Build a More Effective Cyber Force, Not More Bureaucracy
We trained hard, but it seemed that every time we were beginning to form up into teams we would be reorganized. … [W]e tend as a nation to meet any new situation by reorganizing; and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency, and demoralization.
When is military reorganization warranted and when is it merely undertaken for its own sake? Charlton Ogburn Jr.’s observations on the downsides of reorganization, developed through his service as a communications officer with Merrill’s Marauders in World War II, serve as a cautionary tale for today.
David Barno and Nora Bensahel recently called for the United States to establish an independent cyber force on par with the Army, Navy, Air Force, Marine Corps, Coast Guard, and Space Force. This recommendation is not new and it offers some advantages. At the strategic level, proponents argue that a cyber service would accelerate doctrinal and capability innovations. Freed from the shackles of extant service parochialism, the expertise consolidated in a new service could allow it to approach cyber as its own mission and not merely as an enabler of conventional operations. Bureaucratically, it could address cyber talent gaps through Title 10 authorities to organize, train, and equip personnel according to standards and cultures that are different from those of the other services. Cyber warriors from the new service would integrate into joint operations and task forces just like personnel from conventional forces, while the other services would retain cyber personnel and capabilities only for tactical purposes.
Notwithstanding such benefits, the United States should not create a new military service for cyberspace: That would be a 20th-century solution to a 21st-century problem. It would risk cementing the false assumption that cyberspace is independent of air, land, sea, and space. In reality, the concept of “domain” has been more of a metaphor than an actual description for cyberspace, which has complex intersections and interdependencies with the military’s other operating environments. Precisely because of this dynamic, America’s force structure should reflect the need to integrate its digital capabilities with its kinetic ones. As an organizational construct, Cyber Command is fit for purpose. Were the United States to create a new cyber service, American policymakers would face tough questions about the future role of Cyber Command and risk ignoring important progress made by the existing services vis-à-vis cyberspace. While there is much merit in criticizing how the elements of the existing force structure coordinate and integrate, establishing a new service would waste precious time, energy, and money. Instead, the U.S. military should focus on achieving greater effectiveness with the cyber force that it already has.
With a New Cyber Service, What Would Happen to Cyber Command?
As a unified joint combatant command, United States Cyber Command draws personnel from its Army, Navy, Air Force, and Marine Corps service component commands. Although Cyber Command cannot directly recruit, train, or equip personnel like the services can, it has established joint standards that have helped to align service-administered and contractor-provided training. Unlike a service, Cyber Command retains operational authority, and key to its operational efforts is the Cyber Mission Force, the command’s “action arm.” The Cyber Mission Force consists of service components arranged into four types of teams: the cyber national mission teams focus on identifying and countering adversaries; cyber protection teams defend Department of Defense networks; cyber combat mission teams conduct operations in support of other combatant commands; and cyber support teams provide analytical and planning support to the other teams.
Any proposal for an independent cyber service produces a glaring question for America’s cyber force structure: What would happen to Cyber Command? Advocates of establishing a new service typically leave this issue unaddressed. Logically, creating a new cyber service would entail either the eventual disestablishment of Cyber Command or a redefinition of its relationship to the other combatant commands.
The first scenario — the disestablishment of Cyber Command — would risk an abrupt shift in the “dual hat” arrangement, whereby the commander of Cyber Command simultaneously serves as director of the NSA. This arrangement facilities the coordination of the command’s Title 10 military cyber capabilities and the NSA’s Title 50 cyber intelligence capabilities. Reconfiguring the dual hat relationship with the NSA by swapping out a combatant commander for a service commander would be in stark contrast to how Cyber Command has been led by commanders from different services. That dynamic has arguably introduced diversity of experience and decision-making into the strategic and operational calculus. Dual-hatted commanders of a cyber service could, whether they intend to or not, shape the NSA’s combat support functions over time to suit service-level preferences instead of military-wide prerogatives.
In the short term, replacing Cyber Command with a cyber service would also disrupt military access to the infrastructure and expertise that reside at the NSA while the new service focuses on building its own bureaucracy. This is ill advised given that Cyber Command itself has not met congressional requirements for separation from the NSA. In the longer term, such a move would give operational authority over independent cyber operations to combatant commanders who may be unfamiliar with their full range of utility. While that might ultimately force other combatant commands to develop their cyber proficiencies, it would also be likely to create greater barriers to the deconfliction of military- and intelligence-run cyber operations. Most cyber conflict more closely resembles espionage than it does traditional warfare and the current Cyber Command-led dual hat arrangement acts as a mechanism for weighing competing civilian and military interests in cyberspace. Without it, the distribution of cyber operational authority across combatant commanders would present multiple new avenues for the military and civilian agencies to clash.
