Join War on the Rocks and gain access to content trusted by policymakers, military leaders, and strategic thinkers worldwide.
The U.S. military is rushing toward a software-defined future, one where networks are unified, platforms are cloud-connected, and the fight is shaped by code as much as steel. Marine Gen. Christopher Mahoney, nominated to serve as vice chairman of the Joint Chiefs of Staff, has made clear he supports this vision. But his remarks about unifying networks and letting software drive hardware reveal a gap in the conversation. What’s often missing from the public-facing discussion is serious consideration of what happens when those networks are contested, degraded, or attacked: what the military terms “denied, degraded, intermittent, and limited bandwidth” conditions. Without hardened, resilient systems, a software-defined force won’t just underperform, it will fail at the moments that matter most.
In a recent statement, Mahoney remarked:
There are more networks out there than probably a Cray computer can count. There needs to be unification of a network concept. And there needs to be a change in the way we think about hardware so that … it’s the software that drives the hardware, not the hardware that drives the software.
This software-first approach reflects a broader shift that has been building inside the Department of Defense for more than a decade. As early as 2017, Project Maven introduced machine learning into operational targeting workflows, signaling a future in which software and algorithms would shape tactical outcomes. By 2020, leaders at the Joint Artificial Intelligence Center were publicly describing future war as a “software problem,” setting the stage for a strategic and architectural transformation. The department formalized this direction in its 2022 Software Modernization Strategy, which called for the development of software factory ecosystems, secure DevSecOps pipelines, and continuous delivery capabilities at scale. That same year, Lt. Gen. (ret.) Jack Shanahan and Nand Mulchandani argued that U.S. military dominance would depend on a software-first re-architecture of warfighting systems.
This mindset is now fully embedded in current programs. The Joint All-Domain Command and Control Strategy outlines a department-wide effort to connect sensors, shooters, and decision-makers through a unified, cloud-enabled infrastructure. The Defense Innovation Unit’s Replicator initiative aims to field thousands of autonomous systems in less than two years. Think tanks have reinforced this direction. The Atlantic Council’s Commission on Software-Defined Warfare advocates for modular, upgradeable, software-driven capabilities. The Center for Strategic and International Studies has called for a full re-architecture of how the Pentagon designs, acquires, and deploys military systems. Together, they herald a future where digital integration is no longer aspirational, it is assumed.
That shift is now driving real organizational change inside the Pentagon. The Chief Digital and Artificial Intelligence Office is leading much of this transformation, driving AI adoption through enterprise cloud and data infrastructure, forming the backbone of many modernization efforts. That momentum has been echoed by outside voices.
Recent commentary, including the June 2025 War on the Rocks podcast episode The Future of Software‑Defined Warfare has reinforced the urgency behind this transformation. The episode’s guests, co-authors of the Atlantic Council’s Commission on Software-Defined Warfare, emphasized that success in this space depends as much on people and process as on technology. They highlighted the need for integrated technical teams across services, agile software development cycles, and governance structures that allow commanders to trust, update, and control the software they rely on in real time.
They also underscored that existing acquisition models remain too slow and fragmented to support the kind of modular, upgradeable, and threat-responsive capabilities the strategy demands. Without reforms to how software is developed, fielded, and secured, the department risks building a digital force on foundations that are operationally brittle and procedurally outdated.
These challenges are not theoretical. They will define whether software-defined warfare becomes a force multiplier or a vulnerability in future conflicts.
The military’s growing dependence on cloud-based services, mesh networking, and software-defined systems represents a fundamental shift in how warfighters will command, communicate, and coordinate. But this transformation is occurring without sufficient investment in the cybersecurity infrastructure, defensive talent, or survivability measures needed to secure it. In short: The network may be fast, but it’s not ready to fight.
To be sure, I have an interest in cyber defense, as I lead efforts in the private sector to identify and reduce cyber vulnerabilities and manage the attack surface of large organizations. I should note that neither I nor my employer has any business with the Department of Defense or defense companies, and the views expressed here are my own. I also come to this issue as a former U.S. Marine Corps CH‑53 pilot and forward air controller, with first‑hand experience of what happens when systems fail.
America’s warriors of today and tomorrow cannot afford to wait. Policymakers and defense leaders are obligated to confront and resolve the faulty assumptions that digital systems will remain reliable in denied, degraded, intermittent, and limited bandwidth environments that define modern warfare.
Problematic Assumptions
What began as a push for faster innovation and greater interoperability has evolved into a belief that military networks should function like commercial infrastructure: cloud-native, always on, and software-defined by default. But these assumptions collapse in environments that are denied, degraded, intermittent, and limited in bandwidth, conditions that are not hypothetical but are the reality of peer conflict. In such conditions, satellites can be jammed or destroyed, electromagnetic spectrum can be denied or spoofed, and networks can fragment under cyber and kinetic attack. Authentication systems fail without constant connectivity, targeting data becomes stale or inaccessible, and autonomous systems may become unreliable or even hazardous. Seamless integration may work in procurement diagrams or during peacetime exercises, but a force built on these assumptions risks breaking under fire. Software-defined architectures risk centralizing failure and assuming ideal network conditions, which contradicts the very principles that have guided modern maneuver warfare.
