20 May 2023

Many believe it’s time for an independent uniformed cyber service. Here’s what it could look like

MARK POMERLEAU

While the idea has been kicked around for more than a decade, discussions for an independent cyber service — akin to the Army, Navy, Marine Corps, Air Force and Space Force — have intensified in the last few months. Lawmakers have taken time during congressional hearings to ask top Department of Defense cyber officials about the prospect of a cyber force and, increasingly, there are more questions from attendees at conferences for military officials.

As it currently stands, each of the military services is responsible for providing personnel for a set number of teams to U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands.

Proponents of an independent cyber service argue that cyber operators have no distinct identity, as they are still members of their respective services; that there are readiness issues associated with each service resourcing its cyber contributions differently; that lexicon and pay scales differ for the members of each service; and that the command and control structures are confusing.

Those teams — both offensive and defensive — were initially designed to be joint from the very outset, trained to the same standards so they could be interchangeable and operate alongside one another.

“For over a decade, each service has taken their own approach to providing United States Cyber Command forces to employ and the predictable results remain inconsistent readiness and effectiveness,” says a March memo signed by the Military Cyber Professionals Association, a non-profit dedicated to advocating for military cyber issues, and sent to both congressional Armed Services Committees urging the creation of a United States Cyber Force in this year’s annual defense policy bill.

The memo notes that the association’s thousands of members, who are spread across the nation and comprise the broad military cyber community, believe a cyber service is needed and inevitable.

“Only a service, with all its trappings, can provide the level of focus needed to achieve the optimal results in their given domain. This is why we have a Navy, for example, that heavily invests in manning, training, and equipping to fight and win at sea. Cyberspace, being highly contested and increasingly so, is the only domain of conflict without an aligned service. How much longer will our citizenry endure this unnecessary risk,” the memo continued.

There is too much at stake to continue going down the same path, others argue.

“The risk is that we will continue to build, plod along and probably survive to the superhuman effort above and beyond by individuals. We will not optimize our force generation for the really high-intensity fight we’re about to be in in cyber,” Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies and the director of the Cyberspace Solarium Commission 2.0, told DefenseScoop. “Your other two choices are a massively overburdened Cyber Command trying to do this, plus by the way also be NSA, or a very inconsistent performance from three services … A separate service will give you, when properly established and resourced, the agility, the platform to ask for resources and the focus to ensure that force generation is optimized for whatever Cyber Command demands for force employment.”

Montgomery noted it’s been almost a decade with the services performing the man, train and equip functions for Cybercom, but, he adds, they have not progressed appropriately for the threat.

“That 5,000-6,000 people that come from the services, they’re not being trained consistently, their readiness over the last half a decade has been flat despite increased attention … and some would argue that the readiness has been flat while the standards have been subtly lowered,” he said. “Really, that means you either have a flat or declining readiness in your national cyber mission forces.”

As the argument goes, each of the services has its own identity, culture, and way of classifying and providing forces to Cybercom. Many have argued that this has been to the detriment of cyber warriors given they are soldiers or airmen or sailors first, with a focus on cyber second.

Additionally, the readiness levels of the teams the services provide to Cybercom have ebbed and flowed over the years as the services have sought to address how they present forces. Most recently, the Navy has faced significant criticism based on the readiness of its teams. Congress has forced the Navy to create specific work roles for cyber officers and enlisted personnel as it was the only service that had not done so. Personnel, as a result, would cycle in and out of the cyber mission force.

Congress has danced around the issue while not explicitly demanding the creation of a cyber force. It asked the DOD to include an assessment of the costs, benefits and values of establishing a uniformed cyber service in the 2022 cyber posture review. And in the most recent defense policy bill, Congress also asked for a study, which among many aspects, called for an examination of the current cyber enterprise, requested how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force and if the DOD should create a separate service.

The DOD did not include the assessment in the posture review, instead opting to include it in the report demanded by the fiscal 2023 policy bill, much to the chagrin of some members of Congress.

“It’s not the prerogative of the department to decide which part of the congressional mandate you get to comply with, or will answer it in a different report at a different time. We wanted that assessment in the cyber posture review. I would appreciate getting back to my team on why that didn’t happen, just so we can improve this process of reporting and answering going forward,” Rep. Mike Gallagher, R-Wisc., chairman of the House Armed Services Subcommittee on Cyber, Information Technologies and Innovation, said during a March hearing.

