Angry Planet - Does the U.S. Need an Independent Cyber Force?
Episode Date: August 29, 2025Listen to this episode commercial free at https://angryplanetpod.comIf the internet is a battlefield, does that mean the United States needs a new military force to dominate it?On this episode of Angr...y Planet, retired U.S. Army Lieutenant General Edward Charles Cardon and former House Armed Services Committee staffer Joshua Stiefel make the case for spinning off the Cyber Force into an independent branch. Both are part of a new commission at the Center for Strategic and International Studies — partnered with Jason’s new bosses at Foundation for Defense of Democracies — with the goal of preparing for a new branch that both feel is inevitable.It’s a wild and wandering conversation that touches on Neuromancer, AI, and fighting a cyber war against the Islamic State.“A Cyber Force is inevitable”How cyber works nowFrom Army Air Service to Air Force to Space ForceVolt Typhoon as warningIt’s hard to recruit hackersThe Goldwater-Nichols Act mentioned, drinkBasic training for hackers?A retired Lt. General at DefconThe weird nebulous thinking of AI and cyberThe Army has soldiers, the Space Force has Guardians, what about Cyber Force?Neuromancers? Hackers?“The leaders of this domain have to understand the people they’re talking to.”Change is only possible in the aftermath of something cataclysmic“AI is gonna put the offense on steroids”Glowing SymphonyIslamic State as the model conflictCSIS Launches Commission on Cyber Force Generation in Partnership With Cyber SolariumUnited States Cyber Force: A Defense ImperativeVolt TyphoonGoldwater-Nichols Act of 1986The Rise of ‘Vibe Hacking’ Is the Next AI NightmareRussia Is Suspected to Be Behind Breach of Federal Court Filing SystemOperation Glowing SymphonySupport this show http://supporter.acast.com/warcollege. Hosted on Acast. See acast.com/privacy for more information.
Transcript
Discussion (0)
Love this podcast.
Support this show through the ACAST supporter feature.
It's up to you how much you give, and there's no regular commitment.
Just click the link in the show description to support now.
Hey there, Angry Planet listeners, Matthew here.
Did you know that Angry Planet is almost entirely listener supported?
It's true.
If you like what you hear, go to AngryPlanet.com and consider becoming a subscriber.
You'll get early versions of the mainline episodes,
and they're all commercial free over at Angry PlanetPod.com.
Hello and welcome back to another conversation about conflict on an angry planet.
I am Matthew Galt.
And in a surprise guest appearance, it's Jason Fields.
You've been kicking around.
We've been talking.
You've been here, present, accounted for, editing everything.
Yeah, well, it's sad to actually be full-time employed in a place where I have to go into an office.
It's just changed my life in all sorts of negative ways.
I'm so sorry for you.
Thank you.
I'm sorry for your loss.
So you want to talk about cyber?
This is something that you're actually pretty up on, right?
This is something you guys are working on over there?
Yeah.
So I think we mentioned one earlier episode.
I work in a place called Foundation for Defense of Democracies.
And, yeah, cyber is actually a very big element of what we write about and talk about.
We have two guests here today.
I'm going to ask them to introduce themselves.
Joshua, will you start?
Sure.
I'm Josh Steeffle.
For the last six and a half years, I served on the professional staff of the House Armed Services Committee.
And prior to that, I spent 10 years in the executive branch across the Department of Defense and Treasury.
And to Ed, sir.
Hi, Ed Cronome.
I retired after 36 years in the Army.
Retired in 2018 and have worked hard to stay current in the cyber world, if that's possible.
but it is on fire right now with, you know, not just from threat, but the technology of artificial intelligence, obviously.
Yeah, I'll be very, I mean, we'll get into that.
Put a pin in artificial intelligence, because I am very interested in your thoughts and like what you think is going to happen in the next five, ten years with that.
I've got some of my own that are perhaps cynical and pessimistic, but we'll compare notes.
So the reason we have both of you on today is that CSIS has announced this new thing called the Cyber Force Commission.
You were both on it.
And the main thrust, and please correct me if I'm wrong, is that y'all think we need an independent branch of the American military that is cyberfocused.
So a cyber force, basically.
So what I'd argue is that a cyber force is actually inevitable.
And the problems that are resident today are not problems that we as a country have been dealt with before.
In the case of aviation through the 20s and 30s, there's remarkable parallels between that scenario and the Air Force's management and issues and working on space issues from the 2000s to the 2010s.
All those same factors are in play with cyber.
I'd say the issues are actually magnified, whereas in the case of those historical antecedents,
it was an issue of within one service.
Here, they're magnified because they're presenting themselves as issues across four services.
So they're more visible than they have.
And so, you know, my view is that we're inevitably going to get there.
I certainly believe we ought to get there before the next war rather than apt of effect.
the operational, the organizational truth of the U.S. military is that our military services are built to align to the warfighting domains.
And we have five recognized domains, and we have services aligned to four out of those five.
Do you mind if I ask how things actually work now?
I mean, it's, from what I do understand, it's kind of scattershot.
Everybody has their own cyber force of a different kind, and then they all sort of get together
to work in sort of a, like a special operations command?
If one of you guys could explain how it really works now, that'd be great.
So the services are responsible for man training and equipping forces that they then present
to the combatant commands.
So the combatant commands are responsible for the actual operational, the mission side
of the Department of Defense.
So that's why, you know, Central Command, Pacific, Indo-Pacific, etc., they're all in charge
of, you know, everything to do with Mitch and surrounding that from the, across the entire
spectrum of conflict.
The services are responsible for man training and equipping forces, which are then presented
to those commands.
So today, how does it work for cyber, which is what you ask?
So starting in 2010, when Cyber Command was established, the services had a responsibility to present
a certain number of forces.
to cyber command.
