After prodding from lawmakers, Cyber Command readies a plan for the future
To revamp itself to combat future threats, U.S. Cyber Command must streamline its partnerships with industry, envision a new system for how the military services recruit and retain talent, and overhaul its own hiring practices, according to an extensive internal review.
Those recommendations, and others, are expected to surface in a far-reaching examination dubbed “Cyber Command 2.0,” according to four sources who explained its general concepts to Recorded Future News but requested anonymity because they were not authorized to speak publicly about the process.
The review is meant to meet various requirements that lawmakers have inserted into defense policy bills in recent years. It comes as some on Capitol Hill have grown so frustrated with the command’s readiness woes and inability to attract and keep personnel that they favor the idea of creating an independent cyber service on par with the other armed forces.
Cyber Command officials have begun holding meetings on how to put the review’s five proposals into action, with the goal of fixing problems that have plagued the command since its creation in 2010. In the meantime, though, it remains unclear if they will be substantive enough to satisfy Capitol Hill or live up to the vision laid out by its most recent former chief, Paul Nakasone.
“As we’re trying to look at the future of U.S. Cyber Command, I want to have a bold move forward,” Nakasone told reporters in January during a media roundtable at Fort Meade, Maryland, just days before his retirement from the dual-hat job of running the command and the NSA. For now, there is no timeline for when the command will send the review to lawmakers.
The conclusions of Cyber Command’s self-appraisal — which have been shared with Deputy Defense Secretary Kathleen Hicks and Michael Sulmeyer, the Pentagon’s new top official for cyber plans and policy, according to the sources — could still change.
For now, the initiative’s five core tenets include:
- Establish a cyberwarfare innovation center.
- Set up a talent management task force.
- Create a new force generation model within the military branches.
- Form an advanced cyber training center.
- Follow five “pillars of readiness.”
Speaking at the Billington Cybersecurity Conference in Washington last month, current Cyber Command chief Air Force Gen. Timothy Haugh described the evaluation as “an opportunity for us to really examine what is the future of cyber in the department, how we generate forces, how we generate capability, how we produce mastery, but also agility,” whether it’s responding to new crises or battlefield threats, or working with industry to acquire technology.
A Department of Defense spokesperson declined to comment.
Breaking down the suggestions
Of the study’s five proposals, the innovation hub is the one most likely to have “teeth,” according to a former U.S. official.
The intent is to solidify how to get cutting-edge cyber capabilities and technology into the hands of the military’s digital warriors, something Haugh has emphasized to keep pace with cyberspace peers like China and Russia.
The former official speculated it would draw on the lessons learned during the Nakasone era, with its attention on team-ups with nonprofit entities and others, to make the process more efficient.
“It'll gain some traction in a meaningful way,” according to the former official, who spoke on the condition of anonymity to freely discuss the pending proposals. It’s unclear what form the innovation hub would take or where it would be housed.
The idea for a cyber training center “probably piggybacks” on the innovation hub, with the command’s own instruction curriculum beefed up by the private sector.
“We, the government, can do a lot of great training and you've got your ‘unicorns’ — those are your master cyber operators — but it's really hard to scale that,” the former official told Recorded Future News. “If you talk about advanced cyber training, it's probably going to be not solely relying on but enhanced by our industry partners that have a cutting-edge understanding of the problem.”
A proposal that could cause friction between the command and the services is the imposition of a new force-generation model on their digital warfighting branches.
Since 2013, each service provides Cyber Command personnel to conduct offensive and defensive operations as part of its Cyber Mission Force (CMF). While different teams perform different missions, with slightly tweaked structures and rosters, they are mostly cookie cutter copies of one another.
The new model under consideration would see each service hone a speciality in the digital domain. For instance, the Army could focus on cloud security, while the Marine Corps could handle radio frequency-enabled cyberattacks and so on. The goal is to provide the command greater agility so that when a crisis erupts, or there is a confrontation with a particular adversary, it will know which pockets of speciality to draw from quickly.
That model could be considered a response to a congressional mandate included in the fiscal 2023 defense policy bill that directed DOD to evaluate the existing cyber enterprise and different models for how cyber personnel should be trained and equipped, including the impact of establishing a uniformed cyber branch. However, that mandate, known as the Section 1533 study, included additional elements that may not be in the forthcoming review.
The Pentagon outsourced the work to the RAND Corporation. The results were due to Defense Secretary Lloyd Austin on June 1; the department won’t make any decisions based on its findings until June 2025.
Meanwhile, the proposed talent management task force would be aimed at alleviating some of the hiring headaches imposed on senior leaders, according to the former official. The panel would be responsible for spotting and assessing potential staff, as well as shepherding them through byzantine hiring and transfer processes, including federal security clearance hurdles, that can often take several months.
The former official said the least is known about the proposed “pillars of readiness.” But it could be an acknowledgement that the command’s doctrine of “persistent engagement” — where American operators constantly interact with adversaries in cyberspace — has contributed to its low readiness numbers and that the CMF teams should be rated at different levels, from low to high, based on their most recent level of activity.
What’s next?
The sources who are tracking the study cautioned not to read too much into the command’s implementation meetings, noting that ideas tend to evolve as they move through the military’s bureaucracy.
While the initial work was led by Maj. Gen. Ryan Janovic, who now heads the Army’s Cyber Center of Excellence and is viewed as a contender to one day lead the command and NSA, the task of assigning the ideas to be carried out has likely fallen to the command’s chief of staff.
The former official conceded that, at first glance, the ideas might not sync with Nakasone’s original vision.
“The metrics of ‘bold’ will be defined in execution, which we're not at yet,” the official said, adding the cyberwarfare innovation center could remove some of the cultural friction between the public and private sectors but “the rest of it are things that just need to happen.”
Jason Kikta, who served under Nakasone and Haugh as a Marine, was less optimistic about the potential changes.
“It sounds like they’re trying to reanimate the corpse of ideas that have been tried multiple times before,” said Kikta, now the chief information security officer at cybersecurity software firm Automox, who has not seen the study’s initial results.
“Without knowing what would be different this time, compared to all the other attempts, it's hard to say that any of it would have a chance at success.”
The “repackaged” suggestions “essentially proves the point that a cyber service is the only way out of this quagmire,” he said.
Martin Matishak
is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.