The House and Senate Armed Services Committees released the text of the compromise fiscal 2025 National Defense Authorization Act on Dec. 7, which included a provision calling for an independent assessment by the National Academies of Sciences, Engineering, and Medicine to “conduct an evaluation of alternative organizational models for the cyber forces of the Armed Forces.”

Each chamber passed nearly identical provisions earlier this year directing the Defense Department to enter into an agreement with the Academies to conduct an evaluation regarding the advisability of establishing a separate military service focused on cyber or refining and further evolving the current organizational approach for Cybercom based on the Special Operations Command model.

However, the final compromise version stripped some of the original language, and some sources referred to the final version as being watered down.

There is no longer due date for such an assessment, meaning it will likely fall down on the prioritization list unless funds are allocated to the Academies to conduct the assessment.

Moreover, the final version placed a larger focus on alternative models for cyber forces rather than solely focusing on an independent armed service, likely a nod to efforts currently underway by DOD and Cybercom to examine other readiness models and force generation, dubbed Cybercom 2.0.

These measures likely have been put in place to weaken the overall provision and effort to examine a potential sixth armed service.

In a statement, Rep. Morgan Luttrell, R-Texas, who co-sponsored the measure in the House Armed Services Committee, said he was “disappointed that my amendment to evaluate the need for a Cyber Force was scaled back.”

Members believe that while some progress has been made to advance America’s cyber forces, much more work is left to do and all options are on the table.

“Since arriving in Congress, I have used my role on the House Armed Services Committee to advance several initiatives to strengthen and expand the cyber capabilities of our armed forces,” Rep. Chrissy Houlahan, D-Pa., said in a statement. “Although significant progress has already been made to ensure our military’s cyber capabilities are the most advanced in the world, there is still more work to be done to ensure that we remain ahead of our adversaries in this important domain. It is important that we remain open to all options to move forward, including the creation of a distinct uniformed Cyber Force, and I am glad that the Fiscal Year 2025 National Defense Authorization Act mandated a new independent study on this important question.”

Others in Congress are positive they can use their oversight powers to push the DOD.

“This study is a step in the right direction and Congress, through its power of oversight can work to ensure the sense of the language is executed,” Rep. Pat Fallon, R-Texas, said in a statement. “All options are on the table except the status quo regarding the DOD’s manning, training, and operations in the cyber domain because the scope, scale, and level of sophistication of the threat has changed. We all agree that we need to adapt fast to show our adversaries power through strength. … I am sure that the incoming administration will take a hard look at everything within the cyber realm to ensure maximum protection, efficiency, and lethality. We in Congress will do the same and I am confident we’ll see changes based on the level of threats we are faced with.”

Some close observers were also optimistic and excited that the assessment made it into the compromised version, despite the changes, especially given a similar proposal that passed the Senate last year was axed from the final bill.

The Cyber Force provision “was diluted — but I am glad it made it — and it remained independent,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, said. “I think DOD may come to regret this effort to weaken the study if the incoming Administration has any plans if its own with regard to an independent cyber service.”

The Record previously reported that DOD formally objected to the assessment proposal that came out of the Armed Services Committees earlier this year.

Some observers are also under the impression that the incoming Trump administration might be more inclined to back — or even direct — the creation of a Cyber Force, much like it did for the Space Force.

Others indicated that the legislation is overall a positive development.

“This legislation is a major step in the right direction,” said Dan Van Wagenen, co-founder and vice president of the Association of the United States Cyber Forces (AUSCF), a nonprofit dedicated to supporting the cyber warfighter. “After five years of debate and analysis, there is a growing consensus that the U.S. needs a dedicated Cyber Force to defend America in Cyberspace. While AUSCF would have liked to have seen the provision go further with the National Academies having a due date to report to the Congress, we are excited to see this critical first action necessary for the establishment of an independent US Cyber Force. It is our hope the incoming Congress and Administration continue to prioritize Cyber in 2025 and beyond.”

There is widespread agreement, however, that the current model needs to be refined, especially in light of advances in adversary capabilities and number of cyber forces.

“If there’s one thing history teachers us, it’s that the enemy gets a vote. Since U.S. Cyber Command was established about a decade and a half ago, our forces have adapted to the evolving operational environment,” Chris Cleary, national president of the Military Cyber Professionals Association (MCPA), a nonprofit dedicated to advocating for military cyber issues, said. “What the MCPA stands firm on is calling for the continued refinement to organizational constructs to better enable success in combat, conflict, and competition. We, as a nation, must continue investing in serious sober analysis of how to increase effectiveness in cyberspace … just like we do for other domains such as the land and sea. This is why we at the MCPA host critical dialogue on such topics. Our national strategic leadership may want incremental change, or something more bold. I’m excited to see what comes of a new study.”

The House passed the NDAA on Wednesday. It must also be passed by the Senate and signed by the president to become law.

The post Despite softened bill language, observers still optimistic about independent cyber force assessment appeared first on DefenseScoop.

Both houses of Congress passed nearly identical provisions in their respective versions of the fiscal 2025 National Defense Authorization Act earlier this year, and they were incorporated into the final conferenced bill that was reconciled between both chambers and released Saturday evening.

The House passed a similar provision last year that was axed during this conference process for the annual defense policy bill, effectively killing it until it was revived this year.

Despite some in the Biden administration and the Defense Department voicing opposition to a cyber service, there has been growing support in Congress and among interest groups. The provision calls for an independent assessment by the National Academies of Sciences, Engineering, and Medicine to “conduct an evaluation regarding the advisability of either establishing a separate Armed Force in the Department of Defense dedicated to operations in the cyber domain or refining and further evolving the current organizational approach for United States Cyber Command.”

The issue of creating a sixth military service that is focused solely on cyber operations, while not new, has gained steam over the last year as threats have grown, the landscape is becoming more dynamic and readiness issues have plagued the military services’ forces that they present to U.S. Cyber Command.

Each of the military services is responsible for providing personnel for a set number of teams to Cybercom, which then employs those forces in operations for the other geographic combatant commands. But detractors believe the services are too siloed in their approach, leading to incongruent models for presenting forces to Cybercom and forces maintaining their unique service identities, which leads to readiness issues, according to skeptics.

Cybercom and DOD owe their own set of studies back to Congress through previous legislative asks, after requesting more time to make their assessments and implementations.

Lawmakers have grown frustrated with how long this process has taken, and thus, have begun to take matters into their own hands, requesting independent assessments.

Members of Congress recognized in language accompanying the policy bill Saturday that agreeing on the optimal structure of cyber forces and operations “continues to be a work in progress,” but noted that an evaluation is more challenging when those forces are constantly engaged in demanding training and competition with the private sector for a limited worker pool.

“We believe that an independent, outside examination of these challenge may provide valuable insights to inform decision makers on future force design concepts,” the explanatory statement accompanying the bill states.

