A Divorce Between the Navy and Cyber Command Would Be Dangerous

CyberCommand

Frustrated by reports of the U.S. Navy’s underperformance in cyber operations, Congress has made an unusual request. The Fiscal Year 2023 National Defense Authorization Act instructs the secretary of defense to report to Congress by 2024 on whether the Navy should continue contributing forces to U.S. Cyber Command. This request raises the unprecedented possibility that an armed service would not contribute forces to a joint combatant command. 

The National Defense Authorization Act provision may be merely an expression of congressional pique. In any event, the consequences of extricating the Navy from Cyber Command would be far-reaching. They would be harmful to the Navy, Cyber Command, and the overall defense of the nation. For the Navy in particular, it could undermine recruitment and retention of cyber talent, impede relevant experience and joint competency of Navy personnel, reduce relevant access, increase bureaucratic friction, and create issues involving legal authorities. Moreover, without Navy presence in planning and operations, Cyber Command could miss the distinctiveness of maritime issues in its preparations for a major Indo-Pacific conflict. Finally, excusing the Navy from Cyber Command decreases the effectiveness of joint operations critical to successful campaigns against an all-domain peer power in an increasingly hostile cybered world.

Rather than separation, the Navy should give its soon-to-be-created cyber billets sufficient tools, training, and talent to succeed at Cyber Command. There are, of course, alternative futures that would change the analysis here, such as the creation of a separate cyber service (which the National Defense Authorization Act also identifies as worthy of study) or the Navy giving its naval Cyber Command mission to the Marine Corps. While a thorough examination of these options is beyond our scope, the bottom line is that the Navy unilaterally leaving Cyber Command entails unique downsides.

Frustration with the Navy’s Cyber Performance

In 2018, as U.S. Cyber Command was gaining new capabilities and authorities, numerous senators raised questions about why the Air Force and Army budget requests for cyberspace were more than double that of the Navy and why certain Navy requirements were going unfunded. Within the Tenth Fleet — the Navy force component to Cyber Command — cyber has remained but one of the mission areas competing for resources. The Navy’s fleet cyber commander is dual-hatted with Tenth Fleet’s commander and is responsible for providing those resources. This arrangement does not appear to provide sufficient commitment to resourcing cyber operations. During a hearing in the House Armed Services Committee on the Fiscal Year 2023 Navy budget request, Rep. James Langevin stated multiple concerns about the state of the Navy’s cyber forces. He also pointed out that “the Secretary’s 28 pages of written testimony for today’s event meant to reflect the highest priorities of the Navy doesn’t mention cyber once.”

 

 

Part of the challenge is that the Navy has not had a single designator for cyberspace. Instead, three communities — cryptologic warfare officers, information professionals, and cyber warfare engineers — have different roles and responsibilities Moreover, the Navy lacks what are known as “service-retained cyber forces” capable of effectively performing tasks such as “securing sea lines of communication” beyond 12 nautical miles from U.S. shores.

The 2023 National Defense Authorization Act directly addresses some of these challenges and calls for a review of others. Regarding the fractured nature of cyber expertise, the Act directs the Navy to create a specific cyber “designator,” an occupational specialty separate from that of cryptologic warfare officers. Establishing a cyber designator has been previously discussed within the Navy without a clear decision. Now it is no longer optional. To ensure the formal establishment of a new naval cyber community, Congress has mandated that Navy cryptological officers not be in command of cyber operations personnel.  

As mentioned, the latest authorization act specifically calls for the secretary of defense to review “Whether the Navy should no longer be responsible for developing and presenting forces to the United States Cyber Command as part of the Cyber Mission Force or Cyberspace Operations Forces.” While this provision clearly reflects congressional frustration, it suggests a desire for a workable solution by highlighting the issues concerning Navy cyber directly to the secretary of defense level. The demand for a specific review increases the likelihood of Department of Defense pressure on the Navy to reorganize its cyber force and possibly shape its cyber forces to be more similar to the other services. Although it is too soon to tell what will ultimately transpire because of this review, it is already evident that a divorce between the Navy and Cyber Command would be bad for the Navy and bad for Cyber Command. From the very start, such a decision would appear to contradict the congressional desire to strengthen naval cyber as found in other provisions of the same defense bill.  

Undermining the Navy

Not having Navy cyber members embedded within Cyber Command would undermine the Navy’s future cyber competence in six significant ways.

Hobbling Recruitment and Retention of Cyber Personnel

The Navy already has had difficulty recruiting cyber personnel. The service offers an uncertain career path created by a so far vague status in the overall information warfare organization. It shows reluctance to create bonuses and retention pay on a par with the other services, and an seeming lack of urgency in dealing with cyber threats. Losing the career experience of the fully functional and more prestigious Cyber Command would deter some of the most promising recruits. Mid-grade cyber personnel would likely chafe at the lack of equal opportunities and status in their domain-relevant community, making retention even more problematic.

