Pentagon touts revised cyber force generation model, but some experts say it’s insufficient

The Defense Department recently announced a revised cyber force generation model aimed at bolstering recruitment, training and retention of digital warriors. But some analysts say the changes won’t solve fundamental problems that can only be fixed by creating a new cyber-focused military service.

The Pentagon, meanwhile, appears to be leaving the door open for such a move.

In a Nov. 6 press release, DOD officials wrote that the revised model “enables the Department to build mastery, specialization, and agility” in the cyber forces assigned to U.S. Cyber Command.

Cybercom, headquartered at Fort Meade, Maryland, is the combatant command responsible for leading U.S. military operations in the digital domain.

According to officials and other observers, the old way of doing things was problematic. Some have noted that it led to readiness shortfalls and disparities among the teams that each of the services contributed to the Cyber Mission Force under Cyber Command.

“Since its inception over a decade ago, USCYBERCOM has relied on traditional military services’ man, train, and equip models to source its cyber forces. While appropriate for other warfighting domains, these traditional models have not met the unique requirements necessary to fight and win in the cyber domain,” officials wrote in the press release announcing the new approach.

What the revised model entails

According to DOD, the new approach under the “CYBERCOM 2.0” initiative — which was first contemplated during the Biden administration — will involve “integrating USCYBERCOM with the military departments to recruit, assess, select, train, and retain” the nation’s digital warriors.

The fundamental attributes of the updated model, according to DOD officials, include:

• Recruiting for assignment to Cyber Command and assessing for cyber work role fit.
• Incentivizing “cyber domain mastery” and retaining talent within the Cyber Mission Force.
• Providing specialized, mission-specific training to meet operational requirements.
• Adopting career paths that enable the development and retention of experts within the Cyber Mission Force.
• Shaping unit specialization and collective training based on tailored mission requirements.
• Presenting a fully functional tactical headquarters that “drives operational outcomes.”
• Implementing unit phasing to support a “sustainable operational tempo.”

A Cyber Talent Management Organization, Advanced Cyber Training and Education Center, and Cyber Innovation Warfare Center will be expected to support those efforts, according to the Pentagon.

What DOD leaders are saying

In statements accompanying the Nov. 6 press release, Pentagon leaders touted the new reforms.

“The model fundamentally changes the Department’s approach to generating cyber forces, enabling increased lethality in our cyber forces and establishing a warrior ethos built on domain mastery, specialized skills, and mission agility,” said Katie Sutton, assistant secretary of defense for cyber policy.

Elbridge Colby, undersecretary of defense for policy, asserted that the update will enhance the Pentagon’s ability to “respond decisively” against evolving threats.

“The War Department is laser-focused on strengthening our military’s cyber capabilities,” Colby said. The Trump administration recently rebranded the Department of Defense as the Department of War (DOW).

Sutton and others had previously noted the need to strengthen the Pentagon’s offensive cyber arsenal.

Anthony Tata, undersecretary of defense for personnel and readiness, said the new approach will accelerate the buildup of cutting-edge cyber tools that are needed to address “acute and emerging” threats and bolster deterrence against “escalating aggression” in the digital realm.

“Under the leadership of Secretary [Pete] Hegseth, the Department is acting swiftly to establish policy, implement programs, and execute a new approach to recruiting, developing, and retaining cyber talent, ensuring that we remain ready to achieve peace through strength,” Tata stated.

‘More needs to be done’

Despite that excitement from the Defense Department’s top brass, analysts who spoke to DefenseScoop said the new model isn’t sufficient, suggesting that the changes aren’t as transformational as Pentagon leaders are making them out to be.

“I would consider it to be a minor tweak. I mean, I think that there’s discussion of having more joint training and having some recruitment incentives, but it doesn’t change the sort of fundamental aspect of force generation that it’s going to happen individually by each service, that it’s going to be done by officers in that service who may have other priorities besides cyberspace’s domain. And so, at the margins it may result in improvements,” said Matt Pearl, director of the Strategic Technologies Program at the Center for Strategic and International Studies and former director for emerging technologies at the National Security Council during the Biden administration.

Pearl added: “I think more would need to be done.”

“I don’t think that this solves some of the fundamental challenges. One of them just fundamentally being that cyberspace is the only warfighting domain that does not have a [U.S.] military service,” he told DefenseScoop. “In every other case, there’s a separate military service because of a recognition of the unique attributes and challenges that are associated.”

He noted that the press release announcing the new force generation model didn’t indicate that the head of Cyber Command or another senior officer would oversee cyber personnel recruitment across all the military services.

A senior Pentagon official, addressing questions from DefenseScoop on condition of anonymity, indicated that the military departments will still be in charge of their respective efforts in that regard, but the head of Cyber Command will have additional impact when it comes to force generation.

“CYBERCOM 2.0 empowers the Commander, USCYBERCOM to execute authorities granted to him or her in Title 10, Section 167b. The Military Departments will retain Title 10 Authority for recruitment of forces and foundational cyber training. This model enables Commander, USCYBERCOM to exert greater influence over the Department’s generation of cyber forces assigned to USCYBERCOM. CYBERCOM 2.0 efficiently synchronizes Commander, USCYBERCOM’s authorities with the activities and authorities of the Military Departments to optimize the generation of DoW’s cyber forces,” they said in a statement to DefenseScoop.

Retired Rear Adm. Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, told DefenseScoop that combatant commanders should be responsible for force employment, not force generation. He noted that the leader of Cybercom already has a lot on their plate while being dual-hatted as director of the NSA, which is co-located at Fort Meade.

