Cyber Archives | DefenseScoop
https://defensescoop.com/news/cyber/

Congress pushing Joint Task Force-Cyber, shaking up how DOD employs digital capabilities
https://defensescoop.com/2025/07/24/ndaa-fy26-joint-task-force-cyber-shake-up-how-dod-employs-digital-capabilities/
Thu, 24 Jul 2025 15:32:00 +0000

Similar provisions in House and Senate versions of NDAA legislation are asking for assessments that could alter how cyber capabilities are employed within geographic combatant commands.

The post Congress pushing Joint Task Force-Cyber, shaking up how DOD employs digital capabilities appeared first on DefenseScoop.

The House and Senate are pushing for a potential shakeup in how cyber operations and forces are synchronized and conducted in the Department of Defense.

The proposals are part of each chamber’s version of the annual defense policy bill, the National Defense Authorization Act for fiscal 2026.

According to the Senate Armed Services Committee’s version, DOD must conduct a study on force employment of cyber in support of combatant commands and evaluate establishing Joint Task Force-Cyber elements across those geographic combatant commands.

A proposal in the House, offered by Armed Services Subcommittee on Cyber, Innovative Technologies and Information Systems chairman Rep. Don Bacon, R-Neb., requires a similar evaluation, though focused specifically on the Indo-Pacific Command area of responsibility.

According to Bacon, the military is not properly organized for the current cyber conflict.

“Since becoming Chairman of the Subcommittee, I’ve grown increasingly concerned that we are not correctly organized for the cyber fight we find ourselves in today, let alone a more complex and consequential future fight. Our Cyber Command does great working national threats, but I want to ensure our Cyber team is postured right for a potential fight with China over Taiwan,” he said in a statement.

He said he plans to push for the establishment of a Joint Task Force-Cyber — not merely an evaluation — when both chambers of Congress convene to reconcile their bills.

“If we accept the reality that we are already in hostilities with our principal adversary in cyberspace, then there is no time to waste,” Bacon said.

Bacon also pointed to the fact that this is not a new issue. In the fiscal 2023 NDAA, Congress required the creation of a similar organization — a Joint Task Force — in Indo-Pacom to support joint operations in the kinetic space before conflict, because the military was not sufficiently acting jointly, in lawmakers’ view.

Sources indicated that construct has worked well so far and these proposals could mirror that on the non-kinetic side.

Moreover, a classified DOD Inspector General report that examined the effectiveness of Indo-Pacom and Cyber Command’s planning for offensive cyberspace operations and Cybercom’s execution of offensive cyberspace ops in support of Indo-Pacom’s plans, recommended the creation of a Joint Task Force-Cyber, according to someone familiar. That examination began in 2023.

Congress has in several previous NDAAs asked for studies and evaluations on how Cybercom’s headquarters elements are organized and how it employs cyber capabilities effectively. Sources indicated these proposals are likely, in part, an indication that lawmakers either aren’t pleased with the responses from the Defense Department or have seen a lack of response from DOD.

If realized, the creation of joint task forces for cyber at the combatant commands could potentially lead to a complete restructure for how operations are conducted, according to sources.

How cyber operations are conducted

Ultimately, these proposals could end up giving more oversight and control of cyber operations to the geographic combatant commanders.

Unlike the other domains of warfare, there still is no cyber component command at the geographic combatant commands. Each component command — land, air and maritime — is responsible for commanding and coordinating the forces under their domain on behalf of the four-star combatant commander, who has the ultimate authority on how and which forces are employed for particular operations.

Cyber, however, is different.

Since Cybercom established its cyber mission force over 10 years ago — the 147 teams that the services provide to Cybercom to conduct cyber operations — digital forces and capabilities are employed through what the command calls Joint Force Headquarters-Cyber.

These entities are commanded by the heads of the service cyber components and are assigned particular combatant commands to provide planning, targeting, intelligence, synchronization, and command and control of cyber capabilities.

Joint Force Headquarters-Cyber Army is responsible for Central Command, Africa Command and Northern Command. Joint Force Headquarters-Cyber Navy is responsible for Indo-Pacom, Southern Command and United States Forces Korea. Joint Force Headquarters-Cyber Air Force is responsible for European Command, Space Command and Transportation Command. Joint Force Headquarters-Cyber Marine Corps is responsible for Special Operations Command. DOD Cyber Defense Command, formerly Joint Force Headquarters-DOD Information Network, is the coordinating authority for Transportation Command.

None of these entities were designed to be identical.

Moreover, there is also the Cyber National Mission Force, a sub-unified command under Cybercom, which is responsible for defending the nation against significant digital threats and is thought to possess the most elite cyber operators. It is a global entity aligned in task forces assigned to different threat actors, which means they are also operating within the areas of responsibility for geographic combatant commands.

Given Cyber National Mission Force’s global mission, the commander of Cybercom can conduct operations in a particular theater based on his priorities and mission sets. While this may be coordinated with the regional commander, they don’t necessarily have to ask for permission, in what could be seen by the geographic combatant commander as infringing on their area of operations.

U.S. Cyber Command operators participate in Cyber Guard 25-2 exercise on June 3, 2025, at Fort George G. Meade, MD. The exercise, in coordination with the Joint Staff, simulates scenarios that test response protocols and defensive and offensive techniques across geographic areas of responsibility (Photo credit: U.S. Cyber Command).

The geographic combatant commanders don’t have as much control over cyber forces in their regions as they do for the physical or kinetic forces. The cyber teams are controlled by the JFHQ-Cs through Cybercom. Moreover, Cybercom has the ability to reorganize and realign forces as it sees fit against different priorities and threats, though this is usually done in consultation with the combatant commands.

Approvals for cyber operations for the regional commands flow through the commander of Cybercom, not the geographic combatant commands themselves, and that process includes interagency coordination.

Taken together, sources indicated these could all be seen as a loss of control for the geographic combatant commanders, who are responsible for running the operations in their regions and typically have oversight of their forces. Some have argued that the regional combatant commanders should have control and oversight of all the forces in their geography.

Sources indicated tensions exist in this construct with a regionally focused combatant command and a globally focused combatant command that has a high-demand, low-density asset in cyber.

“I think what you’re seeing is the tension that exists today between having Cybercom forces that really, at the end of the day, are controlled by the Cybercom commander in general support to the other Cocoms versus having that combatant commander have full control,” a former military cyber official told DefenseScoop.

Others indicated the creation of a joint task force is a natural evolution for the command and control of cyber forces.

