At a congressional hearing in May, senior defense officials publicly acknowledged that CYBERCOM 2.0 — an initiative launched by U.S Cyber Command (CYBERCOM) to overhaul how it builds and manages cyber forces — fell short of the Pentagon’s expectations. The effort was loosely modeled on Special Operations Command, but even under this model, CYBERCOM still lacks the authority to enforce common standards for the services, tailor recruitment to the unique dynamics of cyberspace operations, or control initial training. “We think it needs even more work,” said Laurie Buckhout, the acting assistant secretary of defense for cyber policy.

There have been attempts to address structural shortfalls in the past. Most recently, Congress granted CYBERCOM enhanced budgetary control in fiscal year 2024, giving the command oversight of roughly $2 billion in acquisitions for cyber tools, systems, and training. But the services still control the vast majority of cyber acquisition funds.

More than two decades after declaring cyberspace a warfighting domain, the U.S. military relies on an inefficient and ineffective solution to generate the capabilities needed to defend it. CYBERCOM holds the primary responsibility for operating in and through cyberspace, but it relies on personnel drawn from five different military services to do so. There are no common standards for recruiting, initial training, or career progression across the services, and none treats cyberspace as a core mission. The result is chronic readiness gaps, inconsistent quality, and top talent regularly lost to the private sector.

The solution is not more reform around the margins. Instead, a dedicated U.S. Cyber Force is long overdue. A U.S. Cyber Force would unify the responsibility for recruiting, training, and promoting cyber talent under one roof. It would foster a cyber-native culture, prioritize cultivating mastery within the cyber domain, and allow for a more flexible, mission-driven force structure. This construct is consistent with how the military organizes itself to man, train, and equip forces across all the warfighting domains. And it is structurally and fiscally viable.

Some critics argue that a U.S. Cyber Force would be too costly and duplicative. But the initial budget would be largely budget-neutral by consolidating existing cyber funding. The fact is that the Department of Defense is already paying for this force, but scattered across five services, with a cyberspace activities budget of nearly $15 billion.

If a new service were created, CYBERCOM would remain as a unified combatant command and serve as the primary force employer — just as U.S. Space Command does for the U.S. Space Force.

The U.S. Cyber Force should focus on generating capabilities for three core missions. First, it should be responsible for generating forces for national-level defensive cyber missions, such as defending against active and ongoing threats facing the Defense Department or supporting defense of critical national infrastructure. Second, it should organize, train, and equip for offensive cyber missions to project power in and through cyberspace, both as an independent capability and as an enabler of joint force missions and objectives. And third, it should generate capabilities to support cyber-related military intelligence — especially foundational intelligence relevant for the cyber domain.

Scoping the remit of the U.S. Cyber Force will be critical to ensure its effectiveness, and some functions must remain outside its purview. For example, the U.S. Cyber Force should not take over the Defense Department’s day-to-day IT operations — it cannot and should not be the cybersecurity service provider for the department. Its role should also be carefully scoped when it comes to related but not core functions, such as information warfare or artificial intelligence.

In short, the U.S. Cyber Force must focus squarely on warfighting readiness in cyberspace — building elite forces to defend national interests, deter adversaries, and, if necessary, fight and win in the cyber domain.

In designing the new service, the architects should focus on five core design principles. First, the service should prioritize quality over quantity, recruiting and retaining the right people to perform the mission. Second, the U.S. Cyber Force should establish a model where career progression follows from demonstrated expertise, rather than time in service. Third, in light of the dynamic nature of the cyber domain, the force should be structured to enable flexibility and adaptation over time, as missions, technology, the threat environment, and other factors evolve.

Fourth, standing up the service should involve a phased transition, taking due care to minimize impact to ongoing cyber operations. And finally — and most importantly — the service must focus on organizational leadership and culture. The U.S. Cyber Force can succeed to the extent that it fosters an organizational culture conducive to the cyber domain.

Every year the Pentagon delays creating a U.S. Cyber Force, the military remains underprepared for modern conflict. Establishing a dedicated cyber service is not a moonshot. It is the logical next step to build a purposeful military for a domain the United States can no longer afford to neglect.

Erica Lonergan is an assistant professor at Columbia University’s School of International and Public Affairs and an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. She previously served as a senior director on the bipartisan Cyberspace Solarium Commission.

Jiwon Ma is the senior policy analyst at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, where she contributes to the work of CSC 2.0 and authors its annual assessments.

The post The Pentagon knows its cyber force model is broken. Here’s how to fix it appeared first on DefenseScoop.

The House and Senate Armed Services Committees released the text of the compromise fiscal 2025 National Defense Authorization Act on Dec. 7, which included a provision calling for an independent assessment by the National Academies of Sciences, Engineering, and Medicine to “conduct an evaluation of alternative organizational models for the cyber forces of the Armed Forces.”

Each chamber passed nearly identical provisions earlier this year directing the Defense Department to enter into an agreement with the Academies to conduct an evaluation regarding the advisability of establishing a separate military service focused on cyber or refining and further evolving the current organizational approach for Cybercom based on the Special Operations Command model.

However, the final compromise version stripped some of the original language, and some sources referred to the final version as being watered down.

There is no longer due date for such an assessment, meaning it will likely fall down on the prioritization list unless funds are allocated to the Academies to conduct the assessment.

Moreover, the final version placed a larger focus on alternative models for cyber forces rather than solely focusing on an independent armed service, likely a nod to efforts currently underway by DOD and Cybercom to examine other readiness models and force generation, dubbed Cybercom 2.0.

These measures likely have been put in place to weaken the overall provision and effort to examine a potential sixth armed service.

In a statement, Rep. Morgan Luttrell, R-Texas, who co-sponsored the measure in the House Armed Services Committee, said he was “disappointed that my amendment to evaluate the need for a Cyber Force was scaled back.”

Members believe that while some progress has been made to advance America’s cyber forces, much more work is left to do and all options are on the table.

“Since arriving in Congress, I have used my role on the House Armed Services Committee to advance several initiatives to strengthen and expand the cyber capabilities of our armed forces,” Rep. Chrissy Houlahan, D-Pa., said in a statement. “Although significant progress has already been made to ensure our military’s cyber capabilities are the most advanced in the world, there is still more work to be done to ensure that we remain ahead of our adversaries in this important domain. It is important that we remain open to all options to move forward, including the creation of a distinct uniformed Cyber Force, and I am glad that the Fiscal Year 2025 National Defense Authorization Act mandated a new independent study on this important question.”

Others in Congress are positive they can use their oversight powers to push the DOD.

“This study is a step in the right direction and Congress, through its power of oversight can work to ensure the sense of the language is executed,” Rep. Pat Fallon, R-Texas, said in a statement. “All options are on the table except the status quo regarding the DOD’s manning, training, and operations in the cyber domain because the scope, scale, and level of sophistication of the threat has changed. We all agree that we need to adapt fast to show our adversaries power through strength. … I am sure that the incoming administration will take a hard look at everything within the cyber realm to ensure maximum protection, efficiency, and lethality. We in Congress will do the same and I am confident we’ll see changes based on the level of threats we are faced with.”

