The commander of U.S. Cyber Command suggested he’d like lawmakers’ help with addressing the readiness of the forces under his purview.
“I think it has to do with the way that we look at readiness,” Gen. Paul Nakasone said at Cybercom’s legal conference Wednesday when asked what he’d like to see in regards to the annual defense policy bill. “As I take a look at it, we’re going to need to have people that spend more time at U.S. Cyber Command than less.”
Readiness — both from an individual and team level — has been a top priority for Cybercom, though it has struggled for years with this issue.
Despite receiving more service-like authorities as well as being the joint force trainer for cyber — which gives Nakasone some ability to direct the military services — the command is largely subject to the whims of each service for how they decide to organize their cyber personnel.
The services are responsible for presenting the 133 cyber mission force teams to Cybercom.
Because each service is different — and has its own priorities for classifying and retaining certain personnel to meet its needs and responsibilities — Cybercom has struggled with forces constantly cycling in and out. Not only does this present readiness issues where forces ultimately lack institutional knowledge given the high rate of change, but it also comes at an expense to the taxpayer due to the costs and long duration of training it takes for some roles, according to the Government Accountability Office.
Nakasone has previously suggested a model similar to Special Operations Command and special operations forces.
“I do believe that when you come to our forces, that’s the only thing that you should do for your career, much in the same way I’ve watched special operations forces be successful,” he told the Senate Armed Services Committee in March. “When you become a special operations force operator, that’s what you’re doing all the time and that’s what they want to do. Our force is the same way.”
The services still present forces to Socom, but they have special operations billets that allow service members to do that work their entire careers.
Previously, in cyberspace, personnel might have done a quick tour at Cybercom and then cycled out to do communications work, intelligence, or some other IT-related function.
The Army was the first service to create a branch and military occupational specialty for cyber in 2014 to address this very issue.
The Marines followed suit in 2018, citing the SOF model of entering that role and never leaving. That role, 17XX, was shifted to information warfare last year, though it still includes cyberspace posts.
The Air Force has been dinged by Congress over the years, most notably in 2017 when it was pointed out that of 127 Air Force cyber officers that completed their first tour on the cyber mission force, none went back to a cyber-related job.
“The challenge with Cybercom, specifically the CMF forces, was the training that went along with the advanced work roles in there,” Maj. Gen. Daniel Simpson, assistant deputy chief of staff for intelligence, surveillance and reconnaissance, A2/6, told DefenseScoop in an interview, adding they’ve made headway to ensure the training is done.
The training “was like almost jumping into the very deep into the pool. So, how do we ease some of our younger enlisted and officers into some of this? So, kind of a build-up program before we get to the really advanced work role training, because some of it was no-kidding [like] going from zero to 100 in a nanosecond,” he said. “I think I’ve seen, from my seat, a much greater payoff with that. Higher success rates, get people trained, certified and then on the step.”
Simpson also noted that officials have done a better job tagging the workforce to ensure they keep track of who has done what training and where they are.
The Navy has been the most recent punching bag for Congress.
The Navy is currently the only service that does not have a dedicated military role for cyber. Its cyber personnel are primarily resourced from its cryptologic warfare community — which is also responsible for signals intelligence, electronic warfare and information operations, among several mission sets — with additional roles resourced from information specialists and cyber warfare engineers. Cyber warfare engineers are not operators, but specialize in highly technical skills and development of tools.
Congress began to notice particular gaps in readiness as a result of individuals cycling out too quickly and is now forcing the service through legislation to create specific work roles for its enlisted and officer ranks.
“The cyber mission force is an example where I think we’re wrestling with, yeah, how do you characterize readiness,” Vice. Adm. Kelly Aeschbach, commander of Naval Information Forces, which is responsible for the manning, training and equipping of the Navy’s cyber personnel, said at a conference in February. “To Cyber Command’s credit, they have laid in a readiness structure and then [the] Department of Defense decided what the workforce role should be. Some of that was decided in a way that all of the services, candidly, have had some difficulty in how fast we can move to align to it. But Army and Air Force, candidly, were a little better positioned than Navy to catch up.”
Cybercom has undergone several readiness models since its creation. Given it had to build fast, it developed the force while simultaneously employing it in operations. The Government Accountability Office reported in 2019 that the command moved too quickly in terms of getting teams on mission, at the expense of readiness.
Cybercom has had to shift the ball from a readiness perspective over the years to adjust to the rapid nature of the force. For example, the command a few years ago determined metrics, such as the number of people on teams and their training, would not be sufficient to provide a holistic readiness picture.
Instead, readiness of teams would depend on their ability to plan, develop access, report and maneuver in cyberspace, hold targets at risk and deliver capabilities.
Congress has begun to take issue with Cybercom’s apparent readiness shortfalls as it relates to the cyber mission force, and most notably recently, the Navy’s contributions.
“As Ranking Member of the Cybersecurity Subcommittee, I have worked with U.S. Cyber Command to understand the readiness challenges faced by the Cyber Mission Force (CMF). I have also discussed these challenges with leaders in each branch of the military, including a Cybersecurity Subcommittee hearing and a visit to Fort Gordon, Georgia. These conversations culminated in my development of this provision,” Sen. Mike Rounds, R-S.D., said regarding a provision in the most recent defense policy bill that requires a plan by the secretary of defense and chairman of the Joint Chiefs of Staff to correct readiness shortfalls of the cyber mission force.
“I am also working to make certain that cyber career fields are prioritized within the Services in order to avoid a shortfall. Individuals in these roles defend the nation in the cyber domain in order to maintain our freedom and accomplish overarching goals. An adequate CMF is essential, as cyber-attacks are an existing and dangerous threat to our national security. The threat is not going away, and we must have well-equipped and sufficient manpower to combat it,” Rounds said.
Certain tools the command has developed have helped it track the readiness of teams, officials have said. Having greater fidelity of data and better training tools gives it a better sense of who is ready and allows commanders to make more informed decisions based on the status of individuals and teams.
Nakasone has told Congress that there are some areas where Cybercom thinks it can work with the services to improve readiness structures.
“However that’s done in terms of how the services provide us a continual stream of people, or maybe it’s repeat tours, or maybe it’s incentives for more of our young people to retain in our military force or our civilian force — I think those are areas that really intrigue me,” he said at the legal conference this week.