And so every service created a service component command, which is typical in every domain.
And then the forces are presented.
It was done fast.
A lot of authorities have been ironed out over the last 15 years.
I'd argue that's still a work in progress.
A lot of progress made still ways to go.
But the real challenge is the presentation of forces,
the training of the forces has all been problematic, meaning we don't have enough, we can't sustain
the force, we have troubles assessing the force, et cetera. And the services are all very different
in this respect. It is complicated because it overlaps with the intelligence functions,
it overlaps with that communications, information, technology functions. This idea of a service
is not new. Creating a service creates its own complications. And,
You know, I think the FDD did some good work here with Mark Montgomery, right, publishing paper on this.
So what Josh and I are working is actually not on the decision to stand up a service, but what happens next?
So let's assume that the National Academies who are going to make a recommendation to this administration on what to do.
Let's make an assumption that the administration decides we're going to create a cyber force or cyber service.
well then the implementation of this will take another five years because what's the first thing we'll do we'll study it we will relitigate the decision i mean it's classic it's it's just the way the government works you know and so what
uh josh came to me and the other commissioners was about hey what if we did something a little different let's make an assumption that that this decision is made what would have to be done to implement this
decision. And what that would do is if the decision's made, it could truncate the ability to
actually execute it in a way that we could get a lot more capability, a lot faster for both
the Department of Defense, but more importantly for the defense in the United States.
Can you walk me through why you think this is like a fait accompli, like why this is going to
happen? So for all the reasons,
why institutions sort of behave in a certain way, right? When you have someone who, you know,
views their job responsibilities, you know, from a service chief level, from an operational
commander level, there are certain incentives that are built into that. And for all the
reasons why aviation was persistently treated as a support function to ground operations
in the 20s and 30s, even though we would come to realize there was something.
thing called strategic air operations. There was operational effect, strategic effect to air operations
independent of a ground maneuver. Those same principles apply. So we as a country, it's like we've
seen this movie twice before. It always ends the same one. And when you see so many similarities
here, it's hard to believe that the conclusion or the outcome is going to be all that different.
you know, before Ed and I and others,
there were other people who occupied these roles, right?
And their behaviors, their decisions were somewhat predictable, right?
You try to fix it, but you ultimately can't get out of your own way.
The Air Force was warned innumerable times.
There could be something like a Space Force or Space Corps at some point
if they didn't get their act together, right?
Those warning shots sort of went unanswered and ultimately culminating in the decision to create a space force.
Again, going back to this idea of five warfighting domains, and we've built services for each of them, with the exception of one, where we are actively engaged with our adversary and essentially have troops in contact every day.
I don't know why this domain that's so complex, so pervasive in Americans' lives is somehow undeserving of a dedicated force to as well.
and our partners and allies, they've done this, right?
I'd argue that Israel has the world's first independent cyber fools, right?
The Chinese built theirs, like, nine years ago.
Right.
So there's some goodness that other countries are starting to see.
And again, drawing to that historical parallel, the U.S. was not the world's first
independent Air Force.
The British were when they founded the Air Force in 1918, right?
We sort of waffled and debated this first.
you know, a number of years ultimately culminating in the realization after World War II that this
should stand alone, right? But going into that conflict, I'd argue the Brits were far better prepared
from an aviation perspective than the U.S. was because it was consistently diminished, under-leverage,
underutilized, and underled. Again, you see those dynamics in play today for cyber.
Well, so what doesn't work now? Just so people understand it,
Ed, do you want to take this?
I normally bucket this in a couple of different ways.
The first challenge, so maybe I'll back up a little bit first, Jason, if I could.
So when Cybercom was created, it was created to support the Department of Defense.
Like, there's no authority at the time when it was created to do anything inside the United States.
So when people say cybercom, oh, it's going to protect, you know, our banks and our critical infrastructure,
that wasn't its mandate.
Its band-aid was to support the warfighting missions of the Department of Defense, right?
And so, and like, well, who was responsible for that back when this was created?
Well, the FBI is responsible for the criminal side.
And then SISA has been up and down on how powerful or not powerful it is.
but most people would say has a lot of mandates but doesn't have a force, right?
It operates with what are called, you know, information sharing agreements, ISACs,
and some of those are really effective, like finance,
but they're effective because, you know, cyber criminals go where the money is,
and that's the finance sector.
So the finance sector band it together,
but it's not like the Department of Defense is directly helping.
the finance sector.
So now back out, here we are, you know, in 2025.
And I would say there's been a couple of big wake-up calls, but the most recent one is Volt Typhoon.
And I'll pick on Volt Typhoon more than Salt Typhoon.
They're different.
But let's just take Volt Typhoon.
So the Chinese Cyber Corps is basically embedded in the critical infrastructures, the United States,
that could directly impact the power projection capabilities of the Department of Defense.
Okay, whose responsibility is that?
Because a lot of that is what?
Commercial infrastructure.
It's not owned by the department.
So this whole thing over authorities has been problematic and gets sorted out.
So you have that problem.
Now let's go to the cyber force that's created, roughly when it was created half were offensive teams,
half were defensive teams
they struggle to remain
we struggle to fill them
we struggle to retain the force
and the force that has a lot
the force has a lot of talent
but the talent gets burned out
right because they're doing
as in a lot of sectors
or
you know when you use your top end to
operators all the time, they get tired after a while.
The J-Soc problem.
So I'll go back to the Army experience.
You know, I made a great case in 2015 to the Chief of Staff of the Army at the time,
General Odierno, about we need a cyber branch.
And he asked me why.
And I said, because, sir, cyber doesn't control the people.
So they're actually not cyber functionality.
They're intelligence officers.
their infantry officers, their, you know, communication NCOs or communication warrant officers.