Some close observers were also optimistic and excited that the assessment made it into the compromised version, despite the changes, especially given a similar proposal that passed the Senate last year was axed from the final bill.

The Cyber Force provision “was diluted — but I am glad it made it — and it remained independent,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, said. “I think DOD may come to regret this effort to weaken the study if the incoming Administration has any plans if its own with regard to an independent cyber service.”

The Record previously reported that DOD formally objected to the assessment proposal that came out of the Armed Services Committees earlier this year.

Some observers are also under the impression that the incoming Trump administration might be more inclined to back — or even direct — the creation of a Cyber Force, much like it did for the Space Force.

Others indicated that the legislation is overall a positive development.

“This legislation is a major step in the right direction,” said Dan Van Wagenen, co-founder and vice president of the Association of the United States Cyber Forces (AUSCF), a nonprofit dedicated to supporting the cyber warfighter. “After five years of debate and analysis, there is a growing consensus that the U.S. needs a dedicated Cyber Force to defend America in Cyberspace. While AUSCF would have liked to have seen the provision go further with the National Academies having a due date to report to the Congress, we are excited to see this critical first action necessary for the establishment of an independent US Cyber Force. It is our hope the incoming Congress and Administration continue to prioritize Cyber in 2025 and beyond.”

There is widespread agreement, however, that the current model needs to be refined, especially in light of advances in adversary capabilities and number of cyber forces.

“If there’s one thing history teachers us, it’s that the enemy gets a vote. Since U.S. Cyber Command was established about a decade and a half ago, our forces have adapted to the evolving operational environment,” Chris Cleary, national president of the Military Cyber Professionals Association (MCPA), a nonprofit dedicated to advocating for military cyber issues, said. “What the MCPA stands firm on is calling for the continued refinement to organizational constructs to better enable success in combat, conflict, and competition. We, as a nation, must continue investing in serious sober analysis of how to increase effectiveness in cyberspace … just like we do for other domains such as the land and sea. This is why we at the MCPA host critical dialogue on such topics. Our national strategic leadership may want incremental change, or something more bold. I’m excited to see what comes of a new study.”

The House passed the NDAA on Wednesday. It must also be passed by the Senate and signed by the president to become law.

The post Despite softened bill language, observers still optimistic about independent cyber force assessment appeared first on DefenseScoop.

Both houses of Congress passed nearly identical provisions in their respective versions of the fiscal 2025 National Defense Authorization Act earlier this year, and they were incorporated into the final conferenced bill that was reconciled between both chambers and released Saturday evening.

The House passed a similar provision last year that was axed during this conference process for the annual defense policy bill, effectively killing it until it was revived this year.

Despite some in the Biden administration and the Defense Department voicing opposition to a cyber service, there has been growing support in Congress and among interest groups. The provision calls for an independent assessment by the National Academies of Sciences, Engineering, and Medicine to “conduct an evaluation regarding the advisability of either establishing a separate Armed Force in the Department of Defense dedicated to operations in the cyber domain or refining and further evolving the current organizational approach for United States Cyber Command.”

The issue of creating a sixth military service that is focused solely on cyber operations, while not new, has gained steam over the last year as threats have grown, the landscape is becoming more dynamic and readiness issues have plagued the military services’ forces that they present to U.S. Cyber Command.

Each of the military services is responsible for providing personnel for a set number of teams to Cybercom, which then employs those forces in operations for the other geographic combatant commands. But detractors believe the services are too siloed in their approach, leading to incongruent models for presenting forces to Cybercom and forces maintaining their unique service identities, which leads to readiness issues, according to skeptics.

Cybercom and DOD owe their own set of studies back to Congress through previous legislative asks, after requesting more time to make their assessments and implementations.

Lawmakers have grown frustrated with how long this process has taken, and thus, have begun to take matters into their own hands, requesting independent assessments.

Members of Congress recognized in language accompanying the policy bill Saturday that agreeing on the optimal structure of cyber forces and operations “continues to be a work in progress,” but noted that an evaluation is more challenging when those forces are constantly engaged in demanding training and competition with the private sector for a limited worker pool.

“We believe that an independent, outside examination of these challenge may provide valuable insights to inform decision makers on future force design concepts,” the explanatory statement accompanying the bill states.

Congress is imploring the National Academies to take into account several analyses to include lessons from the creation of the Space Force in 2019. Members also acknowledge challenges with such a study with the National Academies given some might not have deep expertise in military cyber missions.

Lawmakers listed a series of areas they hope the National Academies cover, which include, among others:

• What is the optimal force size of qualified cyber professionals to satisfy existing and projected requirements of the Defense Department, and how are these variables most likely to change?
• Is the department’s current understanding and definition of cyber operations adequate to future challenges and opportunities?
• What options exist to improve training requirements, outputs, and programs in support of cyberspace operations?
• How could the DOD improve recruiting and retention of qualified officers and enlisted members of the armed forces in cyberspace operations and related and supporting fields?
• How might the department better utilize reserve component forces in support of cyberspace operations?
• What approaches could improve force readiness?
• How should the DOD structure itself for acquisition and provision of cyber capabilities in support of cyberspace operations?
• How could the department improve professional military education content and curricula focused on the cyber domain?
• Does increased optimization for cyberspace operations incur cost, risk, efficiency, or other tradeoffs to other missions and responsibilities of the DOD, or elsewhere within the national security community?

The bill now heads to the full House and Senate to be passed before going to the president to sign into law.

The post House and Senate defense committees agree on independent cyber force assessment appeared first on DefenseScoop.

Following a proposal in last year’s annual defense policy bill that was shut down, legislative provisions passed defense committees in both houses of Congress – and one passed the full House of Representatives – that would direct independent assessments examining the prospect of a new military service focused on cyber.

Congress has also asked the Pentagon to provide its own force-generation study, which has yet to be fully completed, briefed to the secretary of defense and delivered to Congress — much to lawmakers’ chagrin in the past and a big impetus behind the efforts to commission an independent study.

But the head of Cybercom wants to tap the brakes on those outside efforts until the command’s assessment has been completed.

“What I told each of those members of Congress when I spoke with them is just let us finish study one. Let us come tell you about it and then you can make a decision whether or not you need another study,” Gen. Timothy Haugh said Tuesday during a presentation at the annual DAFITC conference in Alabama. “Let’s finish the work you asked us to do. Because there’s one thing I really have learned in the last 10 years of being involved in this [is that] Congress is our partner. They have been the biggest advocate for cyber inside of the Department of Defense.”

