Irregular Warfare Podcast - Do we need a Cyber Force? Part 1: Arguments for a Seventh Service
Episode Date: July 12, 2024Episode 109 examines a recent report from the Foundation for Defense of Democracies on the arguments for a United States Cyber Force. This episode is a two part series of Project Cyber that looks at t...he arguments for and against a Cyber Force. Â Our guests delve into their long-standing experiences with U.S. Cyber Command and detail the current challenges in cyber force readiness, recruitment, training, and retention. They then discuss how despite significant funding, cyber force readiness hasn't progressed as expected, citing adversaries like Russia and China as examples of rapidly evolving cyber capabilities. They highlight the inadequacies of current service structures in cyber operations and suggest that a dedicated cyber force could better meet the demands of modern cyber warfare. The conversation also touches on the potential integration of existing units and the implications for relationships with organizations like the NSA and DISA.
Transcript
Discussion (0)
The skills are really uneven across the services.
The pay and the renumerations are uneven, the development is uneven.
It is a reasonable assessment at the end of this to say that this current system can't
continue to function.
Our adversaries and that that we should necessarily emulate them, but they've got
more than just their intelligence services and their military forces operating against
us.
Welcome to episode 109 of the regular warfare podcast.
I'm your host, Matthew Mullering, and today I'll be joined by my co-host, Louie Taberton.
In today's episode, we are joined by Rear Admiral retired Mark Montgomery and Lieutenant
Colonel retired Kurt Singer.
This episode is produced in collaboration with IWI's special project on cyber, and this
will be part of a two-part series looking at the arguments for and against standing
up a new cyber service.
With this podcast looking at the arguments for establishing a seventh separate service
for cyber.
Our guests delve into their long-standing experiences with U.S. Cyber Command and detail
the current challenges in cyber force readiness, recruitment, training, and retention.
They then discuss how despite significant funding, cyber force readiness hasn't progressed
as expected, while adversaries like Russia and China have rapidly evolving cyber capabilities.
Finally, they highlight the inadequacies of current service structures in cyber operations
and suggest that a dedicated cyber force could better meet the demands of modern cyber warfare.
Rear Admiral retired Mark Montgomery is a senior director at the Center on Cyber and
Technology Innovation at the Foundation for the Defense of Democracies.
He directs Cyberspace Solarium Commission 2.0, focusing on implementing recommendations
from the Cyberspace Solarium Commission, where he previously served as Executive Director.
With a distinguished 32-year career in the U.S. Navy, Mark retired as a Rear Admiral in 2017,
having held key roles including Director of Operations at U.S. Pacific Command and Commander
of Carrier Strike Group 5. Lieutenant Colonel Retired Kurt Sanger is a cyber security and data privacy attorney
with Buchanan Ingersoll and Rooney, P.C. He served in the US Marine Corps for over 23
years as a cyber operations attorney, criminal defense counsel and prosecutor, advisor to
the Afghan National Army, international law instructor at the Marine Corps University
and National Defense University, and is a planning officer with US Central Command.
You are listening to a special series of the Irregular Warfare podcast supported by the
Princeton empirical studies of conflict project and the modern war institute at West Point,
dedicated to bridging the gaps between scholars and practitioners to support the community of
irregular warfare professionals. Here's our conversation with rear Admiral retired Mark
Montgomery and Lieutenant Colonel retired Kurt Singer. Mark, Kurt, it's a pleasure to have you
on the Irregular Warfare podcast.
Hey, thank you very much for having me.
Thanks for having me as well.
Mark, you recently helped write a report
on the need for the establishment of a new cyber force.
Can you let us know why you decided to write this report?
And additionally, why now?
Thanks, yeah, the timing this is purposeful, right?
Where we've been watching,
a number of us have been watching
the development of the cyber force over 10 years. For me, I was at Navy when we were making the original
agreements of how many troops, how many soldiers, sailors, airmen, marine to contribute to the
cyber operating forces, or the cyber mission force, you know, way back in 2010, 2011. I
then was at UCOM in the J5 when we were trying to figure out how to first employ it, and
then PACOM in the J3 when we were really along the way in employing it.
And then finally, I was working for Senator John McCain on the Senate Armed Services Committee
and cyber was under my portfolio.