Congress is imploring the National Academies to take into account several analyses to include lessons from the creation of the Space Force in 2019. Members also acknowledge challenges with such a study with the National Academies given some might not have deep expertise in military cyber missions.

Lawmakers listed a series of areas they hope the National Academies cover, which include, among others:

• What is the optimal force size of qualified cyber professionals to satisfy existing and projected requirements of the Defense Department, and how are these variables most likely to change?
• Is the department’s current understanding and definition of cyber operations adequate to future challenges and opportunities?
• What options exist to improve training requirements, outputs, and programs in support of cyberspace operations?
• How could the DOD improve recruiting and retention of qualified officers and enlisted members of the armed forces in cyberspace operations and related and supporting fields?
• How might the department better utilize reserve component forces in support of cyberspace operations?
• What approaches could improve force readiness?
• How should the DOD structure itself for acquisition and provision of cyber capabilities in support of cyberspace operations?
• How could the department improve professional military education content and curricula focused on the cyber domain?
• Does increased optimization for cyberspace operations incur cost, risk, efficiency, or other tradeoffs to other missions and responsibilities of the DOD, or elsewhere within the national security community?

The bill now heads to the full House and Senate to be passed before going to the president to sign into law.

The post House and Senate defense committees agree on independent cyber force assessment appeared first on DefenseScoop.

Influence operations, ransomware attacks, and intrusions into critical infrastructure represent recent examples of the increasing threat malicious cyber actors pose to our national security. U.S. Cyber Command has responded to these threats by conducting operations continuously and building closer partnerships across the public and private sector to address these challenges. Recognizing the capacity and capabilities that military cyber forces bring to continuous campaigning against our adversaries, Cyber Command was granted new authorities. The command can now dictate training and certification standards for all of DOD’s cyber operations forces. Additionally, Congress authorized Cyber Command to exercise broader acquisition and budgeting powers this fiscal year. These authorities allow the command to manage and execute its own budget and run acquisition programs tailored to developing cyber capabilities in a rapidly changing environment.   

However, despite these successes and improvements in training and equipping the force, concerns remain over the command’s ability to field enough forces to meet the nation’s requirements. Simply put, some of the military services have not kept pace with providing Cyber Command with the personnel required for sustained mission success.   

The creation of a new cyber service to organize, man, train, and equip forces for Cyber Command is one option to address these shortfalls. This option utilizes the DOD’s traditional approach, tasking a service to perform these functions, and fits comfortably within the Pentagon’s established processes. Over time, such an approach may improve the manning levels at Cyber Command by creating an organization focused on recruitment, career development and the retention of cyber personnel. Cyber service cadre would also become the cyber experts inside the Pentagon, advocating for the department’s cyber needs.   

An alternative option is to let the command exercise its new budgeting, training and equipping powers while prioritizing DOD’s collective recruitment efforts to solve the cyber manning shortfalls across all services. Cyber Command needs to intensify its efforts and focus on synchronizing its direct engagement with existing service efforts on recruitment, career development, promotions, and retention of cyber personnel. Also, the department could mandate that the existing services provide specific, cyber force-manning levels at Cyber Command before they can retain cyber talent for their own service requirements. These steps could also improve manning levels at the command. Cyber Command has also already begun placing cyber exports inside the Pentagon to advocate for cyber requirements within the department.  

Either option is feasible, but what is the best course to ensure we meet the current and future cyber needs of the department and the nation? That answer requires an examination of the timing and funding costs, the risks to current operations, and of the unique aspects of the cyber domain.   

Establishing a cyber service will take years — with no guarantee of success — much longer than simply allowing Cyber Command to fully execute its new “service-like” authorities. Standing up a new military service involves lengthy bureaucratic processes and a significant transition period. In contrast, allowing the command to focus on working directly with the services regarding recruitment, training, promotions, and retention of personnel would improve manning more rapidly, enabling the command to address current and evolving cyber threats with the urgency they demand.

Further, establishing a new cyber service requires the reallocation of significant funds and manning/expertise from existing roles, weakening current warfighting capabilities at a time when the nation must maintain strong cyber capabilities to address election security, Chinese intrusions into our critical infrastructure, and Russian and Iranian malicious cyber actors’ actions against our nation and allies. The diversion of these resources from current warfighting operations to build a new Pentagon service staff, and with it a greater bureaucracy, seems like a poor tradeoff.  

Finally, unlike the other warfighting domains, in the cyber environment we are persistently engaged with our adversaries and these operations are fundamental to the success of all military actions, not just a way to enhance their operations. We must recognize and embrace the unique and ubiquitous nature of cyberspace, its inextricable link to departmentwide success, and the unique warfighting capabilities it can provide. This suggests a DOD-wide cyber-centric culture, not an individual service one. 

The development of our cyber forces must continue and keep pace with the capabilities of our adversaries. The fastest way to do this, with the lowest cost, and the ability to support our nation’s current security needs, is to accelerate the authorities Cyber Command possesses today, not create a service of the future. The stakes are too high in cyberspace and it is not the time to experiment with an idea that may not deliver solutions now or in the future.

Lt. Gen. Charlie “Tuna” Moore (Ret.) is a distinguished visiting professor at Vanderbilt University. He is a former U.S. Air Force fighter pilot and deputy commander of U.S. Cyber Command.

The post Now is not the time for a new cyber service appeared first on DefenseScoop.

A measure included in the Senate version of the National Defense Authorization Act last year was ultimately nixed from the final proposal during the conference process with the House, which didn’t have a similar provision in its bill.

However, the issue of creating a sixth military service that is focused solely on cyber operations, while not new, has gained steam over the last year as threats have grown, the landscape is becoming more dynamic and readiness issues have plagued the military services’ forces that they present to U.S. Cyber Command.

Each of the military services is responsible for providing personnel for a set number of teams to Cybercom, which then employs those forces in operations for the other geographic combatant commands. But detractors believe the services are too siloed in their approach, leading to incongruent models for presenting forces to Cybercom and forces maintaining their service identities, which leads to readiness issues, according to skeptics.

An amendment to the fiscal 2025 NDAA on the House side proposed by Rep. Morgan Luttrell, R-Texas, during its marathon markup May 22 directs an independent evaluation on the establishment of a U.S. Cyber Force to be conducted by the National Academies of Sciences, Engineering, and Medicine.

“I think the study is a great step forward and it kind of lays the groundwork for something. Or it could very well tell us we’re not ready yet,” Luttrell told DefenseScoop before the committee marked up the bill.

He also noted that he’s not opposed to other solutions, adding that he’s happy to engage with the DOD on possible alternatives to creating a Cyber Force.

Luttrell and other Republican co-sponsors believe the timing for this is now because the cyber risks are increasing and the current approach is too disjointed.

