The Defense Department (DoD) is in the process of sifting through options to develop the next iteration of the military’s cyber forces, a senior Pentagon official said on Jan. 17.
“In the cyber domain, we’re undergoing several efforts to shape the future of our cyber forces, including how we generate, train and organize for maximum effect, what some of us have started calling Cyber Command 2.0,” said Dr. John Plumb, assistant secretary of defense for space policy, during a press briefing.
“We’re developing options for the Secretary of Defense that will be informed by multiple independent studies, many of which have been requested through the Congress, and we’ll also be developing those options in coordination with the COCOMs [combatant commands] and the services,” Plumb said.
“And while that’s under way, we continue to disrupt and degrade malicious cyber actors’ capabilities and forge deeper cooperation with allies and partners,” he said. “We’re learning how to work more closely with them in the cyber domain, and we’re also working to enhance their own capacity to do so.”
Gen. Paul Nakasone, who has headed both the National Security Agency (NSA) and U.S. Cyber Command (CYBERCOM) since 2018 but soon will hand those duties over to Gen. Timothy D. Haugh, spoke about the Cyber Command 2.0 concept in December.
“I think all options are on the table except status quo,” Nakasone said at an event hosted by the Intelligence and National Security Alliance (INSA). “We have to have ‘Cyber Force 2.0,’ but we call it Cyber Command, ‘CYBERCOM 2.0.’”
“We built our force in 2012 and 2013. We’ve had tremendous experience, but the scope, scale, sophistication, of the threat has changed,” he added. “The private sector has changed, our partners have changed. I think that we’ve got to be able to take a look at how we’re going to change as well.”
As mandated by the National Defense Authorization Act (NDAA) for fiscal year (FY) 2023, Nakasone said he was working with DoD on an independent study that looks at the prospect of a new force generation model for CYBERCOM.
Similarly, Congress included a similar provision in FY2024 NDAA language earlier this year, which called for “an independent assessment of creating a Cyber Force or further evolving the existing force development and management model.”
Currently, each military service is responsible for providing personnel for a set number of teams to the U.S. Cyber Command, which then employs those forces in operations for the other geographic combatant commands.
However, in the conference report filed in December for the reconciled version of the FY2024 NDAA, lawmakers noted that they removed the provision that called for “an evaluation regarding the advisability of establishing a separate armed force dedicated to operations in the cyber domain, or refining and further evolving the current organizational approach for U.S. Cyber Command.”
Nevertheless, Nakasone said that whether or not CYBERCOM looks at a new generation model, “that’s a decision that the secretary will make,” but it’s important to provide “a series of options,” to Defense Secretary Lloyd Austin.
Plumb referred to the congressional mandates to study options for the next iteration of Cyber Command during his Jan. 17 remarks.
“Congress has laid on … multiple studies over the past few years to look at what things should the department do or could be doing to improve our ability to generate cyber forces, train cyber forces, retain cyber forces for maximum effect,” he said.
“One study in particular from, I think, the ’23 NDAA is Section 1533, which had the advantage of giving us enough time to actually work on the problem and think about it, and not just come back in three months or six months, which is great,” Plumb said.
“We have been slowly working through various options, and the question is how much would need to change, what should you look at? They have asked us to specifically look at a cyber service, for example,” he said.
“But I really think, like, what are we after for readiness? How can we make readiness better? We have this issue where it takes us a long time to train operators, and then they time out,” Plumb said. “So how can we get more return on that training investment? And also, how can we make sure that they aren’t just languishing in quals because one magical thing didn’t happen the day they were on watch?”
“So we’re trying to figure out, how are all the tools we could get at that,” Plumb said. “And it turns out that when you look at all the things that are coming, we know we have to present the Secretary a set of options, really, to this one large kind of significant study.”
“We’ve got a bunch of other studies coming in,” Plumb continued. “So the point is, we should absorb all of those studies, find the best recommendations, and then try to present a more comprehensive set of options to the Secretary so we stop doing these things piecemeal and absorb or reject recommendations or options as they come … How can we do this altogether?
“Because the timelines work out, we’re starting to think about this could be a really great opportunity for us to go to that next level of evolution for Cyber Command,” he said.