And so they get incentivized by being in that branch.
We do not control the cyber branch.
So that means we could spend four years training up the highest end cyber operator you could
imagine.
And somebody will say, oh, but wait a minute, she's an intelligence functionality.
She has to be promoted in the intelligence world.
There's no promotion rate in the cyber world.
She's not doing the right functions to get promoted,
even though they could be super talented over here.
General Ordei Arnaudel saw that problem and, you know,
worked with Secretary McHugh at the time and, you know,
we established a cyber branch.
That then gave control.
And actually, I would argue, you know,
really helped the army develop.
us. That is not common across all the services. They've all continued to do it very different.
They get presented at very different levels. They buy different tools that don't interoperate with
each other. And increasingly what's happened is they're giving cybercom more and more authority,
meaning, okay, you're sort of going to a SOCOM model, right? Like, you'll be responsible for the training.
you'll be responsible more enhanced, where they call enhanced budget control, you'll be responsible for, you know, buying things now.
What's interesting when you start giving those authorities to a combatant command that's responsible war fighting, those authorities look like what?
They're service functions.
That's what a service is supposed to do.
So it's, this has been the debate because there's a downside to create a service.
And the downside is you have to create all the mechanisms for that service to be able to integrate with the other services and with the other co-crumbs.
So there's going to be a overhead cost of this of some degree.
And I think, you know, Mark Montgomery led some good work on trying to figure out how we could mitigate some of that.
But, you know, so I go back to the speed of threat.
Our inability to grow forces fast enough to not just grow, to not just grow,
to grow it and retain it to handle this threat is insufficient.
And I think there's a wide recognition of this,
what there's not agreement on is how to fix it.
So everything Ed said is right.
I mean, we have had a model where we built our operational force,
what's called the Cyber Mission Force,
which is these teams that Eddow talked about from all the different services.
we've had that construct since 2012.
In the, you know, almost 15 years,
the issues at play today are the same ones we were dealing with five years ago
as we were 10 years ago, as we were in inception.
We're not resolving these core dilemmas.
So training disparities has been a problem over the lifespan of the sports, right?
The inability to recruit, the inability to retain,
the inability to promote them, right?
We have wasted 15 years being unable to resolve problems.
Meanwhile, our plate is getting morpulled with new problems we had never considered when we
first designed the force in 2012.
So it's not that we're proposing this or talking about this because we think it's a
great model that ought to be put into place.
It's because the current model is broken.
The failures are quite evident, right?
No one is satisfied, but at the same time, there's not an ability in the department to work
genetically reformed.
And so taking this, you know, esteemed panel of experts, putting them together outside of the
constraints of the department and the cultures and the budget battles to say, what is the
best way to design this force should the president decide that it's necessary?
these issues ought to have resolved themselves.
Socom was not stood up overnight, but it did not take 30 years to get a highly functioning
organizational construct in place.
We have been struggling with tech, with these technology anchored issues for 15 years.
we're the country that invented the iPhone, right?
You don't have the same cell phone you had two years ago or three years ago.
I'm going to go out, I don't know what I'm saying that.
But somehow we can't figure out the people side of our cyber warfare capabilities after 15 years.
That's emblematic of a problem.
And so we're looking at this construct and saying,
we made a decision in 1986 with the Goldwater Nipples were born to separate,
institutionally, what Ed talked about.
Force generation and force employment.
Services, man, train, and equip,
that's their statutory responsibility.
Combat and commanders are responsible for force employment.
How do you operationalize the force that's presented by the services?
So without an organization of man training and equip,
you're persistently hobbled in your ability to employ
because you're not building capabilities for that long-term.
and fun. By
imbealing one organization
like CyberCommam with both,
you actually are
creating a
unique case. It's not even Socom
does that. And that's the really
interesting sort of nuance is that
SOCOM does not do both force generation
and force employment.
But saying Cyber Command ought to,
well, that's like saying we
should go back to a pre-Goldwater
Nichols view of the military services.
It didn't work then.
It won't work to them.
What does basic training look like for a fresh-faced cyber recruit in, say, 2030?
In your, like what, in, should the service happen?
For whatever you're pitching, what is basic training look like?
So, I'm on a limb here, right?
but I have very strong opinions on some of this because I believe in selection.
Right.
Like just because you say you're in cyber, that doesn't mean you're good at it.
Right.
And so I believe there's some form of basic testing.
It's not based on your education.
You don't not need a computer science degree.
There's plenty of hackers out there working that are high school, right?
We just have to find them.
Right?
So what are their skill sets?
Well, we got to have some sort of test on, you know, what can you do?
And then more importantly to me is, you know, are you fit for this work?
Meaning do you have the grit, the stamina, the ability to work in a team?
Like contrary to popular belief, you know, cyber is not an individual sport.
I just came back from deathcon.
There were 22,000 people there, right?
They form these villages.
They work together.
on these problems. Even, you know, even, you know, one of the greatest intelligence failures we had,
you know, Snowden, when you go back and read it, he got help on the outside to get through some of the
problems he had. And he went out to the hacker world and said, I have this problem. So it's a team
sport. So you have to be able to be a team member. So to me, that basic training is we determine
if you have, if your bottom eye in view of session is, are you trainable? We're very good at training.
but we got to make sure you're trainable, if that makes sense.
Tangent, what were you doing at DefCon?
I went there for a couple reasons,
but the main reason I went there is for the Cyberbrand Challenge.
So I went to the first one, which you may know David Brumway,
now the CEO for Furrell Secure.
That was an automated, it was so impressive,
an automated capture the flag where seven supercomputers on stage, 100 turns.
What was so impressive about his machine called mayhem is it crashed and like turn 50 something
and rebooted itself by turn 90 something and he's still the one.