Reducing Experience and Joint Competency

The result would be a lack of opportunities for Navy cyber warfighters to have the full range of experience needed. Not only would they lack the knowledge of the capabilities, practices, and procedures of the other services, but they would also lack the experiential learning born of conceiving, staffing, and acting in national and Department of Defense decision-making and execution of higher-level cyber operations. Classroom-based joint professional military education is not a substitute for the hands-on skill development available in Cyber Command, or for developing Navy cyber competence in translating the commander’s intent into the complexity, urgency, and delicateness of the full spectrum of cyber operations. 

Furthermore, Navy cyber officers and sailors would have to learn the full range of cyber operations including both offense and defense while limited to a largely defensive, diminished, and legally constrained role in developing their cyber expertise. Operational experience in offense (or close cooperation with those who do offensive missions) is essential for effectiveness in defense. The Navy’s cyber protection will need a deep understanding of attacker tactics, the ways in which attackers find vulnerabilities, the variety of tactics, techniques, and procedures that attackers use to press defensive measures, the operational challenges to attackers, and how to stay ahead of the developments in attacker innovations. Expertise in defensive cyber operations requires more than awareness of the various attack modes, monitoring, best practices, and the ability to recover from a breach. Even traditional threat hunting in one’s own networks does not give the breadth of experience required to anticipate adversary innovation and campaign flexibilities. Until legislation changes, the bulk of the offensive cyber authorities rests in the dual-hatted commander of Cyber Command. Thinking from the adversary’s point of view is essential to defense, but so is the hands-on experience currently only available by working in or for Cyber Command’s hunt forward cyber teams. 

Strained Access to Robust Infrastructure

The Navy is unlikely to have or spend the money to replicate the wide range of skills and infrastructure to which it has access today as a component command of Cyber Command. Through its dual-hat command relationship with the National Security Agency and the control of its own budget, Cyber Command now operates considerable amounts of cyber infrastructure that dwarf what the Navy could set aside for cyber. After the departure of its forces from Cyber Command and even with the best of intentions across two large organizations negotiating for scarce resources, Navy cyber teams will never have access to the same extent of funds or timing necessary to maintain a fully capable cyber defense force, let alone one sufficiently competent in offensive capabilities.

Reinforcing Bureaucratic Walls

If the Navy leaves U.S. Cyber Command, it will be on the other side of the bureaucratic walls of four-star staff silos when it asks for cyber help from Cyber Command or other services. The ensuing reluctance to help might be especially present if Cyber Command had been forced to pick up the tab in personnel and resources for missing Navy support. Navy priorities would have even less weight than they might or might not have right now. The absence of naval personnel means no future commanders of Cyber Command will have a naval background, with the resulting lack of familiarity encouraging them, whether intentionally or not, to favor their own service personnel and concerns. It is not clear whether the commander, Fleet Cyber Command, will continue to personally report to commander, Cyber Command if the Navy component withdraws. This could further harden potential silos.

Legal Authorities

An adequate working knowledge of cyber offense needs the kinds of hands-on development of experience that generally requires the legal authorities afforded to Cyber Command, not the individual services. Without this practical knowledge, the Navy would still have the right to invite itself into joint cyber offensive operations, but, over time, the other services and Cyber Command itself might not want the less-experienced Navy personnel on their team. There is an evolving discussion over whether the legal authority to conduct offensive cyber operations should remain solely with Cyber Command, and generally not be delegated to combatant commanders.. For a variety of reasons including coordination, limitations of collateral damage risks, and avoidance of friendly fire, Cyber Command has long been reluctant to delegate offensive cyber operations outside of its operational command of service cyber components in the Cyber Mission Force. If the Navy realizes it needs offensive capability and moves to develop its own cyber offense forces, but no legislation or executive directives change, those units will either pose a nontrivial possibility of disruptive cyber crossfire or, more likely, be severely constrained in what actions they have authorities to perform in peacetime. If the divorce from Cyber Command incurs these cyber deficits in a significant way, then the delegation of such authorities might never occur even if the Navy is the service is doing the bulk of the warfighting in a major theater. 

Half In and Half Out Multiplies Gaps

Removing Navy personnel from Cyber Command does not mean the service leaves its other interactions with the National Security Agency. The relationship through cryptological service members deeply intertwined with the National Security Agency will continue. As things stand, the Navy would continue to have the option to participate in joint cyber operations. The Defense Information Systems Agency will continue to defend the back office of the entire Department of Defense. One presumes the other services will pick up the slack in Cyber Command’s Cyber National Mission Forces — including cyber training curriculum responsibilities currently held by the Navy. In 2022 Cyber Command received advanced budget authority and took over the advanced cyber training of its service components’ cyber personnel. It is not clear how a Navy separated from Cyber Command would benefit from this training — perhaps it would have to pay as any outside agency (but not service) must do. The gap could grow quite large between what other services learn and can provide, and what the Navy’s cyber officers and enlisted sailors know how to do effectively in cyber operations once deployed. The Navy’s cyber forces are unlikely to be prepared for the large-scale hybrid fight likely to come in the future. 

