Join War on the Rocks and gain access to content trusted by policymakers, military leaders, and strategic thinkers worldwide.
What if I told you a major U.S. Department of Defense component assumed responsibility for building a critical warfighting capability negligently disregarded this duty, and ultimately allowed this capability to reach a point of failure? Well, that’s exactly what happened with U.S. Cyber Command.
Leading into 2017, there was an ongoing debate regarding whether the U.S. Department of Defense should establish a cyber service to generate cyber forces or if cyber force generation responsibilities should be formally given to U.S. Cyber Command. Ultimately, that year, Cyber Command was given force generation responsibilities, which are to organize, equip, train, and provide forces for employment in Cyber Command or other combatant command joint force operations. Since being given these responsibilities, which include sustained unit readiness, Cyber Command’s stewardship of the cyber force generation mission has been counterproductive, resulting in a force generation “model” that has devolved to a point where it cannot be fixed.
The Department of Defense cyber force generation effort has failed. The acting Cyber Command commander recently asserted that this could be corrected going forward by emulating the U.S. Special Operations Command force generation model. This contention tacitly acknowledges that the Cyber Command “model” has failed. In addition, the implication that there is a Special Operations Command “model” that Cyber Command can readily ease into is misleading.
Special Operations Command may be considered a “model” for force generation in the sense that it is a combatant command that has effectively executed service-like force generation responsibilities for nearly 40 years, which is a measure of effectiveness that Cyber Command should have aspired to emulate from the beginning. However, the Department of Defense should not allow the illusion of this symbolic “model” to misdirect from the facts. With only one specific exception, the Special Operations Command model would not apply to the nuances of the Cyber Mission Force. In addition, authorizing Cyber Command to adopt a new model would portend that the command would retain its force generation responsibilities, which would extend these authorities and give Cyber Command a “redo” after at least seven years of failure.
The cyber service debate still lives, with a major think tank launching a new commission to establish a cyber service. An examination of the preceding 13-year cyber force generation effort provides the empirical evidence necessary to decisively support the argument for a cyber service.
The Genesis of Cyber Command’s Force Generation Responsibilities
There are three military force operations: force generation, force projection, and force employment. Based on the Goldwater-Nichols Department of Defense Reorganization Act of 1986, the services are responsible for force generation, the combatant commands are responsible for force employment, and force projection is a shared service/combatant command responsibility. Until the establishment of Cyber Command, the only exception to this model was the 1987 establishment of Special Operations Command.
In 2009, Cyber Command was established as a sub-unified command under the U.S. Strategic Command. In 2017, the decision was made to elevate Cyber Command to a combatant command. During that period, there was an active debate over whether the Department of Defense should establish a cyber service or formally designate Cyber Command as the component ultimately responsible for the force generation functions that the services had primarily managed since the force build began in 2012. At the time, Cyber Mission Force units were being effectively built by the services, nominally under Cyber Command’s oversight, and the process appeared to be working. This led to an assumption that after attaining full operational capability for the total force, the process of sustaining the forces would be equally effective. Since giving a combatant command force generation responsibilities was not unprecedented, and it was the path of least resistance relative to establishing a cyber service, the decision was made to give Cyber Command these service-like responsibilities upon elevation. However, there were divergent dynamics that combined to eventually prove this to be the wrong decision.
In 2017, the Department of Defense erroneously conflated the scope of Cyber Command’s 10 U.S. Code § 167b force generation responsibilities with Special Operations Command’s 10 U.S. Code § 167 force generation authorities originally established in 1987. Almost comically, the drafters simply copied whole sections from the Special Operations Command Title 10 responsibilities, many with the only change being to replace the term “special” with the term “cyber.” The cut-and-paste draft version presented to Congress did not reflect the stark differences between the Special Operations Command model, which had matured over a 30-year period, and the unique challenges of generating Cyber Mission Force units relative to special operations forces. Cyber Command was tasked with responsibilities for which it was not postured to execute and should not have been given. This began a period of cyber force decline that was marked by a misunderstanding and neglect of the responsibilities the command had been given.
