A Better Cyber Service
2024 will mark the fifth year of America’s newest military service, the Space Force. Its success has led to increased calls for a new service for the Department of Defense’s fifth recognized domain of warfare, cyberspace. These calls have grown so loud as to have reached the point where current U.S. Senate proposals for the 2024 National Defense Authorization Act include a provision that will task the Department of Defense to study the possibility of an independent cyber force.
Despite these calls, many significant challenges and obstacles exist. Though cyberspace is recognized by the department as a domain of warfare, it is unambiguously different in character from the physical domains of warfare that define existing services. And although from legal and budgetary standpoints the standup of Space Force has to date been relatively smooth, significant questions remain about the focus and culture of the fledgling service. Taken together, these issues give serious pause to a new Cyber Force as an independent military service. The churn of developing a new service combined with the lack of a sufficiently independent operating environment and unique set of capabilities and operating constructs may hinder cyber military capabilities, rather than enhance them, at a critical juncture in great-power competition.
To get serious about the future of cyber and national security, policymakers should look outside the Defense Department box to establish an effective U.S. Cyber Service. Rather than looking to the physical warfighting domains as an example, they should look instead to the functional domains of weather, medicine, and law enforcement. These are examples of non-military services that can integrate with military operations when needed while also partnering with the public sector in a non-militarized role for ongoing operations both foreign and domestic.
The Benefits and Drawbacks of a Cyber Force
The reasons for the increased calls for a cyber service are clear. Four of the five current military services are tied to the four physical domains of warfare, and the fifth specializes in one trans-domain region within the department of one of those domains. In this context, decaling a new domain of warfare implies the need for an independent service for that domain.
What’s more, recent conflicts have proven the growing vital importance of cyber operations to modern warfare. Cyber is increasingly the backbone of all advanced weapons system, and in the future cyber connections and even weapons may well be in the quiver of every soldier’s arsenal. To a large degree, fifth-generation fighters such as the F-22 and F-35 are more integrated supercomputers that can fly than cyber-augmented aircraft. As David Barno and Nora Bensahel noted in a previous article, “[n]o military service today can function without reliable, resilient cyber capabilities for everything from command and control, to intelligence analysis, to the routine functioning of every weapon system from tanks and ships to aircraft and satellites.”
Yet it is these very attributes that have made the declaration of cyberspace a domain of warfare alongside the four physical domains highly problematic, even dangerous, from a defense policy standpoint. The Space Force, like the Air Force before it, came into existence because the physical requirements of the unique domain required wholly separate equipment and operating constructs to enable human beings to fight and operate within those domains. The Air Force evolved toward independence because the Army was culturally unwilling to prioritize procurement of long-range aircraft. It also resisted the development of “airminded” officers to implement a system of war based on strikes deep into enemy territory rather than in direct support of ground maneuver forces. Similarly, calls for Space Force independence occurred because the Air Force was perceived as paying lip service to space launch and developing constructs of defense in orbital space, while instead being culturally biased towards air dominance.
Cyber operations are not distinct from the physical domains and do not require distinct procurement or operating constructs. They are instead a new layer or medium of weapons and vulnerabilities that need to be prioritized and integrated within the existing domains, rather than bureaucratically separated. Like other emerging weapons systems from missiles to drones to special operations forces, they would benefit from greater awareness and emphasis within the existing services.
Cyber as a medium for military operations, vulnerabilities, and power projection poses further problems for U.S. military policy as it, by its nature, eliminates the foreign/domestic divide and thus poses significant obstacles to U.S. laws and norms of military employment. The 2014 Sony Pictures hack illustrates this problem best, when an American mass media conglomerate, with a subsidiary in Japan, had its overseas servers hacked over a period of months, with information from the hack released to coerce the company not to release a movie to Americans. The dubious questions surrounding national sovereignty, proprietary ownership, private sector network security, and lack of a brute force element demonstrates the inherently whole-of-government, public-private sector cooperation necessary to thwart this type of threat.
Finally, as with the Space Force versus Space Command confusion, a second case where a unified combatant command heavily overlaps with an individual service will potentially undermine the cyber mission due to bureaucratic infighting. As a domain defined by operating constructs and not unique physical constraints, the unified combatant command model with quasi-service authorities, much like U.S. Special Operations Command, is better suited to the military challenges of cyber integration than a distinct service.
What’s more, the reaction of Google employees to the Air Force’s Project Maven demonstrated the cultural tensions between the military and technology sector, and the authority to direct commission cyber professionals to senior military ranks raises questions about the profession of arms relative to technical expertise. Tech company CEOs may undoubtedly be subject-matter experts and proven leaders in the private sector, but direct commissioning such individuals to senior military ranks remains a bridge too far for the military services.
For all these reasons, embracing a purely military framing for this challenge and addressing it only in the “warfighting domain” will artificially restricts thinking and harm, rather than help. U.S. policymakers and allies should instead think differently about the relationship of cyber operations to governments and national sovereignty.
Alternative Models
Naming “cyberspace” a warfighting domain, as the U.S. Department of Defense did in 2010, has led many analysts to the natural conclusion that a military cyber service is the logical next step in the progression of cyber operations. This framing, however, omits alternative models beyond the Department of Defense that are better suited for the unique demands of cyber. Beyond the five Department of Defense uniformed services, the U.S. Coast Guard, U.S. Public Health Service Commissioned Corps, and National Oceanic and Atmospheric Administration Commissioned Officer Corps, and the U.S. Merchant Marine Academy provide valuable alternatives to the uniformed service models that can shape a non-Department of Defense Cyber Service.