Haugh noted that the legislative branch has asked for several studies and pushed new polices over the years in an attempt to advance cyberspace within the DOD, adding that they’ve been impactful and informed major decisions to make digital warriors more capable.

The issue of creating a sixth military service that is focused solely on cyber operations, while not new, has gained steam over the last year as threats have grown, the landscape is becoming more dynamic and readiness issues have plagued the forces that the individual services present to U.S. Cyber Command.

Each of the military services is responsible for providing personnel for a set number of teams to Cybercom, which then employs those forces in operations for the other geographic combatant commands. But detractors believe the services are too siloed in their approaches, leading to incongruent models for presenting forces to Cybercom and personnel maintaining their own service identities, which results in readiness issues, according to skeptics.

That congressionally mandated study — which is known as Section 1533 and was due to Congress June 1 – called for an examination of the current cyber enterprise, requested a look at how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force and if the Pentagon should create a separate service.

Previously, the DOD tapped the RAND Corp. to conduct a portion of a review that generated insights regarding challenges and opportunities of force presentation and design, mission essential tasks, civilian-contractor-military mix, training pipelines, talent management, career progression and pay.

Officials previously said alternative models presented in the study informed the Pentagon’s understanding of current and potential future constructs of the cyber forces and that DOD is exploring tradeoffs presented by the various models.

Haugh said they will bring the results of what the study found to the secretary of defense to choose a force-generation model to implement with the aim of optimizing the force.

“As we examine each of these options that are in front of us, we want to inform the secretary with both, here is what you would gain from each model, here’s what it looks like in terms of impacts to the overall department, and here are the impacts to the overall cyber force,” Haugh said.

A number of briefings across DOD have been conducted, Haugh added, saying officials expect to give their force-generation recommendations to the secretary “pretty soon.”

“Based on that, we’ll get guidance and then we’ll go back and talk to Congress,” he said.

Readiness improvements

Despite readiness concerns in the past, Haugh has noted recent improvement in how the services have presented their forces to Cybercom.

Last year, the first time the command was required to conduct a report on readiness levels, it reported to Congress recommendations on personnel polices that it expected to be most impactful if implemented across all the services.

This year’s report, by contrast, said while there are still the same priorities, the services have made progress and there is a commitment to cyberspace across all the services — something each service chief pledged to Congress during their respective confirmation hearings.

Haugh said the most impactful policy — and the one he’d like to see implemented across all the services — deals with incentive pay to retain talented cyber warriors.

“We just want to ensure [the services are] retaining the right numbers, because that’s really a service responsibility. But for me as the combatant commander, I want to be focused on the mastery of our force,” he said. “One of the ways that we can do that is a partnership with the services, so that our incentive pay is really focused on are you advancing in terms of your overall qualification and expertise? We should reward that. If someone’s a master at their work role, that’s what we would like to see rewarded. Proficiency and excellence is what we should be rewarding.”

Haugh pointed out that the Army is leading the way on that effort.

The post Cybercom chief to Congress: Let us finish our study before directing an examination for a Cyber Force appeared first on DefenseScoop.

The rapid evolution of technology and the digital landscape has fundamentally altered the nature of warfare. Cyber has become the fifth domain along with land, sea, air and space. As cyber threats continue to grow in sophistication and frequency, the United States must adapt its defense posture to meet these challenges head-on. Our current distributed approach leaves gaps in capabilities, training, recruiting and innovation, leaving us vulnerable to digital attack. An independent U.S. Cyber Force is not just a strategic necessity but an inevitable progression in the evolution of military operations.

Cyber warfare has become a critical component of modern conflicts. Adversaries such as China, Russia, Iran, and North Korea have developed formidable cyber capabilities, launching attacks that target both governmental and civilian infrastructure. The 2020 SolarWinds cyberattack, which compromised multiple U.S. federal agencies, and the persistent ransomware attacks on critical infrastructure underscore the urgent need for a dedicated and specialized cyber force. According to a 2021 report by the Center for Strategic and International Studies (CSIS), the frequency and severity of cyberattacks have increased exponentially, with nation-states being the primary actors. The report highlights that traditional military structures are ill-equipped to deal with the unique challenges posed by cyber threats, necessitating a distinct and independent cyber force.

Key benefits of having an independent cyber service

Specialization and Focus: The creation of an independent U.S. Cyber Force would allow for the specialization and focused training required to tackle complex cyber threats. Unlike conventional military units, a cyber force would be dedicated exclusively to defending against and conducting cyber operations. This specialized focus is crucial for developing the expertise needed to stay ahead of adversaries in the fast-paced cyber domain.

Streamlined Command and Control: An independent cyber force would enhance command and control capabilities, ensuring a more agile and responsive structure. Currently, cyber operations are often spread across multiple branches of the military, leading to fragmented efforts and bureaucratic inefficiencies. A unified command structure within an independent cyber force would enable more coherent and effective responses to cyber incidents.

Enhanced Recruitment and Retention: Attracting and retaining top talent is a significant challenge in the cyber domain. An independent cyber force would have the flexibility to implement specialized recruitment and retention strategies tailored to the unique demands of cyber warfare. This includes offering competitive salaries, advanced training programs, and career development opportunities that are more aligned with the private sector sector, as well as allow the cyber operator to actually perform in the job they are assigned.

Innovation and Adaptability: The cyber domain is characterized by rapid technological advancements. An independent cyber force would be better positioned to innovate and adapt to emerging threats. By fostering a culture of continuous learning and technological experimentation, a cyber force can develop cutting-edge capabilities and stay ahead of adversaries.

Opponents of an independent U.S. Cyber Force often argue that it would create redundancy and overlap with existing military branches. However, this perspective fails to recognize the unique nature of cyber warfare. The U.S. Space Force, established in 2019, provides a precedent for the creation of a specialized military branch to address specific operational needs. Just as space operations require distinct capabilities and focus, so too does the cyber domain.

Another argument against an independent cyber force is the potential for bureaucratic growth and increased costs. While the initial establishment of a new military branch may incur costs, the long-term benefits of having a dedicated and efficient cyber force far outweigh these concerns. The current fragmented approach to cyber operations leads to inefficiencies and higher costs in the long run. Consolidating these efforts under a single command would streamline operations and ultimately reduce redundancies. Furthermore, aligning the U.S. Cyber Force under the Department of the Army as recommended in the FDD study released earlier this year, would alleviate these red tape and cost concerns.

As cyber warfare continues to shape the future of conflicts, an independent U.S. Cyber Force is required to safeguard national security and maintain technological superiority. Now is the time to take the necessary steps to ensure our cyber defenses are robust and resilient. By establishing an independent U.S. Cyber Force, we can better protect our nation, deter adversaries, and establish dominance in the fifth domain.

Daniel Van Wagenen is a retired Army combat infantryman and defensive cyber operator. He is also the co-founder of the Association of U.S. Cyber Forces (AUSCF), the first dedicated nonprofit to being a voice for the cyber warfighter, and co-founder and COO of Minerva Cyber Technologies, a full-spectrum cyber operations services and products firm. 