The decision to give Cyber Command force generation responsibilities was made during the final months of a six-year process wherein the services had a tangible Department of Defense mandate to build a total of 133 Cyber Mission Force units. The services’ efforts to reach full operational capability had high-level Department of Defense interest, and there was a strong sense of urgency to meet the mission and be done with it. Cyber Command Cyber Mission Force units attained full operational capability in May 2018, just months after the command had been formally established as the component responsible for cyber force generation. Coincidentally, Cyber Command was officially elevated to a combatant command that same month. The elevation and declaration of the Cyber Mission Force as at full operational capability marked an inflection point at which Cyber Command miscalculated its lines of effort.
After the services trained individuals and formed them into Cyber Mission Force units, the units were then assigned under the combatant command authority of Cyber Command. After units were assigned to Cyber Command, the command had the force generation responsibility for sustained unit readiness. Although the services remained responsible for providing trained individuals, Cyber Command was responsible for sustained individual and collective readiness. Force generation is a continuous process. However, Cyber Command reacted to the May 2018 full operational capability declaration as though the force generation phase had ended, and the force employment phase had begun. This was the point at which Cyber Command (wrongly) assumed the services and service cyber components would sustain the force as effectively as they had built it, without any overarching guidance or oversight. The command mentality shifted after an extended period of building the force to a point at which the command could then employ this robust cyber capability in global operations. What followed was perhaps the worst-ever case of a Department of Defense component neglecting its military force operation responsibilities.
The Void in Cyber Force Generation Policy and Process Guidance
Department of Defense policy specifies that Cyber Command is a combatant command with unique functions, responsibilities, and authorities similar to a number of authorities exercised by the military departments. Department of Defense policy further specifies that Cyber Command, in coordination with the Military service Chiefs, has the responsibility to organize, train, equip, and provide cyber operations forces. After having been given these responsibilities, it does not appear that the command ever conducted a detailed mission analysis to understand the implications.
The services (and Special Operations Command) have comprehensive policies and processes to guide the generation of forces to meet service-specific force employment requirements. Conversely, Cyber Command never developed a unifying force generation process, nor did it establish a dedicated staff structure to centrally manage what should have been a robust program. A force generation process that is dependent on external partners (such as the services) for support can only be effective if there is Department of Defense-level policy directing the external partners to comply with process requirements. Since there was never a comprehensive process developed for the Department of Defense to promulgate in policy, cyber force generation proceeded without a compass or a hammer.
Although the policy guidance regarding Cyber Command’s responsibilities is clear, a common source of confusion as it applies to cyber force generation responsibilities is the tendency to conflate the services and the service cyber components due to the incestuous relationships they have been allowed to establish over the years (more on that later). Cyber Command has neglected to act as the direct interface with the services on key force generation issues, so it is difficult to distinguish when the service cyber components are performing as Cyber Command components or as co-opted extensions of the services. This leads to a tendency to label a service cyber component’s responsibility as a “service” responsibility, but the service cyber components are under the combatant command authority of Cyber Command, so any service cyber component’s responsibility is a Cyber Command responsibility. Again, articulate policy would have clarified roles and responsibilities.
Rather than taking the necessary measures to meet the responsibilities it was given, Cyber Command focused on its force employment mission and accepted risk in force generation by largely ignoring how the services and service cyber components were developing cyber forces in a very non-standardized and unbalanced manner. This approach was also reflected in the developing command culture.
A Command Culture That is Not Conducive to Force Generation
By the point at which Cyber Command was formally given responsibilities for cyber force generation, a command culture had developed that reflected a bias toward the force employment mission (real-world operations), to the detriment of the force generation mission.
When Cyber Command was established at Fort Meade, Maryland, there was no core cadre of cyberspace operations personnel. Therefore, Cyber Command’s manning was initially made up of signals intelligence and communications personnel, because they were considered to be the most compatible specialties. There was a large pool of military personnel with these specialties at the National Security Agency and the Defense Information Security Agency at Fort Meade who would readily transfer to Cyber Command rather than having to relocate to another posting. While these categories of personnel may have been the most appropriate fits for offensive and defensive cyberspace operations, they are not the types of expertise that a command with force generation responsibilities would rely on most heavily for success in that mission area. Predictably, with little understanding of, or interest in, the methodical grind of force generation, the signals intelligence and communications personnel had a bias toward emergent operations. This dynamic led to a command culture that focused on force employment operations while relegating force generation responsibilities to the Cyber Command service cyber components without unifying processes or four-star level command oversight.