Other members were vocal, sounding the alarm bells and equating this current moment in time to the birth of the Air Force by Army Gen. Billy Mitchell, who was eventually court-martialed for his disruptive, forward-thinking criticism of the U.S. military’s investment in naval ships instead of aircraft.

“When you think about how inexpensive it is, relative to the potential impact and damage that cyber can do today, it harkens, for me, Billy Mitchell comes to mind. Gen. Billy Mitchell, who rang the alarm in the 1920s about the importance of air and got court-martialed for it because he saw the future. We can’t fight the war today, we got to fight the war tomorrow, prepare for that,” Rep. Patrick Fallon, R-Texas, said at the same hearing. “I strongly feel that we should be creating a seventh branch and making a cyber service … We have over $800 billion budget and $13.5 billion is going to cyber. Less than two percent. It’s one thing that I really want to ring the alarm bells and I think that’s something that we should be seriously considering.”

On the Senate side, one top cyber lawmaker is still undecided on the matter.

“I’m open to it, but I don’t have a bias either way on it right now. I just simply don’t have enough good data about what the future brings on this to determine that it’s necessarily a good idea to create an additional service branch specifically for this particular piece,” Sen. Mike Rounds, R-S.D., the ranking member on the Senate Armed Services Subcommittee on Cybersecurity, told DefenseScoop. “Whether or not we should have a separate branch for me is still up in the air. I don’t want to make a major change in something unless I know that there’s a really high degree of certainty that we improve our capabilities and not detract from our ability to respond right now in an immediate fashion when the need arises.”

He added that at a certain point, there needs to be some buy-in from the administration. The studies Congress has directed are a way of drawing the department’s attention to an issue that Congress might be frustrated with.

“It gauges interest in a way, but it also gives them a heads up that we perhaps are not happy with all the different branches in terms of what they’re delivering to the cyber forces today,” Rounds said, adding the issue will continue to be an item of discussion at hearings and in oversight.

Congress still receives classified briefings on the issue, Rounds noted, explaining there are shortcomings in the current system, especially when it comes to the way some services conduct training and cycle their cyber forces in and out.

As a result, he said to expect changes in consolidating training to standardize it more across all the services.

What would an independent cyber service or cyber force look like?

One outside organization has been developing a broad proposal that not only articulates the vision for a new and separate cyber service but also establishes a new agency and U.S. Code to house a cyber force along with many other cyber functions of government.

The Association of U.S. Cyber Forces (AUSCF) – a nonprofit founded in 2019 with the number one desire being to create an independent cyber force due to frustrations with the current status quo – believes that there has not been enough investment in the information domain as a whole, which includes cyber. Along with all the other issues some see with the current structure of military cyber forces, AUSCF wants a more robust information posture, and creating an agency dedicated to that – which includes an independent military cyber force – gives the U.S. a better posture.

“The challenge that the U.S. must address, and quickly, is to provide the same level of prominence within the government on the Information domain” as others, according to an AUSCF whitepaper. “[S]pecific Departments have been established to support what historically have been the most effective elements of power for the U.S. Therefore it makes sense to institute a separate Department to manage and address the challenges within the Information sector of national security.”

AUSCF has been advocating for the creation of Title 55 in the U.S. Code to govern the activities of a separate department. A separate military entity would still perform its warfighting functions under Title 10, the part of U.S. law that governs the armed forces, but Title 55 would provide the left and right limits of what those forces would do domestically.

Under current law, the military has very strict limits regarding operations it can conduct within the borders of the U.S. This new structure would help clarify that for the active, Guard and Reserve forces as well as establish a national cyber auxiliary that could aid in the broader defense of the nation, not just focusing on external actors. Title 55’s national auxiliary of volunteers could be deputized in the event of a national cyber emergency as no such thing exists in the cyber realm.

This would be a similar arrangement to the Coast Guard, which, while a uniformed military service, is housed within the Department of Homeland Security. As a result, it has unique law enforcement authorities that make it an effective tool for combating a raft of malicious activity in the physical and virtual domains.

