war on the rocks

Strategic Outpost Debates a Cyber Corps

February 20, 2018

A few weeks ago, we gave a joint lecture on the changing shape of war to 300 students at the Eisenhower School at National Defense University. During the question and answer period, something rare happened: We publicly disagreed with each other.

The question that prompted the on-stage clash was simple. The cyber domain has become an increasingly critical element of warfare. Today, each of the services has its own cyber personnel. Given the changing nature of the threats in that domain, should the U.S. military establish a separate cyber corps?

Dave responded first, saying that a separate cyber corps was unnecessary. He readily acknowledged that the Americans with the best cyber talent may not meet military and appearance standards — they might be out of shape, overweight, have facial tattoos, or some other disqualifying factor. That was okay, he said, because (as Mark Cancian recently wrote) the services can scoop up enough of that vital cyber talent by hiring civilians or contractors.

Nora was taken aback, since that was not what she had expected him to say. She told the audience they were about to witness a rare disagreement, and then argued that the Defense Department’s cyber-warriors absolutely needed to be kept in the military services.

We left the argument unfinished given the time constraints, but were both surprised by the extent of our disagreement and were equally convinced that we needed to quickly show the other the error of his/her thinking. The argument resumed in full force as soon as we returned to our office.

Nora started by telling Dave that he was contradicting much of our past work. After all, we’ve written extensively about how the military personnel system desperately needs to be updated — how its rigidity drives out too much talent that the military needs to address the challenges of 21st century warfare. And, in one of our early “Strategic Outpost” columns, we argued that the military needs an entirely new approach to the cyber domain that “effectively breaks all the personnel rules and shreds all accepted norms of rank, seniority, and deference that currently characterize what it means to be in the military.” In other words, we had advocated letting people with blue hair serve — which is exactly what Cancian argued against.

Dave shot back that he had not changed his mind, and that the future U.S. military may well need an entirely new personnel system with few to none of today’s rules and regulations. And some of those changes are badly needed now. But that transformed force, he said, is a long way off — as the intense pushback against Defense Secretary Ash Carter’s 2015 Force of the Future initiative made clear. By 2040 or 2050, all of the services might have legions of people with blue hair. But cyber is an urgent 2018 problem. The Defense Department needs access to the best cyber talent in the nation today, while it steadily works on the long-term process of institutional change.

That made sense to Nora, since nothing in the Pentagon ever changes quickly. The services need time to grow into a whole new way of thinking about attracting and keeping talented personnel (though the sooner, the better).

But Dave persisted that, for now, cyber warriors still need not be in the military at all. In fact, many of them are already civilians serving at the National Security Agency. It’s a safe bet that the nation’s very best cyber geeks will not be eager to join the military where they have to crawl under barbed wire, stand in formations, and wear short haircuts. Furthermore, if they are going to spend their entire career behind a keyboard at places like Ft. Meade, why should the country have to pay the huge costs of putting them in uniform, training them, and giving them the same expensive benefits as those who actually deploy into combat zones? It would be cheaper and more effective to hire them as civilians or contractors.

Nora replied that this would make sense for some of the military’s cyber functions. But she argued that some of the best and brightest hackers must be in uniform, especially to legitimately and legally conduct offensive cyber operations — the kind of cyber attacks whose cascading effects could readily inflict grievous harm and death. These cyber warriors need to be subject to the Uniformed Code of Military Justice, so they are held accountable for their actions and legally protected from liability. Putting them in uniform also clearly identifies them as lawful combatants under the Law of Armed Conflict, and, though it may seem quaint, offers them certain rights under the Geneva Conventions.

Dave fired back that hackers don’t need to be in uniform to conduct offensive and potentially lethal cyber attacks. U.S. intelligence agencies already have the authority to do so under Title 50 of the U.S. code, with sufficient accountability mechanisms. He agreed, though, that if we were going to expand the number of people in the Department of Defense doing offensive cyber operations, they should at least be government employees, not contractors. That said, the uniformed military was still not the right place for hackers with blue hair.

Nora held her ground. Some cyber warriors must be in uniform to ensure a single, effective chain of command for all military operations. Cyber is now its own domain of warfare. Today’s joint force commanders already seamlessly integrate forces on land, at sea, and in the air into their operational plans — and now they need to do so with forces operating in the cyber domain as well. Effective operations require unity of command under a single person with clear unified authority, not some cobbled-together patchwork of Title 10 and Title 50 authorities.