Kim Irving is a senior cyber executive focused on supporting the warfighter and the national security mission. Co-founder and CEO of Minerva Cyber Technologies, she has 20+ years of experience serving on executive leadership teams and boards. Her experience includes full-spectrum cyber services and capability development for U.S. Cyber Command, Army Cyber Command, Air Force Cyber Command, Navy Fleet Cyber Command, and Marine Corps Forces Cyberspace Command.

The post The case for an independent U.S. Cyber Force appeared first on DefenseScoop.

Through several National Defense Authorization Acts, Congress mandated studies focused on these challenges. The Office of the Secretary of Defense, the Principal Cyber Advisor, Cybercom, and the rest of the DOD cyberspace operations community are currently supporting DOD’s response to each study. Cybercom 2.0 is the capstone response which will include the command’s recommendations to the secretary of defense and Congress. Recent academic examination and inquiry into these challenges has produced a variety of solutions — not all informed by realism or logic. Some academics, military leaders and politicians believe that establishing a U.S. Cyber Force will address challenges faced by the DOD cyberspace operations community. We disagree.

Proponents of USCF establishment often cite excision of the U.S. Army Air Corps from the Army to form the U.S. Air Force as precedent for their argument. Equating the creation of the USAF to the proposals for a USCF is built on flawed logic and a fundamental misunderstanding of DOD cyberspace operations missions. 

Proponents leverage the aforementioned force generation and readiness challenges then employ a logic that there are no unique aspects of cyberspace, or cyberspace functions, specific to the services to justify the establishment of a USCF. The argument continues that this homogenous domain requires a standalone advocate because the services do not have unique equities and therefore cannot advocate properly for the maturity of DOD cyberspace operations overall. But cyberspace is not the same across the services, and the excision argument built on this is therefore similarly challenged. 

For example, DOD cyberspace enclaves are not separable components that can be removed and used to create a USCF. These enclaves, and their interconnected functions, permeate all facets of DOD operations and support activities. Furthermore, the cyberspace expertise resident within each service is tailored to the unique mission and domain-specific requirements for the cyberspace elements supporting the warfighting platforms in the physical domains (land, air, maritime and space.) 

A USCF would, by necessity, be forced to integrate itself within each of the other services, since cyberspace systems, and the forces that secure, operate and defend them cannot be extracted from the existing services. Such an integration has already been most efficiently accomplished by establishing cyberspace forces within each of the services. Giving these cyberspace forces a new uniform and a new chain-of-command will not improve the operational integration of cyberspace with the other domains.  

Following the logic applied by most proponents, establishing a separate USCF would be equivalent to establishing a separate service that flies all military aircraft or a separate service to drive and maintain all military trucks. Of course, that is not a reasonable approach, but neither is establishing a service whose forces would need to be similarly integrated at the tactical level with the forces of other services. 

Practically, the Marine Corps’ experience in Guadalcanal and the resultant establishment of the Marine Air-Ground Task Force (MAGTF) are illustrative comparisons. During the Marine campaign in August 1942, Naval air and amphibious support forces “left the 1st Marine Division alone” and “exposed to Japanese attacks,” rendering them “virtually a besieged garrison.” In December 1963, the Marine Corps published Marine Corps Order 3120.3 which formalized the MAGTF as an organization to ensure the Marine Corps deployed projection forces with the ability to move ashore with sufficient sustainability for prolonged operations, including organic air, ground and support assets. Today cyberspace operations are also integrated into the standard MAGTF structure. There are similar examples that demonstrate how quintessential elements of force projection are retained within each service, and cyberspace forces should be no different. Cyberspace operations are inherently connected to the modern battlefield, so cyberspace forces must be integrated down to the tactical level — an effect which is best achieved by the current model.

A recent article claimed that a USCF should be established because only a USCF could adequately develop and maintain doctrine for cyberspace operations. The article claims that the Army is primarily responsible for developing cyberspace operations doctrine today. These claims are false. Congress gave the Cybercom commander authority to develop doctrine for DOD cyberspace operations in section 167b of Title 10 U.S. Code, and Cybercom has diligently worked to do so.

The article claims that there is only one joint doctrine publication for cyberspace operations. This claim is also false. There are two joint publications for cyberspace operations (Joint Publication 3-12 Joint Cyberspace Operations, and Joint Publication 6-0 Joint Communications).

Furthermore, Cybercom develops and maintains many command-level doctrine publications in a Cyber Warfighting Library, and some of the services have developed service-specific doctrine for cyberspace operations (e.g. Army Field Manual 3-12 Cyberspace Operations and Electromagnetic Warfare and Air Force Doctrine Publication 3-12, Cyberspace Operations, and Navy Warfare Publication 3-12 Cyberspace Operations). Doctrine development for DOD cyberspace operations is not a challenge equivalent to recruiting, training, retaining, and tracking readiness of cyberspace forces.

Proponents of USCF establishment often present creation of a new service as the only reasonable approach to address training and readiness issues faced by Cybercom and the services. This assertion is false. Congress recently expanded Cybercom service-like authorities to include enhanced budgetary control, and the president designated the command as joint force provider and joint cyberspace trainer for cyberspace forces. Despite becoming a unified combatant command in 2018, it is only now in 2024 that there is a complete alignment between acquisition, the scope of training and provisioning, and budgetary responsibility and authorities. Therefore, it is only in fiscal 2024 that the commander responsible for readiness of cyberspace forces now has the authority over the acquisitions and resources to drive that readiness. These authorities have not yet been fully implemented and evaluated, but external commentators are already calling for a solution that is completely divergent from the Cybercom-centric approach U.S. leadership has advocated for consistently over the past 15-plus years. 

Both the former Cybercom commander, retired Gen. Paul Nakasone, and the current Cybercom commander, Gen. Timothy Haugh, answered congressional inquiry about establishing a new service with discussion on how effective the existing U.S. Special Operations Command (Socom)-like model is. Nakasone also publicly declared his opposition to the creation of a new service for cyberspace operations. A recent article highlights Mieke Eoyang, deputy assistant secretary of defense for cyber policy, advising caution toward the idea of creating a USCF. The article quotes her as warning “be careful what you wish for” in reference to the aforementioned excision fallacy.

Recent articles claim that existing services place a low priority on, and perform poorly at, recruiting and retaining cyberspace forces. Creating a new service is not the only way of addressing this problem and it should not be presented as such. Congress, DOD and Cybercom need to hold the services accountable for providing the trained and ready cyberspace forces they’ve been tasked to deliver. What existing programs can be used to improve performance? How might the Congress, DOD and Cybercom help the services improve recruiting and retention? Ultimately, what is evident to us is that some current scholarship proposes a course of action without adequately considering alternatives to the one they prefer. Without providing complete evaluation criteria to compare proposals against, the community of interest is left wanting.

