creation of a Joint Task Force-Cyber, according to someone familiar. That examination began in 2023.

Congress has in several previous NDAAs asked for studies and evaluations on how Cybercom’s headquarters elements are organized and how it employs cyber capabilities effectively. Sources indicated these proposals are likely, in part, an indication that lawmakers aren’t pleased with either the responses from the Defense Department, or there has been a lack of response from DOD.

If realized, the creation of joint task forces for cyber at the combatant commands could potentially lead to a complete restructure for how operations are conducted, according to sources.

How cyber operations are conducted

Ultimately, these proposals could end up giving more oversight and control of cyber operations to the geographic combatant commanders.

Unlike the other domains of warfare, there still is no cyber component command at the geographic combatant commands. Each component command — land, air and maritime — is responsible for commanding and coordinating the forces under their domain on behalf of the four-star combatant commander, who has the ultimate authority on how and which forces are employed for particular operations.

Cyber, however, is different.

Since Cybercom established its cyber mission force over 10 years ago — the 147 teams that the services provide to Cybercom to conduct cyber operations — digital forces and capabilities are employed through what the command calls Joint Force Headquarters-Cyber.

These entities are commanded by the heads of the service cyber components and are assigned particular combatant commands to provide planning, targeting, intelligence, synchronization, and command and control of cyber capabilities.

Joint Force Headquarters-Cyber Army is responsible for Central Command, Africa Command and Northern Command. Joint Force Headquarters-Cyber Navy is responsible for Indo-Pacom, Southern Command and United States Forces Korea. Joint Force Headquarters-Cyber Air Force is responsible for European Command, Space Command and Transportation Command. Joint Force Headquarters-Cyber Marine Corps is responsible for Special Operations Command. DOD Cyber Defense Command, formerly Joint Force Headquarters-DOD Information Network, is the coordinating authority for Transportation Command.

None of the these entities were designed to be identical.

Moreover, there is also the Cyber National Mission Force, a sub-unified command under Cybercom, which is responsible for defending the nation against significant digital threats and is thought to possess the most elite cyber operators. It is a global entity aligned in task forces assigned to different threat actors, which means they are also operating within the areas of responsibility for geographic combatant commands.

Given Cyber National Mission Force’s global mission, the commander of Cybercom can conduct operations in a particular theater based on his priorities and mission sets. While this may be coordinated with the regional commander, they don’t necessarily have to ask for permission, in what could be seen by the geographic combatant commander as infringing on their area of operations.

The geographic combatant commanders don’t have as much control over cyber forces in their regions as they do for the physical or kinetic forces. The cyber teams are controlled by the JFHQ-Cs through Cybercom. Moreover, Cybercom has the ability to reorganize and realign forces around as they see fit against different priorities and threats, though, this is usually done in consultation with the combatant commands.

Cybercom, not the combatant commands themselves, approves the cyber operations for the regional commands, which includes interagency coordination.

Approvals for cyber ops flow through the commander of Cybercom, not the geographic combatant commands themselves, which includes interagency coordination.

Taken together, sources indicated these could all be seen as a loss of control for the geographic combatant commanders, who are responsible for running the operations in their regions and typically have oversight of their forces. Some have argued that the regional combatant commanders should have control and oversight of all the forces in their geography.

Sources indicated tensions exist in this construct with a regionally focused combatant command and a globally focused combatant command that has a high-demand, low-density asset in cyber.

“I think what you’re seeing is the tension that exists today between having Cybercom forces that really, at the end of the day, are controlled by the Cybercom commander in general support to the other Cocoms versus having that combatant commander have full control,” a former military cyber official told DefenseScoop.

Others indicated the creation of a joint task force is a natural evolution for the command and control of cyber forces.

Indo-Pacom, in particular, poses a unique challenge with all the cyber forces operating within its area of responsibility.

There are combat mission teams that conduct cyber operations on behalf of combatant commands, mostly in the offensive sphere, coordinated by Joint Force Headquarters-Cyber Navy, Joint Task Force-Ares — which initially was a counter-ISIS cyber task force but shifted four years ago to focus more on nation-states, particularly in the Pacific region — run by Marine Corps Force Cyberspace Command — as well as teams from the Cyber National Mission Force.

For those reasons, the command and control of these forces must be under a single chain of command. Those forces could be packaged together and work for the Indo-Pacom commander, the former officials posited when discussing a potential future scenario, and then the Indo-Pacom commander would have full control over them, a departure from the situation today.

For Indo-Pacom, everything is on island, a second former military cyber official said, meaning where their Hawaii headquarters are located. Indo-Pacom wants everyone on island with them so capabilities can be better integrated, they added.

Experts and former officials noted that a Joint Task Force-Cyber structure would likely clean up command and control lines for the employment of cyber.

Those that spoke to DefenseScoop noted combatant commands could see this as enhancing simplicity and speed.

In a future conflict, decisions will have to be made at unprecedented speeds, as seen in the Ukraine-Russia war.

However, the global nature of cyberspace and actors could complicate such an arrangement where the regional commander has more control.

China, for example, is a global threat actor and taking control from Cybercom could lessen its ability to surge or act in other regions. If there is a global threat versus a regional threat, officials would have to figure out what takes priority, who makes the decision and who has the authority to re-direct cyber forces to address them, a third former military cyber official posited.

Questions and resource constraints

Experts raised several issues that should be addressed with the potential formulation of joint task forces for cyber at the combatant commands, posing questions that should be answered in an evaluation for their necessity or creation.

One concern is whether the assessment for the creation of a Joint Task Force-Cyber is fair when balanced against what Cybercom has been doing over the last couple of years.

Cybercom has continued to reevaluate how it conducts cyber operations over the years.

Discussions in recent years inside the command have also focused on creating task forces that would be assigned against particular threat actors. This would potentially allow cyber forces to transcend the geographic boundaries given cyber threat actors are global.  

The drafting of this legislation, however, signals that the current processes can be done better.

Would a new process create more hurdles or would it enable greater simplicity?

“You have to ask yourself with what we’ve designed today, is it simple … Simplicity, speed, precision, clarity, these kind of things are really important in a fast fight for C2. And you could offer that’s not necessarily the case with the current design,” the first former official said. “Is the juice worth the squeeze?”

The third former official noted it’s important to ask what problem is this trying to solve? What is this a joint task force to do? Is this an authorities issue, is it a cyber mission force capacity issue, or what are the combatant commands not getting that they need from Cybercom?

Some of these issues could be wargamed or worked out through table top exercises, they noted.

For many officials, an education gap still exists where combatant commands still don’t always know how to employ the JFHQ-Cs or what to ask for from Cybercom. Some of this is relationship and personality based and can differ based on each organization.

About eight years ago, Cybercom began to create planning cells — Cyber Operations-Integrated Planning Elements (CO-IPEs) — located within the staffs of the geographic combatant commands to help them with synchronization and planning given the JFHQ-Cs are at remote locations.