And my takeaway at the time was it's not enough to have the best technology.
You have to have a superior strategy.
this one was very different.
This is can we build a capability that can analyze code,
determine a vulnerability and automatically patch it?
stunning work over the last two years.
I mean, first, could it be done?
They determined it could.
You know, the last year and the midpoint was, you know, it's okay, it's possible, but, you know, the rates were like at 50%, 40.
The top one here is like at 70.
They found 18 zero days.
These are machines doing this.
Now, put your hat on the future of cyber, like, oh my gosh.
Okay, how do we use this?
Right.
And to me, what's most important about this, the technology is awesome and it's going to be open source.
but what did I spend my time doing, talking to the teams, right?
This is, the technology is great, but what's super great is we had these teams put together
that built this.
See, to me, that's a cyber force.
That is a cyber force, because if they can build this, they can build other things.
And you can tell I get pretty excited about this, but that's why I went out there, my primary
purpose.
There's, there's a unique sort of concept.
here that is special.
We don't have Air Force recruiters hang out around flight schools to recruit pilots, right?
We don't have Army recruiters hang out around paintball fields to find, you know,
potential infantry all-stars, right?
They're hanging out around.
I think they do do some of that.
Yes, sure, on a microscale, right?
But that's just not the model for recruitment in the military.
here in a cyber context, you can recruit recruiter.
You can recruit hackers, people that have not just a propensity, but also a record to show for it.
And so these are really interesting dynamics and problems that we can think through over the course of this commission.
And Matt, I'm going to go back to a question you had earlier.
Like, why do we think this, not that it's a fait accompli, I certainly believe it's inevitable.
but why could this administration take this on, right?
This is the administration, you know, this president led the drive to establish the
Space Force in December of 2019.
And we look back and there might be some people that are upset about how it happened,
but in general, we're not all that upset that we have a cadre of people thinking about
the space domain 24-7, right?
Like, no one has buyers remorse today.
You had a guest a few weeks ago talking about the case against an Air Force.
I heard that episode.
Generally speaking, I don't think people have buyers' remorse about the establishment of an Air Force.
No one, you know, 70, 80 years later is thinking, I was proven right.
It was very expensive.
It was such a mistake that we created this thing called the U.S. Air Force, right?
Like cost, and no one's thinking like that.
They're glad that there's people who are, you know, developed.
developing new tactics, new doctrine, applying that for the benefit of the joint force.
All that promise of potential exists for cyberspace.
And a unique piece of this is that Donald Trump could be the first president since George Washington to have created two military services.
No other president can say that.
Well, you haven't actually seen what I'm going to do.
But, so one thing, though, that we talked a little bit about training.
We talked a little bit about, you know, who's going to be in this, make up this cyber force.
And we talked about the Air Force.
The Air Force is kind of an interesting thing to me because let's say you have an aptitude for planes, flight, interest in it.
You want to be in the Air Force.
Why?
Because they have the best machines you can possibly play with.
I mean, by far the best toys.
I mean, commercial aviation has nothing to offer you by comparison.
On the other hand, when you're talking about any aspect of cyber, you're looking at, you know, you may get great tools, but are they going to be better than what you get in Silicon Valley?
You may get an okay salary, but now they're paying some of the AI people $100 million a year or more.
Yeah, but there's, I would argue that the tide is turning on a lot of,
that. Well, I certainly hope that, you know, I mean, the $100 million will be spread a little bit more broadly. But no, but okay, Matthew, what do you explain that? No, no. I think you're, you've got a good question, which is like, how do you get people that can go to Silicon Valley and make a bucket load of money get signed on for Cyberforce? But also, I would say that right now there is a unique opportunity because unless you are narrowly focused on AI,
A lot of those people are getting computer science degrees coming out and then working at Chipotle because they can't get a job.
I've got software engineer friends that have been like, it's brutal.
When I last checked on this, the number of cadets at the Air Force Academy that were seeking appointments and commissions to the Space Force had tripled in three years.
I'm sure that number has gone up since then, right?
If you create a military service, yes, you can't compete with the private sector pay.
But if you want to put a uniform on, you're not doing it for the pay in the first place.
You're doing it because you're going to be afforded the opportunity to do things that no one will let you do in the private sector.
And you want to have that experience.
You want to serve your country.
And you would be able to do that.
So I think we actually tap into a whole new set of people that may not normally.
be attracted to military service because what they see on the commercials are, you know,
army commercials of, you know, humvees going fast over, you know, ridge lines. You know,
you have Navy commercials on TV about, you know, forged by the sea, carriers at, you know,
carriers and fighters launching off of them. There are kids in this country that are excited about
tech, that are excited about, you know, what they can do from a terminal, what they can do from a terminal,
they can do from their computer, the creativity it sparks.
A cyber force could attract that crowd that would not otherwise be pulled towards, you know,
service in the Air Force or service in the Marine Corps, service in the Army.
And the historical record proves that out, at least with the Space Force.
Build it, they will come.
Well, we have a little bit of that.
I mean, the way I work on the hacker's side, the way when we stood up the branch,
I said there's three things you get, right?
First off, you can do things with us that you can't do legally, right?
You can do it here, right?
Second is you have mission, you have purpose, right?
You're not, you know, and I'm not denigrating anything.
You're not working on how do I improve the number of clicks?
That's not what you're working on.
You're working on real mission.
And then the last one is, which I think is critical,
You're working with people just like you.
It's the culture.
It's the team.
Right?
And so this, and I believe in permeability,
I think you have to come in and out of the force, in and out of the government,
because you have to stay current.
Because when you see it, you'll see it from a defense side.
But those, because of the commoditization of those people training for advanced persistent threats
and how they're moonlighting in the criminal side
and how these are slowly merging together, right?