Indo-Pacom, in particular, poses a unique challenge with all the cyber forces operating within its area of responsibility.

There are combat mission teams, coordinated by Joint Force Headquarters-Cyber Navy, that conduct cyber operations on behalf of combatant commands, mostly in the offensive sphere; Joint Task Force-Ares, run by Marine Corps Force Cyberspace Command, which initially was a counter-ISIS cyber task force but shifted four years ago to focus more on nation-states, particularly in the Pacific region; and teams from the Cyber National Mission Force.

For those reasons, the command and control of these forces must be under a single chain of command. Those forces could be packaged together and work for the Indo-Pacom commander, the former officials posited when discussing a potential future scenario, and then the Indo-Pacom commander would have full control over them, a departure from the situation today.

For Indo-Pacom, everything is on island, a second former military cyber official said, meaning where their Hawaii headquarters are located. Indo-Pacom wants everyone on island with them so capabilities can be better integrated, they added.

Experts and former officials noted that a Joint Task Force-Cyber structure would likely clean up command and control lines for the employment of cyber.

Those that spoke to DefenseScoop noted combatant commands could see this as enhancing simplicity and speed.

In a future conflict, decisions will have to be made at unprecedented speeds, as seen in the Ukraine-Russia war.

However, the global nature of cyberspace and actors could complicate such an arrangement where the regional commander has more control.

China, for example, is a global threat actor and taking control from Cybercom could lessen its ability to surge or act in other regions. If there is a global threat versus a regional threat, officials would have to figure out what takes priority, who makes the decision and who has the authority to re-direct cyber forces to address them, a third former military cyber official posited.

Questions and resource constraints

Experts raised several issues that should be addressed with the potential formulation of joint task forces for cyber at the combatant commands, posing questions that should be answered in an evaluation of their necessity or creation.

One concern is whether the assessment for the creation of a Joint Task Force-Cyber is fair when balanced against what Cybercom has been doing over the last couple of years.

Cybercom has continued to reevaluate how it conducts cyber operations over the years.

Discussions in recent years inside the command have also focused on creating task forces that would be assigned against particular threat actors. This would potentially allow cyber forces to transcend the geographic boundaries given cyber threat actors are global.  

The drafting of this legislation, however, signals that the current processes can be done better.

Would a new process create more hurdles or would it enable greater simplicity?

“You have to ask yourself with what we’ve designed today, is it simple … Simplicity, speed, precision, clarity, these kind of things are really important in a fast fight for C2. And you could offer that’s not necessarily the case with the current design,” the first former official said. “Is the juice worth the squeeze?”

The third former official noted it’s important to ask what problem this is trying to solve. What is this a joint task force to do? Is this an authorities issue, is it a cyber mission force capacity issue, or what are the combatant commands not getting that they need from Cybercom?

Some of these issues could be wargamed or worked out through table top exercises, they noted.

For many officials, an education gap still exists where combatant commands still don’t always know how to employ the JFHQ-Cs or what to ask for from Cybercom. Some of this is relationship and personality based and can differ based on each organization.

About eight years ago, Cybercom began to create planning cells — Cyber Operations-Integrated Planning Elements (CO-IPEs) — located within the staffs of the geographic combatant commands to help them with synchronization and planning given the JFHQ-Cs are at remote locations.

An aerial view of Joint Base Pearl Harbor-Hickam, where U.S. Indo-Pacific Command is headquartered. (U.S. Navy photo by Chief Mass Communication Specialist John M. Hageman/Released)

While the CO-IPEs were designed to assist in planning and understanding how to employ cyber operations, they still haven’t all matured effectively to provide all the necessary answers and planning requested.

According to the third former official, some of the geographic combatant commands are probably saying, “I just don’t have the authority.”

They pushed back on that assessment, noting if the combatant commands asked for something, they’d likely get it, but an educational issue on both sides of the problem exists.

Another model could be to bolster the CO-IPEs to mirror Special Operations Command’s theater special operations commands (TSOCs), which are small teams and are how special operations forces are employed in geographic combatant commands.

These entities can act as a connective tissue between seams in geographic regions and anticipate which threats may need more resources. They can provide command and control for running operations, if needed. CO-IPEs are currently only for planning and have no command and control functions.  

Another option could be to co-locate the cyber forces within the JTF within the combatant command. Currently, only the CO-IPE is embedded in the geographic combatant command staff. The JFHQ-C and cyber forces conducting the operations are at remote locations, not directly within the geographic combatant command they’re supporting.

But part of the challenge with the way the legislation is written is if Congress wants a Socom model, lawmakers would establish a TSOC equivalent for a Cybercom forward element or cyber element for forces in theater and not a Joint Task Force-Cyber, one of the former officials said. The reason that doesn’t exist today, they added, is the control is done in the rear of the CO-IPE and they conduct the integrated planning with the combatant command staff forward.

“I don’t think Cocom commanders are happy with that. I think they want the control,” the official suggested.

Other key questions surround resources. Oftentimes when there’s a new problem, organizations stand up a new headquarters, but nobody gets any more people, one of the former officials pointed out.

Of note, given each Joint Force Headquarters supports multiple combatant commands, in many cases officials within those organizations wear multiple hats. For example, a service cyber component might have an integrated operations staff that does everything for all their Joint Force Headquarters.

If each combatant command creates a Joint Task Force-Cyber and the Joint Force Headquarters go away — something that isn’t necessarily clear based on the legislation proposed — where do the new joint task force personnel come from? Are those staff that wore multiple hats ripped apart, some sources asked.

Setting priorities

One of the other aspects driving an assessment to create a new joint task force construct is the aim of placing more emphasis on the combatant command cyber forces and capabilities.

According to a congressional staffer, there was a sense that there was neglect for the combatant command-related cyber capabilities in favor of the Cyber National Mission Forces that defend the nation.

It comes down to prioritization and resources. The Cyber National Mission Force has a global mission and there is a lot of prioritization that goes to them, but that doesn’t mean the other teams aren’t working, former officials said.

With limited resources, what gets the focus? Are they things that are important to Cybercom or the geographic combatant commands, one former official asked, noting they could see a combatant command questioning whether Cybercom is doing things that are of the most interest to that combatant commander or working on things that are of less interest to them but of more interest to Cybercom, which are typically CNMF targets.