While the CO-IPEs were designed to assist in planning and understanding how to employ cyber operations, they still haven’t all matured effectively to provide all the necessary answers and planning requested.

According to the third former official, some of the geographic combatant commands are probably saying, “I just don’t have the authority.”

They pushed back on that assessment, noting if the combatant commands asked for something, they’d likely get it, but an educational issue on both sides of the problem exists.

Another model could be to bolster the CO-IPEs to mirror Special Operations Command’s theater special operations commands (TSOCs), which are small teams and how special operations forces are employed in geographic combatant commands.

These entities can act as a connective tissue between seams in geographic regions and anticipate which threats may need more resources. They can provide command and control for running operations, if needed. CO-IPEs are currently only for planning and have no command and control functions.  

Another option could be to co-locate the cyber forces within the JTF within the combatant command. Currently, only the CO-IPE is embedded in the geographic combatant command staff. The JFHQ-C and cyber forces conducting the operations are at remote locations, not directly within the geographic combatant command they’re supporting.

But part of the challenge with the way the legislation is written is if Congress wants a Socom model, lawmakers would establish a TSOC equivalent for a Cybercom forward element or cyber element for forces in theater and not a Joint Task Force-Cyber, one of the former officials said. The reason that doesn’t exist today, they added, is the control is done in the rear of the CO-IPE and they conduct the integrated planning with the combatant command staff forward.

“I don’t think Cocom commanders are happy with that. I think they want the control,” the official suggested.

Other key questions surround resources. Oftentimes when there’s a new problem, organizations stand up a new headquarters, but nobody gets any more people, one of the former officials pointed out.

Of note, given each Joint Force Headquarters supports multiple combatant commands, in many cases officials within those organizations wear multiple hats. For example, a service cyber component might have an integrated operations staff that does everything for all their Joint Force Headquarters.

If each combatant command creates a Joint Task Force-Cyber and the Joint Force Headquarters go away — something that isn’t necessarily clear based on the legislation proposed — where do the new joint task force personnel come from? Are those staff that wore multiple hats ripped apart, some sources asked.

Setting priorities

One of the other aspect driving an assessment to create a new joint task force construct is to help drive more emphasis on the combatant command cyber forces and capabilities.

According to a congressional staffer, there was a sense that there was neglect for the combatant command-related cyber capabilities in favor of the Cyber National Mission Forces that defend the nation.

It comes down to prioritization and resources. The Cyber National Mission Force has a global mission and there is a lot of prioritization that goes to them, but that doesn’t mean the other teams aren’t working, former officials said.

With limited resources, what gets the focus? Are they things that are important to Cybercom or the geographic combatant commands, one former official asked, noting they could see an argument coming from a combatant command asking is Cybercom doing things that are of the most interest to that combatant commander or are they working on things that are of less interest to them, but of more interest to Cybercom, which are typically CNMF targets.

The post Congress pushing Joint Task Force-Cyber, shaking up how DOD employs digital capabilities appeared first on DefenseScoop.

The language appears in the SASC-passed version of the annual defense policy bill for fiscal 2026. While the committee approved the legislation last week, the full text was only released Wednesday.

Specifically, if it becomes law, the legislation would require a report from the Pentagon on the integration of reserve components, namely the National Guard, into the cyber mission force. It would also mandate an implementation plan.

The cyber mission force is comprised of 147 teams — including offensive, defensive and support teams — that the military services provide to U.S. Cyber Command to employ for operations.

Guard units have been used to support or supplement active units in various capacities. In fact, at the outset and creation of the cyber mission force nearly 15 years ago, the Air Force decided to initially take a total force approach to build its contribution, meaning its teams were made up of a mix of active component and Guard members.

Other assistance, most notably, includes Task Force Echo, the biggest Guard cyber mobilization to date with soldiers from 32 states having supported it over a number of years.

Little public information is known about the task force other than it aids full-spectrum cyber operations for Cybercom’s Cyber National Mission Force. While not so-called “trigger pullers,” sources have also indicated the task force provides infrastructure support.

The Guard has also conducted experiments with Cybercom in years past to test what was called the Cyber 9-Line, a tool that allows participating Guard units from their respective states to quickly share incidents with the Cyber National Mission Force, which can provide analysis of discovered malware and offer feedback to the states to help redress the incident, while also potentially taking action against the threat outside U.S. borders.

The Senate Armed Services Committee’s fiscal 2026 policy bill would require a report that provides an assessment of different authorities in each status of the reserve components, with particular focus on the National Guard and authorities under title 32, and how the DOD can use those personnel in such statuses within the cyber mission force.

It should also include an analysis of current and planned efforts to work with the military departments, the National Guard and the adjutants general of each state to develop unique cyber capabilities that address identified operational requirements — and a description of methods to work with those entities to track and identify key skills and competencies that aren’t part of primary military occupational specialties.

Moreover, senators want to see an evaluation of what types of authorities would be most beneficial to maximize the activation and support of the reserve components to cyber operations as well as an evaluation of the existing barriers to or impediments for integration of the reserve components into the cyber mission force.

The Guard has been lauded as an under-tapped and potentially vital resource for the nation in cyberspace. Many of its members work in cybersecurity as their full-time jobs when they’re not in uniform, meaning they oftentimes possess unique skills not always found in the active component.

There have been big pushes in recent years to more tightly integrate these Guard and Reserve forces into the larger DOD cyber enterprise to be able to act as surge capability in the event of a major cyber incident against the nation.

Legislation has also been introduced previously to help clear hurdles — real or perceived — to allow the Guard to respond to cyber threats.

The post Senate bill calls for tighter reserve component inclusion in cyber mission force appeared first on DefenseScoop.

A provision in the committee’s version of the annual defense policy bill, of which an executive summary was released Friday, would require the secretary of defense to review future force employment concepts for cyber operations. The full text of the bill has yet to be released.

Senior congressional officials that briefed reporters Friday pointed to the fact that to date, cyber operations and forces have largely been focused on the strategic level. More and more, there are other avenues to conduct digital actions, officials said, to include tactical cyber.

In fact, the DOD updated its cyber doctrine at the end of 2022 to include for the first time a definition of what it called “expeditionary cyberspace operations,” defined as “[c]yberspace operations that require the deployment of cyberspace forces within the physical domains.”

That recognition was significant given authorities to conduct cyber operations were held at the highest levels of government for many years due to fears that such activities could have unintended consequences or spread into networks beyond the intended targets.

Cybercom owns the offensive cyber capabilities within DOD, and the services conduct offensive cyber operations through Cybercom and the cyber mission forces that each service provides to the command that operate from static, remote locations, mostly focused on IP-based networks.

However, increasingly, there are targets that either aren’t reachable through IP networks or remote access might not be possible. And as DOD has matured its cyber policies, doctrine and capabilities, the reins have begun to loosen up.

Certain factions have sought to use more proximal effects conducted through radio-frequency, which require fewer levels of approval to conduct operations at the very tactical level.  

Several of the services have begun investing in capabilities and forces for their own offensive activities. However, that is mostly in the blended electronic warfare or RF-enabled sphere at the tactical level.