However, aside from the obvious associated cost, the most critical evaluation criteria must be disruption. Cybercom is responsible for ensuring the security, operations and defense of all DOD-controlled cyberspace, defending the nation from advanced cyber threats, and providing cyberspace operations support to other combatant commands. These are critical all-day-every-day missions. Among the wide range of possible solutions, which options are least disruptive to these ongoing missions? What options are most likely to result in steady improvement while minimizing the disruption of these missions? It is reasonable to assume that creation of a USCF would be the most disruptive option. It is highly likely that all the personnel that are actively working to implement new service-like authorities and address these challenges today would have to cease their progress to “Go figure out how to establish a cyber service.” This disruptive proposal presents unacceptable risk to the nation.

A more reasonable approach is to build up the existing Cybercom-centric model while allowing for controlled progress toward a more robust model like that of the Socom. The force generation model of Socom works because each of its service components deliver domain-peculiar forces and capabilities to the Joint Force. Maturing Cybercom’s employment of the Socom-like force generation model has the potential to address the recruiting, training, retention and readiness challenges. 

It is essential that U.S. leaders give Cybercom a reasonable amount of time to implement, test and iterate on its newly enhanced budgetary control authority, doctrine development authority, and joint force provider and joint cyberspace trainer responsibilities. Leaders, and the broader community of interest, should also allow highly-qualified DOD experts with firsthand experience to complete and present maturation recommendations under the Cybercom 2.0 initiative and likewise consider how leaders in the services, DOD and Congress can enable more rapid progress toward Cybercom 2.0-recommended solutions to address DOD’s challenges in cyberspace. 

DOD has made significant progress toward integrating cyberspace operations within broader department operations. Many challenges remain to optimizing DOD processes that enable successful cyberspace operations, but the arguments for establishing a new service do not justify this extremely expensive and radically disruptive course of action. Instead, U.S. leaders should stay the course, double down on the Cybercom-centric model for military cyberspace operations, and trust the expert recommendations of the experienced individuals they have appointed to lead military cyberspace operations on behalf of the nation. Any solution presented to address these challenges should include robust course of action evaluation criteria, including the degree to which they are likely to disrupt ongoing cyberspace operations and put the nation’s cybersecurity at risk. Future analysis should be focused on evaluating, implementing and refining Cybercom 2.0-recommended solutions.

Authors’ note: The views expressed in this work are those of the authors and do not reflect the official policy or position of the U.S. Cyber Command, the Department of Defense, or any other U.S. government entity.

Alan Brian Long Jr. is a Senior Policy and Doctrine Analyst at U.S. Cyber Command, where he serves as one of the foremost experts on DOD cyber policy and doctrine. He has 11 years of experience at Cybercom, and prior to arriving at the command, he served in the U.S. Marine Corps signals intelligence community. Brian is credited with authoring several notable cyber policy and doctrine documents within the DOD cyberspace operations community. He has deep institutional knowledge about the maturation of Cybercom and the broader DOD cyberspace operations community derived from over a decade of firsthand experience as a practitioner and action officer.

Maj. Alexander Pytlar is an Army Strategist (Functional Area 59) at U.S. Cyber Command, where he serves as the Deputy Branch Chief for the Strategy Branch within the Cybercom J55 Strategy, Policy, and Doctrine Division. His most recent assignment was as an assistant professor of geography at the United States Military Academy at West Point. Prior assignments include reconnaissance platoon leader and tank company commander, with deployments supporting Operation Enduring Freedom and Operation Spartan Shield, respectively.

The post An argument against establishing a U.S. Cyber Force appeared first on DefenseScoop.

A measure included in the Senate version of the National Defense Authorization Act last year was ultimately nixed from the final proposal during the conference process with the House, which didn’t have a similar provision in its bill.

However, the issue of creating a sixth military service that is focused solely on cyber operations, while not new, has gained steam over the last year as threats have grown, the landscape is becoming more dynamic and readiness issues have plagued the military services’ forces that they present to U.S. Cyber Command.

Each of the military services is responsible for providing personnel for a set number of teams to Cybercom, which then employs those forces in operations for the other geographic combatant commands. But detractors believe the services are too siloed in their approach, leading to incongruent models for presenting forces to Cybercom and forces maintaining their service identities, which leads to readiness issues, according to skeptics.

An amendment to the fiscal 2025 NDAA on the House side proposed by Rep. Morgan Luttrell, R-Texas, during its marathon markup May 22 directs an independent evaluation on the establishment of a U.S. Cyber Force to be conducted by the National Academies of Sciences, Engineering, and Medicine.

“I think the study is a great step forward and it kind of lays the groundwork for something. Or it could very well tell us we’re not ready yet,” Luttrell told DefenseScoop before the committee marked up the bill.

He also noted that he’s not opposed to other solutions, adding that he’s happy to engage with the DOD on possible alternatives to creating a Cyber Force.

Luttrell and other Republican co-sponsors believe the timing for this is now because the cyber risks are increasing and the current approach is too disjointed.

“[T]oday, each service generally builds cyber capacity in isolation. The forces are also supposed to be built to a single standard, but that intent or vision has never come to fruition, with dramatic disparities across the services. In fact, they don’t even align on the names of the career fields for personnel aligned to cyber operations. While seemingly minor, the consequences are significant,” Rep. Pat Fallon, R-Texas, wrote in a recent op-ed. “It’s critical we establish an independent military service aligned to cyberspace, responsible for the Title 10 functions of ‘Organize, Train, and Equip.’”

The Senate Armed Services Committee, which marked up its version of the NDAA this week, included a provision examining the prospect of an independent cyber force or service, according to committee staff. However, a summary of the bill, which passed the committee Thursday night by a vote of 22-3, did not offer any details.

The measures from both House and Senate Armed Services Committees must be passed by their respective chambers of Congress before going into conference where the two versions will be reconciled into a single bill. The full House passed its version on Friday.

Two of the leading outside groups on military cyber issues have applauded the efforts of Congress in exploring options to improve how DOD presents and employs cyber forces, to include the prospect of a new, independent military branch.

The Association of US Cyber Forces (AUSCF) “fully supports the creation of a Cyber Force to support our national security in cyberspace. The provisions of the NDAA calling for a study into this possibility are a step in the right direction, but we have been here before,” the nonprofit, which is dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, wrote in a statement to DefenseScoop. “This is not the first congressional call for such a study, though we do applaud the move to have it conducted by an entity outside the DOD. Our hope is that this study will unequivocally find what we all already know, that such a dedicated force is not only appropriate, but a vital need for our country if we ever hope to match and surpass our adversaries in this domain … This NDAA inclusion is a step in the right direction, though the time has come for us to build momentum and move towards action quickly following the results of the study.”

