Assessment for independent cyber force passes House, Senate defense committee
Defense panels in both chambers of Congress have passed measures directing independent assessments examining the prospect of an independent cyber force, as part of the annual defense policy legislation, setting up a showdown later this year when both bills are reconciled for final passage into law.
A measure included in the Senate version of the National Defense Authorization Act last year was ultimately nixed from the final proposal during the conference process with the House, which didn’t have a similar provision in its bill.
However, the issue of creating a sixth military service that is focused solely on cyber operations, while not new, has gained steam over the last year as threats have grown, the landscape is becoming more dynamic and readiness issues have plagued the military services’ forces that they present to U.S. Cyber Command.
Each of the military services is responsible for providing personnel for a set number of teams to Cybercom, which then employs those forces in operations for the other geographic combatant commands. But detractors believe the services are too siloed in their approach, leading to incongruent models for presenting forces to Cybercom and forces maintaining their service identities, which leads to readiness issues, according to skeptics.
An amendment to the fiscal 2025 NDAA on the House side proposed by Rep. Morgan Luttrell, R-Texas, during its marathon markup May 22 directs an independent evaluation on the establishment of a U.S. Cyber Force to be conducted by the National Academies of Sciences, Engineering, and Medicine.
“I think the study is a great step forward and it kind of lays the groundwork for something. Or it could very well tell us we’re not ready yet,” Luttrell told DefenseScoop before the committee marked up the bill.
He also noted that he’s not opposed to other solutions, adding that he’s happy to engage with the DOD on possible alternatives to creating a Cyber Force.
Luttrell and other Republican co-sponsors believe the timing for this is now because the cyber risks are increasing and the current approach is too disjointed.
“[T]oday, each service generally builds cyber capacity in isolation. The forces are also supposed to be built to a single standard, but that intent or vision has never come to fruition, with dramatic disparities across the services. In fact, they don’t even align on the names of the career fields for personnel aligned to cyber operations. While seemingly minor, the consequences are significant,” Rep. Pat Fallon, R-Texas, wrote in a recent op-ed. “It’s critical we establish an independent military service aligned to cyberspace, responsible for the Title 10 functions of ‘Organize, Train, and Equip.’”
The Senate Armed Services Committee, which marked up its version of the NDAA this week, included a provision examining the prospect of an independent cyber force or service, according to committee staff. However, a summary of the bill, which passed the committee Thursday night by a vote of 22-3, did not offer any details.
The measures from both House and Senate Armed Services Committees must be passed by their respective chambers of Congress before going into conference where the two versions will be reconciled into a single bill. The full House passed its version on Friday.
Two of the leading outside groups on military cyber issues have applauded the efforts of Congress in exploring options to improve how DOD presents and employs cyber forces, to include the prospect of a new, independent military branch.
The Association of US Cyber Forces (AUSCF) “fully supports the creation of a Cyber Force to support our national security in cyberspace. The provisions of the NDAA calling for a study into this possibility are a step in the right direction, but we have been here before,” the nonprofit, which is dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, wrote in a statement to DefenseScoop. “This is not the first congressional call for such a study, though we do applaud the move to have it conducted by an entity outside the DOD. Our hope is that this study will unequivocally find what we all already know, that such a dedicated force is not only appropriate, but a vital need for our country if we ever hope to match and surpass our adversaries in this domain … This NDAA inclusion is a step in the right direction, though the time has come for us to build momentum and move towards action quickly following the results of the study.”
The organization, which has been advocating for the creation of a cyber force, is hopeful the assessments conducted outside the DOD will determine the potential for such a force to also exist outside of the department and its currently limited authorities. AUSCF has been advocating for a more holistic national defense force with the authorities to better protect the homeland from a defensive posture and conduct operations against outside actors.
“One thing is certain in the debate on whether or not there should be a bold reorganization to establish a new military service focused on the cyber domain of warfare, and that is there is deep disagreement among relevant stakeholders. However, there is wide consensus that an unbiased independent study to examine the potential value and feasibility of such a service is not only appropriate, but sorely needed,” Chris Cleary, national president of the Military Cyber Professionals Association, a nonprofit dedicated to advocating for military cyber issues, said in a statement to DefenseScoop. “To that end, and in pursuit of our mission and vision, the MCPA wholeheartedly supports the proposed study.”
Congress wants answers
Part of the congressional concern stems from the need for more information and data.
“Many members of Congress, myself included, feel we need better information to understand our current and projected cyber defense capabilities. That’s why this year’s House-passed NDAA has multiple efforts to achieve our shared goal of supporting our cyber professionals and systems,” Rep. Chrissy Houlahan, D-Penn., an Armed Services Committee member, said in a statement to DefenseScoop. “The truth is that the civilian and military cyber landscapes are changing rapidly, almost daily. Because cyber is an integral part of our national defense and needs to be supported with a robust workforce, it’s a matter of congressional concern.”