While individual services have started developing and even deploying such forces, all cyber operations must still be connected through Cybercom.

For example, the Army created the 11th Cyber Battalion — which stemmed from the 915th Cyber Warfare Battalion before it — a unit that provides tactical, on-the-ground cyber operations (mostly through RF effects), electronic warfare and information ops. It consists of four companies with over 300 personnel total and five expeditionary cyber teams, which are scalable formations designed to augment units upon request. The Army was recently approved to create another unit called the 12th Cyber Battalion.

The Air Force in the last year or so has developed a concept called Cyber Enabled Air Superiority (CEAS), that aims to use organic Air Force cyber assets to protect its critical missions, such as safeguarding fighter jets from cyberattacks. While the concept is still emerging, the Air Force re-missioned a National Guard unit to initially take charge of the effort.

The Navy has been building what it calls non-kinetic effects teams that are afloat assets to provide cyber, electronic warfare and other similar capabilities for commanders at sea.

The Marine Corps has developed information units for its Marine Expeditionary Forces that include cyber, intelligence, EW and information-related capabilities.

Cybercom has recognized these capabilities, and command officials have begun exploring ways to utilize them, especially as they can serve as entry points for its high-end operators to access hard-to-reach networks that might not be connected to the internet.

These efforts also fit into the concept of the modern triad, which consists of combining the capabilities of space, cyber and special operations forces to create military packages greater than the sum of their parts. SOF are located in some of the hardest places on earth, giving them the opportunity to get close to targets and potentially providing access and entry points for cyber effects.

Given this growth in the concept, the Senate Armed Services Committee also wants the review to encompass the types of personnel DOD will require to conduct cyber operations of all kinds in the future. To date, that has only really included the cyber mission force. As referenced, this could include a much larger pool across the conventional and even special operations forces beyond the Cybercom enterprise.

The summary of the policy bill states the review would include an assessment of personnel policies that could be needed to support any such evolving cyber force, though committee officials clarified this has nothing to do with discussions surrounding the potential creation of a separate and distinct service, or Cyber Force.

“We have focused a lot of this around how we man, train and equip for very exquisite cyber mission forces. There is a bigger pool of people out there,” an official said. “How are we going to employ that full scope of people and how do we need to adjust the personnel policies to be able to keep that flow of people?”

The post Senate Armed Services Committee wants DOD to explore ‘tactical’ cyber employment appeared first on DefenseScoop.

While the budget proposal would allot just $5 million for the effort — a small portion of Cybercom’s $1.3 billion research and development spending plan — the stand-up of the program follows congressional direction to prod the command to develop an AI roadmap.

In the fiscal 2023 defense policy bill, Congress charged Cybercom and the Department of Defense chief information officer — in coordination with the chief digital and artificial intelligence officer, director of the Defense Advanced Research Projects Agency, director of the National Security Agency and the undersecretary of defense for research and engineering — to jointly develop a five-year guide and implementation plan for rapidly adopting and acquiring AI systems, applications, supporting data and data management processes for cyber operations forces.

Cybercom created its roadmap shortly thereafter along with an AI task force.

The new project within Cybercom’s R&D budget aims to develop core data standards in order to curate and tag collected data that meet those standards to effectively integrate data into AI and machine learning solutions while more efficiently developing artificial intelligence capabilities to meet operational needs.

The effort is directly related to the task of furthering the roadmap.

As a result of that roadmap, the command decided to house its task force within its elite Cyber National Mission Force.  

The command created the program by pulling funds from its operations and maintenance budget and moving them to the R&D budget from fiscal 2025 to fiscal 2026.

The command outlined five categories of various AI applications across its enterprise and other organizations, including vulnerabilities and exploits; network security, monitoring, and visualization; modeling and predictive analytics; persona and identity; and infrastructure and transport.

Specifically, the command’s AI project, Artificial Intelligence for Cyberspace Operations, will aim to develop and conduct pilots while investing in infrastructure to leverage commercial AI capabilities. The command’s Cyber Immersion Laboratory will develop, test and evaluate cyber capabilities and perform operational assessments performed by third parties, the budget documents state.

In fiscal 2026, the command plans to spend the $5 million to support the CNMF in piloting AI technologies through an agile 90-day pilot cycle, according to the documents, which will ensure quick success or failure. That fast-paced methodology allows the CNMF to quickly test and validate solutions against operational use cases with flexibility to adapt to evolving cyber threats.

The CNMF will also look to explore ways to improve threat detection, automate data analysis, and enhance decision-making processes in cyber operations, according to budget documents.

The post Cyber Command creates new AI program in fiscal 2026 budget appeared first on DefenseScoop.

The command’s research-and-development budget proposal includes $117.2 million under a portfolio called “Data and Sensors.” In last year’s budget release, the command anticipated spending just $20.8 million in FY26 in the future years defense program for that same portfolio. The fiscal 2025 request for the portfolio was $21 million.

According to budget justification documents, the increased funding would go toward cyber mission monitoring capabilities for the Department of Defense Information Network and expand operational technology asset installation at other Indo-Pacom defense critical infrastructure networks and systems. Moreover, the budget activity continues whole-of-government collaboration and coordination for sensor deployment, data sharing and lessons learned, and includes an expanded submarine cable landing monitoring capability, sensor placement in key networks and maintenance of automated alert capabilities to operators.

The documents also note that beginning in fiscal 2024 the DOD added funds within the portfolio for Indo-Pacom’s regional component of the National Defense Strategy to maintain and restore a comparative military advantage. Cybercom added resources and manpower to support the maturation and fielding of monitoring capabilities to hunt and trap adversaries across the DODIN’s priority edge devices and procure new hardware.

The portfolio’s enhanced sensing efforts are part of the larger Pacific Deterrence Initiative, a key effort to provide funding carveouts for Indo-Pacom to bolster its posture relative to China, and expand low-level network sensing and defense for key networks in the region, the documents state.

More specifically, the enhanced sensing investments in Cybercom’s budget request portfolio include support for specialized Indo-Pacom Low-Level Network Sensing and Defense capability, data feed, analytic resources and increased efforts to discover and characterize adversary networks — all of which are necessary to maintain or restore comparative military advantage and reduce risk of contingency plans in support of U.S. national security interests, according to the documents.

The investments have already supported the transition of existing DOD projects to Cybercom and expansion of new sensing and data analytic tools to strengthen the cyberspace defensive posture of Indo-Pacom networks, with a specific focus on defense critical infrastructure in Guam.

The budget touts examples of this, including the employment of over 3,000 operational technology assets that resulted in a 52 percent reduction in malicious and anomalous behavior in the environment and a 32 percent decrease in known vulnerabilities to key assets such as firewalls, switches and routers, to achieve 76 percent adherence to MOSAICS frameworks in industrial control systems.