When you come out and you start working with,
you know, J.P. Morgan, and you look at it and you're like,
oh, my gosh, these are the same people I would see it on the other side, right?
You would, that helps us, helps the economy,
helps the defense of the country, etc.
So I think you have to have this ability to come in and out.
Like, we shouldn't hire some young, brilliant,
you know,
a person with, you know,
unbelievable skills in some facet of information technology
and say, okay, you're going to do this for the next 20 years.
That's not this culture, right?
I mean, you have to encourage them with new problems all the time.
You have to tell them, I don't think this could be done.
You have to do, like, this is how you motivate this group.
It's not like you motivate other aspects.
of the military. That is one area where I feel, you know, very passionate about this.
If we could get them in a group and get them organized, man trained, and equipped correctly,
you're going to see some unbelievable capability. There are pockets of that now inside the
department, but it's not scaled to Josh's earlier point.
So organizationally, after this thing, again, we're like in a world where this happens,
where the cyber forces stood up,
do you go grab all those pockets
and reintegrate them into this new force?
Kind of like the way that when Space Force
pulled people out of the Air Force
and kind of rebranded them, do you do that?
So we created the Air Force,
but we didn't take planes away from the Navy and the Marine Corps.
There's still a need for those services
to have aircraft in support of maritime
and littoral objectives.
Why? Because the Navy cares about achieving maritime objectives. The Marine Corps cares about achieving
the littoral objectives. If you were to create a cyber force that doesn't absolve the need
of the services to have technically inclined people to build and sustain their own networks,
which are required for war fighting, right? The Army's network is not the same as the Air Force's
network. You need the – the Army is never going to feel comfortable that he's someone else own and manage that
on their behalf, right? They want to have it in-house. So you're going to need to have people that
can do that kind of work. But when we're talking about the man, train, and equip side,
what we're talking is about who has the responsibility to build capacity people towards
achieving cyber objectives, which then allows the services, the existing services, to think about,
okay, I want to think about building cyber capabilities in support of tactical ground objectives, right?
Or the Air Force might think about, you know, how do I apply cyber power to my air objectives?
That's very different, and it doesn't say that one doesn't merit the other.
I think this is something that has to be, to me it gets, I think for it in terms of offensive capabilities,
most people would say that makes a lot of sense, right?
and what we call defensive cyberspace operations
I think a lot of people would say,
yeah, I could see that.
That makes a lot of sense.
And I just basically summed up
what the Cyber Mission Force is, right?
It gets complicated when you get to what Josh was talking about
where there's this intersection
between the CIOs and the sixes of the world
that are responsible.
for the networks that the services need, right?
And there's actual congressional authorities on these, right?
So it's, but you, there is an integration component to this.
Because why would you let a CEO build a network that's not secure, right?
And then once you build it, how do you keep it secure?
So you can see there's two sides of the coin.
The question is, how do you do it?
The problem is, this is not just on this side, we have the same problem in intelligence.
So when I ran Joint Task Force Ares, which was a top secret offensive cyber task force against ISIS,
which is now publicly out there, right?
At that time, the challenge was over intelligence.
Do we preserve access for access for intelligence or do we use it for operations?
And this is that it's taken years to resolve these kind of, how do we resolve these kind of challenges?
That's what this commission wants to print a series of options with a recommendation, and I think it's important to lay out all options so that people see it's because this is why it's been frozen, right?
Because it's like we're going to create a force and people start saying, oh, well, does it include the intelligence side?
What's the role of the NSA?
Oh, what's the role of the CIO?
And what happens, we get frozen.
and this has been going on for over a decade on sorting out where are the lines in this and
and you know you you cover the Department of Defense it's a big animal and there's a lot of
process in bureaucracy and silos and strong opinions and things and so someone that can come in
and just lay out all here's all the landscape if there was a decision it would be a
recommend a course of action. But here's all the options we looked at. I think you could,
if the decisions made, this could be implemented a lot faster as opposed to a decisions made.
Now we're going to relitigate all this again, right? And that's going to take forever.
So you lit on one of my questions, actually. What is the role of the intelligence community in this?
Where do you see NSA and the other, you know, the other pieces?
Yeah, so I'm big in combined arms, right?
So I've done a former division commander, you know, you're responsible for bringing capabilities together in time and space to accomplish missions.
I see it's no difference here.
It's, I often use a word, I learned something from, you know, a very senior general one.
And he told me when there's confusion, the problem is there's no boundary.
And when you don't have a boundary, everybody thinks they own that turf.
And that's why there's a turf war.
But if you have a boundary, now everybody knows, oh, I have to coordinate to go across it.
It's not meant to be a silo.
It's meant to be a coordination line.
So there's clearly, and we've worked hard in the Army to finally stand up a intelligence capability for Army cyber.
It was the only one without one because people say, well, you have the NSA.
Well, the NSA is critical, but what's their mission?
Signals intelligence, right?
What cybercoms commission, a mission, right?
Cyber operations.
Well, guess what?
Sometimes there has to be a decision made like, okay, we're just going to burn this down
because we're doing operations and we're going to have to figure it out.
And right now, this is a big function of the dual hat, which we're not discussing at all, by the way.
we're not touching this, right? It's sitting right where it needs to be. But it comes down to,
you know, this exists in a couple different areas. And so for me, it's all about combined arms.
Rather than a turf war, it's like, does cyber need intelligence? Absolutely. It's not,
when I first came to cyber, I came there from second infantry division, and I realized,
we're not doing cyber for the sake of cyber. Like people would talk about, oh, we got this great thing.
we worked here. We're here. I said, I got it. What are we doing? Like, what are we doing? What's the mission?
Well, look, we're right here. I got that part. It's great. We're fantastic. What are we doing?