Congress has previously provided bill language requiring DOD to include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review. It has also more recently required a study, which among many aspects, called for an examination of the current cyber enterprise, requested a look at how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force and if the Pentagon should create a separate service. This effort is known as the Section 1533 study from the fiscal 2023 NDAA.
“The Section 1533 study was looking at all options to include the establishment of a separate service and hence a separate analysis — is it necessary — but we required the department to do the study … as part of the cyber posture review. It seems to me that DOD ignored that requirement and then pointed us to a section in the posture review that included an assessment, but if you look at that section, no such assessment existed,” Mike Gallagher, who until late April was the chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, said during an April hearing. “Why should we believe that the department will follow on with an objective analysis as part of the 1533 study, given that it was ignored previous to this?”
This so-called force structure assessment was due to the secretary of defense June 1.
The DOD has taken the approach of packaging the variety of studies Congress has required, to include 1533, and bundle them into an effort it dubs Cybercom 2.0, a holistic top-to-bottom review underway to examine how to reshape Cybercom’s organization and forces and ensure it’s best postured for the future and emerging threats.
Gen. Timothy Haugh, who became commander of Cybercom in February, said at the command’s legal conference April 9 that along with the newly established Office of the Assistant Secretary of Defense for Cyber Policy he must brief the secretary on the vision for the future of force generation this summer. Later that week, he told the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems that the command and ASD-Cyber are working on Section 1533 along with other efforts and owe a briefing of 1533 to the secretary of defense in June.
“There are a couple of things that Congress has already given us that is where we’re going to owe products,” he said at the conference, later telling lawmakers: “We owe that [force generation study] to the secretary in June and we are required to brief them in June [on] the results of that study, and we’re moving at pace to ensure that we look at all the options that you directed.”
Other elements Congress has asked DOD and Cybercom to study that are being folded into Cybercom 2.0 efforts include the optimal strategy for structuring and manning various headquarters elements.
According to a DOD spokesperson, the department tapped the RAND Corp. to study the issue.
“In response to Section 1533 of the FY23 NDAA, DOD commissioned an independent research study of U.S. cyber forces through the RAND Corporation, which generated insights concerning challenges and opportunities of force presentation and design, mission essential tasks, civilian-contractor-military mix, training pipelines, talent management, career progression, and pay,” they said. “The alternative models presented in the study have informed the Department’s understanding of current and potential future constructs of the cyber forces. The Department is currently exploring tradeoffs presented by the various models and is on track [to] meet the 1533 legislated timeline to present an implementation plan by June 2025.”
The HASC version of the NDAA for fiscal 2025 that passed in May included an amendment by Houlahan requiring the secretary of defense to submit the 1533 study, along with any supporting analyses that may have been conducted by any other entities, no later than Sept. 30.
As the law currently exists, the DOD owes congressional defense committees briefings at least once every 180 days on the progress of the section 1533 effort until receipt of the plan.
While many observers, including top officials, have acknowledged that the status quo is not working, detractors of an independent cyber force within DOD maintain now is not the time to shake things up.
The current model has not had enough time to prove itself, the argument goes. The command only just received enhanced, more service-like authorities with the passage of the fiscal 2024 appropriations bill earlier this year that provides enhanced budget authority, giving full budget ownership of cyber and direction of cyber forces to Cybercom.
The command modeled itself off U.S. Special Operations Command, a combatant command with unique service-like authorities.
Some outside experts believe the DOD is working to head off congressional direction for outsiders to study an independent cyber force.
“When they were trying to kill the independent assessment DOD suggested and they didn’t think it was needed, they implied the overdue 1533 report was right around the corner. I no longer think that’s true,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, told DefenseScoop. “One might consider that poor form to say ‘I don’t need that because I have this other thing coming,’ and the other thing is not really there.”
Montgomery, who also previously served as policy director for the Senate Armed Services Committee, gives the measure of an independent assessment a 50/50 chance of becoming law at best, even though it was included in both the HASC and SASC versions of the NDAA.
Despite Congress’ affinity for studies and assessments, the fact that the measure didn’t make it into the final bill last year and there are questions surrounding its passage this year, indicate DOD is working to prevent it, sources suggested.
“DOD is telling the senior congressional leadership an independent assessment is ‘not needed,’ very emphatically, repeatedly. DOD leadership is lobbying hard and working hard against this,” Montgomery said.
He acknowledged that if this was an easy fix it would’ve been done already, adding that the problem with continuing to do nothing is that it’s been the approach for 12 years.
“If we don’t do this assessment, we’re doing nothing because DOD is not changing. This force generation problem is getting worse every year and the Chinese are getting better every year,” he said. “DOD has had an open door with congressional leaders to get whatever they needed over the past decade and we ended up in this position.”