Cybercom’s cyber protection teams — defensive teams focused on hunting adversaries within the network — performed 31 threat-hunting missions and investigated 58 additional artifacts across multiple networks, informed by the investments made in the portfolio. Those teams worked with local defenders within Indo-Pacom to bolster their tactics, techniques and procedures.

The command noted that that the work established real-time insight into the submarine cable landing in Guam to effectively monitor network traffic transiting to and from the island, including automated alert and visual interface tools for operators.

The scope is also different from the previous budget request, in which Cybercom articulated that most of the portfolio spending would go towards deployable sensors and the “fly away” kits that the command’s cyber protection teams use. Those teams sometimes deploy to sites locally that incur breaches — hence the need for specialized kits.

The funding for 2025, according to previous budget documents, was partially planned to go towards downselecting awardees for Joint Cyber Hunt Kits, standardized fly-away kits for both cyber protection teams and hunt-forward missions that involve physically sending teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

Cybercom’s fiscal 2026 budget proposal moved funding for the Joint Cyber Hunt Kits to the procurement portion. A prototype effort was slated to be completed in June 2025, and a review of the capability was expected completed by August 2025 with a production award scheduled for FY26, the documents state.

In DOD parlance, China is the pacing threat. It has become more brazen in intrusions and probes into U.S. and defense networks, particularly in maritime or port environments to potentially limit an American military mobilization response if Chinese leaders decide to invade Taiwan.

Guam, a key U.S. military outpost, has been a top target for Beijing in recent years. Chinese hackers targeted critical infrastructure there, burrowing deep inside a couple of years ago and startling experts who referred to it as one of the largest cyber espionage campaigns against America.  

The group that conducted the operation has been referred to as Volt Typhoon, one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world called “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

In fiscal 2026, Cybercom plans to field hardware security capabilities and support sustainment of existing capabilities installed in fiscal 2024 and 2025, according the budget documents. It will also seek to implement improved or additional tools and tradecraft to keep pace with the dynamic and evolving threat landscape.

The 2026 funding request aims to complete full asset inventory to operational technology assets on Guam defense critical infrastructure for comprehensive and enduring monitoring to reduce malicious activity, address known vulnerabilities and ensure adherence to MOSAICS framework for industrial control systems, the documents state.

The post Cyber Command significantly increases funding request for defense in Indo-Pacific region appeared first on DefenseScoop.

“I also have learned that within the executive branch there are very limiting rules of engagement on what Cyber Command can do in response,” Rep. Don Bacon, R-Neb., said during a June 12 House Armed Services Committee hearing.

Bacon serves as the chair of the panel’s subcommittee that oversees Department of Defense cyber operations, forces and policies, giving him unique insights into this matter.

“I’m the chairman of the committee and I’ve talked to multiple layers, they are restricted based off the rules of engagement. Maybe they’re appropriate. I just hope we relook at them because if China can attack our energy grid, our Wall Street grid, our hospitals, I think we should be reviewing, okay, is our responses adequate? I just want to submit that for you to think about and consider,” he told the committee’s witnesses that day, Secretary of Defense Pete Hegseth and Chairman of the Joint Chiefs of Staff Gen. Dan Caine.

He implored them to review the current rules of engagement and consider if they need to be revamped.

In a statement, he later emphasized that while Russia and China are infiltrating systems, rules of engagement are hindering U.S. Cyber Command from responding properly, urging a more aggressive posture.

“China has surpassed Russia as our biggest cyber threat. With malicious intent, they’re attempting to – and largely succeeding in – infiltrating everything from our energy grid and cell phones to our financial institutions, and health care networks. While we have good cyber intelligence, China is no longer deterred in the cyber domain, and I believe our own rules of engagement are holding us back,” Bacon said. “We need to start imposing heavy costs on these cyber actors, including nation states like China and Russia, to establish better cyber deterrence. In some cases, this could mean allowing Cyber Command to fight fire with fire, in other cases this might mean applying targeted non-cyber response like significant economic or diplomatic sanctions or perhaps covert action. Regardless of how we do it, I think everyone can agree that the status quo (of continued cyber attacks) is not acceptable or sustainable: some level of cyber deterrence has to be established.”

When asked if DOD is reviewing its rules of engagement for cyberspace, a department spokesperson on Friday said they had nothing to announce.

For many years, restrictive rules of engagement and improper analogies handicapped the military’s ability to conduct cyber operations. It used to be that U.S. military offensive cyber actions were considered on par with nuclear weapons in terms of requiring presidential sign-off for employment, for fear that effects could lead to escalation and possibly unintended consequences.

The nuclear analogy proved to be a flawed model for cyber, as history has borne out. In 2018, a series of congressional and executive actions cleared the way for smoother cyber operations approval. Those included a clarification that cyber action is a “traditional military activity,” removing interagency barriers that might have previously required an exemption to the covert action statue, effectively allowing Cybercom to operate more freely. Congress also included what essentially boiled down to an authorization to use force in cyberspace against Russia, China, North Korea or Iran to “disrupt, defeat, and deter … active, systematic, and ongoing campaign of attacks against the Government or people of the United States.”

On the executive branch side, the first Trump administration repealed the Obama administration era policy for approvals, issuing what was known as Nation Security Presidential Memorandum-13, which delegated authorities to the secretary of defense to conduct timely cyber operations. The still classified policy also included components to deconflict cyberspace with other government agencies to avoid fratricide among different organizations and equities.

“In line with the shift to a more proactive cyber strategy … NSPM-13 enables faster, more agile decision-making better adapted to the strategic threat. It does so not only by allowing delegations of authority, but by reinforcing those delegations with a coordination and approval process run by the delegee, not the NSC,” Gary Corn, director of the Technology, Law and Security Program and an adjunct professor of cyber and national security law at American University and former Staff Judge Advocate at Cybercom, wrote in a paper in 2021.

Prior to 2018, the military conducted very few cyber operations. Some experts that spoke to DefenseScoop noted that the primary restriction and limitation to engage in offensive cyber action was the lack of clear authorities, but after 2018 it was the lack of a sufficient man, train and equip function to present Cybercom with enough trained, capable personnel to carry out the mission.

The second Trump administration’s pick for assistant secretary of defense for cyber policy noted last month in her confirmation hearing that it’s likely time to begin reassessing some of these authorities from 2018.

“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department,” Katie Sutton told the Senate Armed Services Committee in May. “As you’re well aware, in 2018 there was a series of activities that enabled the offensive posture that the department is undergoing today; both establishment by President Trump of NSPM-13, the process to do cyber operations, as well as this committee’s definition of traditional military authorities for cyber. I believe we’re at a point where we need to reevaluate those and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI.”

Sutton served as a staff member on the Senate Armed Services Subcommittee on Cybersecurity and most recently chief technology advisor to the commander and director of Pentagon operations at Cybercom, giving her relevant insights into cyber operations.

Despite some criticism regarding the current rules of engagement, officials have indicated new rules have significantly increased the ability to conduct cyber operations.

