Editor’s note: This story was updated July 21 with comment from Sen. Mike Rounds, R-S.D., ranking member of the Senate Armed Services Subcommittee on Cybersecurity.
The Senate’s version of the annual defense policy bill raises the specter that the Navy should entirely get out of cyber operations for U.S. Cyber Command.
While the Senate Armed Services Committee passed its version of the National Defense Authorization Act for fiscal 2023 on June 16, the full text of the bill and its provisions were not released until July 18.
The latest version of the bill follows concerns from some quarters that the Navy does not have a dedicated military occupational specialty for cyber, which some believe is a direct result of the readiness issue.
One provision in the bill seeks to evaluate the way the Department of Defense trains, organizes and presents cyber forces. Under the current structure, the services provide a pre-determined number of cyber mission force teams to Cyber Command and are largely responsible for training them under joint standards developed by Cyber Command.
Given the cyber mission force was initially designed in 2013, many experts and members of Congress have sought a reexamination of these forces to see if there are the right number of forces, if they’re focused on the right set of threats, if they’re organized properly and if they have the right tool sets, to name a few.
The SASC bill, which still must be approved by the full Senate and then reconciled with the House version, requires a study on the responsibilities of the military services for organizing, training and presenting the total forces to Cyber Command.
As part of this study, the committee is requiring the establishment of a new or revised model by the secretary of defense by December 31, 2024, which, among other aspects, determines whether the Navy should no longer be responsible for developing and presenting forces to Cyber Command as part of the cyber mission force. A force structure assessment was included in the fiscal 2021 NDAA and as a result, the cyber mission force is slated to grow.
Concerns regarding the organization and readiness of the Navy’s cyber teams have been ongoing for some time. A provision in the House NDAA is pushing the Navy to create a singular and special work role dedicated to cyberspace.
The Navy is currently the only service that does not have a dedicated military occupational specialty or, in Navy parlance, “designator” for cyber. Its cyber personnel are primarily resourced from its cryptologic warfare community — which is also responsible for signals intelligence, electronic warfare and information operations, among several mission sets — with additional roles resourced from information specialists and cyber warfare engineers. Cyber warfare engineers are not operators, but specialize in highly technical skills and development of tools.
Critics argue that this leads to a less proficient cyber workforce because personnel have to constantly cycle in and out to gain experience in the other aspects of the cryptology field, while proponents say they want to build a well-rounded information force.
In a report accompanying the Senate bill, the committee notes that it is “concerned about continued readiness challenges with cyberspace operations forces, particularly with the Navy contributions to the Cyber Mission Force.”
Relatedly, another provision in the SASC bill requires the secretary of defense and chairman of the Joint Chiefs of Staff to develop a plan to correct readiness shortfalls of the cyber mission force.
Readiness has long been one of the top priorities, if not the top priority, for Cyber Command.
“In terms of our priorities this year and going into next, a major priority that [Cybercom commander Gen. Paul Nakasone] has set for us is our force readiness — how do we look at our cyber mission teams and ensure that our operators and our analysts are the best qualified, most lethal cyber force in the world,” Dave Frederick, the command’s executive director, said at an online event in June. “Readiness is a big focus for us.”
In recent years, the command has sought various approaches to improve readiness and readiness oversight.
However, some senators are concerned with how ready the teams actually are.
“As Ranking Member of the Cybersecurity Subcommittee, I have worked with U.S. Cyber Command to understand the readiness challenges faced by the Cyber Mission Force (CMF). I have also discussed these challenges with leaders in each branch of the military, including a Cybersecurity Subcommittee hearing and a visit to Fort Gordon, Georgia. These conversations culminated in my development of this provision. I am also working to make certain that cyber career fields are prioritized within the Services in order to avoid a shortfall,” Sen. Mike Rounds, R-S.D., said in a statement. “Individuals in these roles defend the nation in the cyber domain in order to maintain our freedom and accomplish overarching goals. An adequate CMF is essential, as cyber-attacks are an existing and dangerous threat to our national security. The threat is not going away, and we must have well-equipped and sufficient manpower to combat it.”
Additional aspects of the study on responsibilities for organizing, training and presenting the total forces to Cyber Command include:
- which services should organize, train, and equip civilian assets and military cyber forces to Cyber Command;
- the organization of the cyber operations force and if the total forces or elements of the forces function best as a collection of independent teams or through a different model;
- if a single military service should be responsible for basic, intermediate and advanced training for the cyber operations forces, or at a minimum for the cyber mission force;
- whether or how the duties of the director of the National Security Agency and the duties of the commander of Cyber Command, which are currently held by the same person, enable each organization and if technical directors and intelligence experts of the National Security Agency should serve rotations in the cyber operations forces;
- what work roles in the cyber operations forces can only be filled by military personnel, which work roles can be filled by civilian employees or contractors and which work roles should be filled partially or fully by civilians; and
- if the Department of Defense should create a separate service to organize, train and equip the cyber operations forces or at a minimum the cyber mission force, to name a few.