Hegseth calls on DOD CIO to protect tech supply chain from influence of China
https://defensescoop.com/2025/07/23/hegseth-dod-cio-cloud-tech-supply-chain-order-microsoft-china/
Wed, 23 Jul 2025 16:19:29 +0000

The order comes after an eye-opening investigation revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Secretary of Defense Pete Hegseth issued a directive late last week ordering the Pentagon’s chief information officer to take additional measures to ensure the department’s technology is protected from the influence of top adversaries.

The secretary’s order, signed Friday but first made public Tuesday, came after an eye-opening investigation by ProPublica revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Short on specific details, Hegseth’s order enlists the CIO — with the support of the department’s heads of acquisition and sustainment, intelligence and security, and research and engineering — to “take immediate actions to ensure to the maximum extent possible that all information technology capabilities, including cloud services, developed and procured for DoD are reviewed and validated as secure against supply chain attacks by adversaries such as China and Russia.”

Hegseth first referenced his order in a video posted to X on Friday, in which he said, “some tech companies have been using cheap Chinese labor to assist with DoD cloud services,” calling for a “two-week review” to make sure that isn’t happening anywhere else in the department’s tech supply chains.

The secretary, in both his video and the new memo, stopped short of calling out Microsoft specifically. However, a spokesperson for the company has since stated publicly that it has made changes to “assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.”

“This is obviously unacceptable, especially in today’s digital threat environment,” Hegseth said in the Friday video, claiming that the system at the center of the incident is “a legacy system created over a decade ago during the Obama administration.”

He added: “We have to ensure the digital systems that we use here at the Defense Department are ironclad and impenetrable, and that’s why today I’m announcing that China will no longer have any involvement whatsoever in our cloud services.”

The memo itself calls on the department to “fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated and determine what, if any, additional actions may be required to address these risks.” Specifically, it cites the Cybersecurity Maturity Model Certification (CMMC) — the final rule for which, as of Wednesday, is undergoing regulatory review with the Office of Management and Budget — acting CIO Katie Arrington’s new Software Fast Track program, and the FedRAMP process as existing efforts the Pentagon CIO should rely on to ensure the department’s tech is secure.

Within 15 days of the order’s signing, DOD’s Office of the CIO must issue additional implementing guidance on the matter, led by department CISO Dave McKeown.

On top of that, it taps the undersecretary of defense for intelligence and security to “review and validate personnel security practices and insider threat programs of the DIB and cloud service providers to the maximum extent possible.”

Senate bill calls for tighter reserve component inclusion in cyber mission force
https://defensescoop.com/2025/07/16/senate-fy26-ndaa-bill-reserve-component-inclusion-cyber-mission-force/
Wed, 16 Jul 2025 20:58:43 +0000

The Senate Armed Services Committee's version of the fiscal 2026 National Defense Authorization Act calls for a report to examine how DOD can improve inclusion of reserve forces in the cyber mission force.

The Senate Armed Services Committee wants a plan for how the Department of Defense can integrate reserve components into its active cyber forces.

The language appears in the SASC-passed version of the annual defense policy bill for fiscal 2026. While the committee approved the legislation last week, the full text was only released Wednesday.

Specifically, if it becomes law, the legislation would require a report from the Pentagon on the integration of reserve components, namely the National Guard, into the cyber mission force. It would also mandate an implementation plan.

The cyber mission force is comprised of 147 teams — including offensive, defensive and support teams — that the military services provide to U.S. Cyber Command to employ for operations.

Guard units have been used to support or supplement active units in various capacities. In fact, at the outset and creation of the cyber mission force nearly 15 years ago, the Air Force decided to initially take a total force approach to build its contribution, meaning its teams were made up of a mix of active component and Guard members.

Other assistance, most notably, includes Task Force Echo, the biggest Guard cyber mobilization to date with soldiers from 32 states having supported it over a number of years.

Little public information is known about the task force other than it aids full-spectrum cyber operations for Cybercom’s Cyber National Mission Force. While not so-called “trigger pullers,” sources have also indicated the task force provides infrastructure support.

The Guard has also conducted experiments with Cybercom in years past to test what was called the Cyber 9-Line, a tool that allows participating Guard units from their respective states to quickly share incidents with the Cyber National Mission Force, which can provide analysis of discovered malware and offer feedback to the states to help redress the incident, while also potentially taking action against the threat outside U.S. borders.

The Senate Armed Services Committee’s fiscal 2026 policy bill would require a report that provides an assessment of different authorities in each status of the reserve components, with particular focus on the National Guard and authorities under title 32, and how the DOD can use those personnel in such statuses within the cyber mission force.

It should also include an analysis of current and planned efforts to work with the military departments, the National Guard and the adjutants general of each state to develop unique cyber capabilities that address identified operational requirements — and a description of methods to work with those entities to track and identify key skills and competencies that aren’t part of primary military occupational specialties.

Moreover, senators want to see an evaluation of what types of authorities would be most beneficial to maximize the activation and support of the reserve components to cyber operations as well as an evaluation of the existing barriers to or impediments for integration of the reserve components into the cyber mission force.

The Guard has been lauded as an under-tapped and potentially vital resource for the nation in cyberspace. Many of its members work in cybersecurity as their full-time jobs when they’re not in uniform, meaning they oftentimes possess unique skills not always found in the active component.

There have been big pushes in recent years to more tightly integrate these Guard and Reserve forces into the larger DOD cyber enterprise to be able to act as surge capability in the event of a major cyber incident against the nation.

Legislation has also been introduced previously to help clear hurdles — real or perceived — to allow the Guard to respond to cyber threats.

Transcom cyber officials moving to be ‘a lot more active’ in information operations
https://defensescoop.com/2025/07/15/transportation-command-transcom-cyber-information-operations/
Tue, 15 Jul 2025 21:35:31 +0000

During an exclusive tour of the command’s headquarters at Scott Air Force Base, officials shared new details regarding ongoing efforts to fuse information operations with cyber operations in Transcom’s non-kinetic arsenal.

SCOTT AIR FORCE BASE, Ill. — Cyber officials are working to strategically integrate defensive, offensive and information operations as part of a broader campaign to enhance U.S. Transportation Command’s capacity to detect and respond to contemporary digital threats.

“It’s about bringing all of those traditionally stovepiped elements together — and employing them at different times and in new and innovative ways,” Col. Michael McFeeters, chief of Transcom’s special activities division, told DefenseScoop last week.

During an exclusive tour of the command’s headquarters at Scott Air Force Base, Illinois, he and other officials shared new details regarding ongoing efforts to fuse information operations with cyber operations in Transcom’s non-kinetic arsenal, and some of the latest trends they are observing from U.S. adversaries in cyberspace.  