Persistent Connectivity
As detailed in the 2023 Department of Defense China Military Power Report, China has invested heavily in space denial, electronic warfare, and cyber operations designed to disrupt electromagnetic dominance across all domains. Recent events in the Strait of Hormuz underscore this vulnerability. There, commercial vessels reportedly experienced navigational interference likely caused by Iranian GPS jamming, leading to confusion and prompting warnings to ships in the area.
U.S. forces operating under distributed maritime or expeditionary concepts ought to treat these disruptions as the norm, not the exception. Platforms and architectures should be autonomous, resilient, and tactically adaptable, built to function in denied, degraded, intermittent, and limited bandwidth conditions rather than depending on continuous connectivity.
Scaling Security
Integration at scale increases exposure. Software-defined systems, cloud-native applications, and autonomous platforms dramatically expand the attack surface.
Yet the Department of Defense faces a severe shortage in the very workforce needed to defend this infrastructure. More than 25 percent of cyber workforce roles remain unfilled across the department. Recruiting and retaining cyber talent, particularly blue team operators, security architects, and defensive analysts, remains a top concern.
At the same time, the Department of Defense has continued to prioritize offensive cyber capabilities by investing in hunt-forward operations, persistent engagement, and digital weapons (U.S. Cyber Command’s mission), while leaving the defensive side of the house underpowered.
Strategic Consequences and Recommendations
Modernization and consolidation are not optional. They are essential to maintaining a competitive edge. But they need to reflect the realities of modern combat. Operational resilience depends on designing, testing, and defending systems for those conditions. Modernization ought to reinforce those principles, not create brittle dependencies hidden behind elegant interfaces.
The Department of Defense should treat network defense and resilient communications as core operational capabilities. These are not enablers or overhead information technology. They are essential components of modern warfighting. That shift requires more than new funding lines. It demands a different mindset. Four things should change.
Defense Isn’t Secondary
The military’s cyber investment strategy has long prioritized offense by building tools to hunt, disrupt, and destroy. But a networked force can’t operate, much less win, if its infrastructure is exposed. It’s time to put real weight behind defensive cyber: resilient architecture, secure-by-design systems, and the teams that defend them. This means resourcing, not just retaining, security engineers, vulnerability analysts, and blue teams with the same seriousness given to offensive platforms.
Design for the Fight, not the Demo.
Too many modern systems are built for garrison environments and contractor testbeds, not for contested battlefields. Future warfighting systems should assume degraded or denied conditions. That means enabling operations when disconnected, not just synchronizing when connected. Local compute, autonomous edge functionality, and pre-positioned data need to be baseline, not bolt-on.
Doctrine Should Shape Design, Not Dictate It
Modernization should reflect warfighting realities, not just technical possibilities. U.S. joint doctrine emphasizes that command and control should function despite friction, chaos, and degraded communications. Joint Publication 3‑0: Joint Operations highlights the importance of mission command, enabling subordinates to act decisively within their commander’s intent even in the absence of direct orders or connectivity. Our systems should reinforce these principles by supporting decentralized execution and mission continuity when higher authority is unavailable, rather than depending on pristine network conditions to function.
Test it Like it’s Wartime
The systems the U.S. military fields need to survive contact with the enemy, not just excel in controlled environments. That means pushing prototypes and concepts into red team exercises, denied-spectrum wargames, and cyber-contested environments before they scale. If a networked system cannot survive jamming, spoofing, or targeted intrusion, it doesn’t belong in the next war.
Conclusion
It is certainly true that the future fight will be shaped by software, data, and connectivity, but a software-defined, network-dependent force will not survive its first contact with a peer adversary if its architecture is fragile, its assumptions are untested, and its cybersecurity is underfunded.
Connectivity is not a given. Control will be contested. And the systems we rely on should be built for that reality, not for peacetime efficiency or technical elegance. Doctrine reminds us that war is defined by friction, chaos, and uncertainty. Our networks, and the people who defend them, should be ready to fight through all three.
This is not just about technology. It is about delivering operational resilience in the face of environments that are denied, degraded, intermittent, and limited in bandwidth. Anything less isn’t just a design flaw. It’s a vulnerability that could cost the fight, and cost lives.
Anthony Quitugua is a former U.S. Marine Corps officer, CH-53 pilot, and forward air controller with operational experience in Iraq, Afghanistan, and the Indo-Pacific. He is a cybersecurity professional specializing in attack surface management and network defense in the private sector.
Image: Midjourney