“NSPM-13 is a repeatable, sustainable, agile process that is recognized across the Department of Defense and across the interagency that allows us to move at the speed and agility that’s required based on our intelligence, based on operational requirements, and it has increased our ability to execute cyber operations tenfold,” Lt. Gen. William Hartman, acting commander of Cybercom, told a Senate subcommittee during an April hearing.

Sources that spoke to DefenseScoop noted that after the first Trump administration gave new authorities, the Biden administration came into office with some folks that worked in the Obama White House, and there was still resistance to some actions in cyberspace — which led to efforts to walk back what the Trump team had put in place.

As President Donald Trump was coming back into power for his second term, officials associated with the transition and administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.

According to some, while there are standing rules of engagement for combatant commands to respond with force if necessary, cyber is a bit different given the risk profile and some policymakers’ lack of understanding about the digital realm.

As such, over time, certain presidential polices have limited that pre-authorization to use offensive measured except under certain defined circumstances, according to sources.

Legal experts agreed that the president has authority to act as commander-in-chief and respond to activities in America’s self defense. However, for some, response in cyber is a little more opaque.

“There’s been longstanding policy that, consistent with international law, if somebody starts shooting at us, we can shoot back. That is murkier in cyber because of a number of factors, part of which is less than clear lines in international law about what the thresholds are and what types of cyber activities cross those thresholds, and also concerns about escalation dynamics and risks,” Corn said in an interview. “We’ve gotten better at the risk side of it as compared to 10 years ago when there were lots of senior officials who were talking about any out-of-network cyber operations in terms of nuclear conflict.”

Speeding up decision space

One way in which operations under the current framework could be slowed down is if activity needs to be coordinated across the interagency at a time when most civilian government employees are offline and away from their desks.

Cybercom operates 24/7, monitoring threats across the globe and planning for operations. If something were to happen in the middle of the night or on a weekend and the command wants to coordinate with the interagency on the target set to be a good partner, the command could be in a situation where the options are to either violate the framework to complete the mission or delay until personnel are back at work, a former military cyber official explained.

This type of setup can also affect the command’s ability to campaign in cyberspace, that is, looking at sustained and persistent activity to set conditions rather than just conduct one-off operations. The current framework has allowed for those types of one-off engagements, but can hinder ongoing campaigning efforts that require persistence, the former official noted.

Going faster might not necessarily be about changing the framework itself as much as evaluating coordination across the interagency at a faster pace.

“[A]n effective decision-making process should be designed to aid the designated decision-maker in rendering a decision. A process that allows participants to effectively usurp decision authority without the attendant accountability is a design flaw, not a feature,” Corn wrote in 2021. “Imposing process for process’ sake is a fool’s errand, unless the objective is to drive interminable debate and bureaucratic inertia. Process is a means to an end, not an end in itself, and so it should always be designed to fulfill an objective. In the case of national security decision-making, the objective is to achieve the most well-informed decision possible under a given set of circumstances, including acceptable risk parameters and time available. The increasingly complex, fastmoving, and dynamic nature of modern national security threats requires disciplined decentralization of action consistent with centralized intent.”

Also at play now and especially into the future is the speed at which adversaries will likely execute operations employing AI and machine learning capabilities.

Experts referred to the notion of machine-on-machine competition in the future, necessitating the requirement to operate at high speed and be effective in defense and offense. The question for policymakers is if the current policy framework meets those challenges.

As such, some experts noted the need to relook cyber authorities on a more frequent basis than other areas of military operations given the dynamic environment and shifts in tactics.

“Cyber is definitely an area where authorities need to be looked at more frequently than the kinetic space. Obviously, not the idea of layering on more statutory or executive level guidance, but for tightening the OODA [observe, orient, decide and act] loop and coming up with ways to provide the higher level transparency and control that has to be there without sacrificing too much operational capability,” Tom Wingfield, a senior international and defense researcher in RAND’s Department of Defense and Political Sciences who served as deputy assistant secretary of defense for cyber policy from 2019 to 2021, said in an interview. “Part of that would need to be looking at the role AI can play in providing that transparency and tightening the OODA loop. There’s a lot of opportunity there to know what we’re talking about and to build in limitations so that we don’t have clunky 20th century techniques for reporting and waiting for permission.”

Corn noted that there’s a need to constantly assess if authorities and policies are fit for purpose given the risk environment, but acknowledged that lawmakers helped clarify some things a few years ago.

“What Congress did in the end of 2018 was more about clearing some hurdles that were perceived to exist in law from a domestic law perspective, like lifting a potential interagency objection to something that would constitute covert action versus a traditional military activity,” he said.

Ultimately, the more operations cyber forces conduct, the more comfortable national level leadership will be, similar to many of the other domains of warfare.

“The three main problems that really drive most of the oversight [in cyber] are first, the ability to know what needs to be hit. The second is having a weapon or an access that’s able to hit it. And the third is the ability to limit the knock-on effects of that attack to just the immediate area of the attack,” Wingfield said. “Each of those three things is a capability that, as it gets sharpened, would require less oversight and fewer packing peanuts around an operation. So as you do those three specific things better, then you can move much more quickly, much more like the kinetic areas of warfare.”

The post Are DOD’s rules of engagement in cyberspace too limited? appeared first on DefenseScoop.

Cyber Guard, the command’s premier annual exercise, integrated with Pacific Sentry. As cyber has matured within the Department of Defense, leaders have sought to integrate it deeper with other defense functions, using real-world exercises to game out how it can support others.

“When I was a young officer, we would deploy and we would do an exercise in [Indo-Pacific Command] or [European Command]. And it was a Eucom exercise[or] it was an Indo-Pacom exercise. Very stovepiped … But today, the chairman is driving the joint force to exercise together to ensure that when time comes, we can operate seamlessly at the highest level,” Rear Adm. Dennis Velez, acting deputy commander of Cybercom, said Thursday at HammerCon, hosted by the Military Cyber Professionals Association. “Cyber Guard this year was part of the Pacific Sentry exercise … to ensure that we could put it all together and really operate again at the highest levels as the joint force.”

The exercise, which encompassed several combatant commands, sought to execute a defense of Taiwan scenario against China.

As part of the scenario, the enemy was attacking multiple ports, forcing the participants to figure out the best way to defend them and exercise greater command and control over that effort.

The newly minted and sub-unified command under Cybercom, DOD Cyber Defense Command, formerly Joint Force Headquarters-DOD Information Network, sought to co-opt the Coast Guard to undertake that defensive effort under Task Force Port.

The Coast Guard possesses unique authorities as a uniformed service that falls under the Department of Homeland Security, such as law enforcement.

There are some Coast Guard members that are on Cybercom’s cyber mission force teams, the units each service provides the command to conduct offensive and defensive operations.

Port security has been a mainstay of Cyber Guard in the past under previous iterations, a precursor to the command’s premier exercise then dubbed Cyber Flag, where Cyber Guard would focus on defense of the homeland and Cyber Flag would then transition to a military operation.