“A lot of this is intel-driven to wherever the threats are. And what threats are we talking about? Are we worried about China, Iran, Russia? Because they’re very, very different in how they conduct themselves and how they execute operations to contest logistics or the battle space that we’re trying to operate in through. So, you know, we have to … think differently based on whatever adversary where we’ll go up against,” McFeeters explained.

Transcom is a functional combatant command charged with executing global logistics and the transport of personnel and equipment for the Department of Defense and its components. 

The command relies heavily on data, digital systems and commercial partners to meet its mission, all of which requires significant cybersecurity protections.

“We’ve tried to change the way we do cyber operations. In the past, Transcom really focused on just the stuff that we own and operate. But the joint deployment distribution enterprise is a global enterprise,” said Patrick Grimsley, director of Transcom’s J6 command, control, communications and cyber systems directorate.

Over the last few years, command officials have expanded operations and been moving to better ensure they can present senior decision-makers with the greatest understanding of existing and emerging cyber risks — beyond the elements they operate within the DOD Cyber Defense Command (formerly known as the Joint Force Headquarters-DOD Information Network, or JFHQ-DODIN). 

“We’re also becoming a lot more active in information operations. So not just looking at cyber in and of itself, but it’s really cyber is part of the non-kinetic portfolio. So how do we fight through or combat some of the threats that are coming at us, again, outside the things that just Transcom controls? And how do we integrate and work with the other combatant commands to do that, too?” McFeeters said.

“I’d say the majority of what Transcom does is defensive cyber operations. And this is part of thinking in a new way [about] how we leverage the IO side of that to help execute Transcom’s mission,” he added.

Information operations involve the employment of capabilities to influence adversaries’ decision-making and protect friendly forces.

“[U.S.] adversaries, they’re all out there — and their focuses are very different. Like, Russia is still focused right now on being able to understand and predict when aid and munitions are crossing the border to get into Ukraine, so they can interdict it before they actually get into the hands of the fighters … who can then employ those. China — completely different. China is just trying to get into everything [in cyberspace]. They’re not facing that same existential threat that Russia is. So, they’re playing more of a wait-and-see, and let’s get in there and have effects ready to shut down systems or critical infrastructure,” McFeeters told DefenseScoop.

DOD leadership expects all military and civilian components to follow its zero-trust cybersecurity framework to protect critical national security data and information. As its name suggests, the zero-trust concept presumes all networks are compromised from the get-go.

“You won’t always be able to keep the bad guys out of everything, right? You have to assume they’re there. But I would say that’s where, by bringing together those non-kinetic disciplines becomes important, [for] intelligence and awareness. For instance, if the bad guys get into one of our systems and we know they’re there, we may not want to kick them out. We may want to take advantage of that,” McFeeters said. “And as long as we know where they’re at and we’re confident they have not laterally maneuvered in that space, we may intentionally start putting stuff into that system so they will see or think something that is not reality.”

When asked for an example, he pointed to a scheduling system Transcom might rely on to coordinate deliveries.

“We may put false schedules in there, right? So that if an adversary is watching and they think something is going to go out of a certain place at a certain time, carrying certain goods, that may not be the case. We have done that in the real world before. We will do that again,” McFeeters said.

Senate Armed Services Committee wants DOD to explore ‘tactical’ cyber employment
https://defensescoop.com/2025/07/11/senate-armed-services-committee-2026-ndaa-dod-tactical-cyber-employment/
Fri, 11 Jul 2025 17:33:41 +0000

A provision in the SASC version of the annual defense policy bill would direct a review of future force employment concepts for cyber operations.

The post Senate Armed Services Committee wants DOD to explore ‘tactical’ cyber employment appeared first on DefenseScoop.

The Senate Armed Services Committee wants the Department of Defense to examine its use of cyber power beyond the forces of U.S. Cyber Command.

A provision in the committee’s version of the annual defense policy bill, of which an executive summary was released Friday, would require the secretary of defense to review future force employment concepts for cyber operations. The full text of the bill has yet to be released.

Senior congressional officials who briefed reporters Friday pointed to the fact that to date, cyber operations and forces have largely been focused on the strategic level. More and more, there are other avenues to conduct digital actions, officials said, to include tactical cyber.

In fact, the DOD updated its cyber doctrine at the end of 2022 to include for the first time a definition of what it called “expeditionary cyberspace operations,” defined as “[c]yberspace operations that require the deployment of cyberspace forces within the physical domains.”

That recognition was significant given authorities to conduct cyber operations were held at the highest levels of government for many years due to fears that such activities could have unintended consequences or spread into networks beyond the intended targets.

Cybercom owns the offensive cyber capabilities within DOD, and the services conduct offensive cyber operations through Cybercom and the cyber mission forces that each service provides to the command. Those forces operate from static, remote locations and are mostly focused on IP-based networks.

However, increasingly, there are targets that either aren’t reachable through IP networks or for which remote access might not be possible. And as DOD has matured its cyber policies, doctrine and capabilities, the reins have begun to loosen up.

Certain factions have sought to use more proximal effects conducted through radio-frequency, which require fewer levels of approval to conduct operations at the very tactical level.  

Several of the services have begun investing in capabilities and forces for their own offensive activities. However, that is mostly in the blended electronic warfare or RF-enabled sphere at the tactical level.

While individual services have started developing and even deploying such forces, all cyber operations must still be connected through Cybercom.

For example, the Army created the 11th Cyber Battalion — which stemmed from the 915th Cyber Warfare Battalion before it — a unit that provides tactical, on-the-ground cyber operations (mostly through RF effects), electronic warfare and information ops. It consists of four companies with over 300 personnel total and five expeditionary cyber teams, which are scalable formations designed to augment units upon request. The Army was recently approved to create another unit called the 12th Cyber Battalion.

The Air Force in the last year or so has developed a concept called Cyber Enabled Air Superiority (CEAS), which aims to use organic Air Force cyber assets to protect its critical missions, such as safeguarding fighter jets from cyberattacks. While the concept is still emerging, the Air Force re-missioned a National Guard unit to initially take charge of the effort.

The Navy has been building what it calls non-kinetic effects teams that are afloat assets to provide cyber, electronic warfare and other similar capabilities for commanders at sea.

The Marine Corps has developed information units for its Marine Expeditionary Forces that include cyber, intelligence, EW and information-related capabilities.

Cybercom has recognized these capabilities, and command officials have begun exploring ways to utilize them, especially as they can serve as entry points for its high-end operators to access hard-to-reach networks that might not be connected to the internet.

