US defense tech veterans call for a separate Cyber Force
A seventh branch of the military is needed to address rising threats
Analysis There is a growing push inside and outside of Washington DC for a new branch within the military dedicated to cybersecurity, with proponents citing the need to protect against growing threats from China, Russia, and other nation states to American national security.
A Cyber Force would essentially be the Department of Defense's (DoD) arm for pushing back against online threats. Supporters argue it would create a more consistent approach, with greater military readiness, than what is seen with the current Cyber Command, which is reliant on personnel and input into its operations from other military branches. It would be the seventh branch of the military, if created.
The pressure to create such a branch within this year's National Defense Authorization Act has increased in recent weeks. In a statement on March 26, the Military Cyber Professionals Association (MCPA) argued that, while the US has for decades held the advantage in cyberspace, modern threats are "significant, dynamic, ever-present, and consequential."
They can no longer be addressed in a hodgepodge fashion, according to the MCPA, which turns 10 this year and has more than 3,000 members.
"For a decade, each service has taken its own approach to providing United States Cyber Command Forces to employ and the predictable results remain inconsistent readiness and effectiveness," the group wrote. "Only a service, with all its trappings, can provide the level of focus needed to achieve optimal results in their given domain."
In a column for Boston Herald earlier in March, James Stavridis, a retired Navy admiral and former supreme allied commander of NATO, pointed to two recent cyber incidents that are fueling his call for a US Cyber Force.
First Albania, then the Marshals Service
The first involved two cyber attacks on Albania that shut down the NATO member's online public services and websites, and were subsequently blamed on Iran. The US Treasury Department issued sanctions against Iran's intelligence service in retaliation, and later US Cyber Command worked with Albanian cyber experts to track digital threats and detect vulnerabilities in the country's online defenses.
Stavridis said the attacks – which emptied personal bank accounts, unmasked government and police informants, and damaged the country's command-and-control networks – was in retaliation for Albania refusing to prosecute the Mujahadeen Khaleq, an anti-Iranian group with a presence in Albania.
The second, more recent incident was the ransomware attack in February on the US Marshals Service, which compromised data on law enforcement operations, high-security people, and fugitives, he wrote. Information about some employees was also accessed, according to the Marshals Service.
"The US has very competent armed forces defending us 24/7 – the Army, Navy, Marine Corps, Air Force and Space Force within the Department of Defense, and the Coast Guard in the Department of Homeland Security," Stavridis wrote. "A US Cyber Force is now also necessary."
Space Force as a model
The creation of a Cyber Force could be modeled on what the US did when establishing the Space Force in late 2019.
It's a relatively small military branch, with fewer than 10,000 uniformed personnel, but it runs almost 100 spacecraft and a global network that supports US satellite systems. A Cyber Force could have half the personnel and be housed in the DoD or Homeland Security Department, according to Stavridis.
"Most important, the creation of a US Cyber Force would move America beyond the current 'pick-up team' approach to cybersecurity, wherein each of the armed forces has a small number of cyber experts (most of whom rotate in and out of pure cyber jobs)," he wrote.
- DoD taps Apple exec to lead commercial tech adoption unit
- Why a top US cyber spy urges: Get religious about backups
- US cyber spymaster calls TikTok China's 'Trojan horse'
- Sensitive DoD emails exposed by unsecured Azure server
What everyone seems to agree on is that cyberspace is an increasingly crucial part of the country's larger defense posture – particularly given the ongoing actions by China, Russia, Iran, and North Korea, as well as for-profit independent groups.
The Biden administration, which has been aggressively pushing to bolster the country's cyber defenses, has not yet committed to creating another military service for cybersecurity. The White House's National Cybersecurity Strategy [PDF], released last month, doesn't touch on it.
Where's the study?
The MCPA pushed in its statement for the government to act quickly, but cautioned that the idea needs a "thorough study" first.
Congress asked the DoD for such a study three years ago, according to Representative Michael Gallagher (R-WI), chair of the House Cyber, Information Technologies, and Innovation (CITI) Subcommittee. During a hearing of the subcommittee last month, Gallagher said an analysis of the costs, benefits, and value of a Cyber Force was to have been included in the latest Cyber Posture Review and he criticized the DoD for not producing it.
John Plumb, Assistant Secretary of Defense for Space Policy, told Gallagher that the DoD is looking at the issue as part of a larger force generation study.
Plumb noted that President Biden's recent budget proposal calls for $13.5 billion for DoD cyberspace efforts – a $1.8 billion increase from the current budget – and $3 billion for US Cyber Command. He added that "these investments will enhance the department's cybersecurity, the increased capacity for cyberspace operations, and will advance research and development activities for new cyber capabilities."
The US established Cyber Command in 2009, with service components created for some military branches. In 2018, its stature was elevated to a full unified combatant command – comprising units from two or more service branches.
Within Cyber Command is the Cyber Mission Force – the "action arm" that includes more than 6,000 people from different military branches. General Paul Nakasone, commander of Cyber Command and director of the National Security Agency (NSA), said during the CITI hearing that the Cyber Mission Force currently has 133 teams – including Cyber Protection, Cyber Combat Mission, and Cyber Support teams – but is expected to expand to 147.
However that's not enough at this point, according to Stavridis. During his time as NATO's supreme allied commander, the alliance created the Cooperative Cyber Defence Centre of Excellence in Estonia to coordinate the alliance's cyber capabilities.
"It has since grown in importance," he wrote in his argument for a US Cyber Force. "As I watch the level of cyber threat continue to grow exponentially – matching the enormous surge of devices connected to the 'Internet of Things,' which is topping 50 billion – I worry about how to protect America's and Americans' cyber assets." ®