Any Plan to Adopt the Special Operations Command Model is a Red Herring
The notion that Cyber Command could emulate the Special Operations Command model is not grounded in an understanding of the disparate variables that dictate how the two dissimilar models must operate.
The most notable distinction between Cyber Command and the Special Operations Command, as it applies to force generation, is the contrast between the combatant commands’ relationships with the services. The Special Operations Command receives inherently service capabilities (ground, air, naval/marine) presented by the services and further specializes these capabilities through the Special Operations Command service components. These service-centric capabilities are organized, trained, and equipped to form special operations forces-specific capabilities that are integrated and interoperable with other Joint Force Commands. Cyber Command, in contrast, is responsible for generating a modular force that has no service-unique attributes. Cyber Command receives individuals presented by each of the services that do not benefit from (nor require) inherently service characteristics. Service-trained personnel are integrated into organizations having no direct correlation with a service warfighting domain-centric function or traditional force structure. The services do have applicable feeder skill specialties (e.g., intelligence, communications/signal), but the personnel trained to man Cyber Mission Force units are trained in cyber domain skills and not skills that are inherently related to the core service warfighting domains (land, sea, air, space). Objectively, a cyber force team provided by the Army or sustained by the Army service component command will have the same organization and perform the same functions as those provided by the Air Force, Navy, or Marine Corps. This distinction demonstrates that the Special Operations Command model and a Cyber Command model could never be interchangeable.
The fundamental strength in the Special Operations Command model that Cyber Command should have emulated from day one is an appreciation for how critical the force generation mission is to the overall success of the Cyber Command mission. The only other applicable imperative in the Special Operations Command model that Cyber Command should have emulated is the rigid bifurcation of force generation and force employment responsibilities. Upon elevation, Cyber Command immediately fell into the very trap that the Goldwater-Nichols Department of Defense Reorganization Act was enacted to prevent. Cyber Command is the only organization that attempts to manage both force generation/sustainment and force employment responsibilities from the same headquarters staff directorates. The dysfunctional organizational approach that Cyber Command adopted was vulnerable to a command culture that prioritized force employment efforts in a manner that accepted risk to force generation. The Cyber Command responsibilities also diverge from those of the Special Operations Command’s in that Cyber Command-generated forces are almost exclusively employed by the command in Cyber Command cyberspace operations, making the dereliction in force generation responsibilities even more confounding. Unlike falsely generalizing how Cyber Command should emulate the Special Operations Command model, the construct of rigidly separating the force generation and force employment missions is the singular variable that Cyber Command should have adopted. Other than that example, the two models would have nothing in common. That stated, the Special Operations Command force generation model does incorporate attributes that mirror those of the services (e.g., enhanced acquisition authorities, advanced education institutions), but these are not unique to the Special Operations Command model and merely reflect the command’s service-like responsibilities, which would have equally applied to an effectively developed Cyber Command model.
The Results of Having No Process, No Policy, No Oversight, and No Culture
In Cyber Command’s defense, the deck was stacked against it from the beginning. However, the command refused to accept advice regarding the implications of the force generation mission that had been dubiously pushed upon it. In retrospect, it is evident that the only prospect for success would have been to immediately establish a process that facilitated the integration of service-provided resources without allowing the services to impose undue influence within the command. Instead, Cyber Command focused on its force employment mission while the service component commands steadily contributed to the devolution of the command in deference to parochial service equities. In contrast to a modular structure, the service cyber components have developed into diverse, service-centric cylinders of excellence, which would now render an effort to deconstruct and establish a standardized force generation process time-, effort-, and cost-prohibitive.
Cyber Command and its subordinate command elements were established to generate forces, to command and control forces, and to execute cyberspace operations as a combatant command or in support of other combatant command operational requirements. Over time, however, the service cyber components have become the services’ “everything cyber” components and have been given either command or control of service-retained organizations to accomplish service-mandated requirements. This presents a convoluted command authority relationship wherein the service cyber components are nominally under Cyber Command combatant command authority, while there are organizations assigned under the operational control of the service cyber components that are categorized as service-retained forces and not considered to be under Cyber Command combatant command authority.