These efforts also fit into the concept of the modern triad, which consists of combining the capabilities of space, cyber and special operations forces to create military packages greater than the sum of their parts. SOF are located in some of the hardest places on earth, giving them the opportunity to get close to targets and potentially providing access and entry points for cyber effects.

Given this growth in the concept, the Senate Armed Services Committee also wants the review to encompass the types of personnel DOD will require to conduct cyber operations of all kinds in the future. To date, that has only really included the cyber mission force. As referenced, this could include a much larger pool across the conventional and even special operations forces beyond the Cybercom enterprise.

The summary of the policy bill states the review would include an assessment of personnel policies that could be needed to support any such evolving cyber force, though committee officials clarified this has nothing to do with discussions surrounding the potential creation of a separate and distinct service, or Cyber Force.

“We have focused a lot of this around how we man, train and equip for very exquisite cyber mission forces. There is a bigger pool of people out there,” an official said. “How are we going to employ that full scope of people and how do we need to adjust the personnel policies to be able to keep that flow of people?”

Senate panel pushing DOD on strategy to deter Chinese cyber activity on critical infrastructure https://defensescoop.com/2025/07/11/senate-2026-ndaa-strategy-deter-chinese-cyber-activity-critical-infrastructure/ https://defensescoop.com/2025/07/11/senate-2026-ndaa-strategy-deter-chinese-cyber-activity-critical-infrastructure/#respond Fri, 11 Jul 2025 16:33:33 +0000 https://defensescoop.com/?p=115792 The Senate Armed Services Committee released a summary of its draft of the fiscal 2026 NDAA.

The post Senate panel pushing DOD on strategy to deter Chinese cyber activity on critical infrastructure appeared first on DefenseScoop.

The Senate Armed Services Committee is proposing legislation that would require the Department of Defense to develop a deterrence strategy against cyber activity on critical infrastructure.

The provision is part of the annual defense policy bill. The committee released a summary Friday, although the full text of the legislation won’t be released until a later date.

The executive summary of the bill only offers that a provision mandates “a strategy to reestablish a credible deterrence against cyberattacks targeting American critical infrastructure using the full spectrum of military operations.”

A senior congressional official who briefed reporters Friday on the condition of anonymity described the provision as trying to identify a full scope using various methods and full spectrum options to more critically deter adversaries, particularly China, from conducting attacks on critical infrastructure, especially defense critical infrastructure.

An official noted the provision directs DOD toward what the department needs to be doing to more effectively establish a deterrent. Officials in open testimony have indicated a clear concern that Beijing, in particular, continues to attack critical infrastructure.

They singled out Volt and Salt Typhoon by name, noting they’re a growing and more aggressive threat in cyberspace to utilities and critical infrastructure that supports DOD.

Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

China has become more brazen in intrusions and probes into U.S. and defense networks, particularly in maritime or port environments to potentially limit an American military mobilization response if Chinese leaders decide to invade Taiwan.

Guam, a key U.S. military outpost, has been a top target for Beijing in recent years. Chinese hackers targeted critical infrastructure there, burrowing deep inside a couple of years ago and startling experts who referred to it as one of the largest cyber espionage campaigns against America.  

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

Salt Typhoon, by contrast, has been found inside networks of telecoms and other companies, likely for the purpose of espionage.

Cyber deterrence has been an elusive policy point for many years. While some academics have pointed to evidence cyber deterrence exists, such as U.S. hesitance to hit back against Russia following its malicious activity in the 2016 election for fear of America’s great digital vulnerability, current and past officials have noted the difficulties of deterrence and how adversaries don’t fear the United States in cyberspace.

Senators recently pressed the Trump administration’s nominee to be the top cyber policy official at DOD on the subject.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” Sen. Angus King, I-Maine, a fierce critic of perceived weaknesses in cyber deterrence, said at the May hearing.

For her part, Katie Sutton, President Donald Trump’s nominee to be assistant secretary of defense for cyber policy, wrote to senators as part of her confirmation process that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote.

While Salt Typhoon was considered traditional espionage activity, which is virtually impossible to deter, especially given the United States does the same thing, officials are hoping to deter activity like Volt Typhoon in the future.

As Trump was coming back into power for his second term, officials associated with the transition and new administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.

GOP domestic policy bill includes hundreds of millions for military cyber https://cyberscoop.com/gop-domestic-policy-bill-includes-hundreds-of-millions-for-military-cyber/ https://cyberscoop.com/gop-domestic-policy-bill-includes-hundreds-of-millions-for-military-cyber/#respond Mon, 07 Jul 2025 15:16:23 +0000 https://defensescoop.com/?p=115461 Democrats have critiqued the bill for not protecting funds for the Cybersecurity and Infrastructure Security Agency.

The post GOP domestic policy bill includes hundreds of millions for military cyber appeared first on DefenseScoop.

The tax and spending bill Congress sent to President Donald Trump and that he signed into law over the holiday weekend contains hundreds of millions of dollars for cybersecurity, with a heavy emphasis on military-related spending.

The biggest single pot of money under the “One Big Beautiful Bill” would be for Cyber Command, a $250 million allocation for “artificial intelligence lines of effort.” Another $20 million would go to cybersecurity programs at the Defense Advanced Research Projects Agency.

The U.S. Indo-Pacific Command — which counts among its geographical areas of responsibility territorial waters for cyber adversaries in Russia, China and North Korea — would get $1 million for cyber offensive operations. Cyber offense was something the second Trump administration emphasized when coming into office.

A $90 million pool of funds for several purposes at the Defense Department would include “cybersecurity support for non-traditional contractors.”

A broader set of funds at the Coast Guard would allow some funds to be spent on cyber there. A $2.2 billion allocation for maintenance includes upkeep of “cyber assets.” A $170 million allocation for “maritime domain awareness” includes “the cyber domain.”

The lone non-military mention of money that can be spent on cyber comes via the $10 billion-per-year Rural Health Transformation Program, a state grants program meant to counter the legislation’s Medicaid funding cuts that the National Rural Health Association says falls short of doing so.

Grants can be devoted to, among other things, “cybersecurity capability development.”

Earlier in the process, when House committees were assembling their sections of the bill, Democrats took issue with a lack of funds for the Cybersecurity and Infrastructure Security Agency.

“On the matter of cybersecurity, once again, Republicans say one thing [and] do another. Despite the Chairman’s pronouncement that the 119th Congress would be devoted to improving the Nation’s cybersecurity, there is not one penny in the Homeland Security Committee’s reconciliation title devoted to the issue,” the Democratic critique reads.