This time, however, port security was a key part of the military component. Outside experts and wargames have warned that China will likely try to target U.S. ports and critical infrastructure ahead of any military action it takes against Taiwan to prevent or slow a mobilization and response from America’s armed forces that might try to intervene.

“As we were running the exercise, we were just coming with new ideas,” Velez said. “We needed to fight. How do we defend force? How do we defend electrical power, distribution centers, electrical generation? How do we do that at scale?”

Using its memorandum of agreement with the Coast Guard, DCDC created Task Force Port for the exercise and charged a Coast Guard official with leading it.

That MOA gives Cybercom the ability to quickly provide capabilities and forces to the Coast Guard for emergent needs that cannot be met through the Defense Support to Civil Authorities process, which is how DOD supports efforts outside its scope, such as work on the homeland, when requested, according to a Cybercom spokesperson.

They added that the MOA process is vital to ensure U.S. government capabilities are rapidly used in support of national security missions and closely mirrors similar processes used in support of homeland defense and other missions.

That portion of Cyber Guard took place about a week after Secretary of Defense Pete Hegseth designated DCDC as a sub-unified command, leading cyber officials to figure out how to utilize this new, higher-profile entity and perform the defensive portion.

While the elevation to sub-unified command doesn’t portend any immediate new resources, Lt. Gen. Paul Stanton, commander of DCDC, noted it comes with a mindset shift.

“There’s a culture shift. There’s a mindset shift. Gain and maintain contact with the enemy and impose cost,” Stanton said at the conference. “Don’t randomly chase incidents. Don’t chase events. Think in context. Think about what the enemy is attempting to accomplish. Think about what missions are relevant to us. Think about where our missions and the enemy’s intent capabilities overlap, the center of that Venn diagram, build your engagement area, and then … beat the enemy.”

Task Force Port fits within that shift to provide more context and purpose to cyber defense, Stanton added.

“When we were in the process of supporting the exercise, because in the exercise, the enemy was attacking multiple ports simultaneously. Again, don’t look at them individually, but what’s the intermediate level of headquarters that can command and control multiple different maneuver elements, CSSPs, industry partners, mission elements in cyber protection teams, together, synchronized, coordinated in support of an operational mission when we know that the enemy is campaigning against us,” he said, “The way that they’re attacking one port probably looks a lot like the way that they’re attacking another. Let’s synthesize that under one command-and-control headquarters so that we’re synchronized in our execution.”

The post Cyber Command creates task force with Coast Guard for port defense exercise appeared first on DefenseScoop.

“The strike package was supported by U.S. Strategic Command, U.S. Transportation Command, U.S. Cyber Command, U.S. Space Command, U.S. Space Force and U.S. European command,” Gen. Dan Caine, chairman of the Joint Chiefs of Staff, told reporters in a briefing at the Pentagon Sunday morning, later thanking the cyber operators, among others, who made the mission possible.

However, no further details about Cybercom’s efforts were disclosed. The command referred DefenseScoop to the Pentagon for comment, where a spokesperson said they had nothing further to provide at this time beyond the transcript from Sunday’s press conference.

Although details about Cybercom’s assistance for Operation Midnight Hammer, the code name for the strikes, remain murky, experts — most of whom spoke to DefenseScoop on condition of anonymity — outlined a number of possibilities for how the organization may have contributed to the effort.

Outside experts noted that there probably aren’t any U.S. military ops nowadays, regardless of how rudimentary, where a cyber component isn’t involved.

“We really don’t do military operations without cyber support anymore,” Gary Brown, Cybercom’s first senior legal counsel and now a professor at Texas A&M’s Bush School of Government and Public Service, told DefenseScoop. “There is a cyber component for everything we do, even if it seems really unsophisticated, even if the cyber component is just on the intelligence collection side. It’s always there.”

Moreover, others pointed out that with such a high-profile operation, many Defense Department components will want involvement in order to prove their value.

A former military cyber official noted that a sophisticated operation like Midnight Hammer points to the maturation of Cybercom, which was created just 15 years ago and now is “is a fully integrated mechanism,” supporting air superiority and global transportation.

While details regarding Cybercom’s involvement in the strike were limited, experts provided a few examples for how the command could have supported such an attack. These sources noted that they had no inside knowledge of the recent operation and were largely speaking in hypothetical terms to offer vignettes for how digital forces would likely be involved in that type of mission.

The operation involved seven B-2 Spirit stealth bombers that dropped 14 “massive ordnance penetrators” — 30,000-pound so-called bunker-busting bombs — as well as Tomahawk missiles launched from a submarine and 125 aircraft that included refuelers and fighter jets, some of which were used as decoys to draw Iranian air defenses away from the B-2s. The strikes targeted the Iranian nuclear facilities at Fordow, Natanz and Esfahan.

Sources noted that this would probably be a broad effort from Cybercom across several of its elements spanning the defensive side, offensive side — through teams that support combatant commands — and possibly its elite Cyber National Mission Force that protects the nation from nation-state cyber activity.

The former official said one of the most likely ways Cybercom would have aided the operation is through something akin to a cyber escort package. With air assets coming from all over the world and various commands — such as Transportation Command, European Command, Central Command and the Air Force’s Global Strike Command — it is important to ensure those aircraft and enabling functions execute missions smoothly.

That includes backups and failsafes as well as ensuring the Department of Defense’s Information Network is up and running to enable communication. Defensive cyber protection teams would likely ensure infrastructure was up and running and protected from any adversary intrusions or disruptions. That could include teams supporting several combatant commands as well as those protecting the DOD Information Network and Transportation Command, headed by the DOD Cyber Defense Command.

One of the classic examples always cited throughout Cybecom’s history as a key capability for enabling military operations is the monitoring and disabling of enemy integrated air defense systems to allow friendly aircraft to penetrate and strike. If access is gained into those systems, cyber operators could turn them off or make them malfunction, preventing the enemy from shooting down friendly aircraft looking to engage targets.

Experts that spoke to DefenseScoop noted they had no direct knowledge if this was part of the strike package or capability over the weekend, but cited it as a potential example for how Cybercom could support a kinetic strike operation.

B-2 bombers rely on stealth and thus don’t have many defensives. Given that and the fact they’re not very maneuverable under fire, monitoring and possibly disabling an adversary’s IADS would be desirable to minimize the risk of the aircraft being shot down.

Others noted that any support Cybercom can offer often requires access ahead of time, a key caveat that is often overlooked. Unlike in Hollywood, cyberspace operations aren’t as easy as just pushing a button on a keyboard. Forces must be forward and present to gain the necessary access for intelligence collection to map and understand systems, and eventually affect systems if the go-ahead is given. Moreover, that access can be eliminated if forces are discovered by the target or if a patch is implemented.

Thus, cyber forces require constant persistence in order to gain and maintain those accesses, even during times outside of conflict. In 2018, Congress paved the way to enable the command to conduct this activity, referred to as intelligence preparation of the battlefield, without tipping the covert action statute that requires presidential authority to do so, clarifying cyber is a traditional military activity.

