Congress axes independent cyber force study

Lawmakers stripped language from the annual defense policy bill that would have required an independent study to determine the feasibility of creating a separate cyber military service.

In the conference report for the reconciled version of the fiscal 2024 National Defense Authorization Act, legislators noted that they nixed a provision that was included in the Senate bill that would have directed the secretary of defense to enter into an agreement with the National Academy of Public Administration to conduct an evaluation regarding the advisability of establishing a separate military branch for digital warriors.

There has been a growing chorus in recent years arguing for the creation of a cyber service or cyber force, that would be the seventh uniformed military service following the creation of the Space Force in 2019.

Each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands. But each branch has its own identity, culture, and way of classifying and providing forces to Cybercom — and observers have argued that this has been to the detriment of cyber warriors given they are soldiers or airmen or sailors first, with a secondary focus on cyber.

The argument for a new model is that the current system does not work. However, opponents of a new service say there hasn’t been enough time to allow the current system to prove itself — especially given Cybercom has only just gained full control over its budget in October with service-like authorities much like U.S. Special Operations Command.

Some outside organizations were upset to see the provision excluded from this year’s legislation.

“The exclusion of the Cyber Force study in the NDAA is beyond disappointing; it’s a deliberate impediment to progress in an area where it’s needed most,” Nathan Rolfe, president of the Association of US Cyber Forces (AUSCF), a nonprofit dedicated to advancing the capabilities and effectiveness of the United States in the cyber domain, said.

“With the cyber talent gap continuing to worsen nationwide, and traditional military thought still holding back the DOD from realizing its full manning and operational potential in the cyber domain, we cannot keep pace with the aggressive advancements of our major power peer competitors. This omission from the NDAA is not a delay; it represents backward momentum in terms of national security,” Rolfe added.

AUSCF has been advocating for the creation of a cyber force. The organization noted that while the Senate bill fell short of establishing a separate cyber force, a feasibility study would have been the first proactive step in safeguarding the nation’s security and an investment in the future resilience of U.S. digital infrastructure.

Additionally, the Military Cyber Professionals Association (MCPA), a nonprofit dedicated to advocating for military cyber issues, sent a memo in March to both houses of Congress urging the creation of a United States Cyber Force in this year’s annual defense policy bill.

“Given the serious consequences of both action and inaction, the MCPA looks forward to serious analysis of the options at hand to reorganize and establish a Cyber Corps, Force, Service, or the like. Studies should be conducted both internal to DOD, including those sponsored by DOD entities, and those independent that are unencumbered by the requirement to tow the current party line,” Chris Cleary, MCPA national president, said in a statement.

The Senate’s provision, introduced by Sen. Kirsten Gillibrand (D-N.Y.), that was stripped would have examined the best route forward between establishing a separate armed force dedicated to operations within cyberspace or refining and evolving the current approach for Cybercom, based on the Socom model.

Lawmakers have danced around the issue of an independent cyber service in years prior, mandating the Department of Defense include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review, as well as a separate examination of the current cyber enterprise; how the services should man, train and equip for cyber; if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force; and if the DOD should create a separate service.

Members of Congress have not been pleased with how the Pentagon has responded to these assessments and reports — and in some cases, not providing assessments — leading to calls for an independent study.

Moreover, in successive NDAAs Congress has sought to address concerns related to the readiness of the current cyber forces, to include a provision in this year’s bill to create a more standard approach to how the military services present forces.

The House version did not include a provision regarding a study, but had two provisions aimed at improving and examining the current structures. The first directed a review of DOD’s management of cyber operations, while the other directed the Pentagon to assess the resiliency of its cyber operators given personnel often work long hours and are always conducting operations in constant contact with adversaries in cyberspace — either defending DOD networks from daily enemy probes or carrying out offensive ops.

The review was included in the conference bill’s report language and the assessment was adopted by conferees.