While some may argue that there are current laws and policies on the books that govern these activities, AUSCF believes that various mechanisms such as Title 10, Title 32 (which governs the National Guard), and Title 50 (which primarily governs intelligence matters), among others, all predate the digital age. It’s difficult to try to amend these into something that would fit congruently into the cyber domain, AUSCF says, equating it to fitting a round peg in a square hole.

According to materials AUSCF has presented to Congress advocating for a new construct, and briefed to DefenseScoop, an independent cyber service would do away with Cybercom, creating a standalone force that would provide personnel to the combatant commands, just like each of the services do now in their respective domains. The Army provides land forces to each geographic command, for example, the Air Force provides air forces, and the Navy provides naval forces.

For cyber, the set number of teams that each service currently provides to Cybercom are then employed through what’s known as Joint Force Headquarters-Cyber to conduct operations for particular combatant commands. Each service cyber component commander is also the commander of a Joint Force Headquarters-Cyber team. JFHQ-C Army is responsible for Northern Command, Africa Command and Central Command; JFHQ-C Air Force is responsible for European Command, Space Command and Strategic Command; JFHQ-C Navy is responsible for Southern Command, Indo-Pacific Command and U.S. Forces Korea; and JFHQ-C Marines is responsible for Special Operations Command.

That whole structure goes away under AUSCF’s proposal, creating more streamlined command and control. But Cybercom would be used as the nucleus to carve out a service headquarters. Moreover, this new construct would decouple the NSA from Cybercom and cyber forces, returning it to a separate three-star command.

AUSCF believes the structure Congress created in 2019 when it established Space Force, in addition to Space Command, is redundant and thus it does not advocate for a cyber service and Cybercom to exist together.

For the Military Cyber Professionals Association’s part, its memo didn’t provide a legislative roadmap or recommendations. Rather, it proposed that a thorough study be conducted to determine what the uniformed service should look like, so as not to establish it too hastily and produce the opposite of the intended effect.

Montgomery said the Cyberspace Solarium Commission 2.0 is working on a study examining the pros and cons of establishing a new service.

He offered three potential options DOD has: continue on the current track, develop a system where the services just provide personnel to Cybercom with Cybercom performing the real man, train and equip function, or create an independent cyber service.

Montgomery noted the preferred method he’s advocating for is a separate cyber force along with a Cyber Command, similar to the Space Force and Space Command model.

Under this construct, the uniformed cyber service would provide the troops, training and equipment – along with the recruiting aspect – to Cybercom, who would then employ them.

“I’m telling you, readiness will increase, retention will increase,” Montgomery said.

The Cyberspace Solarium Commission is also examining something similar to the special operations construct, with a combatant command – Special Operations Command – that has certain service-like authorities and a service secretary-like office – the Assistant Secretary of Defense for Special Operations/Low-Intensity Conflict – over it that exists at the Pentagon.

Last year, Congress directed the creation of an assistant secretary of defense for cyber. However, the DOD has not nominated someone for the position yet. The department commissioned a study to determine what that office should look like and encompass.

“We’re going to look at all of them. There’s pros and cons to both, make a recommendation and then if we make a recommendation for the cyber force, go further down that recommendation, like, where do you cut the deck of cards, what’s cyber force, what’s service retained forces, that kind of stuff and how do you optimize it for success,” Montgomery said, adding it is expected to be completed in September.

Rounds raised the idea of reevaluating the mix of uniformed and civilian personnel going forward.

“That’s something that I think has some really good possibilities, because you need cybersecurity experts in the private sector as well. If we can get folks that have a good background and then understand what our capabilities are with regard to our military capabilities and they are also then in as part of the private sector, if there’s a way to maintain that type of a reserve setup, that might very well provide additional interest in creating a separate cyber force that would be different than one of the current branches itself,” he said.

‘Now’s not the time’

Opponents of a cyber force argue that now is not the time because the current mechanisms haven’t had a chance to succeed or fail.

In 2007 when DOD was developing mechanisms to envision cyber as a warfighting domain, those in the offensive cyber organization precursor to Cybercom argued for a cyber service while Gen. Keith Alexander, the first commander of Cybercom, argued for a Socom-like model, wrote Michael Clark, director for cyber acquisition and technology at Cybercom, on LinkedIn in April.

“The SOCOM-like model was the right one then and remains so today,” he said.