The organization, which has been advocating for the creation of a cyber force, is hopeful the assessments conducted outside the DOD will determine the potential for such a force to also exist outside of the department and its currently limited authorities. AUSCF has been advocating for a more holistic national defense force with the authorities to better protect the homeland from a defensive posture and conduct operations against outside actors.

“One thing is certain in the debate on whether or not there should be a bold reorganization to establish a new military service focused on the cyber domain of warfare, and that is there is deep disagreement among relevant stakeholders. However, there is wide consensus that an unbiased independent study to examine the potential value and feasibility of such a service is not only appropriate, but sorely needed,” Chris Cleary, national president of the Military Cyber Professionals Association, a nonprofit dedicated to advocating for military cyber issues, said in a statement to DefenseScoop. “To that end, and in pursuit of our mission and vision, the MCPA wholeheartedly supports the proposed study.”

Congress wants answers

Part of the congressional concern stems from the need for more information and data.

“Many members of Congress, myself included, feel we need better information to understand our current and projected cyber defense capabilities. That’s why this year’s House-passed NDAA has multiple efforts to achieve our shared goal of supporting our cyber professionals and systems,” Rep. Chrissy Houlahan, D-Penn., an Armed Services Committee member, said in a statement to DefenseScoop. “The truth is that the civilian and military cyber landscapes are changing rapidly, almost daily. Because cyber is an integral part of our national defense and needs to be supported with a robust workforce, it’s a matter of congressional concern.”

Congress has previously provided bill language requiring DOD to include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review. It has also more recently required a study, which among many aspects, called for an examination of the current cyber enterprise, requested a look at how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force and if the Pentagon should create a separate service. This effort is known as the Section 1533 study from the fiscal 2023 NDAA.

“The Section 1533 study was looking at all options to include the establishment of a separate service and hence a separate analysis — is it necessary — but we required the department to do the study … as part of the cyber posture review. It seems to me that DOD ignored that requirement and then pointed us to a section in the posture review that included an assessment, but if you look at that section, no such assessment existed,” Mike Gallagher, who until late April was the chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, said during an April hearing. “Why should we believe that the department will follow on with an objective analysis as part of the 1533 study, given that it was ignored previous to this?”

This so-called force structure assessment was due to the secretary of defense June 1.

The DOD has taken the approach of packaging the variety of studies Congress has required, to include 1533, and bundle them into an effort it dubs Cybercom 2.0, a holistic top-to-bottom review underway to examine how to reshape Cybercom’s organization and forces and ensure it’s best postured for the future and emerging threats.

Gen. Timothy Haugh, who became commander of Cybercom in February, said at the command’s legal conference April 9 that along with the newly established Office of the Assistant Secretary of Defense for Cyber Policy he must brief the secretary on the vision for the future of force generation this summer. Later that week, he told the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems that the command and ASD-Cyber are working on Section 1533 along with other efforts and owe a briefing of 1533 to the secretary of defense in June.

“There are a couple of things that Congress has already given us that is where we’re going to owe products,” he said at the conference, later telling lawmakers: “We owe that [force generation study] to the secretary in June and we are required to brief them in June [on] the results of that study, and we’re moving at pace to ensure that we look at all the options that you directed.”

Other elements Congress has asked DOD and Cybercom to study that are being folded into Cybercom 2.0 efforts include the optimal strategy for structuring and manning various headquarters elements.

According to a DOD spokesperson, the department tapped the RAND Corp. to study the issue.

“In response to Section 1533 of the FY23 NDAA, DOD commissioned an independent research study of U.S. cyber forces through the RAND Corporation, which generated insights concerning challenges and opportunities of force presentation and design, mission essential tasks, civilian-contractor-military mix, training pipelines, talent management, career progression, and pay,” they said. “The alternative models presented in the study have informed the Department’s understanding of current and potential future constructs of the cyber forces. The Department is currently exploring tradeoffs presented by the various models and is on track [to] meet the 1533 legislated timeline to present an implementation plan by June 2025.”

The HASC version of the NDAA for fiscal 2025 that passed in May included an amendment by Houlahan requiring the secretary of defense to submit the 1533 study, along with any supporting analyses that may have been conducted by any other entities, no later than Sept. 30.

As the law currently exists, the DOD owes congressional defense committees briefings at least once every 180 days on the progress of the section 1533 effort until receipt of the plan.

While many observers, including top officials, have acknowledged that the status quo is not working, detractors of an independent cyber force within DOD maintain now is not the time to shake things up.

The current model has not had enough time to prove itself, the argument goes. The command only just received enhanced, more service-like authorities with the passage of the fiscal 2024 appropriations bill earlier this year that provides enhanced budget authority, giving full budget ownership of cyber and direction of cyber forces to Cybercom.

The command modeled itself off U.S. Special Operations Command, a combatant command with unique service-like authorities.

Some outside experts believe the DOD is working to head off congressional direction for outsiders to study an independent cyber force.

“When they were trying to kill the independent assessment DOD suggested and they didn’t think it was needed, they implied the overdue 1533 report was right around the corner. I no longer think that’s true,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, told DefenseScoop. “One might consider that poor form to say ‘I don’t need that because I have this other thing coming,’ and the other thing is not really there.”

Montgomery, who also previously served as policy director for the Senate Armed Services Committee, gives the measure of an independent assessment a 50/50 chance of becoming law at best, even though it was included in both the HASC and SASC versions of the NDAA.

Despite Congress’ affinity for studies and assessments, the fact that the measure didn’t make it into the final bill last year and there are questions surrounding its passage this year, indicate DOD is working to prevent it, sources suggested.

“DOD is telling the senior congressional leadership an independent assessment is ‘not needed,’ very emphatically, repeatedly. DOD leadership is lobbying hard and working hard against this,” Montgomery said.

He acknowledged that if this was an easy fix it would’ve been done already, adding that the problem with continuing to do nothing is that it’s been the approach for 12 years.

“If we don’t do this assessment, we’re doing nothing because DOD is not changing. This force generation problem is getting worse every year and the Chinese are getting better every year,” he said. “DOD has had an open door with congressional leaders to get whatever they needed over the past decade and we ended up in this position.”

The post Assessment for independent cyber force passes House, Senate defense committee appeared first on DefenseScoop.

“America’s cyber force generation system is clearly broken. Fixing it demands nothing less than the establishment of an independent cyber service,” a report published Monday by the Foundation for Defense of Democracies states. “This research paints an alarming picture. The inefficient division of labor between the Army, Navy, Air Force, and Marine Corps prevents the generation of a cyber force ready to carry out its mission. Recruitment suffers because cyber operations are not a top priority for any of the services … The current system compounds these force-generation challenges. Each of the services has developed its own solutions, leading to both inconsistencies and shortcomings.”