Given this access is difficult to gain and maintain, each operation requires an important calculus on whether to act on those implants and create effects because once used, that access is burned.

For example, if it wasn’t needed, the U.S. might not have acted on Iranian IADS if they weren’t poised to shoot down the B-2 bombers, provided this was part of the op.

Axios reported that the U.S. government asked Israel to eliminate Iranian air defense systems to clear a path for American aircraft.

Others pointed to how cyber operators could have been standing by to cause effects elsewhere to divert Iranian attention away from the targets. This could include brownouts or disrupting communications, though, again, those effects would likely be weighed against the downsides of giving up those accesses if those actions weren’t needed.

Cyber-enabled intelligence, surveillance and reconnaissance could have also been provided prior to the attack, producing targeting data, intelligence on Tehran’s likely immediate response, Iran’s force posture and ability to target U.S. forces during or right after the operation, according to sources.

Similarly, cyber forces could provide indications and warning during the attack to alert U.S. units with near real-time information on Iran’s military forces or counterattacks.

Support could also have taken the shape of offensive cyber action during the airstrikes, disabling Iranian military or civilian communications or their ability to respond, which likely would have been undertaken by combat mission teams that conduct cyber ops on behalf of combatant commands, mostly in the offensive sphere.

This activity could have disabled or disrupted enemy early warning systems or spoofed them in a way to show no activity incoming or many more assets moving in.

Sources also indicated cyber means could help with battle damage assessments after the strike, however, that would most likely fall within the purview of the NSA and its signals intelligence role, monitoring Iranian chatter and channels.

Some noted that it’s possible U.S. defense leaders were also lumping in NSA when they referred to the support of Cyber Command, both of which are co-located and share a leader despite having different missions — foreign intelligence, in the case of NSA.

In that vein, cyber forces, either from NSA or Cybercom, could’ve been monitoring for chatter among Iranian sources to see if they bit on the diversion the U.S. sought at the outset of the strikes against the nuclear facilities.

Defense officials reported that they sent some bombers initially west toward Guam as a ruse to distract from a potential strike in Iran, which was ultimately carried out by B-2s that flew east from the United States across the Atlantic to reach their targets.

There is also a defensive role Cybercom could be playing after the attack. Many experts are bracing for potential blowback in the digital domain and Iranian retaliation. While Tehran’s military has faced setbacks from Israeli attacks in recent days, it does pose a threat in cyberspace, which levels the playing field some as opposed to matching traditional forms of military might against the U.S. and Israel after having been significantly weakened.

Cybercom could be posturing and bolstering its capabilities to defend against threatening attempts against networks originating from Iran. This could take the form of a preemptive digital action against Iranian cyber capabilities to limit their capacity to conduct offensive retaliatory action. Forces standing by to support that role could be either combat mission teams focused on the Middle East region or Cyber National Mission Force teams assigned to specific Iranian threat actors poised to target the U.S. homeland in cyberspace.

The post Cyber Command supports strikes on Iran’s nuclear facilities, but officials keep details under wraps appeared first on DefenseScoop.

Congress directed Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) to elevate to a sub-unified command under Cybercom in the fiscal 2025 annual defense policy bill.

JFHQ-DODIN was created in 2015 as a subordinate headquarters under Cyber Command to protect and defend the Pentagon’s network globally. It’s led by a three-star general who also serves in a “dual-hat” role as the director of the Defense Information Systems Agency, a much bigger combat support agency providing critical IT services to warfighters.

Secretary of Defense Pete Hegseth directed that JFHQ-DODIN be designated a sub-unified command, effective immediately May 28, and its name has been changed to Department of Defense Cyber Defense Command (DCDC).

The name change was a recognition of the command’s ability to execute authority, direction and control over cyberspace forces, according to Steve Mavica, a spokesman for DCDC.

“This action aligns with the 2025 Interim National Defense Strategic Guidance to prioritize the command’s secure, operate, and defend the DODIN mission and enable U.S. Military Forces to deliver lethal effects when and where most needed. The elevation of DCDC to a subordinate unified command is a recognition of the vital importance of our mission to lead unified action in the security, operations, and defense of the DODIN, one of DOD’s most critical strategic assets,” Mavica said. “It is about increasing readiness and resiliency of the DODIN and those forces who conduct network operations, security, and defense activities in the face of the rapid pace of technological advances and the increasing abilities of cyber adversaries.”

The elevation follows Cybercom’s decision in December 2022 to elevate the Cyber National Mission Force — comprised of DOD’s most talented cyber operators aligned in task forces organized against specific threat actors, with the core mission of defending the nation against digital threats — to a sub-unified command. Congress wanted to put the defensive unit on the same playing field as the offensive entity.

The move doesn’t necessarily provide additional authorities or funding streams, but does offer opportunities to pursue certain resources, processes and authorities as needed for more effective approaches to protect the DODIN. Officials are working to deliver an assessment of requirements for the newly minted DCDC to be mission effective and combat ready as well as a plan for implementation, according to an official, who was not authorized to speak publicly.

DCDC’s commander, Lt. Gen. Paul Stanton, who took charge last fall, has tried to put the organization on more of a proactive footing to defend networks and respond to adversary activity. Having been exhausted by the whack-a-mole approach, with adversary intrusions continuing, he wants to impose costs.

“If it’s easy for the enemy to gain access into our environment and to achieve effects, shame on us,” he told reporters in January. “If we prioritize and make it really hard for the enemies to gain access to the things that they’re interested in, that we are also interested in, we start to make it hard on the enemy. While that’s an indirect imposition of cost, if they have to spend months, years, or even decide that that objective is not worth their time or energy because they’re simply not going to gain access to it, then we start shifting that cost curve.”

The command can also work to impose costs offensively, transitioning from defense by feeding information to the CNMF for action.

The organization is looking to “take the observations from our defense, where we gain and maintain contact with our enemies, and hand those insights to the appropriate forces that can conduct offensive missions,” he added.

The post Cybercom’s defensive arm elevated to sub-unified command appeared first on DefenseScoop.

Cybercom 2.0, as the effort is known, is an ambitious plan first unveiled by former commander Gen. Paul Nakasone and other top DOD officials, spurred largely by a report requested by Congress in the fiscal 2023 annual defense policy bill to evaluate how Cybercom generates its forces.

In addition to responding to reports required by lawmakers, the initiative was meant to provide a holistic examination of the command and its forces to better posture them for the future, serving as the first major update since Cybercom was formed over 10 years ago when many sophisticated threats and challenges in cyberspace did not exist.

Former Secretary of Defense Lloyd Austin approved a broad outline for Cybercom 2.0 in December 2024, which encompassed four buckets: a new force generation model for how each service provides digital warriors to Cybercom; a talent management model; an advanced training and education center to ensure troops are better prepared when they arrive at their units and have specialized training if needed; and a cyber innovation warfare center that could focus on rapid innovation and capability development.

Those items had to be fleshed out by an implementation plan team. Upon coming into office, Secretary of Defense Pete Hegseth ordered the team to expedite their implementation plan in 45 days. The updated plan was delivered March 21. It had been held up within the Office of the Secretary of Defense because there was some pushback and it wasn’t being well-received.

