Defense policy bill directs creation of ‘cyber intelligence capability’

The compromise annual defense policy bill between the House and Senate Armed Services Committees directs the Pentagon to establish a dedicated cyber intelligence capability.

The language in the conference version of the fiscal 2025 National Defense Authorization Act marks a change from a provision that passed out of the Senate that specifically called for a dedicated cyber intelligence “center” rather than a “capability.”

Senate lawmakers introduced the provision in last year’s defense policy bill, but it was axed during the reconciliation process. The exact same provision, word for word, had been reintroduced this year and again passed out of committee and the full chamber.

The conference version, released over the weekend, requires the secretary of defense along with the director of national intelligence by October 1, 2026 to ensure DOD has a dedicated cyber intelligence capability in support of the military cyber operations requirements for the warfighting missions of U.S. Cyber Command, other combatant commands, defense agencies, the Joint Staff, and the Office of the Secretary of Defense.

Additionally, the defense secretary must ensure the Pentagon budget materials submitted for each fiscal year beginning with fiscal 2027 should include a request for funds necessary for the capability, noting the funds under the Military Intelligence Program must be made available for Cybercom. It further directs that the National Security Agency cannot provide any information technology services for the cyber intelligence capability, laying it squarely on Cybercom.

In its conference report accompanying the final bill last year where the center was eliminated, lawmakers said while they agree intelligence support to the planning and execution of cyber operations conducted below the level of armed conflict for preparation of the operational environment, must be improved, the causes of, and solutions to, this requirement are complex. They noted that while they’re concerned DOD will fail to address the shortfall without a legislative mandate, they weren’t prepared to dictate a specific organizational solution, but expect the secretary of defense to generate and implement one.

A Senate Armed Services Committee spokesperson previously stated following the panel’s markup of the bill earlier this year, that the committee hadn’t seen enough progress from DOD and there is still a demand signal within the department for the legislation. Introducing it again places pressure on the Pentagon to make progress, they added.

The report accompanying the final conference version between both chambers this year noted members foster continued support for the creation of a cyber intelligence capability within DOD, adding they recognize that there are pockets of people with useful analytical expertise across existing service intelligence centers that will have valuable contributions to the cyber intelligence mission — and the notion that those contributions may go beyond any single center is understandable.

“We believe that as the Department formulates a plan for addressing this provision, it is important to carefully consider what constitutes a ‘cyber intelligence capability.’ We believe that capability should include existing centers where relevant expertise exists, but should also focus fundamentally on how to build and maintain the new and emerging types of technical knowledge and expertise that is needed by the cyber operations community, but that does not currently exist anywhere in the Department in the scale or depth that is required,” the members wrote in the explanatory statement. “Based on recent experience and the emerging results from current cyber pilots, we do not believe that existing all-source intelligence centers alone will be sufficient for the intelligence needs of cyber operators in the future.”

Cyber intelligence and intelligence support to cyber has often seemed elusive, with officials explaining the inherent differences and challenges associated with it relative to traditional military intelligence, especially since it is also so new.

When it comes to foundational intelligence, much is known about the physical world and the platforms like tanks and airplanes that forces have been using for decades. But that is still lacking in the cyber or network realm where detailed intelligence on foreign computer systems, configurations and architectures are paramount for successful operations. This also extends into the open-source world of social media as well.

For years, dating back to when Cybercom was created, there have been talks about building the capability and capacity for developing organic cyber intelligence within the U.S. military. Relatedly, as cyber has grown in importance, there have been increasing discussions at the Defense Intelligence Agency regarding what constitutes foundational cyber intelligence.

Additional challenges include the relationship between Cybercom and NSA. Despite the close linkage — the two organizations share a boss and are co-located — NSA has a fundamentally different mission focused on foreign intelligence targets. Having a dedicated military cyber intel capability under Title 10 — the part of U.S. law that governs the armed forces — is considered increasingly important. In fact, Cybercom sought to create such a capability and center as a pilot effort a couple of years ago.

Conferees from last year’s NDAA, as well as other sources, indicated that as a still maturing combatant command — created in 2010 and only reaching full-blown command status in 2018 — Cybercom must improve its ability to define and articulate requirements for intelligence support. Members of Congress noted that it’s likely Cybercom will continue to need assistance in maturing requirements, with the secretary of defense ensuring that aid is provided by DIA, NSA and intelligence components of the military departments.

At issue are funds and resources required to help establish the necessary capabilities to assist Cybercom and cyber intelligence support, with one former defense official noting that while it will cost money, NSA believes they have it covered and DIA’s budget is much smaller than NSA’s and can’t afford it.

Congressional conferees previously explained they couldn’t burden the national intelligence mission and budget of NSA for the level of tailed support for military cyber operations needed, adding the secretary of defense should provide funding separate from the national intelligence budget for Cybercom to acquire and sustain required technical analytical capability and capacity.

The 2023 DOD cyber strategy sought to make intelligence support for cyber operations a priority, expanding on the 2018 version that simply asserted the department “will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict.”

“The 2023 DoD Cyber Strategy places renewed emphasis on the role intelligence plays in the planning and execution of cyberspace operations,” Ashley Manning, acting assistant secretary of defense for cyber policy, stated in written congressional testimony earlier this year. “The Office of the Under Secretary of Defense for Policy is working closely with the Office of the Under Secretary of Defense for Intelligence and Security, and through them, the Defense Intelligence Enterprise, to ensure that the intelligence requirements of the cyber warfighter are prioritized. The Department will improve business practices and human capital management processes to expand cyber intelligence production and reduce barriers to information sharing consistent with applicable law, policies, and procedures.”

The strategy notes the DOD will prioritize necessary reforms to meet the intelligence needs of the cyberspace operations community.

There is wide belief that such an organization is needed, on par with how intelligence centers are set up for the other domains of warfare such as the National Ground Intelligence Center or National Air and Space Intelligence Center.

The agreed-to language for the provision might make it tricky to implement, Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, said.

Cybercom chief Gen. Timothy Haugh noted that there is a gap in how DOD thinks about cyberspace as a warfighting domain.

“Our targeting process is so built around the physical location. This does bring complexity that looks very different when we start to think about applying all the tradecraft that we’ve done for decades on how we target. Building that foundation is an area that we will continue to work with the department,” he said at a dinner hosted by the Intelligence and National Security Alliance in July.

He noted that DIA Director Lt. Gen. Jeffrey Kruse has agreed on a series of pilots to look at problem sets on how the broader intelligence enterprise can help enable Cyber Command from a foundational intelligence perspective.

Kruse told Congress earlier this year his organization was running a series of pilots and “sprints” to evaluate and improve how it provides what it calls foundational cyber intelligence.

“We’re going to take those pilots, we’re going to bring them back into the department to say this is what we think are the lessons that we’ve learned and how we can close that gap from a foundational intelligence perspective,” Haugh said.