The report’s authors — retired Rear Adm. Mark Montgomery, who is senior director of FDD’s Center on Cyber and Technology Innovation, and Erica Lonergan, an assistant professor in the School of International and Public Affairs at Columbia University — interviewed over 75 active duty and retired U.S. military officers with significant leadership and command experience within cyber. Both authors were members of the now-sunset Cyberspace Solarium Commission.

While not all interviewees believe the creation of a new service is the answer, “everyone agrees that the status quo is not sustainable, even if not everyone we interviewed agreed that necessarily that the solution is to establish an independent uniformed service for cyberspace,” Lonergan told reporters ahead of the report’s release.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands.

Proponents of an independent cyber service argue the cyber operators have no distinct identity — as they are still members of their respective services — as well as that there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different for the members of each service, and that command and control structures are confusing.

In one of the most pertinent and striking examples, Congress recently was forced to act in directing the Navy to create cyber-specific work roles as it was the only service to date that had not done so. Navy service members were rotating too frequently in and out of the cyber mission force creating continuity issues, forcing retraining, and ultimately, readiness issues.

Those cyber mission force teams — offensive and defensive — were initially designed to be joint from the outset, trained to the same standards so they could be interchangeable and operate alongside one another. But individual service intricacies have plagued that design, the report alleges.

“The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM … At root, the current readiness issue stems from the fact that none of the existing services prioritizes cyberspace,” it states. “Promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate servicemembers who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training.”

The report, as well as sources who detailed the issue to DefenseScoop previously, allege the services played “shell games” when it comes to staffing the team, oftentimes double counting personnel to make the teams look fully manned.

‘The status quo isn’t working’

There has been frustration among many outside the military that despite readiness shortfalls, not much to date has been done to address how forces are presented.

“This is also a concern that this poor force generation model is negatively impacting readiness. It’s preventing the cyber mission force from conducting operations or really from growing and expanding,” Montgomery told reporters. “We need to absolutely get better or we’re going to create a catastrophic condition where an adversary’s cyber capabilities either enable him to do something we can’t stop or him to stop us from doing something we need to do. I think we’re rapidly getting to that.”

The cyber mission force was conceived in 2012-2013 and began building then. At the time, it envisioned 133 teams. However, that force has remained steady until the fiscal 2022 budget that, for the first time, authorized growth for the cyber mission force approving 14 additional teams.

For Montgomery, the growth and maturation of the force has not been enough to keep pace with America’s adversaries.

“Over the last 14 years, one thing I can definitely say by the Chinese and Russians is their capacity has grown, and the idea that we’ve maintained the exact same level is really concerning. I think we’re there because we’re not able to get the maximum readiness out of that lower level, much less grow and expand it,” he said.

Each of the service chiefs has pledged to make cyber mission force readiness a top priority. However, Montgomery contends the services have completely failed thus far.

“It is definitely a criticism of [the] services. There’s no two ways about it,” he said.

Lonergan noted that there is beginning to be recognition that the current status quo is inefficient and changes must be made.

“The consensus is that the status quo isn’t working and I think I can say that that’s the consensus of our military leaders in cyberspace, too. That’s what’s driving this Cybercom 2.0 effort to do this kind of holistic, comprehensive review of Cybercom,” she said.

Cybercom 2.0 is a holistic top-to-bottom review underway by the command to examine how to reshape its organization and forces and ensure it’s best postured for the future and emerging threats. It’s meant to look at force presentation, force composition, acquisition and other improvements and changes as it evolves.  

Last year, Congress attempted to begin evaluating the prospect of creating an independent cyber service. However, efforts in both the House and Senate were struck from the annual defense policy bill, one of which would have required an independent body to study the merits of establishing a new force.

Advocates for a cyber force are pushing hard this year to ensure something makes it into legislation.

“We do not take lightly the many challenges still ahead in implementing the recommendation for creation of a dedicated Cyber Force, but AUSCF calls upon our nation’s Executive and Congressional leaders to act, through policy and legislation, to meet this call for what our nation so urgently needs in support of national security. The creation of a Cyber Force is a clear message, both to our adversaries and our own citizens, that freedom of action in the cyberspace domain, and protection of our critical infrastructure and sovereignty, are priority responsibilities that the United States takes seriously and will meet with the best our nation can provide,” the Association of US Cyber Forces (AUSCF), a nonprofit dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, said in a statement provided to DefenseScoop ahead of the release of the FDD report.

Opponents of an independent cyber service argue that now is not the time. The current model has not had enough time to prove itself, the argument goes. Moreover, Cybercom is on the precipice of inheriting significantly more authority. Through what’s known as enhanced budget authority, Cybercom is slated to gain more service-like authorities from full budget ownership of cyber and direction of cyber forces. That was supposed to culminate at the beginning of fiscal 2024.

Others note that the command modeled itself off U.S. Special Operations Command, a combatant command with unique service-like authorities. However, the report notes incongruencies between special operations forces and cyber forces.

“In the SOCOM model, each of the services provides the force employer — SOCOM — with expert personnel who possess skills suited to their particular domain. For instance, an Army Ranger trains for special operations on land, while Navy SEALs possess skills tailored to maritime special operations. Rangers and SEALs are not interchangeable. The Army cannot train SEALS, nor the Navy Rangers. Thus, SOCOM actually gains strength from this one-of-a-kind distributed force-generation model,” the report states. “However, there are no land, sea, or air-specific cyber functions that only particular services can provide.”

As was stated previously, the cyber mission force was designed to be joint from the outset and trained to the same standards so individuals could be interchanged from team to team, offense or defense.

Department of Army and Cyber?

The report’s authors were sure to explain they’re not necessarily wedded to what a cyber force could look like if the Department of Defense has ideas for it.

But it did recommend placing it within the Department of the Army, with Cybercom continuing to be the force employer. Montgomery believes the Army has done the best in cyber, relative to the other services, placing cyber in the hands of general officers. Additionally, the other military departments already have subordinate forces: the Space Force under the Department of the Air Force and the Marine Corps under the Department of the Navy.

“Standing up this new service would be relatively straightforward. Initially, the Cyber Force would encompass the billets that currently comprise the CMF: a 6,200-person mission group consisting of servicemembers, civilians, and contractors,” the report stated. “Beyond the CMF, the Cyber Force could also absorb a select number of billets for cyberspace operators that currently fall within the SOCOM enterprise. The Cyber Force could draw on lessons from the Space Force, which has encountered few issues filling its new roles even though it requires highly technical and skilled personnel.”

The authors were also sure to note the services should keep their organic cyber and IT personnel, meaning the new cyber force wouldn’t suck up all the cyber expertise, leaving the services with nothing.

Ultimately, having a single service — with a service secretary adhering to civilian control of the military — that can solely focus on providing forces for cyberspace operations will improve the readiness of cyber forces and retention, the authors contend.

Montgomery explained that if Cybercom needed to grow, it would be as simple as working with one service as opposed to four right now.