“The truth is … force generation is not a Cyber Command mission or problem. Force generation is a military services problem. And as long as the [existing] military services rank cyber as like priority number eight or nine or 10 or 11 or 12, 13, 14, 15, whatever … it’s not going to get fed at the [resource] trough,” Montgomery said.

“The current model has people who don’t prioritize your [cyber] mission set for good reasons,” he added. “If I were the head of the Navy, I would prioritize submarines, fighters, Aegis [weapons systems], radar, submarine operators, fighter maintenance guys and pilots and Aegis operators, because that’s the blocking and tackling of my service. Cyber is coming up much later on.”

Fundamentally, the revised approach isn’t much different than previous models, in Montgomery’s eyes.

“Services are force generators. This is what we’ve been doing. What they’re describing is the existing process that has failed us for a decade,” he said, noting that during that timeframe, China has been ramping up its cyber operating forces at a much greater rate than the U.S. and has set up a dedicated cyber force. “One of us is doing it right and one of us is doing it wrong.”

Experts told DefenseScoop that the service’s recruiting standards are suboptimal for bringing in cyber talent.

“You can’t maximize the potential effectiveness” under the current system, Pearl said.

“If you look at things, for instance, like enlistment criteria, it’s very important and understandable that each of the other military services has physical requirements in terms of who is able to enlist in those services. And that’s not as necessary in cybersecurity. And so as a result, we’re leaving a lot of talent on the table and a lot of people who could really contribute to the U.S. military in terms of conflict in cyberspace, but, just as an example, who may not be able to pass the physical requirements,” he said.

Recruiters, who have to bring in personnel to fill a variety of military occupational specialties, aren’t necessarily prioritizing cyber-savvy individuals, analysts noted.

“Recruiters are working hard … to make their numbers. And with the physical fitness problems we have in high schools, they’re having to concentrate outside the locker rooms to get the right kids, not outside the robotics lab. They’re not excited about a fat kid with a tattoo — but I would be if I were in the [potential future service called] Cyber Force. So as far as I’m concerned, until you have a separate service that’s fixated on recruiting, training, maintaining and retaining the right kind of cyber warfighter that we need, we’re not going to solve the force generation model,” Montgomery said.

‘Decision space’ for the Trump administration

The idea of creating a standalone military service focused on cyber — or a “Cyber Force” — is a fiercely debated one in the U.S. national security community.

While some experts see it as an essential step to address readiness shortfalls, others view it as disruptive and say that a more Cyber Command-centric approach that leverages service-like authorities would yield better results. Some critics of the Cyber Force concept have worked at and served in leadership positions at Cybercom.

Montgomery said standing up a Cyber Force would help, not hurt, the combatant command.

“They’d kick ass,” he said. “If we had better force generation, we’d have better force employment. Cyber Command is the ultimate winner from the creation of a cyber service.”

The Trump administration appears to be leaving the door open for future moves.

When asked whether DOD leadership is considering setting up a separate military service focused on cyber, a senior Pentagon official told DefenseScoop that rolling out the revised cyber force generation model preserves “decision space” for the president and lawmakers.

“CYBERCOM 2.0 was informed by proven models across the Department to focus our cyber force generation efforts on delivering immediate warfighting outcomes. A key attribute of the model is that it allows the Department to immediately implement foundational force generation initiatives, while still preserving Presidential and Congressional decision space to build on new and existing force generation processes,” they said on condition of anonymity.

In a statement accompanying the Nov. 6 press release announcing the revised model, Sutton — who serves as the principal cyber advisor to the secretary of defense — said the initiatives approved by Hegseth are critical to meeting “immediate needs” in the cyber domain, while “supporting future decisions on the Department’s cyber forces.”

Montgomery told DefenseScoop that the core attributes of the revised model that were highlighted in the Nov. 6 press release are things that would be best done in a singular service focused on cyber.

“This document can help frame what they want Cyber Force to do,” he said.

The release “beautifully lays out why you need a Cyber Force and how you would organize it … [and] what critical functions you would give it. They just haven’t said ‘develop a Cyber Force’ because the president hasn’t said to,” according to Montgomery.

President Donald Trump was instrumental in the establishment of the Space Force as a separate military service during his first term. Some observers believe he might call for creating a Cyber Force in his second term.

“I’m not convinced that this president won’t do it,” Montgomery said, adding that he thinks the new Pentagon leadership will eventually become advocates for a Cyber Force.

The second Trump administration “needs to get in and do some learning, but I’m confident they will end up at the right solution in the next six months,” Montgomery said.

A new commission was stood up a few months ago by CSIS in partnership with the Cyber Solarium Commission 2.0 project at FDD to chart a path toward developing an independent Cyber Force for the U.S. military. The members — including former senior DOD leaders and cyber officials — are looking at the foundational issues for that type of entity, such as the organizational structure, core functions, roles and responsibilities, and necessary authorities.

Montgomery estimated that a new cyber service could reach initial operating capability in 12 to 18 months, although fully building it out would be a years-long process.

“This is a significant change … to create a Cyber Force,” he noted. “They need consistent, single administration leadership for at least two and preferably three years. So they’ve got to make this decision, I think, in the next six months so they can implement it over three years.”

Congress would need to approve the creation of a new military service focused on cyber. Montgomery believes there would be sufficient backing on Capitol Hill for such a move, but only if Trump pushes for it.

“There’s support to do what the administration wants,” he told DefenseScoop.