“[T]oday, each service generally builds cyber capacity in isolation. The forces are also supposed to be built to a single standard, but that intent or vision has never come to fruition, with dramatic disparities across the services. In fact, they don’t even align on the names of the career fields for personnel aligned to cyber operations. While seemingly minor, the consequences are significant,” Rep. Pat Fallon, R-Texas, wrote in a recent op-ed. “It’s critical we establish an independent military service aligned to cyberspace, responsible for the Title 10 functions of ‘Organize, Train, and Equip.’”

The Senate Armed Services Committee, which marked up its version of the NDAA this week, included a provision examining the prospect of an independent cyber force or service, according to committee staff. However, a summary of the bill, which passed the committee Thursday night by a vote of 22-3, did not offer any details.

The measures from both House and Senate Armed Services Committees must be passed by their respective chambers of Congress before going into conference where the two versions will be reconciled into a single bill. The full House passed its version on Friday.

Two of the leading outside groups on military cyber issues have applauded the efforts of Congress in exploring options to improve how DOD presents and employs cyber forces, to include the prospect of a new, independent military branch.

The Association of US Cyber Forces (AUSCF) “fully supports the creation of a Cyber Force to support our national security in cyberspace. The provisions of the NDAA calling for a study into this possibility are a step in the right direction, but we have been here before,” the nonprofit, which is dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, wrote in a statement to DefenseScoop. “This is not the first congressional call for such a study, though we do applaud the move to have it conducted by an entity outside the DOD. Our hope is that this study will unequivocally find what we all already know, that such a dedicated force is not only appropriate, but a vital need for our country if we ever hope to match and surpass our adversaries in this domain … This NDAA inclusion is a step in the right direction, though the time has come for us to build momentum and move towards action quickly following the results of the study.”

The organization, which has been advocating for the creation of a cyber force, is hopeful the assessments conducted outside the DOD will determine the potential for such a force to also exist outside of the department and its currently limited authorities. AUSCF has been advocating for a more holistic national defense force with the authorities to better protect the homeland from a defensive posture and conduct operations against outside actors.

“One thing is certain in the debate on whether or not there should be a bold reorganization to establish a new military service focused on the cyber domain of warfare, and that is there is deep disagreement among relevant stakeholders. However, there is wide consensus that an unbiased independent study to examine the potential value and feasibility of such a service is not only appropriate, but sorely needed,” Chris Cleary, national president of the Military Cyber Professionals Association, a nonprofit dedicated to advocating for military cyber issues, said in a statement to DefenseScoop. “To that end, and in pursuit of our mission and vision, the MCPA wholeheartedly supports the proposed study.”

Congress wants answers

Part of the congressional concern stems from the need for more information and data.

“Many members of Congress, myself included, feel we need better information to understand our current and projected cyber defense capabilities. That’s why this year’s House-passed NDAA has multiple efforts to achieve our shared goal of supporting our cyber professionals and systems,” Rep. Chrissy Houlahan, D-Penn., an Armed Services Committee member, said in a statement to DefenseScoop. “The truth is that the civilian and military cyber landscapes are changing rapidly, almost daily. Because cyber is an integral part of our national defense and needs to be supported with a robust workforce, it’s a matter of congressional concern.”

Congress has previously provided bill language requiring DOD to include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review. It has also more recently required a study, which among many aspects, called for an examination of the current cyber enterprise, requested a look at how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force and if the Pentagon should create a separate service. This effort is known as the Section 1533 study from the fiscal 2023 NDAA.

“The Section 1533 study was looking at all options to include the establishment of a separate service and hence a separate analysis — is it necessary — but we required the department to do the study … as part of the cyber posture review. It seems to me that DOD ignored that requirement and then pointed us to a section in the posture review that included an assessment, but if you look at that section, no such assessment existed,” Mike Gallagher, who until late April was the chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, said during an April hearing. “Why should we believe that the department will follow on with an objective analysis as part of the 1533 study, given that it was ignored previous to this?”

This so-called force structure assessment was due to the secretary of defense June 1.

The DOD has taken the approach of packaging the variety of studies Congress has required, to include 1533, and bundle them into an effort it dubs Cybercom 2.0, a holistic top-to-bottom review underway to examine how to reshape Cybercom’s organization and forces and ensure it’s best postured for the future and emerging threats.

Gen. Timothy Haugh, who became commander of Cybercom in February, said at the command’s legal conference April 9 that along with the newly established Office of the Assistant Secretary of Defense for Cyber Policy he must brief the secretary on the vision for the future of force generation this summer. Later that week, he told the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems that the command and ASD-Cyber are working on Section 1533 along with other efforts and owe a briefing of 1533 to the secretary of defense in June.

“There are a couple of things that Congress has already given us that is where we’re going to owe products,” he said at the conference, later telling lawmakers: “We owe that [force generation study] to the secretary in June and we are required to brief them in June [on] the results of that study, and we’re moving at pace to ensure that we look at all the options that you directed.”

Other elements Congress has asked DOD and Cybercom to study that are being folded into Cybercom 2.0 efforts include the optimal strategy for structuring and manning various headquarters elements.

According to a DOD spokesperson, the department tapped the RAND Corp. to study the issue.

“In response to Section 1533 of the FY23 NDAA, DOD commissioned an independent research study of U.S. cyber forces through the RAND Corporation, which generated insights concerning challenges and opportunities of force presentation and design, mission essential tasks, civilian-contractor-military mix, training pipelines, talent management, career progression, and pay,” they said. “The alternative models presented in the study have informed the Department’s understanding of current and potential future constructs of the cyber forces. The Department is currently exploring tradeoffs presented by the various models and is on track [to] meet the 1533 legislated timeline to present an implementation plan by June 2025.”

The HASC version of the NDAA for fiscal 2025 that passed in May included an amendment by Houlahan requiring the secretary of defense to submit the 1533 study, along with any supporting analyses that may have been conducted by any other entities, no later than Sept. 30.

As the law currently exists, the DOD owes congressional defense committees briefings at least once every 180 days on the progress of the section 1533 effort until receipt of the plan.

While many observers, including top officials, have acknowledged that the status quo is not working, detractors of an independent cyber force within DOD maintain now is not the time to shake things up.

The current model has not had enough time to prove itself, the argument goes. The command only just received enhanced, more service-like authorities with the passage of the fiscal 2024 appropriations bill earlier this year that provides enhanced budget authority, giving full budget ownership of cyber and direction of cyber forces to Cybercom.

The command modeled itself off U.S. Special Operations Command, a combatant command with unique service-like authorities.

Some outside experts believe the DOD is working to head off congressional direction for outsiders to study an independent cyber force.

“When they were trying to kill the independent assessment DOD suggested and they didn’t think it was needed, they implied the overdue 1533 report was right around the corner. I no longer think that’s true,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, told DefenseScoop. “One might consider that poor form to say ‘I don’t need that because I have this other thing coming,’ and the other thing is not really there.”

Montgomery, who also previously served as policy director for the Senate Armed Services Committee, gives the measure of an independent assessment a 50/50 chance of becoming law at best, even though it was included in both the HASC and SASC versions of the NDAA.

