With new authorities and assistant secretary, DOD prepares for next generation of cyber
The culmination of new authorities and establishment of a top policy office is accelerating what the next iteration of U.S. Cyber Command and military cyber forces will look like going forward.
The passage of the fiscal 2024 appropriations bill at the end of March enshrined new authorities for Cybercom known as enhanced budget authorities. Despite being in the works for a couple of years, the congressional gridlock to pass a budget delayed these authorities.
Now, the command will be in direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force.
Moreover, the Department of Defense, again at the direction of Congress, created the role of assistant secretary of defense for cyber policy — the top cyber policy office and official in the department.
Together, these actions seek to bring closer to fruition the vision to make Cybercom in the image of U.S. Special Operations Command, with unique service-like authorities to equip warfighters and set training standards along with a civilian secretary-like position overseeing the policy. In the case of Socom, that oversight is provided by the assistant secretary of defense for special operations and low-intensity conflict.
“That is clearly Congress’s vision — is the relationship between ASD SO/LIC and Socom should evolve that ASD Cyber will look like that with Cyber Command,” Gen. Timothy Haugh, commander of Cybercom, said Tuesday at his organization’s annual legal conference. “Our grade sheet should be built on how well we use the authorities we’ve been given, how fast we scale and how we partner.”
Haugh, in one of his first public remarks since taking command Feb. 2, noted that this partnership will be tested early as the acting ASD for cyber and him will be testifying before both houses of Congress this week. The ASD Cyber office was only just officially established March 20.
One of the critical areas the two organizations must work closely together on is an effort dubbed Cybercom 2.0 — a holistic top-to-bottom review underway at the command to examine how to reshape its organization and forces and ensure it’s best postured for the future and emerging threats.
Officials in the past have described that effort as a means of consolidating many of the products owed to Congress.
“That’s how do we take all these new authorities, how do we take this partnership with ASD Cyber and how do we leverage a series of things that Congress has asked us to do,” Haugh said of Cybercom 2.0.
Among the issues Cybercom and DOD are evaluating for Congress is a study to determine the optimal strategy for structuring and manning elements of the various Joint Force Headquarters-Cyber (JFHQ-C), joint mission operations centers, cyber operations-integrated planning elements and joint cyber centers.
Most pressing, however, is the future for how the services present forces to Cybercom, known as the force generation model. Since the early 2010s when the cyber mission force was created, each of the services has been responsible for providing a set number of offensive and defensive teams to Cybercom that are trained by the services based on basic standards that the command sets.
Given concerns with the varying readiness statuses of these teams across the services, incongruencies with how personnel are compensated across the services and overall inequities, there has been growing concern that the current model is inefficient and the only solution is an independent cyber service.
“We’re doing a study right now that will evaluate, and we brought in an outside think tank to help us look at this — what are the spectrum of options?” Haugh said. “There are also a number of things in between there that we should consider, and also whether or not any of that menu should be applied together. We’re evaluating that. And that’ll be a great test for us as our teammates within ASD Cyber and Cyber Command as we go forward.”
Congress has grown frustrated that DOD has not included certain studies requested by Congress in the manner in which they were requested, to include the force generation study. Cybercom and the Pentagon are now looking into the matter.
“One of those studies on force generation has required us to go back between ASD Cyber and the commander of U.S. Cyber Command and brief the secretary on our vision for the future of force generation this summer,” Haugh said. “In the force generation study, what it asked us to do was to look at our partnership with the services. What I will tell you is, over time, we have had with the services a different relationship between each service and at different parts of our creation and to where we are today.”
Haugh explained that before his predecessor, Gen. Paul Nakasone, left, he submitted a response evaluating the services’ readiness and their ability to present forces to the command — outlining five things the departments could do to improve.
They were mostly in line with how Socom addressed force presentation issues in the past, Haugh said. He didn’t provide specifics regarding all five, only offering that they centered around personnel policies, how the services leveraged tools that Congress had given for retention, and assignment policies.
Despite readiness concerns, Haugh said over the last year the services began implementing some changes and there has been a significant jump in readiness. However, he added that officials would like to see the services implement all five recommendations uniformly.
“We would like to see them all raise that floor farther. And that would be an area. That’s our starting point when we look at where we are in force generation,” Haugh said.
Next generation for acquiring capability
The realization of enhanced budget authority will now allow Cyber Command to control its own capabilities, from requirements to execution.
To date, the services are responsible for building major acquisition programs as executive agents on behalf of Cybercom.
“That model was really one that was thinking that a monolithic acquisition system would be able to, over time, be able to generate the requisite capabilities. What we have found is that largely we’ve had to generate our capabilities inside our force,” Haugh said. “What that has now occurred over time, has been the growth of what are the expectations of U.S. Cyber Command as an acquisition organization — and with a model that was thinking about how can we grow Cyber Command to be Socom-like, leveraging service-like authorities?”
The command now is fully in charge for the budget responsibility of equipping offensive and defensive cyber teams within DOD, validating requirements and allocating resources to acquire capabilities.
“That’s a pretty radical change from where we started to now what we’re authorized to do today. What Cyber Command now has to do is grow into that role very quickly,” Haugh said.
Officials in the past have noted that in the short term, not much will change. The services will still build major capabilities for the command, though now Cybercom will just reimburse the services as opposed to the services footing the bill. As the command grows its acquisition office and establishes its program executive office by 2027, it will be looking for help on how best to structure itself.
In addition to rapidly growing the acquisition force, the command is also looking at how to partner with others to develop capabilities.
That includes working with organizations like the Defense Advanced Research Projects Agency — for which the command already inked an agreement to bridge the so-called valley of death in acquisitions and get more cyber capabilities into operational use — and other research and engineering teams within the Office of the Secretary of Defense.
“What does that partnership look like with the services now that we have resources, multibillion-dollar resources, to align against our capability development? How do we use the authorities the department has given us as an S&T center to do tech transfer? Where does that put us now to be able to partner with industry as we start to think about capability [and] capability development?” Haugh said. “That’s an area that for us is going to be one of the most significant priorities that we will focus on and we will accelerate. Those partnerships will primarily drive us with our teammates and the services and with industry.”