Now, leadership is asking officials to reevaluate some components.

“We think that 2.0 was a great effort to improve our workforce, management and retention. We have taken another relook and decided that we think it needs even more work. We consider cyberspace as important as you do. We really appreciate your continued emphasis on that matter, so we have decided to do a deeper look and make it a better product,” Laurie Buckhout, the official performing the duties of assistant secretary of defense for cyber policy, told the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems during a hearing Friday.

Later in the hearing, when asked, Buckhout noted that DOD is essentially moving on from the original Cybercom 2.0 and will revamp it.

“DoD remains committed to being responsive to Congressional direction. Much analysis of various force generation challenges and models went into creating a draft implementation plan that was delivered to DoD leadership in March. The Department is currently evaluating whether that plan goes far enough to address this administration’s priorities, and we will adjust accordingly,” according to a department official.

Someone familiar with the situation also noted that the Trump administration wants a clear plan that can outmatch China, and what was submitted previously didn’t meet that standard in their eyes.

Such a relook isn’t completely surprising given the new administration and how late the plan was submitted to the last administration.

“It doesn’t surprise me if indeed, they’ve asked the command to take another look, because you have people in leadership roles inside the department at the White House, and others who may have some different views on specific aspects of what we’re looking to do or want to go further with certain aspects. I don’t think it’s uncommon if you have something that’s at the phase that this was where it really fell into the gap between two administrations,” Charlie Moore, former deputy commander of Cybercom and distinguished visiting professor at Vanderbilt University, told DefenseScoop.  

When Cybercom was first established, there were a lot of assumptions made about how it would operate, what resources would be shared by the NSA, as well as the relationships with the services and combatant commanders. Most of these initial assumptions have proven incorrect or the mission has evolved, according to sources. Having no choice, the command continued to operate while constrained by these assumptions. The Cybercom 2.0 effort is seeking to be the first of many steps to reshape the command into what is needed.

Lt. Gen. William Hartman, acting commander of Cybercom and performing the duties of the director of NSA, told the House Armed Services subcommittee last week that officials evaluated three models: the status quo, a Special Operations Command-like model and the creation of a separate Cyber Force military branch, with the preference being the SOCOM-like model.

While Cybercom was initially a sub-unified command under Strategic Command, which oversees U.S. nuclear weapons capabilities and doctrine — a flawed model for cyber, as history has borne out — officials have always maintained the best model for Cybercom was SOCOM: a combatant command with service-like authority.

Cybercom received enhanced budget authority from Congress that went into effect in March 2024, giving it oversight of cyber funds. Prior to that, the services were responsible for funding and procuring the resources and weapon systems the command relied upon. Hartman told the subcommittee that in fiscal ’24, the command managed over $2.5 billion.

Much of the Cybercom 2.0 effort was aiming to take advantage of those new service-like authorities and implement them, such as joint force trainer and improvements to the man, train and equip oversight functions over the services.

Officials have discussed improvements to how the services have been recruiting, retaining and training their cyber forces over the last year or so.

Congress also created the assistant secretary of defense for cyber policy position, which aims to act like a service secretary, much in the way the assistant secretary of defense for special operations and low-intensity conflict does for SOCOM.

There has been a growing chorus in recent years for the creation of a separate, standalone Cyber Force as proponents believe that is the only way to fix the issues facing Cybercom and cyber forces more broadly.

Rep. Don Bacon, R-Neb., chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems, expressed his preference for the SOCOM model but noted there are pros and cons to it, namely the fact that there needs to be service buy-in.

“That means they got to recruit, they got to provide trained people to the Cyber Command at a level that they need. They also got to develop cyber leaders within the promotion system and growing leadership. It’s gets at an earlier question I had — I’m not sure that we’re doing adequate there, but we got to have a full service buy-in to make this model work,” he said. “We were looking at all the general officers, all the services, trying to get a feel for just how much depth we have in the cyber career field. I really only spot one general officer that has extensive cyber experience before they became a general officer. Are we doing enough to develop our cyber leadership here? It seems like we’re low on cyber. We got a lot of depth in air, surface warfare, infantry, space, but the cyber area that there seems to be a shortage.”

Some have described what came out of the first Cybercom 2.0 effort as essentially status quo-plus, the result of what happens when trying to design by committee. The services have the ability to make the changes and accommodate the needs of the command, but that doesn’t always mean they have the desire or willingness to do so given the other competing priorities they’re dealing with, according to some observers, potentially laying the groundwork for and strengthening the case for an independent cyber service.

In his written statement to the House Armed Services subcommittee, Hartman said the Defense Department recently approved several concepts to update the command’s force design and the ways it builds and sustains specialization and expertise within the teams. They include ways of fielding new technologies rapidly and ensuring they are tested and scalable. The measures were prompted and facilitated by recent defense policy bills, Hartman wrote, on readiness and force generation that collectively gave the DOD the opportunity to modernize the cyber force and reshape the command.

Some lawmakers at last week’s hearing gave the witnesses a tough time regarding the change in approach for Cybercom 2.0 and how efforts to reach critical milestones and modernize have taken too long.

“I remain very concerned about the state of our cyber training and readiness. General Hartman’s statement noted that the service cyber components only recently attained ‘foundational readiness standards,’” Bacon said. “Foundational readiness has a very specific meaning, and the fact that it took us more than a dozen years to reach this point is not something to celebrate. To succeed in the cyber domain, we need far more than ‘foundational readiness.’ And I am particularly interested in hearing from you what you need to create and sustain a high level of readiness across the cyber warfare enterprise.”

The cyber mission force has faced constant readiness concerns from its inception. Designed around 2012, the running trope from leaders was they were building the airplane while flying it, an analogy they used when describing the construction of these forces. To meet readiness metrics, the services would sometimes double-count personnel, creating what one prominent think tank referred to as a “shell game.”

Ever since the advent of the Cybercom 2.0 effort, top command officials and service commanders have begun discussing the notion of mastery within the cyber force.

Hartman explained that there’s a more efficient training model to take a basic trained service member and create an expert through authorities granted by Congress.

“Instead of trying to do that across all the services, we do believe there’s an opportunity, using Cybercom service-like authorities, Cybercom joint force training authorities in order to build that mastery of the force. And we look forward to working with the services to do that,” Hartman said.

Some of that work has manifested itself in improving the training curriculum executed by each service, where Cybercom provides joint standards and the service schoolhouses train their cyber warriors that they feed to the command to those standards.

Previously, personnel often wouldn’t get all the training they would need at their schoolhouse prior to arriving at their operational units. Rather, digital warriors would get additional on-the-job training upon arriving at their unit. This was a contributing factor to readiness issues.

Now, some schoolhouses are trying to move that training to the left so personnel show up to their units better prepared to do their jobs.

The post DOD leadership asks for Cybercom 2.0 relook appeared first on DefenseScoop.