Despite Congress’ affinity for studies and assessments, the fact that the measure didn’t make it into the final bill last year and there are questions surrounding its passage this year, indicate DOD is working to prevent it, sources suggested.

“DOD is telling the senior congressional leadership an independent assessment is ‘not needed,’ very emphatically, repeatedly. DOD leadership is lobbying hard and working hard against this,” Montgomery said.

He acknowledged that if this was an easy fix it would’ve been done already, adding that the problem with continuing to do nothing is that it’s been the approach for 12 years.

“If we don’t do this assessment, we’re doing nothing because DOD is not changing. This force generation problem is getting worse every year and the Chinese are getting better every year,” he said. “DOD has had an open door with congressional leaders to get whatever they needed over the past decade and we ended up in this position.”

The post Assessment for independent cyber force passes House, Senate defense committee appeared first on DefenseScoop.

“America’s cyber force generation system is clearly broken. Fixing it demands nothing less than the establishment of an independent cyber service,” a report published Monday by the Foundation for Defense of Democracies states. “This research paints an alarming picture. The inefficient division of labor between the Army, Navy, Air Force, and Marine Corps prevents the generation of a cyber force ready to carry out its mission. Recruitment suffers because cyber operations are not a top priority for any of the services … The current system compounds these force-generation challenges. Each of the services has developed its own solutions, leading to both inconsistencies and shortcomings.”

The report’s authors — retired Rear Adm. Mark Montgomery, who is senior director of FDD’s Center on Cyber and Technology Innovation, and Erica Lonergan, an assistant professor in the School of International and Public Affairs at Columbia University — interviewed over 75 active duty and retired U.S. military officers with significant leadership and command experience within cyber. Both authors were members of the now-sunset Cyberspace Solarium Commission.

While not all interviewees believe the creation of a new service is the answer, “everyone agrees that the status quo is not sustainable, even if not everyone we interviewed agreed that necessarily that the solution is to establish an independent uniformed service for cyberspace,” Lonergan told reporters ahead of the report’s release.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands.

Proponents of an independent cyber service argue the cyber operators have no distinct identity — as they are still members of their respective services — as well as that there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different for the members of each service, and that command and control structures are confusing.

In one of the most pertinent and striking examples, Congress recently was forced to act in directing the Navy to create cyber-specific work roles as it was the only service to date that had not done so. Navy service members were rotating too frequently in and out of the cyber mission force creating continuity issues, forcing retraining, and ultimately, readiness issues.

Those cyber mission force teams — offensive and defensive — were initially designed to be joint from the outset, trained to the same standards so they could be interchangeable and operate alongside one another. But individual service intricacies have plagued that design, the report alleges.

“The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM … At root, the current readiness issue stems from the fact that none of the existing services prioritizes cyberspace,” it states. “Promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate servicemembers who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training.”

The report, as well as sources who detailed the issue to DefenseScoop previously, allege the services played “shell games” when it comes to staffing the team, oftentimes double counting personnel to make the teams look fully manned.

‘The status quo isn’t working’

There has been frustration among many outside the military that despite readiness shortfalls, not much to date has been done to address how forces are presented.

“This is also a concern that this poor force generation model is negatively impacting readiness. It’s preventing the cyber mission force from conducting operations or really from growing and expanding,” Montgomery told reporters. “We need to absolutely get better or we’re going to create a catastrophic condition where an adversary’s cyber capabilities either enable him to do something we can’t stop or him to stop us from doing something we need to do. I think we’re rapidly getting to that.”

The cyber mission force was conceived in 2012-2013 and began building then. At the time, it envisioned 133 teams. However, that force has remained steady until the fiscal 2022 budget that, for the first time, authorized growth for the cyber mission force approving 14 additional teams.

For Montgomery, the growth and maturation of the force has not been enough to keep pace with America’s adversaries.

“Over the last 14 years, one thing I can definitely say by the Chinese and Russians is their capacity has grown, and the idea that we’ve maintained the exact same level is really concerning. I think we’re there because we’re not able to get the maximum readiness out of that lower level, much less grow and expand it,” he said.

Each of the service chiefs has pledged to make cyber mission force readiness a top priority. However, Montgomery contends the services have completely failed thus far.

“It is definitely a criticism of [the] services. There’s no two ways about it,” he said.

Lonergan noted that there is beginning to be recognition that the current status quo is inefficient and changes must be made.

“The consensus is that the status quo isn’t working and I think I can say that that’s the consensus of our military leaders in cyberspace, too. That’s what’s driving this Cybercom 2.0 effort to do this kind of holistic, comprehensive review of Cybercom,” she said.

Cybercom 2.0 is a holistic top-to-bottom review underway by the command to examine how to reshape its organization and forces and ensure it’s best postured for the future and emerging threats. It’s meant to look at force presentation, force composition, acquisition and other improvements and changes as it evolves.  

Last year, Congress attempted to begin evaluating the prospect of creating an independent cyber service. However, efforts in both the House and Senate were struck from the annual defense policy bill, one of which would have required an independent body to study the merits of establishing a new force.

Advocates for a cyber force are pushing hard this year to ensure something makes it into legislation.

“We do not take lightly the many challenges still ahead in implementing the recommendation for creation of a dedicated Cyber Force, but AUSCF calls upon our nation’s Executive and Congressional leaders to act, through policy and legislation, to meet this call for what our nation so urgently needs in support of national security. The creation of a Cyber Force is a clear message, both to our adversaries and our own citizens, that freedom of action in the cyberspace domain, and protection of our critical infrastructure and sovereignty, are priority responsibilities that the United States takes seriously and will meet with the best our nation can provide,” the Association of US Cyber Forces (AUSCF), a nonprofit dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, said in a statement provided to DefenseScoop ahead of the release of the FDD report.

Opponents of an independent cyber service argue that now is not the time. The current model has not had enough time to prove itself, the argument goes. Moreover, Cybercom is on the precipice of inheriting significantly more authority. Through what’s known as enhanced budget authority, Cybercom is slated to gain more service-like authorities from full budget ownership of cyber and direction of cyber forces. That was supposed to culminate at the beginning of fiscal 2024.

Others note that the command modeled itself off U.S. Special Operations Command, a combatant command with unique service-like authorities. However, the report notes incongruencies between special operations forces and cyber forces.

“In the SOCOM model, each of the services provides the force employer — SOCOM — with expert personnel who possess skills suited to their particular domain. For instance, an Army Ranger trains for special operations on land, while Navy SEALs possess skills tailored to maritime special operations. Rangers and SEALs are not interchangeable. The Army cannot train SEALS, nor the Navy Rangers. Thus, SOCOM actually gains strength from this one-of-a-kind distributed force-generation model,” the report states. “However, there are no land, sea, or air-specific cyber functions that only particular services can provide.”

