The U.S. military is hemorrhaging talent in cyber warfare, which national security experts warn could lead to America being outgunned and outsmarted by adversaries such as China, Russia, or Iran, who could use cyber weapons to wreak havoc on American military and civilian infrastructure.
The only way to fix it may be to start a seventh branch of the military: a Cyber Force.
There are currently about 225,000 service members, civilians, and contractors who work in cyber fields across the Defense Department. Most of them build, operate, patch, maintain, and do routine security for the 4 million computers and 34 billion IP addresses that make up the larger Department of Defense Information Network.
Each of the military services manages its own information networks and defends them against run-of–the-mill cybersecurity threats. They also recruit and train cyber troops and present them to U.S. Cyber Command, a combatant command that provides cyber support to troops conducting real-world operations.
Top Stories This Week
There is some overlap here between what Cyber Command, or CYBERCOM, does and what the services do, but generally, if it’s offensive operations, or if the threat being defended against is really heavy-duty, that is usually CYBERCOM’s business.
But the services have not coordinated how they train cyber troops. That means service members come to CYBERCOM with different training for the same job, using different terms to refer to the same thing, and bringing their service-specific approaches to cyberspace.
That’s bad because CYBERCOM’s Cyber Mission Force — the 6,000 or so people who actually perform cyberspace operations — is designed to be modular, where teams from different services can swap in and do the same job. That’s according to Aden Magee, a retired Army cyber officer who wrote about this for War on the Rocks in September.
CYBERCOM is often compared with U.S. Special Operations Command, or SOCOM, which oversees real-world special operations and is the only other combatant command also charged with guiding how the services train units for it.
Special operations encompasses sea, air, land, and other domains, so it makes sense for the services to train different types of special operations troops who then bring their unique skillsets to the field. But CYBERCOM focuses solely on the cyber domain, so a cyber soldier should have the same skills as a cyber Marine, experts say.
Plus, SOCOM has also been more proactive than CYBERCOM in telling the services what it wants from them, according to Magee, which means SOCOM actually has what it needs to do its mission.
Multiple think tanks agree that the current approach isn’t working. In August, the RAND Corporation published a report saying that the Defense Department can’t recruit and retain the right people for cyber jobs, and that a lot of cyber troops aren’t fully trained or qualified before they show up to operational units.
The Center for Strategic and International Studies, CSIS, pointed out that operational planning is split among the five services, each with its own approach to cyber, which leads to an incoherent strategy. That’s worrying when Chinese hackers have stolen important secrets like F-35 designs and the sensitive personal data of more than 22 million Americans, while Iran and Russia have attacked everything from U.S. pharmaceutical companies to oil pipelines and water treatment plants.
A specialized cyber force may help. CSIS proposed that other services would secure their own systems and networks while the cyber force would focus on organizing, training, and equipping troops for those specialized skills that CYBERCOM and the other combatant commanders need in order to collect intelligence, take offensive action, or think of big-picture defensive capabilities.
That focus would keep the cyber force lean. The Foundation for the Defense of Democracies think tank estimated that it would start at 10,000 members and grow over time. For comparison, the smallest service today is the Space Force, with about 14,000 members.
There would be costs to standing up a cyber force, namely the legal and bureaucratic hurdles of establishing a new organization, figuring out which units would transfer in and which wouldn’t, then shifting resources away from other services towards this new one. There would also likely be some duplication between what the cyber force does and what the services continue doing.
RAND recommends a middle-of-the-road option, where CYBERCOM would control advanced cyberspace training and education. That could address some of the underlying problems with today’s system while leaving the option of a separate cyber force.
But CSIS and the Foundation for the Defense of Democracies recommend a separate service. On the cost front, they say the cost of setting up a Cyber Force is a lot less than the cost of losing a cyber war. And for duplication, they point out that nearly every service has aircraft for their own needs, but that doesn’t mean there shouldn’t be an Air Force, whose sole purpose is to secure the skies.
Dive even deeper into this topic by checking out our YouTube video here.