I mean, it'd be like, you're in the attack position. And it's like, look, we're here. Yeah, but when do we assault the objective over here?
There's a lot of that. And not just in the military, but I think, like, in the computer space in general, there's a lot of that attitude. And, like, it is something.
that I'm seeing compounded in the AI space right now.
I 100% agree with you, right?
And so, so Josh and I've had that.
This is why, you know, in a weird way, people when they first got to work in cyber,
they viewed it as fires.
And when I stood up the branch, I made a case to General O'Diano.
I didn't stand it up.
When they made the, when they made the decision on my race.
recommendation, right, to stand up this branch, I argued that it was a maneuver branch.
And that's why it has a number 17, which is significant for the Army, because that's
where all the combat arms are in the teens.
And I was successful in making that argument because you maneuver in cyberspace.
And so I view it as it's not, it's not just something you shoot in there.
That's not.
You actually maneuver.
And so it's an operation.
And, you know, I think this, all the offensive cyber commanders in the Army and a lot of the senior leaders, they talk a lot now about operations.
I mean, even from General Nakasone's comments about persistent engagement, what is that continuous operations, right?
So that type of, that type of thinking is permeated.
It's not just me, but, you know, I was able to accelerate that.
What do you call?
So this is a stupid question maybe, but it's one that I think is interesting.
Army has soldiers.
You know, Marines have Marines.
Space Force has guardians.
What do you call someone that is part of the Cyber Force?
One of the fun questions we'll get to decide as part of the commission.
Not sure that there's much thought that we put on it.
No, but, you know, it is a...
No, this is a culture thing, right?
You have to build culture.
And so, you know, when you look at the Space Force, you know, former Navy Reserve officer, right, friends from the Army, everyone can look at their uniforms and crack jokes or whatever.
If it builds a spree to core, if it makes them feel better, it makes them better at their jobs, does it really matter what color the uniform is?
Does it matter what they call it, what name there is?
If it helps achieve the objective,
then isn't that sort of worth it?
And so, you know, I remember people saying,
well, we shouldn't have a cyber force.
They'd have to have their own song.
Well, you know, the Cyber National Mission Force are tier one unit inside the CMO.
They have a song.
When someone did that already, right?
And so these are not the right reasons to say, like,
oh, we shouldn't be going to be talking.
Yeah, yeah, no, I'm not saying,
I'm not throwing that out there as an argument again.
I actually have a suggestion.
I think they should be neuromancers.
Let's bring in William Gibson.
There's no way they're doing that.
I love that.
But there's no way we could use neuromancers.
Do you bring up a good point that the leaders of this domain have to understand the people that they're talking to?
I'll never forget the first selection document that we made for,
basically picking, I started with the offensive side and one of my subordinates came in and made a strong case.
And so they showed me the written test.
I said, I don't want to see this.
I want to make sure we're not making some, you know, CS, you know, computer science graduate test here.
And I'm looking.
I said, you know, I don't understand this question.
I have no idea where you're asking they go.
So that's because you're not one of us.
If you were one of us, you'd completely understand what that meant.
And I'm like, very.
point, right? But what I realized is, okay, what book is that out of? Right. And so I need to read
these books so I understand what they're talking about, right? And so, you know, and over time,
as you grow people up in the force, they obviously grow from the force. That's another big
complaint is that we bring people in from the side to lead cyber forces and they don't
understand the domain. And, you know, and it's just not good. I think the Army,
He's done a great job at that with the branch because we are actually, you know, when I was up there about a year ago, I noticed a line of colonels on the wall there.
And I was like, they were all captains when I was the R cyber commander.
So I did make a funny joke, which is, you know, inside kind of very, very military to say, no, I'm really worried about our future.
But, you know, that was all in jest.
It was absolutely the right people that got selected.
do it. All the
high water marks that Ed's pointed out
that the Army has had, right?
When we're talking about this Joint Force,
the issue is
the successes at the Army
are
counterbalance by the
shortcomings of the Air Force
and the Navy and the Marine Corps in this
domain. Because when you go fight,
you're not happy if
you're 25% or 30%
of your force is ready to go
and is, you know, ready to take
on, you know, the operational contract that you lay out for them.
If you're not at 80%, you know, you're very concerned.
And where you do have, you know, the story of this is not told by the successes of the army
in this domain, which are notable, right?
But I think it's going to be told by the failures and the others, because those are going
to be the most visible.
You know, it took an act of Congress to force the Navy to create a career field for
cyber personnel at the officer and enlisted levels.
The Space Force and Coast Guard had reached that determination on their own.
The Navy resisted it to the point that it took outside intervention.
As someone who worked on Capitol Hill, let me tell you, there is nothing the military hates
more than being told how to do their jobs.
They fought that, they resisted it tooth and nail, despite 12 years of evidence that it was not
working, that their model was not working, right? So when it comes to change, people might say and hear
what we're talking about, I said, well, if it were so obvious, or if it needed to be done,
the military, we're just going to do it already. So what are you complaining about? What I'd say is,
look at the last 80 years, five big reforms since World War II, desegregation, establishment of
the Air Force, Goldwater Nichols reforms, establishment of Special Operations Command, and establishment of the
Space Force. The Department of Defense has a perfect record of having opposed all five of them.
This is not an organization that has a good track record of organic reform.
You said it earlier, you know, it's a giant, it's this big bureaucracy, it resists change,
it kind of trundles along until it's forced by something on the outside. And that's something
I worry about, I think, with this, with cyber specifically, is that the American government
and its military, I think, tend to be pretty reactionary.
Not in like the political sense, but in the, like, they react to bad inputs.
So I worry that it is going to take a high-profile disaster of some kind in the cyberspace
to really get this thing stood up.