As was stated previously, the cyber mission force was designed to be joint from the outset and trained to the same standards so individuals could be interchanged from team to team, offense or defense.

Department of Army and Cyber?

The report’s authors were sure to explain they’re not necessarily wedded to what a cyber force could look like if the Department of Defense has ideas for it.

But it did recommend placing it within the Department of the Army, with Cybercom continuing to be the force employer. Montgomery believes the Army has done the best in cyber, relative to the other services, placing cyber in the hands of general officers. Additionally, the other military departments already have subordinate forces: the Space Force under the Department of the Air Force and the Marine Corps under the Department of the Navy.

“Standing up this new service would be relatively straightforward. Initially, the Cyber Force would encompass the billets that currently comprise the CMF: a 6,200-person mission group consisting of servicemembers, civilians, and contractors,” the report stated. “Beyond the CMF, the Cyber Force could also absorb a select number of billets for cyberspace operators that currently fall within the SOCOM enterprise. The Cyber Force could draw on lessons from the Space Force, which has encountered few issues filling its new roles even though it requires highly technical and skilled personnel.”

The authors were also sure to note the services should keep their organic cyber and IT personnel, meaning the new cyber force wouldn’t suck up all the cyber expertise, leaving the services with nothing.

Ultimately, having a single service — with a service secretary adhering to civilian control of the military — that can solely focus on providing forces for cyberspace operations will improve the readiness of cyber forces and retention, the authors contend.

Montgomery explained that if Cybercom needed to grow, it would be as simple as working with one service as opposed to four right now.

“Cyber Command [could] say, ‘Hey, I need to be 20 teams bigger, to do that I need an extra 1,000 operators.’ He could talk to the cyber force chief and the two of them would then go see the chairman and the Secretary of Defense … and make that argument and then it’d be properly sized,” he said. “I think it would make Cyber Command much more effective and agile. You have a more ready force and then an ability to grow the force. Right now, if he wants to grow the force, he’s got to convince each of the services.”

The post US must establish independent military cyber service to fix ‘alarming’ problems — report appeared first on DefenseScoop.

In the conference report for the reconciled version of the fiscal 2024 National Defense Authorization Act, legislators noted that they nixed a provision that was included in the Senate bill that would have directed the secretary of defense to enter into an agreement with the National Academy of Public Administration to conduct an evaluation regarding the advisability of establishing a separate military branch for digital warriors.

There has been a growing chorus in recent years arguing for the creation of a cyber service or cyber force, that would be the seventh uniformed military service following the creation of the Space Force in 2019.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands. But each branch has its own identity, culture, and way of classifying and providing forces to Cybercom — and observers have argued that this has been to the detriment of cyber warriors given they are soldiers or airmen or sailors first, with a secondary focus on cyber.

The argument for a new model is that the current system does not work. However, opponents of a new service say there hasn’t been enough time to allow the current system to prove itself — especially given Cybercom has only just gained full control over its budget in October with service-like authorities much like U.S. Special Operations Command.

Some outside organizations were upset to see the provision excluded from this year’s legislation.

“The exclusion of the Cyber Force study in the NDAA is beyond disappointing; it’s a deliberate impediment to progress in an area where it’s needed most,” Nathan Rolfe, president of the Association of US Cyber Forces (AUSCF), a nonprofit dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, said.

“With the cyber talent gap continuing to worsen nationwide, and traditional military thought still holding back the DOD from realizing its full manning and operational potential in the cyber domain, we cannot keep pace with the aggressive advancements of our major power peer competitors. This omission from the NDAA is not a delay; it represents backward momentum in terms of national security,” Rolfe added.

AUSCF has been advocating for the creation of a cyber force. The organization noted that while the Senate bill fell short of establishing a separate cyber force, a feasibility study would have been the first proactive step in safeguarding the nation’s security and an investment in the future resilience of U.S. digital infrastructure.

Additionally, the Military Cyber Professionals Association (MCPA), a nonprofit dedicated to advocating for military cyber issues, sent a memo in March to both houses of Congress urging the creation of a United States Cyber Force in this year’s annual defense policy bill.

“Given the serious consequences of both action and inaction, the MCPA looks forward to serious analysis of the options at hand to reorganize and establish a Cyber Corps, Force, Service, or the like. Studies should be conducted both internal to DOD, including those sponsored by DOD entities, and those independent that are unencumbered by the requirement to tow the current party line,” Chris Cleary, MCPA national president, said in a statement.

The Senate’s provision, introduced by Sen. Kirsten Gillibrand (D-N.Y.), that was stripped would have examined the best route forward between establishing a separate armed force dedicated to operations within cyberspace or refining and evolving the current approach for Cybercom, based on the Socom model.

Lawmakers have danced around the issue of an independent cyber service in years prior, mandating the Department of Defense include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review, as well as a separate examination of the current cyber enterprise; how the services should man, train and equip for cyber; if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force; and if the DOD should create a separate service.

Members of Congress have not been pleased with how the Pentagon has responded to these assessments and reports — and in some cases, not providing assessments — leading to calls for an independent study.

Moreover, in successive NDAAs Congress has sought to address concerns related to the readiness of the current cyber forces, to include a provision in this year’s bill to create a more standard approach to how the military services present forces.

The House version did not include a provision regarding a study, but had two provisions aimed at improving and examining the current structures. The first directed a review of DOD’s management of cyber operations, while the other directed the Pentagon to assess the resiliency of its cyber operators given personnel often work long hours and are always conducting operations in constant contact with adversaries in cyberspace — either defending DOD networks from daily enemy probes or carrying out offensive ops.

The review was included in the conference bill’s report language and the assessment was adopted by conferees.

The post Congress axes independent cyber force study appeared first on DefenseScoop.

“For people who think the cyber service is the answer to our current challenges in cyber personnel management, be careful what you wish for,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy, told reporters Friday at a Defense Writers Group meeting.

Some inside and outside government have been advocating for a separate cyber force or branch akin to the Army, Navy, Marine Corps, Air Force and Space Force.

Currently, each of the services are responsible for providing a set number of personnel and teams to U.S. Cyber Command through the joint cyber mission force.

Proponents of an independent cyber service argue the cyber operators have no distinct identity — as they are still members of their respective services — there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different for the members of each service, and the command-and-control structures are confusing.

Eoyang said the Pentagon is studying the issue, as part of congressional direction in last year’s defense policy bill, to examine the current cyber enterprise, look into how the services should man, train and equip for cyber, ponder if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force, and determine if the DOD should create a separate service.

Given congressional frustration that the department has not fulfilled that yet, the Senate Armed Services Committee has passed a provision in its annual defense policy bill for an independent assessment of creating a cyber service or cyber force. That still must be conferenced with members of the House and signed by the president to become law.

“We’re going to study the question and we’ve been directed to do that, as you know, we have this [National Defense Authorization Act section] 1533 study, which tells us to look at our model and current and alternate models. We’ll certainly look at the question. We already have an effort underway to do that,” Eoyang said.