So I've been watching this for a while and look, it's fair to say over the last 10 years,
despite significant increases in resourcing and money into the problem, We have not seen the cyber force readiness increase
at the pace we would expect with that,
as you would in any other service,
where if I gave money to F22 readiness,
I'd see a mathematical change that was reasonably predictable.
We're not getting that in cyber force.
And certainly we're not growing the force
in a way that we're kind of near team-wise and operator-wise.
We're very close to the numbers that we intended to have in 2012.
Here in 2023, or 2024 now, where the adversaries changed a lot.
I think it's fair to say Russia, China, North Korea, Iran, but particularly Russia, China
have developed significant capacity over that timeframe. And look, we've watched the challenge with not
being able to separate US Cyber Command from NSA. And if you read General Dunford's, the limited
discussion of that that's happened in public, it's clear that Cyber Command did not have the
infrastructure necessary, the infrastructure being the people and the equipment, to operate alone
away from NSA. And that tells you a lot. And a lot of that has to do with intelligence.
Some has to do with operations. But it tells you a lot. And I think General Dunford's basically
said this is more of a four or five, review this issue again in four or five years. And
so for me, looking at all those kinds of indicators, you then start to research and that, you know,
cyber, the development of the cyber force isn't the number one priority
in any service.
The skills are really uneven across the services.
The pay and the renumerations are uneven.
The development is uneven.
It is a reasonable assessment at the end of this to say that this current system can't
continue to function.
In fact, I think even General Lacasone, who would not attach himself to the idea of a cyber force, would tell you the way forward
in fourth generation is not the status quo. So because of that, we studied it. And then myself
and Dr. Erika Borgaard, Dr. Erika Lonergan now, but a pretty well-respected cyber policy and
strategy professor at Columbia University, formerly of the Army Cyber Institute, formerly
of the Cyber Space Salarium Commission with me, and someone who's written a lot, who DOD
relies on a lot when they're trying to write products that can be read by academics.
We've studied this issue.
We had interviews with 75 out-processing or on-active duty personnel across a range of
ranks and not one of them said things are okay. Not all of them said we need a
cyber force, but not one of them said things are okay. When you have that kind of condition,
you absolutely have to research it. And that was the genesis of us deciding to proceed on this.
We talked about it with Representative Mike Gallagher, Chairman of the Cyber Subcommittee
on the House Armed Services Committee. And he agreed that taking a look at it was a useful, useful part of our time.
And so we at the foundation for defensive democracies went ahead and
studied this issue over about five months and produced this report.
Thank you for that background.
And Kurt, you serve with the U S cyber command for eight years.
What was your experience there?
And why do you think now might be a time to look at changing how we conduct cyberspace operations? I spent my first three of eight years
under Cyber Command with the Marine Corps Forces Cyber Command component and there we did a lot
of defense to start out. The offensive capability was growing and we also had the defensive
responsibility because the Marine Corps owns its own network
as the other services do.
Cyber Command has the defend mission,
but the services still own the networks that they defend.
Very interesting issues on the defensive end,
but of course, much more exciting on the offensive end.
And as we grew during my eight years there
into doing more offensive operations,
very proud of the accomplishments we had.
I think we did some really incredible things, very creative things you wouldn't have even thought of when I first got there.
We got to do by the time I left.
But my experience there basically showed me that there's more talent out there in America than what the military services can produce.
If you want to be an offensive soccer space operator, you basically have to come through
the military to do that.
And among the talent that America has, I'm not sure that everyone who would want to contribute
is willing to go through the traditional military experience of the Marine Corps boot camp or
Marine Corps officer training or that of any of the other services.
And so really my driving interest in this issue is how are we going to win on game day?
And that depends on who is going to be there on game day.
And of course in cyberspace, every day is game day.
We have a steady state condition where we are engaging with multiple adversaries every day.
But then we also have crises that we can anticipate and some that we've already been through.
And what I'm hoping for is an organization that can recruit, train, and retain the people
that we need for that steady state, everyday fight and for the big crises that we might
face.
And I believe that there is a different type of organization that America can come up with
that will not put the people that are going to be on keyboard, make them sleep in the
mud before they get on keyboard, make them fire a rifle necessarily.
They need to have some sort of offensive mindset and something like the joint planning process in order to conduct cyberspace operations, but they need a different type of entry program
in order to come to the aid of America for cyberspace.
Awesome.
That really frames the experience of what our cyber operators deal with.