The U.S. Coast Guard, as part of the Department of Homeland Security, is the most obvious alternative model. Officially a maritime security, search and rescue, and law enforcement service, the Coast Guard both maintains a global military presence, in partnership with the U.S. Navy, and a domestic law enforcement and humanitarian role overseeing activities in U.S. territorial waters and Exclusive Economic Zone. The Coast Guard has in its history been assigned to the Department of Treasury, Transportation, and now Homeland Security. Due to its broad law enforcement mission it is explicitly exempted from the restrictions of other uniformed military services imposed by the Posse Comitatus acts. These unique authorities readily make the Coast Guard a critical force-multiplier for military operations, notably in the Indo-Pacific Command and in the Global War on Terrorism.
At the same time, the Coast Guard’s status as a military service may pose normative challenges when it comes to domestic cyber needs. The Department of Health and Human Services’ Public Health Service Commissioned Corps and Department of Commerce’s National Oceanic and Atmospheric Administration Commissioned Officer Corps provide models of non-military, profession-centric uniformed services for critical public missions. These services are comprised of 6,000 and 330 officers, respectively, who are driven by the public-service applications of their core professions.
The Public Health Service Commissioned Corps’ mission is to protect, promote, and advance the health and safety of the United States, accomplished rapid reaction to public health needs, leadership in public health practices, and advancement of public health science. The National Oceanic and Atmospheric Administration Commissioned Officer Corps’ mission is to develop a coordinated approach to oceanographic and atmospheric research in order to provide critical environmental intelligence to the nation both in times of war and peace. The public health service is relatively high visibility to most Americans owing to the leadership of the Surgeon General and crisis response to events from Ebola to COVID-19. But the professional reputation of National Oceanic and Atmospheric Administration can also be seen in it being one of the few U.S. entities able to regularly overfly Cuba in pursuit of vital public information. Its officers are generally professionals focused on engineering, earth and marine sciences, and other related disciplines. Due to their expertise and dual-professional nature, most serve in the field grade officer ranks (usually lieutenant commander).
A final uniformed option, without a formal uniformed service, is the U.S. Merchant Marine Academy and the Merchant Marine fleet. The Merchant Marine is comprised of civilian mariners and both civilian and federally-owned merchant vessels, managed jointly by the U.S. government and private sector. Its purpose is primarily commerce and transportation of goods in U.S. territorial waters during peacetime, while in wartime it can be called up as an auxiliary to the Navy. Governed today under the Department of Transportation’s Maritime Administration, the Merchant Marine Academy seeks to educate leaders inspired to serve the national security, marine transportation, and economic needs of the United States. Those graduates do so in a variety of functions, from active-duty military officers to Coast Guard-licensed mariners while on reserve status.
Building a Better Cyber Service
These examples, alongside many non-uniformed agencies where these officers are employed, illustrate that there are many potential models for a future cyber service. Further, the history and evolution of these entities demonstrate a gradual but determined path that U.S. cyber professionals can embark on rapidly, without precluding alternative agencies in the future.
To start, a U.S. Cyber Academy and reserve officer training program modeled on the Merchant Marine Academy, the Uniformed Services University of the Health Sciences, and the military’s Reserve Officers’ Training Corps program can be implemented almost immediately. This in turn will promote a core of public sector-oriented cyber professionals similar to the Public Health Service’s Ready Reserve Corps and the Merchant Marine, potentially administered under the Department of Commerce. This model can lay a more solid foundation for developing cyber professionalism integrated across the government, operating in cooperation with critical allies and private-sector partners, and unconstrained by the potential stigma of military operations.
A further step would be the creation of a uniformed U.S. Cyber Service, modeled more closely on the Health Service Commissioned Officer Corps than on military services. The new Cyber Academy proposed in the first step could provide undergraduate and graduate degrees in the computer sciences, cyber operations, cyber policy, and cyber law with the goal of commissioning uniformed cyber professionals who can specialize in government, military, and private-sector security applications in support of national security objectives. Such a service, emphasizing cyber professionalism over military professionalism, would further enable direct commissioning of cyber professionals to the highest echelons of leadership, much as the Surgeon General will not often rise through the ranks of the uniformed service.
As with the Health Service Commissioned Officer Corps, who readily fill critical positions in agencies throughout the federal government, and Coast Guard officers who readily fill critical positions and bring key authorities to joint military commands, Cyber Service personnel could be empowered to bring key expertise and authorities to U.S. military operations and commands as cyber professionals with military expertise, rather than service-trained military professionals with cyber expertise.
This path forward would allow for the growth of cyber professionals within the U.S. government and the building of public-private partnerships, all without limiting future changes to the mission and character of the service or other new services. Just as the Coast Guard has changed what federal department it belonged to over time, the Cyber Service could similarly transfer as needed. Or should policymakers determine that a military service is still necessary, transitioning the Cyber Service to the Defense Department or standing up a wholly new service would still be possible. And for the immediate military needs of today, a greater emphasis on Cyber Command is preferrable to the creation of Cyber Force. Ultimately, cyber is too big, too dynamic, and too important to be constrained in a military service.
Michael P. Kreuzer is the director of Emerging Technology Programs at the U.S. Marine Corps Command and Staff College. A career Air Force intelligence officer, he holds a Ph.D. in international security from Princeton University. All views expressed herein are his own and do not represent the views of the U.S. government or Department of Defense.