One of the arguments for a cyber service is that it will allow a singular organization to be focused solely on the manning, training and equipping of cyber forces. But Eoyang said she isn’t sure that an independent service would solve those issues.

“A cyber service might have some benefits in ease of administrative management, but we have a variety of services in the military services in the Department of Defense who perform a variety of missions. Those missions are enabled by technologies that are particular to those mission sets. Having a cyber service that is divorced from those particular mission sets may pose some challenges in understanding the warfighting needs of the services to provide cyber to enable that fight,” she said.

“We need to understand what the pros and cons are. There are certainly challenges to managing a career field that spans multiple services. There are challenges to jointness … The question is, which set of problems are we willing to live with and taking a look at all these things to understand that better before we throw out what we have in favor of something else or decide actually what we have needs to be fixed or there’s something else completely,” she added.

Opponents of a cyber service have suggested there hasn’t been enough time to prove out the existing model. Cybercom is slated to gain enhanced budget authority in October pending a passed budget by Congress, which officials say will provide greater oversight of the services and teams to improve readiness.

The three officials nominated to lead the Army, Air Force and Navy were all asked about how they’ll seek to address readiness concerns of the cyber mission force during their confirmation hearings this summer. Each recognized problems and committed to addressing them.

The post Senior DOD official on creating an independent cyber service: ‘Be careful what you wish for’ appeared first on DefenseScoop.

According to a summary of the fiscal 2024 National Defense Authorization Act released by the committee, which it finalized yesterday, the provision directs “an independent assessment of creating a Cyber Force or further evolving the existing force development and management model.”

Committee personnel briefing reporters Friday noted there has been considerable discussion and proposals on the prospect of an independent cyber force or service both inside and outside the DOD. This assessment would be neutral and balanced and the suggestion is the DOD use the National Academy of Public Administration to do it.

The full bill’s language has not been released yet.

For over a decade, there have been rumblings that cyber needs its own service given its importance and high specialization. Within the past year, those rumblings have gotten louder with more outside groups and even members of Congress questioning military officials on the prospect of an independent cyber force.

This provision is one of the first real such salvos that opens the door to the possibility of an independent cyber service, which would be the seventh uniformed military service following the creation of the Space Force – which sits within the Department of the Air Force much like the Marine Corps sits inside the Department of the Navy – in 2019.

This provision also follows an item released by the House Armed Services Committee last week in the chairman’s mark that reflects the priorities of the committee’s chairman and includes input from other members directing the comptroller general to review the DOD’s management of cyber operations.

The reasoning behind last week’s item was to determine redundancies and duplication regarding how the services organize, train and equip the cyber warriors they present to Cybercom and, in some ways, was thought of as a companion to assessing the feasibility of an independent cyber service.

“There is a robust infrastructure within each service that establishes curriculums, funding profiles, manning rosters, upon which cyberspace operations are built. In practical terms, that means that there are four independent teams across the Army, Navy, Air Force, and Marines conceiving and implementing cyber training requirements,” a senior House Armed Services Committee aide told DefenseScoop at the time.

In prior years, lawmakers have danced around the issue of an independent cyber service, mandating the DOD include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review, as well as a separate examination of the current cyber enterprise; how the services should man, train and equip for cyber; if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force; and if the DOD should create a separate service.

Members of Congress have not been pleased with how DOD has responded to these assessments and reports — and in some cases, not providing assessments — leading to the need for an independent assessment.

The issue of an independent cyber service has started to gain steam recently given concern among former military personnel and Congress regarding readiness issues of the cyber mission force teams each service provides to U.S. Cyber Command to conduct cyber operations.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands. But each service has its own identity, culture, and way of classifying and providing forces to Cybercom with many arguing that this has been to the detriment of cyber warriors given they are soldiers or airmen or sailors first, with a focus on cyber second.

Such an approach has led to readiness shortfalls across the force, most notably within the Navy, given how it has historically approached its cyber force.

Opponents of a cyber force say the current model hasn’t had enough time to prove if it works or not. The cyber mission force was officially created in 2013 — three years after the creation of Cybercom itself — and only reached full operational capability in 2018. The DOD has also authorized growth for the cyber mission force in the next five years.

Moreover, Cybercom is set to inherit enhanced budget control in October, which will give it full financial oversight and ownership of capabilities, requirements and force structure.

The post Senate Armed Services Committee directs independent assessment for creating a Cyber Force appeared first on DefenseScoop.

As it currently stands, each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands.

Proponents of an independent cyber service argue the cyber operators have no distinct identity — as they are still members of their respective services — there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different for the members of each service and the command and control structures are confusing.

Those teams — both offensive and defensive — were initially designed to be joint from the very outset, trained to the same standards so they could be interchangeable and operate alongside one another.

“For over a decade, each service has taken their own approach to providing United States Cyber Command forces to employ and the predictable results remain inconsistent readiness and effectiveness,” says a March memo signed by the Military Cyber Professionals Association, a non-profit dedicated to advocating for military cyber issues, and sent to both congressional Armed Services Committees urging the creation of a United States Cyber Force in this year’s annual defense policy bill.

The memo notes that its thousands of members across the nation and comprise the broad military cyber community believe a cyber service is needed and inevitable.  

“Only a service, with all its trappings, can provide the level of focus needed to achieve the optimal results in their given domain. This is why we have a Navy, for example, that heavily invests in manning, training, and equipping to fight and win at sea. Cyberspace, being highly contested and increasingly, so, is the only domain of conflict without an aligned service. How much longer will our citizenry endure this unnecessary risk,” the memo continued.

There is too much at stake to continue going down the same path, others argue.

“The risk is that we will continue to build, plod along and probably survive to the superhuman effort above and beyond by individuals. We will not optimize our force generation for the really high-intensity fight we’re about to be in in cyber,” Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies and the director of the Cyberspace Solarium Commission 2.0, told DefenseScoop. “Your other two choices are a massively overburdened Cyber Command trying to do this, plus by the way also be NSA, or a very inconsistent performance from three services … A separate service will give you, when properly established and resourced, the agility, the platform to ask for resources and the focus to ensure that force generation is optimized for whatever Cyber Command demands for force employment.”

Montgomery noted it’s been almost a decade with the services performing the man, train and equip functions for Cybercom, but, he adds, they have not progressed appropriately for the threat.

“That 5,000-6,000 people that come from the services, they’re not being trained consistently, their readiness over the last half a decade has been flat despite increased attention … and some would argue that the readiness has been flat while the standards have been subtly lowered,” he said. “Really, that means you either have a flat or declining readiness in your national cyber mission forces.”

As the argument goes, each of the services has its own identity, culture, and way of classifying and providing forces to Cybercom. Many have argued that this has been to the detriment of cyber warriors given they are soldiers or airmen or sailors first, with a focus on cyber second.