“This tone-deaf reconciliation package ignores serious threats facing the Nation — including cyber threats from Russia, China and its typhoon campaign, Iran, and cyber criminals — while turning a blind eye to the administration’s reckless dismantling of America’s cybersecurity agency,” the critique continues. “From election security, to threat hunting, to security by design, the Trump administration is gutting the core services CISA offers governments and the private sector alike, and Committee Republicans do not care.”

Cyber Command creates new AI program in fiscal 2026 budget https://defensescoop.com/2025/07/07/cyber-command-fy26-budget-request-new-ai-program/ https://defensescoop.com/2025/07/07/cyber-command-fy26-budget-request-new-ai-program/#respond Mon, 07 Jul 2025 14:36:38 +0000 https://defensescoop.com/?p=115443 The funding follows a push from Congress for Cybercom to develop an AI roadmap.

The post Cyber Command creates new AI program in fiscal 2026 budget appeared first on DefenseScoop.

U.S. Cyber Command’s budget request for fiscal 2026 includes funding to begin a new project specifically for artificial intelligence.

While the budget proposal would allot just $5 million for the effort — a small portion of Cybercom’s $1.3 billion research and development spending plan — the stand-up of the program follows congressional direction to prod the command to develop an AI roadmap.

In the fiscal 2023 defense policy bill, Congress charged Cybercom and the Department of Defense chief information officer — in coordination with the chief digital and artificial intelligence officer, director of the Defense Advanced Research Projects Agency, director of the National Security Agency and the undersecretary of defense for research and engineering — to jointly develop a five-year guide and implementation plan for rapidly adopting and acquiring AI systems, applications, supporting data and data management processes for cyber operations forces.

Cybercom created its roadmap shortly thereafter along with an AI task force.

The new project within Cybercom’s R&D budget aims to develop core data standards in order to curate and tag collected data that meet those standards to effectively integrate data into AI and machine learning solutions while more efficiently developing artificial intelligence capabilities to meet operational needs.

The effort is directly related to the task of furthering the roadmap.

As a result of that roadmap, the command decided to house its task force within its elite Cyber National Mission Force.  

The command created the program by pulling funds from its operations and maintenance budget and moving them to the R&D budget from fiscal 2025 to fiscal 2026.

The command outlined five categories of various AI applications across its enterprise and other organizations, including vulnerabilities and exploits; network security, monitoring, and visualization; modeling and predictive analytics; persona and identity; and infrastructure and transport.

Specifically, the command’s AI project, Artificial Intelligence for Cyberspace Operations, will aim to develop and conduct pilots while investing in infrastructure to leverage commercial AI capabilities. The command’s Cyber Immersion Laboratory will develop, test and evaluate cyber capabilities and perform operational assessments performed by third parties, the budget documents state.

In fiscal 2026, the command plans to spend the $5 million to support the CNMF in piloting AI technologies through an agile 90-day pilot cycle, according to the documents, which will ensure quick success or failure. That fast-paced methodology allows the CNMF to quickly test and validate solutions against operational use cases with flexibility to adapt to evolving cyber threats.

The CNMF will also look to explore ways to improve threat detection, automate data analysis, and enhance decision-making processes in cyber operations, according to budget documents.

Cyber Command significantly increases funding request for defense in Indo-Pacific region https://defensescoop.com/2025/07/01/cyber-command-2026-budget-request-increase-funding-indo-pacific-defense/ https://defensescoop.com/2025/07/01/cyber-command-2026-budget-request-increase-funding-indo-pacific-defense/#respond Tue, 01 Jul 2025 17:06:57 +0000 https://defensescoop.com/?p=115191 The command has requested significantly more funds to support cyber defense in the Pacific region and the Pacific Deterrence Initiative.

The post Cyber Command significantly increases funding request for defense in Indo-Pacific region appeared first on DefenseScoop.

U.S. Cyber Command is requesting a hefty increase of funds compared to previous plans to support Indo-Pacific Command’s network sensing and defense, data feeds and analytic resources, among other capabilities, according to newly released fiscal 2026 budget documents.

The command’s research-and-development budget proposal includes $117.2 million under a portfolio called “Data and Sensors.” In last year’s budget release, the command anticipated spending just $20.8 million in FY26 in the future years defense program for that same portfolio. The fiscal 2025 request for the portfolio was $21 million.

According to budget justification documents, the increased funding would go toward cyber mission monitoring capabilities for the Department of Defense Information Network and expand operational technology asset installation at other Indo-Pacom defense critical infrastructure networks and systems. Moreover, the budget activity continues whole-of-government collaboration and coordination for sensor deployment, data sharing and lessons learned, and includes an expanded submarine cable landing monitoring capability, sensor placement in key networks and maintenance of automated alert capabilities to operators.

The documents also note that beginning in fiscal 2024 the DOD added funds within the portfolio for Indo-Pacom’s regional component of the National Defense Strategy to maintain and restore a comparative military advantage. Cybercom added resources and manpower to support the maturation and fielding of monitoring capabilities to hunt and trap adversaries across the DODIN’s priority edge devices and procure new hardware.

The portfolio’s enhanced sensing efforts are part of the larger Pacific Deterrence Initiative, a key effort to provide funding carveouts for Indo-Pacom to bolster its posture relative to China, and expand low-level network sensing and defense for key networks in the region, the documents state.

More specifically, the enhanced sensing investments in Cybercom’s budget request portfolio include support for specialized Indo-Pacom Low-Level Network Sensing and Defense capability, data feed, analytic resources and increased efforts to discover and characterize adversary networks — all of which are necessary to maintain or restore comparative military advantage and reduce risk of contingency plans in support of U.S. national security interests, according to the documents.

The investments have already supported the transition of existing DOD projects to Cybercom and expansion of new sensing and data analytic tools to strengthen the cyberspace defensive posture of Indo-Pacom networks, with a specific focus on defense critical infrastructure in Guam.

The budget touts examples of this, including the employment of over 3,000 operational technology assets that resulted in a 52 percent reduction in malicious and anomalous behavior in the environment and a 32 percent decrease in known vulnerabilities to key assets such as firewalls, switches and routers, to achieve 76 percent adherence to MOSAICS frameworks in industrial control systems.

Cybercom’s cyber protection teams — defensive teams focused on hunting adversaries within the network — performed 31 threat-hunting missions and investigated 58 additional artifacts across multiple networks, informed by the investments made in the portfolio. Those teams worked with local defenders within Indo-Pacom to bolster their tactics, techniques and procedures.