The assignment of service-retained, cyber-related force elements to Cyber Command service cyber components creates a competitive dynamic between the services and Cyber Command and burdens the service cyber components to deconflict or adjudicate competing requirements. An example of the competing requirements is that the services do not have units identical to those in the Cyber Mission Force, but they do have manning requirements that must draw on the same pool of personnel as the Cyber Mission Force. Service feeder specialties that qualify personnel for Cyber Mission Force entry are the personnel needed to man service-retained, cyber-related organizations. Cyber Mission Force-assigned personnel remain under the administrative control of the services and can therefore be reassigned by the services to service-retained units. In a zero-sum game among low-density specialties, the assignment of Cyber Mission Force-qualified personnel to service-retained units directly degrades Cyber Mission Force readiness. The Office of the Secretary of Defense did not establish policy to compel the services to support a unified force generation process, and Cyber Command did not demand that such policy be promulgated. Therefore, there was no binding guidance to compel the services to prioritize the sustainment of the Cyber Mission Force above (or even equal to) service priorities.
The most glaring example of the incestuous relationships between the services and the service cyber components occurred during the Cyber Mission Force build, which culminated with “full operational capability” in 2018. To meet milestones leading up to full operational capability, the Army employed a deceptive method of unit personnel strength reporting to make it appear as though they were meeting their objectives. As was discovered years later, the units generated by the Army were declared as fully capable at 67–75 percent manning, which was well short of the required end-strength. It was apparent that the Army Cyber Command had been complicit and reported the vastly exaggerated numbers to Cyber Command, demonstrating that the service cyber component was more loyal to its service headquarters than the command it was a component of.
Another key component of cyber force generation that has devolved beyond Cyber Command’s control is training. Although the Cyber Mission Force was structured to be a modular force, the services have differing names/designations for work roles, and individuals assigned to the Cyber Mission Force to fill these work roles are trained differently. The services train cyber personnel at service-specific training centers; training pipelines differ by service, and misalignments persist. Consequently, service members often arrive at Cyber Command with skill sets that are inconsistent and insufficient to fulfill their basic work roles.
A Cyber Service is the Only Viable Course of Action
In 2017, Cyber Command was advised regarding the consequences of not taking decisive, proactive measures to sustain cyber force generation after the Cyber Mission Force was declared fully operational. This warning was validated relatively early on when it became apparent that Cyber Command did not have a process by which to monitor and assess unit readiness progress and manage risks to mission readiness before units reached the point of failure. By this point, however, the command was not organized for success and could only address isolated causes, lacking the ability to address issues in a comprehensive manner. Due to the command culture and the personnel staffing the command, there was a void of a service-like force generation perspective that would have been necessary to effectively pivot. The underlying frictions involving the services and service cyber components were simply bypassed as irreconcilable limiting factors, which further exacerbated the degradation of force generation effectiveness.
When the debilitated posture of the Department of Defense’s force generation effort became apparent, the cyber service debate was reignited with fervor.
Even if Cyber Command had a viable model to pivot to today, the command would be unable to do so due to the current staff structure, the command culture, gaps in staff expertise, and the organizations that the service cyber components have been allowed to become. There is no existing model that corrects those and other contributing factors.
When the Defense Department elevated Cyber Command to a combatant command with concurrent force generation and force employment responsibilities, it violated the Goldwater-Nichols principle that had been proven effective and still stands to this day. The strength of a service is that it is dedicated to only one military force operation. A cyber service is the only viable course of action to correct and sustain cyber force generation. In addition, this will enable Cyber Command to singularly focus on its critical force employment mission, as it should.
Aden Magee has performed as a senior joint operations advisor at the highest levels of the Department of Defense, including the Office of the Secretary of Defense, the Joint Staff, and multiple combatant commands, including U.S. Cyber Command and U.S. Special Operations Command. He is a retired U.S. Army officer and a veteran of foreign wars. The views in this article are those of the author and do not represent those of the Department of Defense or any part of the U.S. government.
Image: Skyler Wilson via U.S. Cyber Command
