The prospect of an independent Cyber Force within the US military might be assessed in Washington soon. However, experts aren’t sure that this is the right time to commit to reorganization.
A provision in the US Senate Armed Services Committee’s version of the fiscal 2024 National Defense Authorization Act (NDAA), specifying the annual defense budget, directs an outside study on the creation of an independent cyber service.
This would presumably be the new US Cyber Force, akin to the Army, Navy, Air Force, Marine Corps, and Space Force.
A provision in the executive summary of the NDAA mentions “an independent assessment of creating a Cyber Force or further evolving the existing force development and management model.”
The Committee is suggesting that the Department of Defense (DoD) use the National Academy of Public Administration to conduct the assessment, which would be neutral. The full NDAA language hasn’t been released yet.
Of course, the provision is probably just the first salvo in what could be a protracted battle between various agencies inside and outside the Pentagon.
But for quite some time now, there have been rumblings that the US Cyber Command, one of the eleven unified combatant commands of the DoD, is not powerful and organized enough to combat the threats in cyberspace. Some experts, though, doubt this would be the right time to reorganize.
Strong voices in favor
It’s clear it’s been coming, especially after the chairman of the House Armed Services Committee directed the Comptroller General to review the DoD’s management of cyber operations in order to better understand how the US military trains and funds forces for cyber operations.
Right now, each of the military services is responsible for providing personnel for a set number of teams to US Cyber Command. The latter then employs those forces in operations for other combatant commands.
However, each service has its own way of operating: the cultures, identities, and methods of classifying and providing forces are different.
According to critics of the current modus operandi, this usually means that for many of the service members, cyber is not the priority. Besides, supporters of a separate Cyber Force point out that a more consistent approach is sorely needed because the current Cyber Command is overly reliant on personnel from other military branches.
Last but not least, modern cyber threats are something the US already finds it hard to keep up with, even though America has long held the advantage in cyberspace. Russian, Iranian, North Korean, and especially Chinese cyber actors are now posing a significant threat to US national security, experts say.
In a statement on March 26th, the Military Cyber Professionals Association (MCPA) called for the creation of a US Cyber Force and said that modern threats are "significant, dynamic, ever-present, and consequential."
They can no longer be addressed in a hodgepodge fashion, according to the MCPA, which has more than 3,000 members.
"For a decade, each service has taken its own approach to providing United States Cyber Command Forces to employ and the predictable results remain inconsistent readiness and effectiveness," the group wrote. "Only a service, with all its trappings, can provide the level of focus needed to achieve optimal results in their given domain."
This camp also boasts the very influential voice of James Stavridis, a retired Navy admiral and former supreme allied commander of NATO. In a column for the Boston Herald in March, Stavridis said that a new Cyber Force “is now also necessary.”
A lot of work already
A new Cyber Force could be modeled on the US Space Force, established in late 2019 under the Donald Trump administration. The Space Force is rather small, with less than 10,000 uniformed personnel, but it runs around 100 spacecraft and supports US satellite systems.
A Cyber Force could be even more modest, according to Stavridis. Moreover, its staff could be housed in the DoD or the Homeland Security Department. All this would translate into lower costs.
Even so, the Biden administration isn’t complementing its aggressive push to bolster the US cyber defenses with a commitment to creating another military service. In fact, even the White House’s National Cybersecurity Strategy, released in March, doesn’t mention it.
This is for good reasons, opponents of the independent Cyber Force pointed out to Cybernews. They would like to give the current model more time – and a chance to show its worth.
After all, the current US Cyber Command’s stature was only elevated to a fully unified combatant command in 2018, and the Cyber Mission Force within the Command is expanding from 133 to 147 teams.
"A new Cyber service will still rely on the intelligence community, namely the NSA, as US Cyber Command currently does,”Michael Klipstein.
According to US Army Major General William Hartman, commander of the Cyber National Mission Force, cyber warriors are not sitting idly. The force actively plans and directs cyberspace operations to deter, disrupt, and if necessary, defeat adversary cyber actors.
During the 2023 RSA Cybersecurity Conference, Hartman claimed they had completed 47 defensive operations across 20 countries in the last three years – all had been via invitation. Ukraine is quite obviously a temporary home for dozens of American cyber specialists, too.
Finally, Biden’s team keeps pushing, too. The president’s recent budget proposal called for $13.5 billion for DoD cyberspace efforts – that’s a $1.8 billion increase from the current budget. $3 billion goes to the US Cyber Command.
Michael Klipstein, former director of International Cybersecurity Policy for the National Security Council, additionally warns that personnel for the new Cyber Force would have to be pulled from the existing services.
“Another problem is that a new Cyber service will still rely on the intelligence community, namely the NSA, as US Cyber Command currently does,” Klipstein told Cybernews.
The elephant in the room
Tom Kellermann, Senior Vice President of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity for President Obama’s administration, told Cybernews that he didn’t think that a new Cyber Force was needed – this is not the right time.
“This is not the time to reorganize as we are waging a counter-insurgency. Cyber Command is viable and well-entrenched. The last thing we need is to reorganize while we are fighting a guerrilla war in American cyberspace,” said Kellermann.
According to him, US Cyber Command already defends the country internationally, while at home this is done by the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation.
“Anytime there is an overlap, the Joint Task Force is activated. These distinct missions must exist so as to comply with US law and existing legally binding authorities,” Kellermann told Cybernews.
Irina Tsukerman, a geopolitical analyst and national security lawyer, concurs. Although she agrees that the current system is a bit of a mess, her concern is that a new Cyber Force would not actually replace it.
“It will instead add a layer of complexity by creating yet another parallel bureaucracy which will compete with the Cyber Command. Very few agencies have been abolished or completely scrapped as a result of new US initiatives,” Tsukerman told Cybernews.
As a result, the institutions most likely to be scrapped or significantly diminished have the most to gain from not playing along and resisting change.
“Moreover, it is not yet clear how a new structure would streamline the process any more than the Cyber Command has. In order to ‘control’ other federal agency cyber sectors, it would still need to be either a direct part of or to coordinate with those agencies, which would essentially replicate the current dilemma,” Tsukerman believes.
Finally, there’s this elephant in the room, she adds: “It’s the general cybersecurity weakness across all agencies that has fluctuated but mostly gotten worse over the past several administrations.”
“All the restructuring in the world will not help address the proliferation of agencies that have gotten far behind in the process and where both the technical and the personnel sides of the issues are simply not prepared for the increasingly sophisticated threats and concerns,” said Tsukerman.
Mike Lyborg, chief information security officer at Swimlane, a security automation company, told Cybernews that around 75% of the US federal budget is allocated toward operating and maintaining legacy systems.
It is, of course, tiresome: “These systems consist of outdated technology that lacks the necessary safeguards to withstand modern cyber threats.”
More from Cybernews:
Subscribe to our newsletter