So back to the report, Mark, can you summarize some of the key findings in the report and
what your recommendations are for setting it up? Yeah, absolutely
so looks first of all, let me just say what it isn't this report is not some kind of condemnation of of
US cyber command I want to make clear this we're talking about force generation here not force employment
There are probably force employment problems of cyber command
I'm almost sure that they would stipulate that part part of their new CSC 2.0s to get
at that. And they should be working on those. But that is not what this report is about. And I
don't think that's the core issue. I think US Cyber Command is doing an adequate job with the
forces they're given and the resources are given to employ those forces. So we'll set that aside.
What this is an argument for a more trained, ready and agile cyber force.
And it is an absolute criticism of the current methodology that the services
employ for recruiting, onboarding, training, maintaining, developing,
and retaining our cyber force operators.
And it is broadly a statement that the current force generation model does not work and will
not suffice for the kind of growth that we're going to need and the capability and capacity
we're going to need to get the maximum capability out of our cyber effects and to make sure
that our cyber effects are adequately supporting our broader kinetic and joint efforts.
And so to me, I start with recruiting and just say,
we're not recruiting the right force.
I don't think that the leaders of any of our cyber forces
on a polygraph would be able to pass saying,
I'm comfortable with who we're bringing in.
That doesn't mean we're not bringing in great Americans, right?
I thank God for the young men and women
who are joining our military today.
My son's getting commissioned in a couple of weeks,
and it's a hard thing now to convince this generation to join. You can see the polling
and statistics and show that not only are 75% of broadly, about 75% not eligible for military
service because of fitness, mental issues, academia, things like that, but about 75%
don't want to join the military. Luckily, and they're not the same 75%,
so we're working from a lower than 25% to get at right away.
Our recruiters are working their butts off
and we know the Army missed numbers by a lot.
The Navy very wisely snuck its numbers
a couple hours later, a day later,
and the Navy quantitatively did,
had less of a miss than the Army,
but as a percentage of what they needed, it was even higher.
And I'm just telling you, two of our services, I'm not sure how they, the Marine Corps recruits
differently.
They usually do pretty well, but that doesn't, we'll talk about it.
It still doesn't get the right operators in because they're recruiting from the, a pool
that's looking for an infantryman first, first, second, and last.
And then I'm not sure about the Air Force, but what I'll say right now is the services have got a normal traditional recruiting, which is sitting outside the locker
rooms of all the men's and women's sports teams and trying to get those best athletes coming out.
And I mean, we hit other places, but let's be clear, that's the focus. The focus is for a,
you know, to get that kind of soldier, sailor, airman, Marine in. I don't think they're sitting
outside the E-gaming hovel down in the basementman, Marine in. I don't think they're sitting outside the E-gaming
hovel down in the basement of the high school.
I don't think they're sitting outside the robotics club, not in the right way.
So what happens is we're bringing kids in and we interview squadron commanders
and multiple certain battalion commanders and multiple services who told us,
hey, my job is to do something really complex.
Maybe it's develop malware for something or else.
And I get my hundred young men and women in to do this.
And I'm using less than 10% for to achieve about 95% of my mission.
That doesn't make the other 90% of people bad.
It makes them frustrated, but they're not able to do their job.
They were not, they probably couldn't even write Python when they come in.
I'm imagining how people become cyber at the processing place for the enlisted
men and women coming in.
They're like, Hey, how are you?
Do you know cyber?
You know what I mean?
I don't think it's that they're like, ah, we've got the person with
Python, these three certificates.
They work two other things.
You're going into this kind of suspect in the cyber force.
Instead, if they're in the Navy, first pick is going to be SEAL.
Second pick is going to be the Nukes or maybe the Navy, first pick is going to be SEALs.
Second pick is going to be the nukes or maybe rotate those.
Third pick is going to be the Aegis fire control technicians.
Then cyber might get a person that said, by the way, I'm cyber capable.
You know what I mean?
If they're got the good ASVABs, they're going elsewhere.
My point on all this is that the recruiting is not tailored
to developing a cyber force.
So right off the bat, you're really handicapping yourself.
What if I told you, here's our group of SEALs for the first night of the first day of hell week.
By the way, about 80% of them didn't make the, couldn't pass the normal Navy PFA.
Let's see how you do chief. It's going to be a complete cluster. So we're recruiting the wrong
people. We're not training them consistently across the services. Some do better than others. Some
are investing in that training program better than others.