So I agree that, like, typically when America's sort of,
arms of government change. It's in the aftermath of something that's cataclysmic. I've been doing
cyber issues for over a decade now. And I've been through, I think, nine quote unquote watershed moments.
You know, the thing about a watershed is it's not supposed to be more than one of them, right?
So we've had a number of them in cyberspace. And the frustration is, why haven't those changed?
Does that mean that the effect that the cataclysmic catalyst is so,
significant that results in significant loss of life, I hope not.
Especially for something that is so intellectually grounded in American, you know,
in American military history, what we're talking about is, I don't want, I don't want
people to have to die for us to learn this lesson to put in place what we know to be true
today.
There's an interesting sort of prelude to the story of Israel's cyber force with 8200, which
is that a big sort of shaping event was this thing called the Agronaut Commission that was formed
after the Yom Kippur War to study the failures of the first phase of the war, right?
Why did Israel fall short in that first phase of the war?
And one of the things the Agronaut Commission found was that the Egyptians had done a pretty good
job employing Soviet-supplied EW capabilities, and the Israelis lost the tech bite.
and it resulted in a lot of casualties and fatalities.
Right?
But then Israelis died first for the Agronaut Commission to find what it found,
to then be an impetus to creating what 8200 is today.
I don't want to have to repeat those lessons.
It does sound like we're in a very precarious situation right at this moment.
There may not have been lots of deaths yet,
but when we talk about vault typhoon, salt typhoon,
I mean, the way that we've been, our defenses and our very, you know, infrastructure has been penetrated, it seems like the only thing that hasn't turned into a mass watershed is the fact that the Chinese haven't flipped the switch necessarily.
A New York Times story yesterday. Russia suspected of being behind a breach of the federal court filing systems.
It's like it's happening. It's here. We are living in it.
But people are numb to it because it's not resulted in, I mean, massive financial losses, massive technical theft.
But the point is it's like we just tend to move along.
So to me, it's just going to ratchet up.
I mean, the barrier has not been hit.
And so where when Josh first came to me with this idea, for me, it's like, okay, look,
Let's just assume that there's lots of people working on this decision.
The National Academies have been passed by the Congress to put a report together on whether this should be done.
But I, as I talked to John, the decision isn't the real problem.
The real problem is the implementation, right?
And so let's get ahead on that because even if a decision's made some of the points we led out earlier,
that's going to relitigate everything, right?
Which, by the way, we've litigated a lot of this over the last.
since 2010, the cyber command was stood up.
But I go back to where I started.
The threat is not slowing down.
Like there's a, I think Ann Newberger just put an article out today about we have to do something about deterrence in cyberspace.
There's no deterrence.
Like there's no penalty.
And so to me it's like, oh, they're in the federal court system.
So I start, Matthew, I start with this question.
Why are they there?
What are looking for?
Right? Like there's a purpose.
You know, I understand, like, you ship High Mars of the Ukraine and the Russians are working on, how do we hack high mars?
I understand that completely, right?
Because I'd be doing the same thing if it was on us.
But here it's like, why are they in the federal court system?
What are they doing?
Epstein files.
Yeah.
I'm sorry, that popped into my hand immediately.
I mean, like, looking for Compromot or perhaps information.
about what your rivals know about your assets in country, I would imagine.
Well, you know, together with Salt Typhoo, put it together with other hacks.
You know, it's so this is why I think AI is going to, in some ways, it's really going to help us in other ways it's going to put the offense on steroids.
Okay, so walk me through your thoughts, like your high-level thoughts on AI then.
like over overhyped important um i'm a believe like tech ebbs and flows right i always go back to
remember prior to november 23 oh we're so far behind the chinese and AI it's terrible we're
losing open i i releases chat gbt it explodes the entire AI world and to which i remind my friends
who were telling me this at the time of said
why didn't the Chinese were so far ahead of us why didn't they invent this right now the problem is they copied it they're good at that right well it's like i have a saying anything that gets exposed in the tech world open uh you know it becomes a race and the reason i bet on the u.s is the u.s up to this point is much better at implementing fast innovation right we can make stuff like crazy may not be able to scale it like
others yet and that's something we can have a longer conversation on. So I look at this from the
defensive side. Now from the defense, it's been weak, always been weak. I don't buy this argument,
though, that it can't be fixed. It can. And AI is going to help this like crazy because it's
going to expose all these vulnerabilities. People are going to be held liable for them. There's
going to be, you know, our system will take care of this in the way that they work on the
offensive side. Offensive operations, by the way, are a lot harder than people think, right?
They're actually really hard, but they can be quite effective. It's going to make that, like,
today where it might take, well, just use an example, as a division commander, I will
we normally have them create three courses of action.
Most of the time, one is fairly well developed, one is partially developed, and one is a throwaway.
I'm overstating that, but in generally, today you can have an AI create 350 and risk score
those things for me, right?
And it'll do it in 10 minutes, right?
So now you take that kind of logic and put that on the offense.
I mean, look, I've got a thousand accesses.
tell me which one would be best.
This would take months to sort out.
It'll take minutes from AI to do that.
If you program it correctly.
So I always have these caveats, right?
If you understand it, so the positive sides can really, to me, the new point of the realm
of speed, AI is speeding everything up, right?
Because it's speeding up the decision making.
And so that's what we have to guard against.
and it can do other things too.
I got it, but this is a much longer conversation.
We do a separate weeks.
I spend a lot of time on AI.
I want to talk to you a minute after we finish.
Just a second.
Let me ask you this then as a way to kind of go out
because we're at the end of an hour.
And this is another big question.
But what are your biggest lessons learned from
Glowing Symphony
from hacking ISIS
Yes, for you.
How would you
apply those lessons to
a future cyber force?