Furthermore, military commanders must be able to order cyber personnel to deploy when necessary. They probably won’t be ordered to the front lines of combat, of course, since their job involves operating keyboards. But they might have to deploy somewhere other than their home station — a secure rear base in the area of operations, perhaps, or even to another location within the United States. The only way to ensure that commanders will be able to deploy cyber warriors when and where they are most needed is to put them in uniform.

Dave grudgingly conceded both points. But he stressed that wearing a service uniform carries powerful expectations. The cultures that define each service are rooted in the shared understanding and cohesion that comes from knowing that everyone else wearing your uniform has been through the same socialization and training that you have. The bonds of trust within each service require that common experience and shared standards. When you look at a fellow soldier, sailor, airman, or marine, you know exactly what they have done to earn the right to wear that uniform. Cyber specialists who skip boot camp and parachute directly into the force, who neither look nor behave like anyone else, would deeply undermine the crucial bonds of service identity and trust. Yes, the Army now offers direct commissions that enable civilian cyber experts to become first lieutenants without attending the Basic Combat Training Course. But that five-year pilot program will only commission five officers per year into the active component — making it the exception that proves the rule. It demonstrates that the Army, like the other services, is not willing to allow more than a truly tiny number of officers to forego those common experiences and standards.

Okay, said Nora. We agree that some cyber warriors need to be in the military, and that the most talented cyber geeks may not meet, or want to meet, current military standards – but the services can’t change the standards just for them. U.S. Cyber Command and its Cyber Mission Force may be the right structures to address the cyber challenge, but they cannot succeed if they rely solely on personnel provided by the existing services. Maybe the best way to square this circle is to create a new military service –– a new Cyber Force. It would be institutionally equivalent to the Army, Navy, Air Force, and Marine Corps, but it would have its own standards, culture, uniforms, and — if need be — a separate pay and rank structure. Members of the Cyber Force would be subject to the military justice system and deploy under the military chain of command, integrating into military organizations just like any other service component or service member. They would mostly work for joint commanders both overseas and in the United States, and might even command joint task forces. In the military lingo, Cyber Force units could be either the supporting or supported commands.

We finally agreed: The Defense Department should establish a new military service called the Cyber Force. It might not be large, perhaps with just a few thousand personnel to start, but its “troops” would be very different from other military personnel. The Cyber Force would have its own entry standards, uniforms, appearance regulations, and possibly even pay and rank structures designed to attract as many talented geeks as possible. And, as retired Adm. James Stavridis has argued, a new Cyber Force would do a better job of recruiting, training, and equipping cyber personnel because none of the existing services have cyber operations as their core competency. It should also include a sizeable and well-integrated reserve component. This would help ensure access to the skills and talents of those who hold civilian cyber jobs as coders, hackers and cyber-security experts, but don’t want to serve full-time. Since the private sector will continue to dominate the cutting edge of the cyber domain, leveraging some of its topflight talent to serve in the military, even if only part-time, is essential.

The other military services would maintain some of their own uniformed cyber capability, but in reduced numbers. These troops would continue to meet existing service standards, but would focus primarily on tactical cyber operations — working directly as part of a submarine crew, a special operations team, or another type of combat unit — and on protecting individual service networks. The Cyber Force would be responsible for most other types of cyber operations and protecting joint Department of Defense networks. For joint operations, Cyber Force personnel would integrate into joint task forces in the same way that Army, Navy, Air Force, and Marine Corps personnel do today. A new Cyber Force would also serve as a unique test bed for the Defense Department to evaluate some very different definitions of what it means to be a soldier in the coming decades, and help move the other services towards the far more flexible and adaptable force that will be needed in the future. The lessons drawn from blue hair in the Cyber Force today may help lead to blue hair in the other services tomorrow.

The new cyber domain of warfare is no less revolutionary than when the invention of the airplane ushered in an entirely new air domain. It demands a bold new approach to war, and a recognition that its best warriors will not fit the conventional military mold. Your “Strategic Outpost” columnists now agree that standing up a new Cyber Force with its own requirements and standards is the best way to attract the best cyber talent into the military, while preserving the ability of the existing services to fight in the domains they know best.


Lt. Gen. David W. Barno, U.S. Army (Ret.) is a Distinguished Practitioner in Residence, and Dr. Nora Bensahel is a Distinguished Scholar in Residence, at the School of International Service at American University. Both also serve as Nonresident Senior Fellows at the Atlantic Council. Their column appears in War on the Rocks monthly. Sign up for Barno and Bensahel’s Strategic Outpost newsletter to track their articles as well as their public events.

Image: U.S. Air Force, Senior Airman Solomon Cook