The Case for a Prospective U.S. Cyber Force

2024 Cyber Expo Brings Cyber-Resilient Capabilities to SSC

 Imagine a scenario in which a junior Army captain is taking command of an airborne infantry company. This officer has never been to airborne or ranger school or completed an infantry field problem. But the officer has conducted countless offensive cyber operations, maneuvering through hostile networks to close with and destroy a digital adversary — and the Army has determined that kind of experience is the best preparation to lead an infantry company.

Now imagine a different scenario. Google has just announced new minimum qualifications to be considered for an entry-level software engineer role. In addition to specific educational and technical skills, applicants will be expected to demonstrate that they can throw a ten-pound medicine ball backward over their heads a certain number of meters as part of a physical fitness test.

These hypotheticals likely sound ridiculous to anyone who has served in an Army infantry battalion or a technical role at a technology company. When it comes to the U.S. military, none of the services would accept, let alone celebrate, a leader who lacks the foundational domain expertise to lead critical operational formations at the heart of each service’s mission. And yet, as military personnel have expressed in recent testimonials, this approach to selection and assignment of personnel is commonplace across the cyber formations within the Army, Navy, Air Force, and Marine Corps.

There is one clear solution to address the military’s current approach to generating forces for cyberspace operations: creating a new branch of the armed forces for cyberspace.



Why Is a New Service Needed Now?

Since U.S. Cyber Command’s 2010 establishment, its authorities, resources, and operations have significantly matured. In recent Congressional testimony on the military’s cyber posture, Gen. Timothy Haugh noted how the command is “[making] the most of the authorities, resources, and support that USCYBERCOM has received since its elevation to a unified combatant command in 2018,” including “[optimizing] our force and operations to contest adversaries working to gain strategic advantage in and through cyberspace below the level of armed conflict.” This includes 22 “hunt forward” operations conducted by the Cyber National Mission Force in 2023, full-spectrum cyber operations in support of Ukraine’s defense, and continuing efforts to defend the upcoming 2024 elections.

However, while there has been significant progress in how the military employs its cyber forces, its ability to generate forces for operations in and through cyberspace — effectively recruiting, training, and retaining personnel for key cyber work roles and missions — remains a persistent problem.

That the military suffers from cyber force generation challenges is not a controversial proposition. Many practitioners, experts, and policymakers are acutely aware of the current limitations. A 2022 Government Accountability Office report found a variety of issues with the services’ approach to cyber force generation. Similarly, a recent monograph uncovers systemic readiness challenges across all services, including recruitment and retention shortfalls, inconsistent skill development and training, promotion process pitfalls, and the degradation of units’ full operational capability.

Senior military leaders also recognize this problem. Regarding the military’s future organization for cyberspace, Gen. (ret.) Paul Nakasone shared last year that “all options are on the table except the status quo.” U.S. Cyber Command leaders recently announced a “CYBERCOM 2.0” effort — a complete review of the organization, including force generation models. At the congressional level, Rep. Mike Gallagher noted at a recent hearing that for the past decade, Congress has “tried to address force design and readiness through 24 different pieces of legislation. And yet … workforce issues remain as challenging as they have the past ten years.” Developing an effective approach to cyber force generation is an acute challenge for the United States in the face of adversaries that are continuing to evolve.

Scoping the Problem

The current approach to cyber force generation within the Department of Defense relies on every service to recruit, train, and retain cyber forces. Each service is free to apply its individual selection criteria, informed by its core mission competencies, toward selecting cyber personnel and defining cyber work roles. Each service then develops and conducts distinct training and educational programs. Finally, each designs and implements promotion and retention programs for their cyber personnel. As a result, there is not a consistent, effective, or reliable approach to force generation across the services.

Moreover, force generation for cyberspace presents a unique challenge for military organizations. Having the right tools, capabilities, organization, and authorities is important for effective cyber operations. However, the single most critical factor is highly skilled and technically competent personnel, especially leaders. Yet such personnel are difficult for the military to recruit (especially when taking into account restrictive physical fitness, grooming, and other standards), expensive to train, and harder to retain.

Because no single organization is primarily responsible for organizing, training, and equipping for cyberspace operations, force generation for cyberspace is every service’s responsibility and no one’s priority. Cyber force generation is a secondary consideration at best for the services, whose primary concern is, rightly, force generation in their primary domains. Therefore, each service simply adapts its existing personnel management systems to address cyberspace, with varying success.