So you've listened to Dina's podcast?
I just want to know where you're...
Oh, no, I'm immersed in this.
I'm more of a tech journalist now, so I'm like
I think I did a so obviously I was the a Arias commander at the time not when it happened though because I had changed command so Paul Nekosone was the commander for that but intimately involved and I worked with him to get a lot of this declassified because I think the American people need to understand offensive operations more so it's not so scary right and also nebulous I think there's like a problem with and this is something I run into writing about it.
like there's a problem with like metaphors and description.
You know what I mean?
Like it's hard to communicate exactly what's going on sometimes in this space.
So for that operation, I used a lot of stuff that I learned in Iraq.
And with working with special operations in Iraq.
So, you know, I had a ground combat, brigade combat team.
And so bottom on it goes like this.
To me, it was an operational concept.
We're going to figure out the.
network. And then what we're going to do is we're going to enumerate that network as much as we can.
And then we're going to destroy the entire thing. Because just working on an edge node,
you destroy the edge. They just built another one. Right. This is the problem of cyber.
They just, what are they going to do? reboot their computer and they're back in business.
Right? Like, what is that? So let's create something big. Right? And, you know, I learned this actually
out of the New York Counterterrorism Center 2004
when I went up to visit them
and they talked to me a lot
about how you defeat networks
and I changed the entire way
I operated in Iraq which was successful
and then General McChrystal did it in
spades with J-Soc
right
and did that in a much more massive
scale so I took those ideas and
brought them to glowing symphony
so that's operational
but what Dina was
surprised at was
she goes
it was actually like a PFC that came forward with the idea.
And when I created Task Force areas, it's a very different structure.
It doesn't look like a traditional military organization.
It looks like a hacker organization.
So it's very flat, right?
And it's all based on capability.
Right.
It's who's in charge is who has the expertise at that moment in time.
And expertise could also be operational.
operational expertise, right? And so, you know, I'll kind of go there because it's still operational and
some com, et cetera. But the point is, is this is a case where it was the operational construct that
led to that success. And some people say it wasn't that successful or, you know, they were able to
redo it. It had a definite impact. As importantly, it showed our forces what was possible.
And if you notice like all that stuff that was going on in 2015-16 about or actually 15 to 16 recruiting Americans to go work for ISIS, you know that was all gone within a year, right?
That didn't happen by accident.
Right.
Yeah, I think an under little understood aspect of the Islamic State is how good they were at cyber and like social media.
And we think, you know, like you look at their propaganda and kind of think of them as,
this almost medieval force,
but that propaganda was
like very purposefully designed
and like got to people
along these channels that they had built.
They were very good at that.
And yeah, and it was
eliminated.
No.
This, I think,
ties to saying we could kind of end
where you'd see fit, right?
No country in the world
is better prepared for a 20th century
conflict than we are. The issue that you raised with the Russians and the Chinese, that's not the
war we're fighting. We're in a conflict and we're acting as if we're not. We have leaders talk about
2027 around the corner and we have to accelerate our investments in new weapon systems. We've got to
move faster. We've got to improve our shipyard capacity, all these things. It's really interesting
that when Ed and I and others are talking about this, we hear this strange sort of
note of caution.
Like, no, no, no, we should take our time with this.
We really shouldn't rush into anything.
Like, that would be like saying we should stop buying new aircraft and just double down
on the ones we have.
For some reason, when it comes to cyber, there's this, like, fear of getting it right.
And, you know, we don't have this time.
We don't have this time horizon to sit and analyze and study it to death.
Right.
And so that's why, you know, what's so exciting is that.
that, you know, Ed heard this crazy idea, like, yeah, I think we should do this too, right?
And then we went to a bunch of other folks, and they also said the same thing, right?
So there's a momentum here that hopefully, you know, we can get out of the malaise we find
ourselves in and, like, actually get down what everyone expects is already happening today.
Because, you know, my big fear is like, if this were, you know, a naval situation, you know,
president says send the aircraft carrier and someone's going to have to, you know, lean over to the
president and say, sir, our aircraft carrier doesn't have a nuclear reactor, it doesn't have any
aircraft and has half a crew.
It's like, well, what do we spend all that money on?
Right.
Like, that's kind of what it feels like cyber kit is today, but we know what the potential can
be, you know, moving forward.
I do think that that is a great place to end on.
And yeah, it was the perfect segue.
So you've been listening.
So thank you, Ed, Joshua.
Thank you both for coming on to Angry Planet and walking us through this.
I think this was absolutely fascinating.
Where can people follow the progress of this thing?
War Commission is going to launch on September 16.
We're going to have a site within the CSIS domain where they can follow what we're doing
and an explainer of how this is happening.
and we're going to continue to try to talk through exactly what it is we're doing so that we're ahead of the curve,
as opposed to Space Force, which was still very much explaining to people what this would be after it had already been created.
Oh, could I ask one other thing just for a recommendation?
Is there anything, just if you're a layperson or just not very immersed in this stuff?
Is there anything that people should read as a backgrounder help people understand what's the state of things?
Yeah, I think the Foundation for Defense of Democracy's paper from April 2024 about a cyber force is a great explainer for the why.
Why are we doing this?
Moreover, it also summarizes very well what the operational community, what the actual operators think about this.
So that's probably the best place that I've directed people to explain the context to it.
We can put that in the show notes.
Thank you both so much for coming on.
That's all for this week. Angry Planet listeners. As always, Angry Planet is me, Matthew Galt, Jason Fields, and Kevin O'Dell. It's created by myself and Jason Fields. If you like the show, Angry Planet pod.com, get yourself early commercial-free versions of the mainline episodes, some written work, and some bonus episodes. We will be back again soon with another conversation about conflict on an Angry Planet. Stay safe until then.