It’s been a little over three years since Congress created a dedicated military service to focus on space. Lawmakers are wondering whether it’s time to do the same thing for cyber.
The Defense Department hasn’t yet taken a position on that question — officials say they’re still studying the topic of military cyber force design. But some members of Congress are getting impatient.
Lawmakers have asked DoD for its recommendations on whether there ought to be a separate military services just for cyber forces more than once. In the 2020 Defense authorization bill, Congress explicitly required the department to include an assessment of the costs, benefits and value of setting up a separate cyber force in its 2022 cyber posture review.
But DoD skipped that part of the assignment, said Rep. Mike Gallagher (R-Wis.), the chairman of the House Armed Services subcommittee on cyber, information technologies and innovation.
“It’s not the prerogative of the department to decide which part of the congressional mandate you get to comply with — or to decide to answer it in a different report at a different time,” Gallagher said during a hearing last week. “We wanted that assessment in the cyber posture review.”
John Plumb, the assistant secretary of Defense for space policy, who also serves as the department’s principal cyber advisor, said DoD wasn’t intentionally ignoring the law. Officials are now exploring the same question in response to a separate mandate Congress issued in the 2023 Defense bill, he said.
That provision told DoD to conduct a detailed study on its existing cyber mission forces, including which military services should contribute personnel to those forces, how they’re currently trained, organized and compensated, and, once again, whether a separate service would make sense for cyber.
“We are working hard on answering that problem,” Plumb said. “I think it’s a good study, and I think it gives us enough time to look at the issue, one of the things it requires us to explore — among other options for force generation — is a cyber service.”
But the department is already growing its cyber forces under the current organizational construct, where each of the existing military services contribute forces to their cyber component commands, each of which reports to U.S. Cyber Command.
Gen. Paul Nakasone, who leads USCYBERCOM, said the command is in the middle of building 14 new cyber mission teams to complement the 133 teams it started with.
“The first part is greater capacity, and we are on a road to have more teams to be able to do more missions,” he said. “Secondly, we are able to play to our strengths and our competitive advantage, which is information, and further leveraging artificial intelligence and machine learning. And the third piece is it’s all about our partnerships. It’s not only the partnerships with the National Security Agency, but broadly, how we partner with the FBI and [the Cybersecurity and Infrastructure Security Agency] and our international partners. And most importantly, perhaps, is how we partner with the private sector. This is what we’ve learned in Russia and Ukraine: The power of partnering with the private sector provides our nation a tremendous advantage that no other nation has.”
And Nakasone said the teams have already started proving out their capabilities in new ways, including by using some of the service-like authorities Congress has already given to Cyber Command. Those include the ability to conduct its own acquisitions, direct cyber budgets, and conduct “hunt forward” operations that try to defeat cyber threats before they affect networks in the U.S.
“The authorities, policies and capabilities are coming together on our teams, and we demonstrated that in the defense of the 2018 midterm elections,” he said. “One of the big things that we were the beneficiaries of was Congress’s decision in the FY 2019 NDAA to call cyber a traditional military activity, which allowed us to conduct hunt forward operations. But the work isn’t done. We also need to make sure that a simulation capability — much in the same way we have in other domains — is resident within cyber to reinforce the advances we’ve already made.”
But some members of Congress hold the view that if cyber really is its own warfighting domain, it deserves its own military service, just like the maritime, land, air and space ones.
“We’re talking about cyber being the fastest growing domain, and we need a leader for this, because it’s going to be the frontlines of the next conflict,” said Rep. Pat Fallon (R-Texas). “When I look at CYBERCOM’s mission statement, it’s defend the Department of Defense Information Network, to strengthen the nation’s ability to withstand and respond to cyber attacks, and conduct full spectrum cyber operations to assist combat commanders and the joint force. The third one is the one that concerns me, because the Navy is going to be concerned about the sea with a side of cyber, the Air Force, the air with a side of cyber, and the Army, land, with a side of cyber. I strongly feel that we should be creating a seventh branch and making a cyber service.”
Nakasone noted that’s ultimately a decision for Congress. But he said there’s already a strong precedent for the model CYBERCOM is using, with service-like authorities concentrated in a combatant command: U.S. Special Operations Command.
“Special Operations is not run by any specific service, yet it is the elite service in capability that our nation has,” he said. “That’s what we have modeled U.S. Cyber Command after: this idea of having special and unique authorities, and that we’re able to train and man and equip our force with the agility to maneuver. Having commanded now for five years, that’s a really good place to emulate. We’re making sure that our focus is on doing operations against our adversaries, and continuing to build our capability.”
But while Congress waits for an official DoD position whether there should or shouldn’t be a cyber service, Gallagher said the delay is part of a broader frustration lawmakers feel when it comes to how quickly the department has responded to the dozens of statutory changes and reporting requirements in the cyber arena over the past several years.
Another example, he said, is a requirement in the 2023 NDAA that requires DoD to create the new position of Assistant Secretary of Defense for Cyber Policy. Before it implements the change, the department has decided to hire a federally-funded research and development corporation to study exactly what roles and responsibilities the office should have and how it should operate.
That report isn’t expected until September, so the White House wouldn’t appoint a new official to lead the cyber policy office until sometime after that.
Gallagher told Plumb that timeline is “disappointing.”
“We sat down a few weeks ago, and you talked about the huge number of reports that are foisted on you by Congress. On one level, I agree. I think we insert far too many reporting requirements into the NDAA, and it just sort of grows and grows without sort of cleaning out of the requirements for reports that don’t actually get read,” he said. “On the other hand, we do it to draw attention to significant issues that we think are important without actually having to micromanage the department with statutory language. And the best way to avoid reports is to provide us quick, but comprehensive answers to the questions we’re asking the department. There’s got to be a better way we can get answers to these questions. I’m happy to work with DoD to come up with that solution, because the current posture, in my view, is unacceptable.”
According to Gallagher, at the moment, DoD is “delinquent” on 15 separate statutorily-required reports dealing with cyber issues.