There is a vibrant debate about how to address these problems. One camp argues for an incremental approach: slow and steady changes to improve U.S. Cyber Command’s authorities, capabilities, and resources, while retaining the distributed (or disjointed) force generation model. Others call for a more fundamental revision of the military’s approach to cyber force generation, echoing calls by leaders, such as Col. (ret.) Greg Conti and Adm. (ret.) James Stavridis to establish an independent military service for cyberspace. Both groups tacitly agree that the authorities of a military service are needed for cyber force generation — they just disagree about who should hold those authorities.

This debate tends to evaluate the military’s performance thus far against where it started. By this measure, there have been remarkable improvements. However, our analysis begins from first principles. We articulate what an ideal cyber force generation model within the Department of Defense must accomplish to meet America’s stated national security requirements. We then make the case for establishing a new, independent branch of the armed forces: a U.S. Cyber Force.

Fundamentals of Force Generation

Since the 1986 Goldwater-Nichols Act, the U.S. government has defined distinct roles and responsibilities for the military services and combatant commands. Department of Defense policy stipulates the military services are responsible for providing the forces for military operations to “organize, train, equip, and provide land, naval, air, space, and cyberspace forces.” The services are also responsible for developing concepts, doctrine, and tactics, techniques, and procedures, determining force requirements, and assessing readiness.

In contrast, the combatant commanders “[exercise] authority, direction, and control over the commands and forces assigned to that command.” The combatant commands employ forces and carry out missions under their purview. One exception is U.S. Special Operations Command, which has “service-like” authorities to “organize, train, equip, and provide Special Operations Forces, doctrine, procedures, and equipment” for specific missions that pertain to special operations.

These distinctions matter because there are specific responsibilities, especially with respect to recruiting, training, educating, assessing, and promoting military personnel, that only a military service is able to accomplish. Even the exception proves the rule. While U.S. Special Operations Command is uniquely endowed with greater control, it still relies on the military services to select, train, and present forces for employment. Unlike in the cyber domain, each of the military services is uniquely situated to generate forces for the distinct characteristics of special operations within each warfighting domain needed by the command.

The Case for a Cyber Service

The military’s current structure is premised on the idea that the environments in which military personnel engage in warfighting are defined by unique logics and requirements. The services’ primary responsibility is to prepare the forces needed to compete and win in the land, air, sea, and space domains. With the decision to establish the Space Forcein 2019, each of the warfighting domains — with the exception of the cyberspace domain — is matched to a military service responsible for generating forces with the appropriate expertise for military missions within their respective domains.

Two critical factors drove the decision to construct a new military service for the space domain: first, the recognition that space was essential for modern warfighting and, second, that space possessed unique requirements for force generation that could not be met under the existing structure. The same factors hold for cyberspace, which is alreadya critical part of modern competition and conflict and has seen consistent force generation challenges.

Over the past 14 years, the services have demonstrated that they are unable to generate sufficient forces, leaving the department with “a recognized shortage of skilled cyber personnel that could potentially impact operational readiness across the Department and put national security at risk.” Given this record, it is unrealistic to expect services with competing priorities to become not merely adequate, but to generate overmatch in the cyber domain. Only an independent and dedicated service, a U.S. Cyber Force, can address the core of force generation considerations in cyberspace: the focused recruitment, training, and retention of skilled, qualified personnel for cyber operations.

While domain-specific warfighting competency is essential for all military personnel, the quality of personnel consistently has a more substantial and direct impact on cyberspace operations. As General Nakasone noted in a 2019 interview, the most effective cyber personnel “are often exponentially better than their peers —10 or 20 times better.” As a result, effective cyber force generation requires identifying the right personnel, with a focus on quality over quantity, for recruitment. This includes the ability to define the necessary skills and quantity of personnel to meet the cyber mission. From this baseline, the cyber force generator must identify personnel with technical skill and proficiency who are comfortable with taking the initiative and experimenting and are “passionate about technology and [enjoy] creatively overcoming or circumventing limitations.”

Next, the generating force must train and educate personnel and provide them with adequate career progression opportunities. This requires establishing viable career paths for cyber personnel with opportunities for personal growth, progression of knowledge, skills, and abilities, and positions of increased responsibility across all cohorts. Professional cyber education should mirror the mission requirements, career progression, and personnel growth of the force, offer opportunities for personnel to expand their knowledge and expertise within the cyber domain, and foster both a technical and a leadership perspective as cyber personnel advance in rank and responsibility. Currently, professional education is generally aligned to the preponderance of each services’ specific needs rather than to cyber personnel requirements. For example, the Army’s professional education for junior officers is designed for tactical echelons, while cyber personnel at those ranks are typically engaged at joint and national echelons.

