The Pentagon’s cyber reform effort stumbles out the gate

The Pentagon just released its budget request for the upcoming fiscal year and, if an organization’s budget reflects what it values, cyber operations are not a top priority. While President Donald Trump’s national cyber strategy affirms that this administration will “act swiftly, deliberately, and proactively” and no longer “tinker at the edges” of America’s cybersecurity problem, the Pentagon bureaucracy does not appear to have gotten the memo. The Fiscal Year 2027 request includes just a small fraction of what the department itself said is necessary to fix shortfalls in America’s military cyber capabilities. After trusting the military to fix its own problems with unsatisfactory results, it is time for President Trump and the Congress to seize the reins and establish the United States Cyber Force to address the military’s cyber failings.

For more than a decade, Pentagon officials have repeatedly pledged to Congress that they were taking seriously lawmakers’ concerns about the readiness of the nation’s cyber forces. In November, Defense Secretary Pete Hegseth approved a new force generation plan, an updated CYBERCOM 2.0 plan, that would create three new organizations within U.S. Cyber Command focused on talent management, training and education, and capability development. Back in March 2025, the anticipated price tag to implement this initiative in FY27 was $956 million, however the proposed budget allocates including less than $75 million to CYBERCOM for the effort, less than 8% of the combined estimate presented to the Hegseth last year. The budget also included $103 million in incentive pay, however, this was allocated to the military services, with serious questions about whether these funds will actually be used for its intended purpose. 

Measured against the plan’s total projected cost of $3.7 billion, at the current rate of spending Americans should not expect meaningful improvements in the military’s cyber posture for another 74 years.

This discrepancy is all the more shocking because the Pentagon’s budget request represents a historic investment in defense. At $1.5 trillion, the budget will address underinvestment in key capabilities and significantly increase funding for Trump administration priorities, such as Golden Dome ($17.9 billion), the new B-21 Raider aircraft ($6.1 billion), and counter-unmanned systems efforts ($20.6 billion). Against this backdrop, the department’s failure to support its cyber mission is all the more concerning. 

The military’s reticence to prioritize cyberspace is a longstanding challenge. Four years ago, Congress felt compelled to intervene to address the military’s cyber readiness deficit. After more than a decade of work, the military’s hacking teams, the Cyber Mission Force, had still not reached the level of maturity that senior military and civilian leaders over the years had promised. The force was undermanned, readiness was unsatisfactory, and training was disjointed — all items that Congress had repeatedly, but unsuccessfully, tried to address. Congress’ response to the state of affairs was clear: the military should take 18 months to develop a new, functioning approach for building combat capability in cyberspace. 

At that time, then-CYBERCOM Commander Gen. Paul Nakasone said that “all options are on the table except the status quo.” The Pentagon announced a plan in December 2023. But, after a year of little progress, Congress included another provision in the annual defense bill requiring an independent study on alternative force generation models.  

Testifying before Congress last month, Assistant Secretary Katie Sutton, the department’s senior-most civilian cyber leader, conceded “our approach to building cyber talent has not been keeping pace with the rapidly evolving and increasingly contested cyberspace domain.” Elaborating further, she warned that the department faces “significant challenges…recruiting the right people with the right aptitude and skillsets, retaining our most skilled and experienced operators in the face of lucrative private-sector opportunities, and providing the specialized, agile training needed to win against our nation’s adversaries.” 

The Pentagon has no plan to fully remedy this problem. It may point to its $103 million request for incentive pay to address its force generation problems or alternatively as part of its CYBERCOM 2.0 allocation. This is misleading at best. These funds will go to the military services, not Cyber Command, making oversight of the investment more opaque, with no guarantee the services will use the funds exclusively for cyber incentive pay. To date, the services have been the cause of dramatic disparity in incentive pay, with cyber-qualified individuals making earning dramatically different pay, even if occupying the same work roles.  

The Pentagon’s budget confirms what those advocating for a Cyber Force have long known: absent a dedicated military service aligned to the cyber domain, there is no advocate within the defense establishment focused on building capabilities for cyber warfare. Without a military service to organize, train, and equip for this fight, cyber will always be a secondary or tertiary consideration for the existing military services, which are primarily judged on their ability to build combat capabilities for ground combat, maritime warfare, littoral operations, air combat, and space operations. Rep. Pat Fallon said it best in a recent address at the Center for Strategic & International Studies: “For the life of me, I can’t understand why anyone would say that having the Army to focus on land warfare and the Air Force to focus on air combat is sensible, but having a Cyber Force is a bridge too far.”

Indeed, creating a new military service for the cyber domain is no different from the Navy’s stewardship over the maritime domain or the Army’s responsibilities for ground combat. The systemic issues affecting the military’s cyber ecosystem echo the aviation community’s challenges before the Air Force’s establishment in 1947, as well as those of the space community before establishment of the Space Force in 2019. In each case, the established services undervalued the military relevance of new technologies and access to a new domain of warfare, failed to adequately address the competing requirements of the new warfighting domain, and were unable or unwilling to build leaders with domain mastery. 

The department created Cyber Command in 2010 to plan and execute missions in cyberspace. By the Pentagon’s own admission, military cyber readiness is lagging amid recruitment and retention challenges. Fifteen years is more than enough time before rendering judgement on the Pentagon’s approach. 

The Pentagon’s latest budget proposal reveals its hand: it has no intention of fixing the military’s cyber readiness shortfall because no one owns the cyber mission space. 

The only solution is to establish a Cyber Force responsible for organizing, training, and equipping for the cyber domain. Already, there is a robust, bipartisan, and bicameral coalition advocating for its establishment. Lawmakers know that, until there is a service that is uniquely responsible for force generation for cyberspace, nothing will change. 

Time has run out, and both the country and our service members deserve better.