In the second and more likely scenario — establishing a cyber service alongside Cyber Command, similar to the current setup of Space Force and Space Command — two bureaucratic issues loom large. First, the overhead costs of standing up a new service and its respective bureaucracy would place an undue burden on a military that is still struggling to modernize and likely faces a period of stagnating or declining budgets. Such costs may be inevitable for a new service, but they would be more acute in this scenario given the cyber-dedicated resources also needed for Cyber Command’s continued development. Even recommendations to reduce start-up costs, such as placing a cyber service under the Air Force, ignore the institutional overload that can result from creating new bureaucracy. One can just look at the rise and fall of Air Force Cyber Command (Provisional), a provisional command established in 2006 after the Air Force expanded its mission to include cyber. Then-Secretary of the Air Force Michael Wynne tasked the Eighth Air Force — known for its long-range nuclear bombers, not its cyber capabilities — with standing up the command. In addition to broadening the Eighth Air Force’s responsibilities, the service’s leadership placed few conceptual bounds on the cyber mission and gave little guidance on the command’s relationship to other services and the combatant commands. The Air Force also failed to allocate any new funds for the command. These challenges overloaded the Eighth and took a toll on its nuclear mission, ultimately leading the Air Force to suspend the provisional command. Although the 16th Air Force (Air Forces Cyber), the service’s contribution to Cyber Command, provides a more logical basis for spinning off new cyber bureaucracy today, the previous effort highlighted the pitfalls of overhauling organizational structures without providing proper vision and resourcing. This is a salient lesson, especially as the Air Force is already spreading its resources to support the Space Force.
Second, establishing a cyber service alongside Cyber Command would require a redefinition of the Cyber Mission Force, and more specifically of the cyber combat mission teams assigned to the other joint combatant commands. Would components of a new cyber service replace the current cyber combat mission teams? Or would those teams expand to include new cyber service elements alongside the components of the existing services? Here, the relationship between the Space Force and Space Command offers few insights, as both organizations are still sorting out their connections to other combatant commands. Both options carry the risk of disrupting other combatant commands and creating unnecessary stovepiping and in-fighting among the services.
Cyber Force Structure Should Include the Existing Services
A common assumption among cyber service advocates is that the existing services are more interested in maintaining legacy systems than addressing cyberspace. While it is true that cyber operations are not the primary function of the combat services, this assumption ignores much of what the services have done historically to incorporate cyber into their organizations. Moreover, the services are developing new frameworks for using cyber operations in conjunction with other military means. For instance, new ideas surrounding “multi-domain” warfighting doctrine have been a key part of the Army’s forward-looking doctrinal development. The services can and certainly should do more to focus on building cyber-minded cultures. However, this is not unique to the military, and a new cyber force is not a silver bullet for a cultural problem that affects the entire Department of Defense.
Precisely because cyberspace is a critical dimension of modern operations, concentrating strategic planning in a specialized service risks missing the forest for the trees. A cyber-specific service might well provide deeper expertise than what currently exists in the other services, but it will do so at the expense of a wider strategic and operational aperture. Cyber Command has already proven itself capable of conducting independent operations and operations in support of more conventional counter-terrorism efforts. In the case of the latter, Operation Glowing Symphony, conducted by Joint Task Force ARES under Strategic Command, offers an important precedent for the integration of cyberspace operations with conventional ones. Although Cyber Command retained command and control of the task force, instead of Strategic Command, the operation provided several lessons for conventional forces and a foundation for “coordinating fires” between cyber forces and conventional forces in the future. Given the increasingly acknowledged convergences of the digital and physical worlds, it makes little sense to isolate planning for cyberspace in a new service. Indeed, that would be a regression in the integration of capabilities in light of Cyber Command’s increased acquisition power and the likely expansion of the Cyber Mission Force.
Many proponents of an independent cyber force point to the creation of the independent Air Force and Space Force as important precedents for establishing a new service focused on cyberspace. Such analogies are misleading. Cyberspace fundamentally intersects with the other warfighting environments in ways that air and space do not. Responding with a service construct treats the challenges of cyberspace as if they are of the same type as challenges in the air, on land, at sea, and in space. Many are not. In this regard, a more apt analogy for organizing cyber forces — one that reflects a force operating across environments and that is functionally rooted — is that of special forces. Several overlaps exist between cyber forces and special forces, and the analogy actually played a role in facilitating the early discussions about creating Cyber Command.
A Strong Foundation in Need of Improvement
The United States should focus on achieving greater effectiveness with its current cyber force structure. Among the priorities, policymakers could look at ways for the Cyber Mission Force to integrate Space Force’s new cyber personnel. Although the service is in the early stages of building its cyber capabilities, there are still no plans for Space Force to contribute teams to Cyber Command.
Even more pressingly, Cyber Command can develop more concrete metrics for evaluating outcomes and for defining what constitutes “success” in cyberspace. This will require explicitly formulating strategy for cyberspace, defining its relationship to other warfighting efforts, detailing ways to operationalize it, and consistently measuring outcomes. The organization has already developed comparable metrics for assessing readiness. Yet, it would be a mistake to assume that these are the same as measures of effectiveness.
American officials should also devote time and resources to coordination and deconfliction of civilian intelligence and military cyber operations. The United Kingdom’s National Cyber Force offers one potential model for gaining greater efficiency and reducing bureaucratic conflicts. Pursuing greater effectiveness and cooperation with civilian intelligence may inevitably necessitate organizational changes. But an independent cyber service is not the answer.
America’s existing cyber force structure — consisting of Cyber Command and its current service-level components — provides a strong foundation for effectively carrying out the cyber mission. The United States should make this force structure work better, not undermine its progress with the creation of a new independent service.
Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on the development of military cyber forces, particularly in the transatlantic space. Follow him on twitter @JasonABlessing.