According to recent reporting, the Senate Armed Services Committee has requested a third-party assessment on the potential establishment of an independent military Cyber Force for the Department of Defense (DoD). The six-month assessment would address such areas as the number of commands across the DoD cyber enterprise; the command-and-control relationships of each of these commands; budget and personnel size; the ratio of fully trained and qualified personnel within these commands; and identifying any potential redundancies across these entities, as well as the costs associated with them. If created, this Cyber Force would be the seventh uniformed military service inside the DoD. This move dovetails with the House Armed Services Committee’s direction of the U.S. Comptroller General to evaluate the management of DoD’s cyber operations in an effort to eliminate duplications of effort in how the services “organize, train, and equip” the cyber personnel they detail to U.S. Cyber Command (CYBERCOM), one of 11 unified combatant commands.
There has been much debate over the need to create an independent Cyber Force, a service that would presumably be solely focused on military cyber capabilities and to protect U.S. and allied security interests in cyberspace. Groups like the Association of U.S. Cyber Forces and the Cyber Solarium Commission 2.0 advocate for such a force citing improved command-and-control as an obvious advantage, though there are differing opinions of its existence independent of CYBERCOM. An independent Cyber Force would provide all necessary training, outfitting, and otherwise bear the responsibility for preparing these military personnel to support the larger DoD cyber mission. Currently, the military service arms contribute personnel to CYBERCOM and ensure that they meet job requirements prior to their deployment. Ostensibly, any new dedicated Cyber Force would relieve the services of this commitment, freeing up a portion of their budgets to be used for other purposes.
While it is reassuring to see the government investing in improving its cyber security posture by consistently upgrading and evolving its offensive and defensive cyber capabilities, the creation of a Cyber Force seems unnecessary at this moment. The creation of CYBERCOM was supposed to address the issues of having a dedicated cyber component within the U.S. military and while its evolution has been slow, the successes achieved underscore that its implementation into the military ecosystem has been done correctly and responsibly. In 2016, Congress gave CYBERCOM limited acquisition authority so that the infant command would employ a “walk, crawl, run” mentality” to ensure it was able to execute the authority capably. Fast forward to 2023, it appears that CYBERCOM has transitioned from an organization lightly jogging to one engaged in a quick trot, which is testament to developmental success. The command has benefitted from maturing at its own pace, and by doing so, has adapted and evolved according to the dynamic threat environment in which it serves.
In a move that further reinforces confidence in what CYBERCOM has been doing, in 2022, Congress granted CYBERCOM enhanced budget authority, which gave its commander greater responsibility and direct control of planning, budgeting, and executing its cyber mission. Now with the DoD’s 2024 budget, CYBERCOM has made its first-ever budget request to support its mission, which will set the baseline for budget requests in future years. The Pentagon released documents indicating that CYBERCOM requested USD $ 332 million for its headquarters, USD $129 million for procurement; and a $1.1 billion for research, development, test, and evaluation. To put it in perspective, in the 2024 fiscal year, the DoD is dedicating USD 13.5 billion to cyberspace activities overall, which include CYBERCOM’s budget, as well as other activities. In addition to this new enhanced budget authority, CYBERCOM plans to increase its Cyber Missions Force teams from 142 to 147, will be in charge of its own acquisition, and no longer rely on the other services to help fund its cyber weapons program, the platform from which it executes cyber operations.
One of the main arguments for the Cyber Force is to relieve the burden of the services dedicating personnel to CYBERCOM, a curious complaint given the nature of the United States commitment to “joint” operations. The Goldwater-Nichols Department of Defense Reorganization Act of 1986 propelled the United States to become the most effective joint military force in the world. The very concept of a joint military is one that brings members of different services together to combine assets for the purposes of reaching a common goal. More importantly, joint force commanders can utilize and integrate the resources and capabilities to achieve goals without being constrained by specific service-first hindrances.
As one article in a military journal correctly points out, “service-centric attitudes and perspectives are antithetical” to the joint concept. It is reflective of how the U.S. military operates and the efficacies that it has yielded has spurned other countries to replicate. The current CYBERCOM structure is emblematic of the joint concept, with Air Force, Army, Marines, and Navy components assembled under its cyber umbrella. So, any service pushback against what the U.S. military has continually been striving to perfect, and what other foreign militaries have been striving to emulate, seems adverse to the United States trying to leverage its jointness for strategic competition advantage particularly as U.S. adversaries evolve their own military capabilities.
Another concern raised is that the services all have their own unique “cultures and priorities” which extend to how they address the cyber mission. While this may be true, it is easily corrected by having CYBERCOM set the standards by which all service elements must follow in terms of supporting the cyber mission. This especially rings true if the Cyber Force will be primarily focused on the personnel aspect of DoD’s cyber efforts (e.g., recruitment, training, etc.). As the DoD sets the enterprise-level requirements and priorities (as defined in the National Defense Strategy) within major mission areas for the armed services, so should CYBERCOM with respect to DoD’s cyber mission. After all, more than a decade into its existence, CYBERCOM is best positioned to identify the types of individuals to support both offensive and defensive sides of its house. Therefore, it makes sense that it sets the measures and standards for personnel recruitment at the service level. Not only will soldiers, airmen, sailors, and mariners will still retain its unique service component attachment, but these cyber specialists will also have comparable shared technical backgrounds that can readily be deployed for CYBERCOM service.
Supporters of creating an independent Cyber Force might point to the recently built Space Force as a model. However, the two domains are not as similar as some think. For example, while space itself is huge, the assets the Space Force are responsible for (100+ satellites) are not nearly as numerous as those on the cyber side of the house, and though the force is responsible for offense and defense U.S. space capabilities, its personnel numbers are relatively small, consisting of approximately 14,000 civilian and military personnel. By contrast, the U.S. military cyber environment is massive in scale and integrated throughout the military, not to mention any civilian infrastructure relied upon to support military operations. Space systems are as well but not nearly to the degree of cyber. Applying Space Force mission responsibilities to the Cyber Force begs the question exactly how large would such a force need to be to address a similar mission on a much more massive scale? And this does not even reflect mission overlap, redundant responsibilities, and the other logistical challenges typically faced by bloated bureaucracies.
Washington has long resorted to throwing money at problems it doesn’t fully understand. Cyber has long been an enigmatic challenge, but that haze has been steadily dissipating over time. CYBERCOM has proven that proper investment and a willingness to study the domain will reap rewards in the backend. Thinking forward and not just in the present has unlocked cyber’s mystery. Building an effective cyber force is in the country’s best interest. But the foundation has already been laid. Giving CYBERCOM budget authority is a great step in solidifying its mission, a confirmation that the United States is on the right track. It seems it would be better for the command to eventually have control over the recruitment and training of the personnel under its purview.
Therefore, a Cyber Force would just be an unnecessary distraction just when the United States is moving steadily in the right direction. “You don’t change horses midstream” is a prudent adage that advocates forsaking unnecessary change during periods of turmoil and has applicability in today’s cyber landscape where geopolitical unrest has fostered hostile activities in the digital domain. Now is not the time to break CYBERCOM’s stride.