Finally, cyber force generation must sustain its workforce. For one, continuous adversary engagement creates an imperative for a cyber force structure optimized to be deployed mostly in place, similar to the U.S. Space Force (however, like U.S. Space Force, some elements are forward-deployed, such as “hunt forward” teams or cyber operators deployed with special operations forces). The strain of constant engagement affects the morale and mentalhealth of the force, causing burnout and poor personnel retention. The retention challenges are further exacerbated by competition with the private sector for the in-demand skills of cyber personnel. Therefore, the generating force must have a coherent and consistent strategy to sustain its workforce through tailored support programs, readiness cycles, and retention strategies that include additional incentive and bonus pays.

Organizations around the world and in the private sector that value a talented cyber workforce are implementing targeted talent management policies. These actions are within the ability and authority of the services to implement. Why have the services restricted their use and not taken these steps?

In practice, each of these decisions would require an exception to every service’s standard personnel practices and systems. Therefore, developing a dedicated service designed for cyber force generation is more feasible than relying on every service to voluntarily develop, implement, and sustain numerous exceptions, especially when the services’ priorities remain force generation for their core domain of responsibility. The only way to achieve the consistency and scalability necessary to adequately organize, train, and equip an operational cyber force is by creating a central, unified organization to manage all facets of force generation.

Limitations of Continuing the Current Approach

Proponents of the current approach argue that continuing to make incremental improvements will resolve the present cyber force generation shortfalls. The basic logic is that seeing positive results will take time and that the United States is “held somewhat hostage to the path that we are on right now.” Many reference the provision of incrementally more “service-like” authorities to U.S. Cyber Command as an indication of continued improvement, mirroring the calls for U.S. Cyber Command to adopt the U.S. Special Operations Command model.

This view misses the two central points. First, U.S. Cyber Command’s increased service-like responsibilities are due to the services’ lack of improvement. Second, the service-like authorities will not address many of the personnel issues at the heart of the existing force generation challenges. For example, enhanced budgetary control, like the additional authorities granted to U.S. Special Operations Command, provides U.S. Cyber Command with greater control over acquisitions and training. Codified in law in 2022, these additional authorities have only gone into effect in the past several months, so they have not yet been fully tested. Yet even when fully implemented, these authorities will only enable U.S. Cyber Command to improve the training for the personnel already presented by the services. This additional authority does not enable the command to address services’ decisions that negatively impact cyber force readiness. For example, it would not constrain the services’ consistent rotation of cyber personnel out of cyber units, leaving U.S. Cyber Command to “execute cyber operations with a constantly rotating bench.” Similarly, it would not stop the Army from shifting its manning and training priorities toward electronic warfare at the expense of cyber readiness.

Advocates for the current approach also argue that a cyber service would be duplicative. This is a counterintuitive argument considering that the current system relies on five services all generating forces to different interpretations of a joint mission standard by different means and, in some instances, competing against each other for the same individuals.

Another U.S. Cyber Force counterpoint is that the services will continue to need some cyber forces, especially relating to defensive cyberspace operations. This is related to the concern some have expressed about the implications for the technical integration of cyber into domain-specific equipment or the broader consequences for multi-domain operations. These concerns would benefit from further analysis to delineate responsibility for defensive cyberspace operations versus network operations. This concern is also addressed through a historical strength of the Department of Defense: the ability to conduct joint operations.

Next Steps

The establishment of a U.S. Cyber Force is not a foregone conclusion. However, given the broad consensus that the current model for cyber force generation is not optimized to meet current and future strategic challenges, a significant change from the status quo is necessary. Looking ahead, Congress has an opportunity in the next National Defense Authorization Act to direct an independent evaluation or assessment that articulates a clear path forward for cyber force generation. Such an assessment will need to address the full range of necessary decisions about and changes to the full complement of doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy. Improving cyber force generation is essential now, before the United States finds itself in a potential crisis or contingency with a near-peer rival.



Erica D. Lonergan is an Assistant Professor in the School of International and Public Affairs at Columbia University, and previously served as a Senior Director on the U.S. Cyberspace Solarium Commission. She is the co-author, with Shawn W. Lonergan, of Escalation Dynamics in Cyberspace (Oxford University Press, 2023).

Todd Arnold is a U.S. Army officer who currently serves as an Academy Professor in the Army Cyber Institute at West Point and an associate professor in the Department of Electrical Engineering and Computer Science. As a former Army cyber officer, he was a key contributor to the establishment of the Army’s cyber branch.

Nick Starck is a U.S. Army cyber officer currently serving as a research scientist at the Army Cyber Institute and an instructor at the US Military Academy. His research focuses on data privacy and information operations.

The views expressed by the authors are personal and do not reflect the policy or position of any U.S. government organization or entity with which they may be affiliated.

Image: Van Ha