The command noted that the work established real-time insight into the submarine cable landing in Guam to effectively monitor network traffic transiting to and from the island, including automated alert and visual interface tools for operators.

The scope is also different from the previous budget request, in which Cybercom articulated that most of the portfolio spending would go towards deployable sensors and the “fly away” kits that the command’s cyber protection teams use. Those teams sometimes deploy to sites locally that incur breaches — hence the need for specialized kits.

The funding for 2025, according to previous budget documents, was partially planned to go towards downselecting awardees for Joint Cyber Hunt Kits, standardized fly-away kits for both cyber protection teams and hunt-forward missions that involve physically sending teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

Cybercom’s fiscal 2026 budget proposal moved funding for the Joint Cyber Hunt Kits to the procurement portion. A prototype effort was slated to be completed in June 2025, and a review of the capability was expected to be completed by August 2025 with a production award scheduled for FY26, the documents state.

In DOD parlance, China is the pacing threat. It has become more brazen in intrusions and probes into U.S. and defense networks, particularly in maritime or port environments to potentially limit an American military mobilization response if Chinese leaders decide to invade Taiwan.

Guam, a key U.S. military outpost, has been a top target for Beijing in recent years. Chinese hackers targeted critical infrastructure there, burrowing deep inside a couple of years ago and startling experts who referred to it as one of the largest cyber espionage campaigns against America.  

The group that conducted the operation has been referred to as Volt Typhoon, one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world called “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

In fiscal 2026, Cybercom plans to field hardware security capabilities and support sustainment of existing capabilities installed in fiscal 2024 and 2025, according to the budget documents. It will also seek to implement improved or additional tools and tradecraft to keep pace with the dynamic and evolving threat landscape.

The 2026 funding request aims to complete a full asset inventory of operational technology assets on Guam defense critical infrastructure for comprehensive and enduring monitoring to reduce malicious activity, address known vulnerabilities and ensure adherence to the MOSAICS framework for industrial control systems, the documents state.

Are DOD’s rules of engagement in cyberspace too limited? https://defensescoop.com/2025/06/27/dod-cyberspace-rules-of-engagement-limitations/ https://defensescoop.com/2025/06/27/dod-cyberspace-rules-of-engagement-limitations/#respond Fri, 27 Jun 2025 13:18:18 +0000 https://defensescoop.com/?p=114837 "I believe our own rules of engagement are holding us back" in cyberspace, Rep. Don Bacon said.

The post Are DOD’s rules of engagement in cyberspace too limited? appeared first on DefenseScoop.

Amid the increasing scale, scope and speed of threats in cyberspace, the rules of engagement to respond could be limiting the ability of America’s digital warriors to hit back in a timely manner, according to a top lawmaker.

“I also have learned that within the executive branch there are very limiting rules of engagement on what Cyber Command can do in response,” Rep. Don Bacon, R-Neb., said during a June 12 House Armed Services Committee hearing.

Bacon serves as the chair of the panel’s subcommittee that oversees Department of Defense cyber operations, forces and policies, giving him unique insights into this matter.

“I’m the chairman of the committee and I’ve talked to multiple layers, they are restricted based off the rules of engagement. Maybe they’re appropriate. I just hope we relook at them because if China can attack our energy grid, our Wall Street grid, our hospitals, I think we should be reviewing, okay, is our responses adequate? I just want to submit that for you to think about and consider,” he told the committee’s witnesses that day, Secretary of Defense Pete Hegseth and Chairman of the Joint Chiefs of Staff Gen. Dan Caine.

He implored them to review the current rules of engagement and consider if they need to be revamped.

In a statement, he later emphasized that while Russia and China are infiltrating systems, rules of engagement are hindering U.S. Cyber Command from responding properly, urging a more aggressive posture.

“China has surpassed Russia as our biggest cyber threat. With malicious intent, they’re attempting to – and largely succeeding in – infiltrating everything from our energy grid and cell phones to our financial institutions, and health care networks. While we have good cyber intelligence, China is no longer deterred in the cyber domain, and I believe our own rules of engagement are holding us back,” Bacon said. “We need to start imposing heavy costs on these cyber actors, including nation states like China and Russia, to establish better cyber deterrence. In some cases, this could mean allowing Cyber Command to fight fire with fire, in other cases this might mean applying targeted non-cyber response like significant economic or diplomatic sanctions or perhaps covert action. Regardless of how we do it, I think everyone can agree that the status quo (of continued cyber attacks) is not acceptable or sustainable: some level of cyber deterrence has to be established.”

When asked if DOD is reviewing its rules of engagement for cyberspace, a department spokesperson on Friday said they had nothing to announce.

For many years, restrictive rules of engagement and improper analogies handicapped the military’s ability to conduct cyber operations. It used to be that U.S. military offensive cyber actions were considered on par with nuclear weapons in terms of requiring presidential sign-off for employment, for fear that effects could lead to escalation and possibly unintended consequences.

The nuclear analogy proved to be a flawed model for cyber, as history has borne out. In 2018, a series of congressional and executive actions cleared the way for smoother cyber operations approval. Those included a clarification that cyber action is a “traditional military activity,” removing interagency barriers that might have previously required an exemption to the covert action statute, effectively allowing Cybercom to operate more freely. Congress also included what essentially boiled down to an authorization to use force in cyberspace against Russia, China, North Korea or Iran to “disrupt, defeat, and deter … active, systematic, and ongoing campaign of attacks against the Government or people of the United States.”

On the executive branch side, the first Trump administration repealed the Obama administration-era policy for approvals, issuing what was known as National Security Presidential Memorandum-13, which delegated authorities to the secretary of defense to conduct timely cyber operations. The still-classified policy also included components to deconflict cyberspace with other government agencies to avoid fratricide among different organizations and equities.

“In line with the shift to a more proactive cyber strategy … NSPM-13 enables faster, more agile decision-making better adapted to the strategic threat. It does so not only by allowing delegations of authority, but by reinforcing those delegations with a coordination and approval process run by the delegee, not the NSC,” Gary Corn, director of the Technology, Law and Security Program and an adjunct professor of cyber and national security law at American University and former Staff Judge Advocate at Cybercom, wrote in a paper in 2021.

