Facebook
Twitter
LinkedIn
EmailIt is no longer a matter of debate that cyberspace will be—indeed, already is—a central element of modern conflict. As Russian conventional forces prepared to invade Ukraine in February 2022, its cyber forces had already initiated the conflict in cyberspace. In the hours before the war’s onset, the GRU launched a cyber attack against Viasat, a satellite communications provider, to degrade Ukraine’s command, control, and communications capabilities. And just last year, the US government warned that Chinese actors had infiltrated in US and allied critical infrastructure networks, laying the groundwork to launch cyber attacks in the event of a crisis or conflict with the United States.
Yet, despite officially recognizing cyberspace as a domain of warfare for more than two decades, the US military still lacks the capabilities necessary to fight and win the nation’s wars in cyberspace. There are critical gaps across the military in recruiting and retention of quality personnel, as well as mastery of vital skills for the cyber domain.
Internal surveys routinely reveal frustration and dismay among personnel about leadership, culture, mission, and climate. Indeed, our prior research, which drew on more than 75 interviews with active-duty and retired US military officers with significant leadership and command experience in the cyber domain, revealed an alarming picture of the status quo.
The Need for a New Approach
Put simply, the military’s current force generation model—its approach to organizing, training, and equipping personnel—for cyberspace is broken. Force generation is fragmented across the existing Services: Army, Navy, Air Force, Marine Corps and, soon, Space Force. Understandably, each Service is prioritizing recruiting, training, managing, and equipping personnel for the distinct warfighting requirements of their primary operational domains, not the cyber domain. Moreover, unlike special operations, there is little overlap between the skills, physical standards, and capabilities needed to fight in cyberspace versus on land, at sea, in the air, or in space.
At the same time, US Cyber Command—the primary force employer for the cyber domain—has gained increasing “service-like” responsibilities, such as enhanced budgetary authority to acquire capabilities and ownership of major aspects of training and workforce development. However, US Cyber Command is limited in its ability to impose requirements on the Services for recruiting and initial training. And even if it sets higher standards, it has little recourse if (and when) the Services fail to meet them.
This distributed approach to force generation has resulted in inconsistencies and shortfalls in the proficiency and readiness of US military cyber capabilities. The best and only way to fix these widely-recognized readiness challenges is to establish an independent branch of the Armed Forces dedicated to organizing, training, and equipping the military for the cyber domain—a US Cyber Force. An independent cyber service would naturally prioritize the creation of a consistent approach to recruitment, training, promotion, and retention of qualified personnel whose skills correspond to the requirements of warfighting in cyberspace.
Such an approach would be in line with historical precedent, following in the footsteps of the establishment of the Air Force in 1947 and the Space Force in 2019. The creation of both of these services reflected a recognition that the air and space domains, respectively, play unique roles in warfighting and demand a single service laser-focused on generating capabilities that align to those domains. So too, cyberspace is a distinct operational domain with unique force generation requirements—and thus demands its own service that can optimize organizing, training, and equipping for that domain.
Establishing a US Cyber Force would also be consistent with how the United States distinguishes between roles and responsibilities across the services and the combatant commands. The 1986 Goldwater-Nichols Act defined clear roles for the Services as force generators, and the Combatant Commands as force employers. A US Cyber Force would align force generation in the cyber domain with the model applied to every other domain of warfare. An independent service would also facilitate robust civilian oversight, as there would be a civilian Secretary overseeing the service and accountable to Congress.
How a Cyber Force Would Work
If created, what might a US Cyber Force look like and what would its responsibilities be? At its core, this service would be the nation’s principal force for the cyber domain. It would be a separate, independent military service of the Armed Forces. We propose that the most pragmatic approach would be to establish the US Cyber Force under the Department of the Army, in part due to the Army’s greater bandwidth to manage a new service (the Departments of the Air Force and Navy also oversee the US Space Force and US Marine Corps, respectively). That said, it will be critical for the US Cyber Force to have the opportunity to develop a distinct service culture matched to the requirements of the cyber domain, rather than be dominated by Army culture.
Similar to the other services, the enduring purpose of the US Cyber Force would be to generate the capabilities required to leverage cyberspace as an instrument of power to achieve national and strategic objectives—even as how it does so will likely change over time, given the dynamism of cyberspace. It would be the proponent for joint concepts in cyberspace operations and drive requirements across doctrine, organization, training, material, leadership and education, personnel, facilities, and policy.
More specifically, the US Cyber Force would have the primary force generation responsibility for offensive and defensive cyber operations, as well as intelligence as it relates to cyberspace. In other words, it would be responsible for recruiting, training, educating, and equipping personnel capable of defending against active and ongoing cyber threats, projecting power in and through cyberspace to achieve independent or coordinated effects against adversaries, and supporting military intelligence activities related to cyber missions and operations.
