US must establish independent military cyber service to fix ‘alarming’ problems — report

The current model for military services providing forces to U.S. Cyber Command is broken, and the only way to fix it is to create an independent Cyber Force, a new report asserts.

“America’s cyber force generation system is clearly broken. Fixing it demands nothing less than the establishment of an independent cyber service,” a report published Monday by the Foundation for Defense of Democracies states. “This research paints an alarming picture. The inefficient division of labor between the Army, Navy, Air Force, and Marine Corps prevents the generation of a cyber force ready to carry out its mission. Recruitment suffers because cyber operations are not a top priority for any of the services … The current system compounds these force-generation challenges. Each of the services has developed its own solutions, leading to both inconsistencies and shortcomings.”

The report’s authors — retired Rear Adm. Mark Montgomery, who is senior director of FDD’s Center on Cyber and Technology Innovation, and Erica Lonergan, an assistant professor in the School of International and Public Affairs at Columbia University — interviewed over 75 active duty and retired U.S. military officers with significant leadership and command experience within cyber. Both authors were members of the now-sunset Cyberspace Solarium Commission.

While not all interviewees believe the creation of a new service is the answer, “everyone agrees that the status quo is not sustainable, even if not everyone we interviewed agreed that necessarily that the solution is to establish an independent uniformed service for cyberspace,” Lonergan told reporters ahead of the report’s release.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands.

Proponents of an independent cyber service argue the cyber operators have no distinct identity — as they are still members of their respective services — as well as that there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different for the members of each service, and that command and control structures are confusing.

In one of the most pertinent and striking examples, Congress recently was forced to act in directing the Navy to create cyber-specific work roles as it was the only service to date that had not done so. Navy service members were rotating too frequently in and out of the cyber mission force creating continuity issues, forcing retraining, and ultimately, readiness issues.

Those cyber mission force teams — offensive and defensive — were initially designed to be joint from the outset, trained to the same standards so they could be interchangeable and operate alongside one another. But individual service intricacies have plagued that design, the report alleges.

“The services do not coordinate to ensure that trainees acquire a consistent set of skills or that their skills correspond to the roles they will ultimately fulfill at CYBERCOM … At root, the current readiness issue stems from the fact that none of the existing services prioritizes cyberspace,” it states. “Promotion systems often hold back skilled cyber personnel because the systems were designed to evaluate servicemembers who operate on land, at sea, or in the air, not in cyberspace. Retention rates for qualified personnel are low because of inconsistent policies, institutional cultures that do not value cyber expertise, and insufficient opportunities for advanced training.”

The report, as well as sources who detailed the issue to DefenseScoop previously, allege the services played “shell games” when it comes to staffing the team, oftentimes double counting personnel to make the teams look fully manned.

‘The status quo isn’t working’

There has been frustration among many outside the military that despite readiness shortfalls, not much to date has been done to address how forces are presented.

“This is also a concern that this poor force generation model is negatively impacting readiness. It’s preventing the cyber mission force from conducting operations or really from growing and expanding,” Montgomery told reporters. “We need to absolutely get better or we’re going to create a catastrophic condition where an adversary’s cyber capabilities either enable him to do something we can’t stop or him to stop us from doing something we need to do. I think we’re rapidly getting to that.”

The cyber mission force was conceived in 2012-2013 and began building then. At the time, it envisioned 133 teams. However, that force has remained steady until the fiscal 2022 budget that, for the first time, authorized growth for the cyber mission force approving 14 additional teams.

For Montgomery, the growth and maturation of the force has not been enough to keep pace with America’s adversaries.

“Over the last 14 years, one thing I can definitely say by the Chinese and Russians is their capacity has grown, and the idea that we’ve maintained the exact same level is really concerning. I think we’re there because we’re not able to get the maximum readiness out of that lower level, much less grow and expand it,” he said.

Each of the service chiefs has pledged to make cyber mission force readiness a top priority. However, Montgomery contends the services have completely failed thus far.

“It is definitely a criticism of [the] services. There’s no two ways about it,” he said.

Lonergan noted that there is beginning to be recognition that the current status quo is inefficient and changes must be made.

“The consensus is that the status quo isn’t working and I think I can say that that’s the consensus of our military leaders in cyberspace, too. That’s what’s driving this Cybercom 2.0 effort to do this kind of holistic, comprehensive review of Cybercom,” she said.