Current Cybercom Commander Gen. Paul Nakasone, when asked by members of Congress as well as those in the general public about the prospect of a cyber service, has also harkened back to the Socom model saying that Cybercom has tried to emulate that.

“In my perspective, my experience, what we’re focused on is being able to do operations all the time. Being able to have a series of agile authorities like acquisition or personnel or force provision or training. Again, it comes back to what I have seen with Special Operations Command,” he said at the Cybercom legal conference in April. “They didn’t create a service for Special Operations Command. What they did is they focused on a command and providing it the necessary authorities to be agile and be speedy and be able to work across a series of different services, which I think is really important. That’s where I’m at with it in terms of looking at it.”

Montgomery noted that the services still provide service-unique special operations forces to Socom as opposed to the cyber mission force teams the services provide to Cybercom, which were designed to be joint, trained to the same standards and be interoperable together from inception.

“The services still have a [Navy] SEAL team training, [Army] Ranger training, [Air Force Special Operations Command] training, makes perfect sense,” he said. “Those forces aren’t the same as cyber forces because they are unique to their services. If you told me ‘Hey, we got to launch some special forces guys from a submarine 100 miles out to sea and go blow up a railhead,’ you don’t think to yourself, ‘Man, I want AFSOC helo pilots.’ You think to yourself, ‘Hey I want some SEALs,’ right?”

Clark argued that Cybercom will only begin, in October, to function with the service-like authorities Congress granted it last year, known as enhanced budget authority.

“I accept that there are certain aspects of a Cyber Service that may be attractive … but we’ve yet to prove that the SOCOM model won’t also be effective,” he wrote. “Before we start thinking about another organization, let’s give the current model the opportunity to prove itself with the [Cyber Mission Force] and then increase to include the [Cyber Operations Forces] in FY25. I’m absolutely confident the Command can succeed.”

Additionally, the Cyber Mission Force reached full operational capability five years ago with approved growth of its forces from 133 teams to 147 in the next couple of years.

Other officials want more studies done to determine the optimal outcome, especially given resources are scarce.

“Until there is really a study that looks at that, the kind of broad open question that hey, should we establish a cyber service without really articulating and studying, is it going to solve all of those problems or is it going to create additional problems, because at the end of the day, there aren’t a whole lot of additional resources out there,” Maj. Gen. William Hartman, commander of the Cyber National Mission Force, said at the Joint Service Academy Cybersecurity Summit in April.

Some worry about duplicating efforts across a cyber force and what the services will inevitably still need for their own internal cyber and IT needs.

“I think if you create a cyber force, you are going to have a duplicative force. The Army is still going to need cyber people to handle their cyber missions, the Navy is still going to have cyber things that are specifically for fleet defense that are not covered by Cybercom,” Vice Adm. Craig Clapperton, commander of Fleet Cyber Command/10th Fleet, said at the same conference. “You’re going to create a duplicative force and that force is not going to be optimized to meet neither the joint fight needs nor the needs of the individual services. I don’t think it’s the right time.”

Similarly, others have argued that they’re building to meet their own service needs, especially in the more tactical sphere.

“We are growing a significant amount of capacity within the Army and so my concern would be, first and foremost, how will we be able to conduct integrated [information operations], [electronic warfare] and cyber operations in support of the land component commander [if there’s a separate cyber force]? How are we going to do that with these forces and where does that cyber force extend to? Does it stay with the strategic CMF forces that we all represent here today or is it going to go extend down into the tactical, because I’m going to tell you, they’re building that in the Marines” too, Lt. Gen. Maria Barrett, commander of Army Cyber Command, said at the conference. “We’re focused on Army 2030 of laying in all of our capabilities and structure changes before that point. If we have to stop what we’re doing and reintegrate how we’re doing cyber, I think that’s going to be disruptive in this time, that’s not a lot of time. So, I’m no.”

Under the AUSCF-proposed model, the services would still maintain some of their service-retained cyber capabilities. Just like each service has an aviation component, they could still possess some type of cyber capability, especially for unique mission sets such as the Army’s cyber and electromagnetic activities concept, which is unique to land warfare. But in total, AUSCF is proposing around 85 percent of cyber forces and capability from the services migrate to a new uniformed force.
