NDIA POLICY POINTS CYBER
U.S. Can’t Wait Any Longer for a Cyber Force
In 1947, the United States acknowledged that air power had fundamentally changed warfare by creating the Department of the Air Force.
Lawmakers saw the need for a service that could independently train, equip and prepare for the full spectrum of air operations.
They foresaw that controlling the air domain had become one of the ends of war, not just a means of controlling land and sea. Despite the “Revolt of the Admirals” — prompted in part by the planned creation of the department — the re-organization succeeded. Today, the lack of an independent air domain service would be unthinkable to most policymakers.
And yet, war changed again as space became a key area of operation. In 2000, Congress authorized the “Commission to Assess United States National Security Space Management and Organization” to investigate the military’s posture in space. When its own report was released in 2001, the idea of an independent space force gained new traction.
However, policymakers did not establish the Space Force until 2019. The 2000 space commission’s predictions had finally become a reality.
The work required to prepare the nation for future conflicts remains incomplete. The cyber realm has rapidly morphed from an auxiliary theater of operations into a constantly shifting domain of warfare that requires its own offensive and defensive capabilities. The United States faces threats to its public, military and private infrastructure that can emerge instantaneously, far before warfare ever materializes in a traditional domain. Future geopolitical events, especially during this era of growing great power conflict and advanced threats, may very well be influenced by cyber actions — or by the leverage produced by cyber threats.
Against that backdrop, policymakers should urgently consider designing a more robust cyber infrastructure such as a “Cyber Force” or “Cyber Guard” that can join the existing roster of uniformed services, or a new combat support agency.
Today, the U.S. Cyber Command and its cyber mission force work alongside the National Security Agency and the Central Security Service to organize, train, and equip cyber warfighters. They also act operationally through the combatant commands and the intelligence community.
However, according to the congressionally mandated Cyberspace Solarium Commission, the rapidly growing cyber mission requires ambitious government reform and reorganization that creates a nimble, less disjointed force structure that can take on more in both “scope and scale.”
Above all else, the commission’s final report published in March 2020 calls for big, actionable ideas, ranging from a re-evaluation of the division of labor between the NSA and the rest of the U.S. cyber warfare apparatus to the creation of a military cyber reserve.
A small new cyber service could be the best home for fostering the next generation of innovative leaders. It would enable the organizational perspective necessary to identify which cyber capabilities the military will need to fight in the domain in decades to come. It would also create new acquisition and procurement structures that produce innovative technologies. With the long-term mission in mind, the new service could also look ahead toward a cyber-domain strategy that goes beyond supporting operations taking place within other domains.
There are numerous available options to achieve this objective. The most drastic re-organization would be the creation of a cyber force within one of the three military departments of the Defense Department. For example, the force could reside within the Army in accordance with its multi-domain operations reform framework, which advocates for an all-domain deterrence and warfighting model to address near-peer adversaries.
As the Army continues its reorganization toward these theater-level adjustments, a cyber service could help the Army succeed in what it calls its narrative, direct and indirect competitions with rising powers.
The Defense Department is not the only potential home for a cyber service. Just as the Department of Homeland Security hosts the Coast Guard in peacetime, it would be a plausible host for a similarly established “Cyber Guard” with similar global security and law enforcement capabilities, to be transferred to the Army or Air Force in wartime.
While not the only federal department that hosts a uniformed service, a home in DHS would put the cyber service close to agencies with similar society-wide protection mission areas such as the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency.
A third way of achieving this objective is to forgo creating a service and instead design a new combat support agency modeled on the Missile Defense Agency and the Defense Threat Reduction Agency.
The commission called for a layered deterrence structure for cyber warfare, and the MDA’s own focus on layered deterrence to prevent a missile attack could be used by a new agency to “shape behavior, deny benefits, and impose costs.”
The new agency could also incorporate DTRA’s mandate to prepare for a worst-case scenario and ensure nuclear deterrence by preparing for an artificial intelligence-enabled, persistent cyber attack against the nation while working to establish cyber deterrence.
While these ways forward are non-exhaustive and imperfect, U.S. national security would be well-served by designing a more ambitious cyber infrastructure. Policymakers should heed the warnings of the Cyberspace Solarium Commission that we are not prepared for looming confrontations in the cyber domain. The United States must take steps to reorganize in a way that reduces fragmentation, mobilizes industry to take on the problem, and articulates a future-focused cyber strategy for U.S. security.
Unlike with the delay between the space commission and the Space Force, we cannot wait 18 more years to address the cyber domain.
Jacob Winn is a strategy associate on NDIA’s Strategy and Policy Team. Reach him at: JWinn@NDIA.org.
James Armstrong at 8:35 AM
This idea is big on vision, very low on workable details. The actual working of offensive and defensive cyberspace operations is more complex than "we should have one agency responsible for it" as every organization has their own IT/OT requirements and technology. The Social Security Administration has legacy mainframe systems that the deployable Army Divisions don't even have to think about. The Department of Energy needed a supercomputer and so repurposed old desktops into a Beowulf Cluster at Oak Ridge National Laboratories years ago...
Each agency, department, etc., has to have a mission-focused cyberspace capability. Most of that should be defensive in nature, as only the Title 10 and Title 50 communities have a mission requirement for "offensive" capabilities....
There may be a time for a unified cyberspace service in the future, but until the legal structures and requirements change to enable that sort of service, it would be a "disabled enabler." Without a clear blueprint for the legislative changes that would enable such a structure, it's a castle in the sky idea.