“Cyber Command [could] say, ‘Hey, I need to be 20 teams bigger, to do that I need an extra 1,000 operators.’ He could talk to the cyber force chief and the two of them would then go see the chairman and the Secretary of Defense … and make that argument and then it’d be properly sized,” he said. “I think it would make Cyber Command much more effective and agile. You have a more ready force and then an ability to grow the force. Right now, if he wants to grow the force, he’s got to convince each of the services.”

The post US must establish independent military cyber service to fix ‘alarming’ problems — report appeared first on DefenseScoop.

In the conference report for the reconciled version of the fiscal 2024 National Defense Authorization Act, legislators noted that they nixed a provision that was included in the Senate bill that would have directed the secretary of defense to enter into an agreement with the National Academy of Public Administration to conduct an evaluation regarding the advisability of establishing a separate military branch for digital warriors.

There has been a growing chorus in recent years arguing for the creation of a cyber service or cyber force, that would be the seventh uniformed military service following the creation of the Space Force in 2019.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands. But each branch has its own identity, culture, and way of classifying and providing forces to Cybercom — and observers have argued that this has been to the detriment of cyber warriors given they are soldiers or airmen or sailors first, with a secondary focus on cyber.

The argument for a new model is that the current system does not work. However, opponents of a new service say there hasn’t been enough time to allow the current system to prove itself — especially given Cybercom has only just gained full control over its budget in October with service-like authorities much like U.S. Special Operations Command.

Some outside organizations were upset to see the provision excluded from this year’s legislation.

“The exclusion of the Cyber Force study in the NDAA is beyond disappointing; it’s a deliberate impediment to progress in an area where it’s needed most,” Nathan Rolfe, president of the Association of US Cyber Forces (AUSCF), a nonprofit dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, said.

“With the cyber talent gap continuing to worsen nationwide, and traditional military thought still holding back the DOD from realizing its full manning and operational potential in the cyber domain, we cannot keep pace with the aggressive advancements of our major power peer competitors. This omission from the NDAA is not a delay; it represents backward momentum in terms of national security,” Rolfe added.

AUSCF has been advocating for the creation of a cyber force. The organization noted that while the Senate bill fell short of establishing a separate cyber force, a feasibility study would have been the first proactive step in safeguarding the nation’s security and an investment in the future resilience of U.S. digital infrastructure.

Additionally, the Military Cyber Professionals Association (MCPA), a nonprofit dedicated to advocating for military cyber issues, sent a memo in March to both houses of Congress urging the creation of a United States Cyber Force in this year’s annual defense policy bill.

“Given the serious consequences of both action and inaction, the MCPA looks forward to serious analysis of the options at hand to reorganize and establish a Cyber Corps, Force, Service, or the like. Studies should be conducted both internal to DOD, including those sponsored by DOD entities, and those independent that are unencumbered by the requirement to tow the current party line,” Chris Cleary, MCPA national president, said in a statement.

The Senate’s provision, introduced by Sen. Kirsten Gillibrand (D-N.Y.), that was stripped would have examined the best route forward between establishing a separate armed force dedicated to operations within cyberspace or refining and evolving the current approach for Cybercom, based on the Socom model.

Lawmakers have danced around the issue of an independent cyber service in years prior, mandating the Department of Defense include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review, as well as a separate examination of the current cyber enterprise; how the services should man, train and equip for cyber; if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force; and if the DOD should create a separate service.

Members of Congress have not been pleased with how the Pentagon has responded to these assessments and reports — and in some cases, not providing assessments — leading to calls for an independent study.

Moreover, in successive NDAAs Congress has sought to address concerns related to the readiness of the current cyber forces, to include a provision in this year’s bill to create a more standard approach to how the military services present forces.

The House version did not include a provision regarding a study, but had two provisions aimed at improving and examining the current structures. The first directed a review of DOD’s management of cyber operations, while the other directed the Pentagon to assess the resiliency of its cyber operators given personnel often work long hours and are always conducting operations in constant contact with adversaries in cyberspace — either defending DOD networks from daily enemy probes or carrying out offensive ops.

The review was included in the conference bill’s report language and the assessment was adopted by conferees.

The post Congress axes independent cyber force study appeared first on DefenseScoop.

“For people who think the cyber service is the answer to our current challenges in cyber personnel management, be careful what you wish for,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy, told reporters Friday at a Defense Writers Group meeting.

Some inside and outside government have been advocating for a separate cyber force or branch akin to the Army, Navy, Marine Corps, Air Force and Space Force.

Currently, each of the services are responsible for providing a set number of personnel and teams to U.S. Cyber Command through the joint cyber mission force.

Proponents of an independent cyber service argue the cyber operators have no distinct identity — as they are still members of their respective services — there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different for the members of each service, and the command-and-control structures are confusing.

Eoyang said the Pentagon is studying the issue, as part of congressional direction in last year’s defense policy bill, to examine the current cyber enterprise, look into how the services should man, train and equip for cyber, ponder if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force, and determine if the DOD should create a separate service.

Given congressional frustration that the department has not fulfilled that yet, the Senate Armed Services Committee has passed a provision in its annual defense policy bill for an independent assessment of creating a cyber service or cyber force. That still must be conferenced with members of the House and signed by the president to become law.

“We’re going to study the question and we’ve been directed to do that, as you know, we have this [National Defense Authorization Act section] 1533 study, which tells us to look at our model and current and alternate models. We’ll certainly look at the question. We already have an effort underway to do that,” Eoyang said.

One of the arguments for a cyber service is that it will allow a singular organization to be focused solely on the manning, training and equipping of cyber forces. But Eoyang said she isn’t sure that an independent service would solve those issues.

“A cyber service might have some benefits in ease of administrative management, but we have a variety of services in the military services in the Department of Defense who perform a variety of missions. Those missions are enabled by technologies that are particular to those mission sets. Having a cyber service that is divorced from those particular mission sets may pose some challenges in understanding the warfighting needs of the services to provide cyber to enable that fight,” she said.

“We need to understand what the pros and cons are. There are certainly challenges to managing a career field that spans multiple services. There are challenges to jointness … The question is, which set of problems are we willing to live with and taking a look at all these things to understand that better before we throw out what we have in favor of something else or decide actually what we have needs to be fixed or there’s something else completely,” she added.

Opponents of a cyber service have suggested there hasn’t been enough time to prove out the existing model. Cybercom is slated to gain enhanced budget authority in October pending a passed budget by Congress, which officials say will provide greater oversight of the services and teams to improve readiness.

The three officials nominated to lead the Army, Air Force and Navy were all asked about how they’ll seek to address readiness concerns of the cyber mission force during their confirmation hearings this summer. Each recognized problems and committed to addressing them.

The post Senior DOD official on creating an independent cyber service: ‘Be careful what you wish for’ appeared first on DefenseScoop.