Undermining Cyber Command and Beyond

Cyber Command stands to lose more than just assets if the Navy were to unilaterally be excused from participation. One of the primary warfighting domains — the maritime environment — would not automatically be represented across the range of Cyber Command’s activities. Without built-in naval representation, maritime targets and issues are likely to receive less prioritization on a daily basis, whether by virtue of limited organizational attention or lack of awareness of maritime-relevant targets. The divorce adds one more seam in the operational coordination across the Department of Defense community. 

While cyber operators from the Army or Air Force may be able to master a variety of complex systems over time, they would likely have more difficulty providing surrogate maritime and service-specific representation in decision-making at Cyber Command. Each traditional warfighting domain has its own assets, concepts, and operational contributions that at times overlap and at times conflict with others. The maritime environment in particular entails a high degree of mobility and unique potentials for loitering, deception, and access. Understanding the unique aspects of ships, ports, or other maritime platforms, whether it be the Automatic Identification System or other navigational capabilities, gives cyber operators additional context for understanding the maritime-relevant networks which they are defending or attacking. It would be difficult for a joint force of Army, Air Force, or cyber agency teams to be effective in a maritime environment while “plugging their joint laptops into systems that are the operational responsibility of a Navy commanding officer.”

A lack of naval representation could also impede Cyber Command’s capacity to “operationalize the battlespace” in important ways by neglecting maritime factors in the operational picture. The Command Vision of U.S. Cyber Command’s current commander, Army Gen. Paul Nakasone, calls for the organization to “[e]nsure every process … aligns to the cyberspace operational environment.” Without maritime-oriented operators in the room to help identify requirements, and to contribute to discussions of battle damage assessment as it pertains to relevant platforms and the like, a skewed picture could emerge. If the Navy unexpectedly heavily funds the acquisition, retention, and development of its own cyber experts to work closely and largely uniquely with forward-deployed strike groups and individual warships, then Cyber Command not only has to compete with the Navy for these individuals, but also has to coordinate with them through siloed channels to avoid cross-purposes in operations.

A secretary of defense decision allowing the Navy to opt out of Cyber Command could create a precedent that affects the perceived value added of integrated jointness itself. Could a service struggling to perform adequately be allowed to pick which combatant command they wish to staff? Staffing Cyber Command currently costs resources to all the services. Under the potential warfighting scenarios now envisioned, the Air Force might find it more cost effective to put more personnel and resources in the combatant command staffs that support, say, expeditionary manned aviation rather than a domain like cyber that might not be perceived as decisive. While it is hard to imagine the Army opting out of the U.S. Indo-Pacific Command staff under the premise that the role of land forces would be limited in the envisioned East Asia scenario, that is a possibility if a combatant command “opt-out policy” becomes accepted. Whether the jointness norm that all services have a near equal slice of every mission is desirable is a question beyond the scope of this article, but certainly giving services the option to opt out or be pushed out undermines the unified defense effort. 

Seeking Creative Alternatives

One alternative approach may be a separate Cyber Service akin to U.S. Space Force. If the Navy cannot afford to build and contribute sufficiently skilled forces, why should any service have to? The 2023 National Defense Authorization Act explicitly calls for study of this possibility, which would effectively eject all the services from Cyber Command. It could result in all the services facing the same potential cyber deficits as a Navy-Cyber Command divorce.

A second idea is for the Navy to give the entirety of its naval Cyber Command mission over to the Marine Corps, in law a co-equal naval service. Former Marine Corps Commandant Gen. David Berger followed all recent commandants in vociferously arguing that the Marine Corps needs to get back to sea and naval operations, creating a sea-control-from-the-land mission. The corps has also expressed a very firm commitment to developing advanced cyber capabilities in accordance with their traditional and unchanging commitment to combined arms warfare. Amphibious Marine Corps cyber operations personnel could serve the cyber warfare area commanders in strike groups as well as being the naval representation on staff with Cyber Command. 

With those options aside, however, the balance of possibilities argues the Navy, Cyber Command, and the security of the nation are each worse off if the Navy divorces Cyber Command. The secretary of defense should report back to Congress with but a single word: “continue.”

 

 

Dr. Chris C. Demchak is Grace Hopper Chair of Cyber Security as well as the Senior Cyber Scholar in the Cyber and Innovation Policy Institute at the U.S. Naval War College. 

Dr. Michael Poznansky is an associate professor in the Strategic and Operational Research Department and a core faculty member of the Cyber & Innovation Policy Institute at the U.S. Naval War College. He holds a Ph.D. from the University of Virginia. 

Dr. Sam Tangredi is the Leidos Chair of Future Warfare Studies, the director of the Institute for Future Warfare Studies, and a senior scholar with Cyber and Innovation Policy Institute in the Strategic and Operational Research Department. He is a retired Navy captain and surface warfare officer specializing in naval strategy. 

All ideas are solely those of the authors and do not reflect the position of any element of the U.S. government.

Image: Department of Defense