Recent reporting indicates that U.S. Cyber Command (CYBERCOM) is in the middle of restructuring the organization and the forces that support it in order to best position the command to address the changing cyber threat landscape. The strategy behind “CYBERCOM 2.0” is that the more than 10-year-old command was built on principles that are outdated for the needs of the times. It took approximately six years (2012-2018) for the cyber mission teams – those entities involved in offensive and defensive cyber operations – to reach full functioning capacity, and now that they have, they need to be positioned for maximum effect. Declassified orders show that a priority was to get these teams up and running as quickly as possible, which was achieved in 2018 according to the documents. Fast forward to today, and it is evident that the Command and its teams have built on what was accomplished then. CYBERCOM’s Cyber National Mission Force has conducted at least 47 operations in 20 countries, and even became its own subordinate command.
Now, CYBERCOM is looking to undergo its next evolution, particularly as the command has gained new authorities to support the execution of its cyber missions. This includes expanding in size with 14 new teams to be added over five years (there are currently 39). Per its departing commander, CYBERCOM needs to be revamped with all options on the table save for the “status quo.” Although these terms are generic and murky at best, the commander acknowledged that when it was stood up, CYBERCOM was very counterterrorism/violent extremist organization-focused, with state actors taking a back seat. And while extremists continue to leverage the Internet for logistics, social media propaganda and disinformation, radicalization, fundraising, and yes, offensive cyber activities, they haven’t materialized into the next-level threat many had projected. Based on the last five years, and on how the Ukraine war has reshaped the military’s view of how cyber attacks are used during periods of armed conflict, CYBERCOM has shifted its focus toward nation state threats, as evidenced by its defense-forward operations, which only continue to increase as the cyber mission team ranks swell.
Expanded operational size will provide CYBERCOM not only more capable teams to deploy quickly, but also expanded global reach, with the ability to operate in many different geographic areas simultaneously. This further supports the “defense-forward” strategy that has been in place since 2018, allowing the United States to put into operation its long-known formidable offensive cyber prowess for maximum effect. What’s more, under defense-forward, while many of the details of its active-defense activities are kept secret, the fact that the United States will use and is using cyber offensives has been communicated publicly to the world, and to U.S. adversaries. While the world may have suspected the United States conducts these types of cyber missions, it is now public knowledge that it is doing so, albeit under the umbrella of partnering with other governments in the name of proactive defense. What’s clear is that persistent engagement will remain the foundation for CYBERCOM 2.0, as it has provided the kind of dividends the United States has long sought in cyberspace.
What’s curious is whether CYBERCOM 2.0 will finally be willing to stand on its own, letting its commander shed the other hat worn as director of the National Security Agency (NSA). The current commander is set to depart from the position, and there is no indication that the powers that be will finally split the roles of this unique position. This continued entanglement of two organizations and the authorities imparted to them suggests that NSA will continue to play a significant role in influencing CYBERCOM operations. This bears noting: while it makes sense for NSA to be involved in helping to protect civilian organizations, as it does when it issues public cybersecurity advisories, especially about vulnerabilities, NSA has also been known to keep knowledge of vulnerabilities secret in order to leverage them for its own use. Keeping the same individual leading both organizations certainly suggests a strengthening of info-sharing such as this, but to what extent that will benefit the public remains murky at best. Further complicating matters is the continued bolstering of relationships between NSA and private sector industry. Whether those translate into more robust security guidelines and relevant advance warning of hostile activity, or into more quid-pro-quo arrangements that support more NSA clandestine missions, remains uncertain.
How CYBERCOM 2.0 shapes up will invariably set the tone for U.S. cyber activities for the near future. Everything points to more proactive, offensive-minded missions to take down adversaries. With CYBERCOM having enhanced budget authority, it intends to get better control over its programs by integrating disparate factions under its Joint Cyber Warfighting Architecture. Currently, such capabilities are not harmoniously integrated, which needs to change given the maturation of the command and its mission forces, according to the director of CYBERCOM’s cyber acquisition and technology directorate. This effort is consistent with the reimagining of CYBERCOM 2.0 and clearly designed to enhance operations on military-specific platforms separate from the NSA, which makes sense given the differing mission focuses.
It also further reinforces the notion that the United States is committed to taking the fight to adversaries in cyberspace. Over the past year-and-a-half or so, the United States has been very active in taking down the infrastructure of some of the more prominent state and nonstate cyber threats. Recently, it helped dismantle the Chinese VOLT TYPHOON botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers, as well as other VOLT TYPHOON activity attempting to infiltrate U.S. critical infrastructures. Similar actions were taken to disrupt Russian state actors toward the end of 2023. These, coupled with the aforementioned Cyber National Mission Force activities, foretell that despite the periodic publishing of advisories, offense, not defense, will be the focus of operations for the future.
Unfortunately, there does not appear to be an appetite for splitting the dual-hatted role of the individual who assumes both the command and director positions. In October 2022, the Biden Administration evaluated the situation but did not come up with a formal recommendation, meaning the status quo will prevail. To be sure, there are a fair number of supporters of keeping the current situation, including powerful lawmakers who see one individual making the decisions as key to harmonizing operations and communications. Perhaps. But one needs to weigh the operational advantages against what it may look like without the dual-hat role, and there is simply nothing to compare that to, since it has always functioned this way. With CYBERCOM 2.0 set to expand in budget, force size, and mission, having the ability to harness the NSA and the full extent of its capabilities seems a lot of power that may go unchecked. When it comes to protecting the homeland, supporting warfighting theaters, targeting sophisticated cybercrime groups, and engaging adversaries, that’s a lot of responsibility for any one individual to have without oversight.
Current commander/director Nakasone has long advocated keeping the arrangement for the speed and freedom it gives him to make operational decisions in cyberspace. Fair enough. But one does wonder how often these decisions are made independently of any other intelligence agency input. There is value in cyberspace in being able to act quickly; there is also value in getting input from outside intelligence partners that may have important contributions to add. One is reminded that the Department of State’s INR provided its own alternative analysis of the “Iraq’s Continuing Programs for Weapons of Mass Destruction” estimate that proved to be more accurate about whether the aluminum tubes Iraq was acquiring were being sought for nuclear purposes. There may be more to consider than just effects-based operations, and it is worth considering before engaging in immediate cyber retaliation whenever possible.
There is much to be admired in how CYBERCOM has demonstrated U.S. capability in addressing adversary operations in cyberspace. However, now with so many operations under its belt, the global community, and specifically adversarial cyber powers, have seen it in action, some firsthand. To think adversaries will continue to function as they have since these defense-forward activities began is wishful thinking. If these have been as successful as we believe, the enemy will change tactics and may elect to follow suit with their own active-defense measures. China has been more willing to call out U.S. cyber activity, and the governments of Iran and Russia may follow suit. This provides a public track record of alleged cyber malfeasance on the part of the United States, which these governments may cite on the international stage to provide justification should they commit to their own defense-forward operations. And this is a concern that needs attention, as this is the very type of activity that risks escalation in the name of “proactive-defense.”