It is also imperative to specify what will be beyond the scope of the US Cyber Force’s responsibilities, because cyberspace is integral to many missions across the Department of Defense. For one, we propose that the US Cyber Force would not be responsible for generating capabilities for Department of Defense Information Network operations. This is an enormous and complex task that would overwhelm the US Cyber Force in its initial instantiation and would detract from its core mission set. Additionally, the US Cyber Force should not be the primary force generator for information operations or other cyber-related emerging technologies, such as artificial intelligence. Unlike cyberspace, neither the information environment nor artificial intelligence are standalone operational domains. There are many activities that occur in the information environment that are beyond the scope of cyberspace. Similarly, AI is a general-purpose technology that has a range of applications across the Defense Department.
The decision-makers charged with building the service will need to grapple with critical questions about how existing cyber-related organizations within the Defense Department, such as the various operational groups within the Cyberspace Operations Forces, would relate to a US Cyber Force. For example, a non-controversial assumption is that the US Cyber Command would continue to exist as a unified combatant command and would be the primary force employer for the cyber domain. In addition, the other services would continue to retain some cyber capabilities that are directly relevant to their distinct joint functions (such as electronic warfare capabilities for the Army). Furthermore, each service will need to retain cybersecurity-related capabilities including the establishment, maintenance, and defense of their own IT infrastructure and defense of their segments of the Department of Defense Information Network.
Key Principles
To be successful, a US Cyber Force should prioritize four core objectives. The first is to produce the world’s preeminent cyber personnel. The service must recruit, train, and retain the nation’s most promising cyber talent. This will require looking beyond traditional recruitment pools and developing mechanisms for leveraging talent within and outside of the government, in both uniformed military and civilian roles. The second is to develop innovative and agile cyber leaders. The US Cyber Force must develop cyber-native leaders who grasp the technical, organizational, and strategic complexities of cyberspace, and be able to communicate the operational and strategic relevance of cyberspace across the Joint Force. Third, a US Cyber Force must continually equip the most advanced cyber warfighting capabilities. It must become the predominant leader in the development and employment of cyber capabilities, leveraging commercial, experimental, and exquisite technologies to achieve and maintain technical overmatch within defensive and offensive cyber operations. And finally, it is essential for the service to establish a distinct culture that reflects the defining features of the cyber domain. The service will require organizations and individuals to be adaptable and embrace different behaviors, values, and paradigms that reflect and reinforce these attributes.
A Time to Act
A US Cyber Force need not be large. An examination of existing cyber billets suggests it would initially comprise about 10,000 personnel, but might grow over time. As the US Space Force has shown, a smaller service can be more selective and agile in recruiting skilled personnel. Additionally, our research suggests that the initial budget for a US Cyber Force will be neutral—if anything, the Pentagon will reap significant efficiencies in consolidating force generation responsibilities within one entity, rather than the current duplicative and suboptimal structure.
Some argue that a US Cyber Force is not needed, and that the current readiness challenges can be address through providing US Cyber Command with greater “service-like” authorities, similar to US Special Operations Command. However, even with such changes, the reality is that US Cyber Command cannot induce the requisite changes across the existing Services to optimize recruiting and initial training for cyber personnel, nor can it induce the Services to reorient their priorities around the cyber domain.
Others posit that establishing a US Cyber Force is the right choice—but at some later date, because doing so will hamper operational readiness.
We believe the opposite is true: the time to establish a US Cyber Force is now, when policymakers have breathing room to grapple with the complex and challenging decisions surrounding how to best establish the US Cyber Force—rather than wait for a crisis or conflict to force America to scramble to figure out how to build one.
There is a dangerous gap between the centrality of cyberspace for modern warfighting and the US military’s persistent lack of readiness to fight and win in the cyber domain. If establishing an independent service for cyberspace is more a matter of “when” than “if,” then answering the tough questions about how to do so must be an urgent priority.
This piece is part of Aspen Digital’s Playing Offense project, which tackles how lawmakers and industry leaders alike should think about offensive cyber operations, including both the risks and opportunities.
The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.
Mark Montgomery is the Senior Director of the Center on Cyber and Technology Innovation and a Senior Fellow at the Foundation for Defense of Democracies. He serves as the Executive Director of Cybersolarium.org, a non-profit organization which works to implement the recommendations of the Cyberspace Solarium Commission, where he was Executive Director from 2019 to 2021. Prior to this, Mark was Policy Director for the Senate Armed Services Committee under the leadership of Senator John S. McCain and completed 32 years as a nuclear trained surface warfare officer in the U.S. Navy, retiring as a Rear Admiral in 2017. As a flag officer his assignments included Director of Operations at U.S. Indo-Pacific Command; Commander of Carrier Strike Group 5 homeported in Japan; and Deputy Director, Plans, Policy and Strategy at U.S. European Command.