Participants in the Army’s Cyber Flag exercise in Suffolk, Virginia, in June 2019. (U.S. Cyber Command photo)

Prior to 2018, the military conducted very few cyber operations. Some experts that spoke to DefenseScoop noted that the primary restriction and limitation to engage in offensive cyber action was the lack of clear authorities, but after 2018 it was the lack of a sufficient man, train and equip function to present Cybercom with enough trained, capable personnel to carry out the mission.

The second Trump administration’s pick for assistant secretary of defense for cyber policy noted last month in her confirmation hearing that it’s likely time to begin reassessing some of these authorities from 2018.

“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department,” Katie Sutton told the Senate Armed Services Committee in May. “As you’re well aware, in 2018 there was a series of activities that enabled the offensive posture that the department is undergoing today; both establishment by President Trump of NSPM-13, the process to do cyber operations, as well as this committee’s definition of traditional military authorities for cyber. I believe we’re at a point where we need to reevaluate those and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI.”

Sutton served as a staff member on the Senate Armed Services Subcommittee on Cybersecurity and most recently as chief technology advisor to the commander and director of Pentagon operations at Cybercom, giving her relevant insights into cyber operations.

Despite some criticism regarding the current rules of engagement, officials have indicated new rules have significantly increased the ability to conduct cyber operations.

“NSPM-13 is a repeatable, sustainable, agile process that is recognized across the Department of Defense and across the interagency that allows us to move at the speed and agility that’s required based on our intelligence, based on operational requirements, and it has increased our ability to execute cyber operations tenfold,” Lt. Gen. William Hartman, acting commander of Cybercom, told a Senate subcommittee during an April hearing.

Sources who spoke to DefenseScoop noted that after the first Trump administration gave new authorities, the Biden administration came into office with some folks who had worked in the Obama White House, and there was still resistance to some actions in cyberspace — which led to efforts to walk back what the Trump team had put in place.

As President Donald Trump was coming back into power for his second term, officials associated with the transition and administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.

According to some, while there are standing rules of engagement for combatant commands to respond with force if necessary, cyber is a bit different given the risk profile and some policymakers’ lack of understanding about the digital realm.

As such, over time, certain presidential policies have limited that pre-authorization to use offensive measures except under certain defined circumstances, according to sources.

Legal experts agreed that the president has authority to act as commander-in-chief and respond to activities in America’s self defense. However, for some, response in cyber is a little more opaque.

“There’s been longstanding policy that, consistent with international law, if somebody starts shooting at us, we can shoot back. That is murkier in cyber because of a number of factors, part of which is less than clear lines in international law about what the thresholds are and what types of cyber activities cross those thresholds, and also concerns about escalation dynamics and risks,” Corn said in an interview. “We’ve gotten better at the risk side of it as compared to 10 years ago when there were lots of senior officials who were talking about any out-of-network cyber operations in terms of nuclear conflict.”

Speeding up decision space

One way in which operations under the current framework could be slowed down is if activity needs to be coordinated across the interagency at a time when most civilian government employees are offline and away from their desks.

Cybercom operates 24/7, monitoring threats across the globe and planning for operations. If something were to happen in the middle of the night or on a weekend and the command wants to coordinate with the interagency on the target set to be a good partner, the command could be in a situation where the options are to either violate the framework to complete the mission or delay until personnel are back at work, a former military cyber official explained.

This type of setup can also affect the command’s ability to campaign in cyberspace, that is, looking at sustained and persistent activity to set conditions rather than just conduct one-off operations. The current framework has allowed for those types of one-off engagements, but can hinder ongoing campaigning efforts that require persistence, the former official noted.

Going faster might not necessarily be about changing the framework itself as much as evaluating coordination across the interagency at a faster pace.

“[A]n effective decision-making process should be designed to aid the designated decision-maker in rendering a decision. A process that allows participants to effectively usurp decision authority without the attendant accountability is a design flaw, not a feature,” Corn wrote in 2021. “Imposing process for process’ sake is a fool’s errand, unless the objective is to drive interminable debate and bureaucratic inertia. Process is a means to an end, not an end in itself, and so it should always be designed to fulfill an objective. In the case of national security decision-making, the objective is to achieve the most well-informed decision possible under a given set of circumstances, including acceptable risk parameters and time available. The increasingly complex, fast-moving, and dynamic nature of modern national security threats requires disciplined decentralization of action consistent with centralized intent.”

Inside U.S. Cyber Command at Fort Meade, Maryland. (Josef Cole / DOD / U.S. Cyber Command)

Also at play now and especially into the future is the speed at which adversaries will likely execute operations employing AI and machine learning capabilities.

Experts referred to the notion of machine-on-machine competition in the future, necessitating the requirement to operate at high speed and be effective in defense and offense. The question for policymakers is if the current policy framework meets those challenges.

As such, some experts noted the need to relook cyber authorities on a more frequent basis than other areas of military operations given the dynamic environment and shifts in tactics.

“Cyber is definitely an area where authorities need to be looked at more frequently than the kinetic space. Obviously, not the idea of layering on more statutory or executive level guidance, but for tightening the OODA [observe, orient, decide and act] loop and coming up with ways to provide the higher level transparency and control that has to be there without sacrificing too much operational capability,” Tom Wingfield, a senior international and defense researcher in RAND’s Department of Defense and Political Sciences who served as deputy assistant secretary of defense for cyber policy from 2019 to 2021, said in an interview. “Part of that would need to be looking at the role AI can play in providing that transparency and tightening the OODA loop. There’s a lot of opportunity there to know what we’re talking about and to build in limitations so that we don’t have clunky 20th century techniques for reporting and waiting for permission.”

Corn noted that there’s a need to constantly assess if authorities and policies are fit for purpose given the risk environment, but acknowledged that lawmakers helped clarify some things a few years ago.

“What Congress did in the end of 2018 was more about clearing some hurdles that were perceived to exist in law from a domestic law perspective, like lifting a potential interagency objection to something that would constitute covert action versus a traditional military activity,” he said.

Ultimately, the more operations cyber forces conduct, the more comfortable national level leadership will be, similar to many of the other domains of warfare.

“The three main problems that really drive most of the oversight [in cyber] are first, the ability to know what needs to be hit. The second is having a weapon or an access that’s able to hit it. And the third is the ability to limit the knock-on effects of that attack to just the immediate area of the attack,” Wingfield said. “Each of those three things is a capability that, as it gets sharpened, would require less oversight and fewer packing peanuts around an operation. So as you do those three specific things better, then you can move much more quickly, much more like the kinetic areas of warfare.”

The post Are DOD’s rules of engagement in cyberspace too limited? appeared first on DefenseScoop.