Additionally, the readiness levels of the teams the services provide to Cybercom has ebbed and flowed over the years as the services have sought to address how they present forces. Most recently, the Navy has faced significant criticism based on the readiness of its teams. Congress has forced the Navy to create specific work roles for cyber officers and enlisted personnel as it was the only service that had not done so. Personnel, as a result, would cycle in and out of the cyber mission force.

Congress has danced around the issue while not explicitly demanding the creation of a cyber force. It asked the DOD to include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review. And in the most recent defense policy bill, Congress also asked for a study, which among many aspects, called for an examination of the current cyber enterprise, requested how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force and if the DOD should create a separate service.

The DOD did not include the assessment in the posture review, instead opting to include it in the report demanded by the fiscal 2023 policy bill, much to the chagrin of some members of Congress.

“It’s not the prerogative of the department to decide which part of the congressional mandate you get to comply with, or will answer it in a different report at a different time. We wanted that assessment in the cyber posture review. I would appreciate getting back to my team on why that didn’t happen, just so we can improve this process of reporting and answering going forward,” Rep. Mike Gallagher, R-Wisc., chairman of the House Armed Services Subcommittee on Cyber, Information Technologies and Innovation, said during a March hearing.

Other members were vocal, sounding the alarm bells and equating this current moment in time to the birth of the Air Force by Army Gen. Billy Mitchell, who was eventually court-martialed for his disruptive, forward-thinking criticism of the U.S. military’s investment in naval ships instead of aircraft.

“When you think about how inexpensive it is, relative to the potential impact and damage that cyber can do today, it harkens, for me, Billy Mitchell comes to mind. Gen. Billy Mitchell, who rang the alarm in the 1920s about the importance of air and got court-martialed for it because he saw the future. We can’t fight the war today, we got to fight the war tomorrow, prepare for that,” Rep. Patrick Fallon, R-Texas, said at the same hearing. “I strongly feel that we should be creating a seventh branch and making a cyber service … We have over $800 billion budget and $13.5 billion is going to cyber. Less than two percent. It’s one thing that I really want to ring the alarm bells and I think that’s something that we should be seriously considering.”

On the Senate side, one top cyber lawmaker is still undecided on the matter.

“I’m open to it, but I don’t have a bias either way on it right now. I just simply don’t have enough good data about what the future brings on this to determine that it’s necessarily a good idea to create an additional service branch specifically for this particular piece,” Sen. Mike Rounds, R-S.D., the ranking member on the Senate Armed Services Subcommittee on Cybersecurity, told DefenseScoop. “Whether or not we should have a separate branch for me is still up in the air. I don’t want to make a major change in something unless I know that there’s a really high degree of certainty that we improve our capabilities and not detract from our ability to respond right now in an immediate fashion when the need arises.”

He added that at a certain point, there needs to be some buy-in from the administration. The studies Congress has directed are a way of drawing the department’s attention to an issue that Congress might be frustrated with.

“It gauges interest in a way, but it also gives them a heads up that we perhaps are not happy with all the different branches in terms of what they’re delivering to the cyber forces today,” Rounds said, adding the issue will continue to be an item of discussion at hearings and in oversight.  

Congress still receives classified briefings on the issue, Rounds noted, explaining there are shortcomings in the current system, especially when it comes to the way some services conduct training and cycle their cyber forces in and out.

As a result, he said to expect changes in consolidating training to standardize it more across all the services.

What would an independent cyber service or cyber force look like?

One outside organization has been developing a broad proposal that not only articulates the vision for a new and separate cyber service but also establishes a new agency and U.S. Code to house a cyber force along with many other cyber functions of government.

The Association of U.S. Cyber Forces (AUSCF) – a nonprofit founded in 2019 with the number one desire being to create an independent cyber force due to frustrations with the current status quo – believes that there has not been enough investment in the information domain as a whole, which includes cyber. Along with all the other issues some see with the current structure of military cyber forces, AUSCF wants a more robust information posture, and creating an agency dedicated to that – which includes an independent military cyber force – gives the U.S. a better posture.

“The challenge that the U.S. must address, and quickly, is to provide the same level of prominence within the government on the Information domain” as others, according to an AUSCF whitepaper. “[S]pecific Departments have been established to support what historically have been the most effective elements of power for the U.S. Therefore it makes sense to institute a separate Department to manage and address the challenges within the Information sector of national security.”

To govern the activities of a separate department, AUSCF has been advocating for the creation of Title 55 in the U.S. Code to govern its activities. A separate military entity would still perform its warfighting functions under Title 10, the part of U.S. law that governs the armed forces, but Title 55 would provide the left and right limits of what those forces would do domestically.

Under current law, the military has very strict limits regarding operations it can conduct within the borders of the U.S. This new structure would help clarify that for the active, Guard and Reserve forces as well as establish a national cyber auxiliary that could aid in the broader defense of the nation, not just focusing on external actors. Title 55’s national auxiliary of volunteers could be deputized in the event of a national cyber emergency as no such thing exists in the cyber realm.

This would be a similar arrangement to the Coast Guard, which while a uniformed military service, it is housed within the Department of Homeland Security. As a result, it has unique law enforcement authorities that make it an effective tool for combating a raft of malicious activity in the physical and virtual domains.

While some may argue that there are current laws and policies on the books that govern these activities, AUSCF believes that various mechanisms such as Title 10, Title 32 (which governs the National Guard ), and Title 50 (which primarily governs intelligence matters), among others, all predate the digital age. It’s difficult to try to amend these into something that would fit congruently into the cyber domain, AUSCF says, equating it to fitting a round peg in a square hole.

According to materials AUSCF has presented to Congress advocating for a new construct, and briefed to DefenseScoop, an independent cyber service would do away with Cybercom, creating a standalone force that would provide personnel to the combatant commands, just like each of the services do now in their respective domains. The Army provides land forces to each geographic command, for example, the Air Force provides air forces, and the Navy provides naval forces.

For cyber, those set number of teams that each service currently provides to Cybercom are then employed for operations through what’s known as Joint Force Headquarters-Cyber, for particular combatant commands to conduct operations for. Each service cyber component commander is also the commander of a Joint Force Headquarters-Cyber team. JFHQ-C Army is responsible for Northern Command, Africa Command and Central Command, JFHQ-C Air Force is responsible for European Command, Space Command and Strategic Command, JFHQ-C Navy is responsible for Southern Command, Indo-Pacific Command and U.S. Forces Korea, and JFHQ-C Marines is responsible for Special Operations Command.

That whole structure goes away under AUSCF’s proposal, creating more streamlined command and control. But Cybercom would be used as the nucleus to carve out a service headquarters. Moreover, this new construct would decouple the NSA from Cybercom and cyber forces, returning it to a separate three-star command.

AUSCF believes the structure Congress created in 2019 when it established Space Force, in addition to Space Command, is redundant and thus it does not advocate for a cyber service and Cybercom to exist together.