Cybercom 2.0 is a holistic top-to-bottom review underway by the command to examine how to reshape its organization and forces and ensure it’s best postured for the future and emerging threats. It’s meant to look at force presentation, force composition, acquisition and other improvements and changes as it evolves.  

Last year, Congress attempted to begin evaluating the prospect of creating an independent cyber service. However, efforts in both the House and Senate were struck from the annual defense policy bill, one of which would have required an independent body to study the merits of establishing a new force.

Advocates for a cyber force are pushing hard this year to ensure something makes it into legislation.

“We do not take lightly the many challenges still ahead in implementing the recommendation for creation of a dedicated Cyber Force, but AUSCF calls upon our nation’s Executive and Congressional leaders to act, through policy and legislation, to meet this call for what our nation so urgently needs in support of national security. The creation of a Cyber Force is a clear message, both to our adversaries and our own citizens, that freedom of action in the cyberspace domain, and protection of our critical infrastructure and sovereignty, are priority responsibilities that the United States takes seriously and will meet with the best our nation can provide,” the Association of US Cyber Forces (AUSCF), a nonprofit dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, said in a statement provided to DefenseScoop ahead of the release of the FDD report.

Opponents of an independent cyber service argue that now is not the time. The current model has not had enough time to prove itself, the argument goes. Moreover, Cybercom is on the precipice of inheriting significantly more authority. Through what’s known as enhanced budget authority, Cybercom is slated to gain more service-like authorities from full budget ownership of cyber and direction of cyber forces. That was supposed to culminate at the beginning of fiscal 2024.

Others note that the command modeled itself off U.S. Special Operations Command, a combatant command with unique service-like authorities. However, the report notes incongruencies between special operations forces and cyber forces.

“In the SOCOM model, each of the services provides the force employer — SOCOM — with expert personnel who possess skills suited to their particular domain. For instance, an Army Ranger trains for special operations on land, while Navy SEALs possess skills tailored to maritime special operations. Rangers and SEALs are not interchangeable. The Army cannot train SEALS, nor the Navy Rangers. Thus, SOCOM actually gains strength from this one-of-a-kind distributed force-generation model,” the report states. “However, there are no land, sea, or air-specific cyber functions that only particular services can provide.”

As was stated previously, the cyber mission force was designed to be joint from the outset and trained to the same standards so individuals could be interchanged from team to team, offense or defense.

Department of Army and Cyber?

The report’s authors were sure to explain they’re not necessarily wedded to what a cyber force could look like if the Department of Defense has ideas for it.

But it did recommend placing it within the Department of the Army, with Cybercom continuing to be the force employer. Montgomery believes the Army has done the best in cyber, relative to the other services, placing cyber in the hands of general officers. Additionally, the other military departments already have subordinate forces: the Space Force under the Department of the Air Force and the Marine Corps under the Department of the Navy.

“Standing up this new service would be relatively straightforward. Initially, the Cyber Force would encompass the billets that currently comprise the CMF: a 6,200-person mission group consisting of servicemembers, civilians, and contractors,” the report stated. “Beyond the CMF, the Cyber Force could also absorb a select number of billets for cyberspace operators that currently fall within the SOCOM enterprise. The Cyber Force could draw on lessons from the Space Force, which has encountered few issues filling its new roles even though it requires highly technical and skilled personnel.”

The authors were also sure to note the services should keep their organic cyber and IT personnel, meaning the new cyber force wouldn’t suck up all the cyber expertise, leaving the services with nothing.

Ultimately, having a single service — with a service secretary adhering to civilian control of the military — that can solely focus on providing forces for cyberspace operations will improve the readiness of cyber forces and retention, the authors contend.

Montgomery explained that if Cybercom needed to grow, it would be as simple as working with one service as opposed to four right now.

“Cyber Command [could] say, ‘Hey, I need to be 20 teams bigger, to do that I need an extra 1,000 operators.’ He could talk to the cyber force chief and the two of them would then go see the chairman and the Secretary of Defense … and make that argument and then it’d be properly sized,” he said. “I think it would make Cyber Command much more effective and agile. You have a more ready force and then an ability to grow the force. Right now, if he wants to grow the force, he’s got to convince each of the services.”