Gen. Nakasone releases US Cyber Command’s strategic priorities

Gen. Paul Nakasone, commander of U.S. Cyber Command, last week released an updated set of strategic priorities for the command that seeks to “own the domain.”

These refined priorities address global strategic challenges while enhancing Cybercom’s posture, according to the command.

The last command vision was released in 2018 when Cybercom was elevated to a unified combatant command. Since then, cyberspace — as well as adversary activities — have evolved significantly.

“Strategic competition has fundamentally changed the character of warfare,” Nakasone — who is entering his sixth year as leader of the command, which is typically a four-year term — said in a release. “From acute threats, pacing challenges, mis/disinformation and advancements in artificial intelligence and machine learning, our adversaries continue to challenge international norms and laws.”

Nakasone, speaking at the command’s industry day Monday, described 2024 as a pivotal year. Building upon streamlined authorities granted by Congress to conduct operations abroad in 2018 and enhanced authority to direct training and readiness, lawmakers last year provided the command significant authority for acquisition, taking over a portfolio of $3 billion. This will allow Cybercom to be more agile and have greater oversight and responsibility over acquiring capabilities it needs to stay ahead of adversaries.

“But [fiscal] ’24 is the year for us,” he said. “As we begin 1 October this fall, there are a tremendous amount of opportunities as we look toward the future that the department and Congress has empowered us to do.”

The new authorities will enable the command to act quicker against dynamic adversaries.

“These authorities will allow the command resources to respond rapidly to changes in adversary tradecraft within the domain and to maintain peace with shifts in technology and to innovate,” Holly Baroody, the command’s executive director, said during a presentation at the HammerCon conference, hosted by the Military Cyber Professionals Association, on May 18.

The three strategic priorities Nakasone released on May 17 center around people, partnerships and delivering a decisive advantage.

The first priority seeks to sharpen the force through readiness, resilience and mission improvement.

Nakasone has long spoken about the importance of improving the readiness of the force.

“One of the things that I’m most focused on is this idea of being able to drive a higher degree of readiness — how do we do that at a quicker pace?” he said.

Priority number two is to strengthen warfighting advantages through the competition phase to crisis and conflict.

Cyber has developed into the premier domain and tool for adversaries to achieve their goals in the so-called competition phase occurring below the threshold of armed conflict. Competitors have sought to use cyber and influence operations for subterfuge and sowing confusion.

The third priority aims to execute the command’s authorities to build and sustain a decisive advantage.

Along with the updated strategic priorities, Cybercom earlier this month also updated its “challenge problem set” for 2023. The problem set is a list of broad areas where the command seeks input from industry to close gaps it may have or ask for new technologies in order to improve capabilities.

“These are the six challenges that we’ve put out in terms of the problems that we need assistance and being able to solve,” Nakasone said. “As you think about these six challenges, what underlies all of them is the idea that we need to be able to get to … the outcomes quicker.”

Number one on the list are vulnerabilities and exploits.

“With vulnerabilities and exploits, when we’re thinking about it, a DOD Information Network that is as large as it is, how do I rapidly identify the vulnerabilities quickly and being able to patch them more expeditiously, particularly with the challenges of artificial intelligence in the hands of adversaries in the future? These are things that we’re going to have to be able to do,” Nakasone said.

This paradigm shift, in which adversaries are able to turn vulnerabilities into exploits in just hours, is a manifestation of the need for updated strategic priorities from 2018 when Nakasone first came into the role.

“Looking back just two or three years ago, when a new vulnerability was identified in Microsoft Office or Microsoft Windows or Linux, that we probably had six months to a year to posture the DODIN to be able to defend ourselves against that. We’d at least have two or three months,” Michael Clark, who until last week was the command’s acquisition chief, said at the AFCEA TechNet Cyber conference earlier this month. “Today, it’s hours. Today, our adversaries are taking advantage of large language models [like] ChatGPT, and can field an exploit and throw it against the DOD within hours. How do we begin operating, defending ourselves in that kind of environment?”

Clark, who has gone back to the plans and policy, or J5, directorate at Cybercom, noted that the command itself must figure out how to harness that kind of technology to achieve its objectives.