For the Military Cyber Professionals Association’s part, its memo didn’t provide a legislative roadmap or recommendations. Rather, it offered that a thorough study be conducted to determine what the uniformed service should look like so as to not establish it too hastily and have the opposite effect it’s aiming to solve.

Montgomery said the Cyberspace Solarium Commission 2.0 is working on a study examining the pros and cons of establishing a new service.

He offered three potential options DOD has: continue on the current track, develop a system where the services just provide personnel to Cybercom with Cybercom performing the real man, train and equip function, or create an independent cyber service.

Montgomery noted the preferred method he’s advocating for is a separate cyber force along with a Cyber Command, similar to the Space Force and Space Command model.

Under this construct, the uniformed cyber service would provide the troops, training and equipment – along with the recruiting aspect – to Cybercom, who would then employ them.

“I’m telling you, readiness will increase, retention will increase,” Montgomery said.

The Cyberspace Solarium Commission is also examining something similar to the special operations construct, with a combatant command – Special Operations Command – that has certain service-like authorities and a service secretary-like office – the Assistant Secretary of Defense for Special Operations/Low-Intensity Conflict – over it that exists at the Pentagon.

Last year, Congress directed the creation of an assistant secretary of defense for cyber. However, the DOD has not nominated someone for the position yet. The department commissioned a study to determine what that office should look like and encompass.

“We’re going to look at all of them. There’s pros and cons to both, make a recommendation and then if we make a recommendation for the cyber force, go further down that recommendation, like, where do you cut the deck of cards, what’s cyber force, what’s service retained forces, that kind of stuff and how do you optimize it for success,” Montgomery said, adding it is expected to be completed in September.

Rounds posited on reevaluating the mix of uniformed and civilian personnel going forward.

“That’s something that I think has some really good possibilities, because you need cybersecurity experts in the private sector as well. If we can get folks that have a good background and then understand what our capabilities are with regard to our military capabilities and they are also then in as part of the private sector, if there’s a way to maintain that type of a reserve setup, that might very well provide additional interest in creating a separate cyber force that would be different than one of the current branches itself,” he said.

‘Now’s not the time’

Opponents of a cyber force argue that now is not the time because the current mechanisms haven’t had a chance to succeed or fail.

In 2007 when DOD was developing mechanisms to envision cyber as a warfighting domain, those in the offensive cyber organization precursor to Cybercom argued for a cyber service while Gen. Keith Alexander, the first commander of Cybercom, argued for a Socom-like model, wrote Michael Clark, director for cyber acquisition and technology at Cybercom, on LinkedIn in April.

“The SOCOM-like model was the right one then and remains so today,” he said.

Current Cybercom Commander Gen. Paul Nakasone, when asked by members of Congress as well as those in the general public about the prospect of a cyber service, has also harkened back to the Socom model saying that Cybercom has tried to emulate that.

“In my perspective, my experience, what we’re focused on is being able to do operations all the time. Being able to have a series of agile authorities like acquisition or personnel or force provision or training. Again, it comes back to what I have seen with Special Operations Command,” he said at the Cybercom legal conference in April. “They didn’t create a service for Special Operations Command. What they did is they focused on a command and providing it the necessary authorities to be agile and be speedy and be able to work across a series of different services, which I think is really important. That’s where I’m at with it in terms of looking at it.”

Montgomery noted that the services still provide service-unique special operations forces to Socom as opposed to the cyber mission force teams the services provide to Cybercom, which were designed to be joint, trained to the same standards and be interoperable together from inception.

“The services still have a [Navy] SEAL team training, [Army] Ranger training, [Air Force Special Operations Command] training, makes perfect sense,” he said. “Those forces aren’t the same as cyber forces because they are unique to their services. If you told me ‘Hey, we got to launch some special forces guys from a submarine 100 miles out to sea and go blow up a railhead,’ you don’t think to yourself, ‘Man, I want AFSOC helo pilots.’ You think to yourself, ‘Hey I want some SEALs,’ right?”

Clark argued that Cybercom, beginning in October, will just begin to function with its service-like authorities Congress granted them last year, known as enhanced budget authority.

“I accept that there are certain aspects of a Cyber Service that maybe attractive … but we’ve yet to prove that the SOCOM model won’t also be effective,” he wrote. “Before we start thinking about another organization, let’s give the current model the opportunity to prove itself with the [Cyber Mission Force] and then increase to include the [Cyber Operations Forces] in FY25. I’m absolutely confident the Command can succeed.”

Additionally, the Cyber Mission Force reached full operational capability five years ago with approved growth of its forces from 133 teams to 147 in the next couple of years.

Other officials want more studies done to determine the optimal outcome, especially given resources are scarce.

“Until there is really a study that looks at that, the kind of broad open question that hey, should we establish a cyber service without really articulating and studying, is it going to solve all of those problems or is it going to create additional problems, because at the end of the day, there aren’t a whole lot of additional resources out there,” Maj. Gen. William Hartman, commander of the Cyber National Mission Force, said at the Joint Service Academy Cybersecurity Summit in April.

Some worry about duplicating efforts across a cyber force and what the services will inevitably still need for their own internal cyber and IT needs.

“I think if you create a cyber force, you are going to have a duplicative force. The Army is still going to need cyber people to handle their cyber missions, the Navy is still going to have cyber things that are specifically for fleet defense that are not covered by Cybercom,” Vice Adm. Craig Clapperton, commander of Fleet Cyber Command/10th Fleet, said at the same conference. “You’re going to create a duplicative force and that force is not going to be optimized to meet neither the joint fight needs nor the needs of the individual services. I don’t think it’s the right time.”

Similarly, others have argued that they’re building to meet their own service needs, especially in the more tactical sphere.

“We are growing a significant amount of capacity within the Army and so my concern would be, first and foremost, how will we be able to conduct integrated [information operations], [electronic warfare] and cyber operations in support of the land component commander [if there’s a separate cyber force]? How are we going to do that with these forces and where does that cyber force extend to? Does it stay with the strategic CMF forces that we all represent here today or is it going to go extend down into the tactical, because I’m going to tell you, they’re building that in the Marines” too, Lt. Gen. Maria Barrett, commander of Army Cyber Command, said at the conference. “We’re focused on Army 2030 of laying in all of our capabilities and structure changes before that point. If we have to stop what we’re doing and reintegrate how we’re doing cyber, I think that’s going to be disruptive in this time, that’s not a lot of time. So, I’m no.”

Under the AUSCF-proposed model, the services would still maintain some of their service-retained cyber capabilities. Just like each service has an aviation component, they could still possess some type of cyber capability, especially for unique mission sets such as the Army’s cyber and electromagnetic activities concept, which is unique to land warfare. But in total, AUSCF is proposing around 85 percent of cyber forces and capability from the services migrate to a new uniformed force.

The post Many believe it’s time for an independent uniformed cyber service. Here’s what it could look like appeared first on DefenseScoop.