And we're certainly not compensating them consistently.
Way too many of our reports where you have E5 sitting side by side, same mission.
They've been in the service the same amount of time.
In theory, they're in the same job.
And it doesn't matter which one's better than the other.
One of them randomly is compensated significantly more than the other.
You can't have that. That does not help either. It certainly makes the person making the less
money uncomfortable. The other one worries, what's my future going to be when things twist a little
bit? So to me, that's bad. And we're just, we're not getting the retention. What rank of person
we do in certain jobs is different across the services. One of the services, adamantly refused to create an officer,
basically a cyber warfare officer,
until Congress forced them as a Navy.
And I do appreciate that Navy once they did it said,
didn't we have a great idea
we're creating this cyber warfare?
I'd be like, whatever, you fought it for nine years,
but now you got it.
Something's wrong with this system when we're doing this.
And so for me, I have to believe that with that recruitment,
onboarding, training, retaining, that core force generation is the
thing impacting readiness and really it's preventing cyber, cyber
command from being what it needs to be.
General Akasone rightly recognized two years ago, he needed to grow the
number of teams.
I think he said 14, but I think his real goal
was in the 30 to 40 over a half a decade.
But he couldn't really do it.
We don't have the people for the current teams.
So this is a criticism.
And the service performances are inconsistent.
When we first did this in 2010, 2011,
I think you just said the Navy was in a pretty good position.
I would now say they're the anchorman
of the grouping of services. So things move within them. I will say right now, the Army has challenges, but they're
probably the top performing service in this. And some services still don't have general officers
with actual cyber operator experience as a field grade officer. They just randomly become cyber
at the point of conception as a flag officer.
That's probably not a good system. So we really need to work on it. So a heavy criticism of
the force generation. And again, to me, cyber force is the natural solution. Others may
see different, but no one can argue that the status quo is functioning properly.
Kurt, did you see any issues along those lines in your time in the cyber units that you worked
in?
Sure. So this is a mental exercise to highlight what the Admiral has been discussing.
Just for a second, picture what your ideal Marine recruit or any service,
your soldier, sailor, airman, cruise guard, guardian, what the ideal recruit would look like,
what the ideal mid-career professional looks like. And then think about what your ideal cyber operator might
look like, and what your ideal mid-career cyber operator
would look like.
I don't think they will look like.
And not just physically.
I'm talking about think about the discussions
you would have with them.
How they make decisions, what they think is important,
what their creative minds think of in terms of operating.
These are the skills that we need, especially in cyberspace, which allows for a lot of creativity,
and which isn't always encouraged by the services.
There are a lot of creative people in the services, but sometimes those services also prefer conformity.
The cyber domain demands something different.
The threat demands something different.
And there were some really creative people at Cyber Command. The cyber domain demands something different. The threat demands something different.
And there were some really creative people at Cyber Command, and like the Admiral, no
criticism of Cyber Command there.
Like I mentioned, very proud of what we did there.
But we're an organization, Cyber Command, we were a combatant command.
Combatant commands mostly carry out military missions.
We support other DOD assignments and responsibilities.
We support other organizations and their missions.
But there are also much broader issues at stake,
and some of those are law enforcement issues.
Some of them are economic.
And the type of force that we need needs to incorporate
their expertise at an operational level.
There are joint and interagency teams
that were very successful, but for the breadth of what cyberspace interests represent to America
and the types of personalities that need to be involved, not just in the government, but also
in the private side, because a lot of the battlefield, so to speak, is owned by the private sector, that we need to have a much broader
representation in whatever America's premier organization for cyberspace offensive operations
is. Kurt made me think of something there. Marines are a perfect example. I think the Marine Corps
ethos is every Marine a rifleman. I get it. And no for every cyber operator, right? We don't need cyber operators as riflemen.
I mean, they may be kick ass at call of duty, but we don't need every cyber operator as a rifleman.
And that's exactly why you need a unique cyber service. This is a much different argument than
Space Force. Space Force was a cleaving of a mission set from the Air Force and separating it
because there was a decision made that maybe the Air Force wasn't focusing its resources properly on space.
I mean, Space Force was 88 or 90% of what came from Air Force.
This is about pulling from each of the services that capability.
I'll give you, we can talk about some more things later on, but I'll just say that the,
the, we will just having a focus on cyber and recruiting the right young men and women to join that service is going to have an amazingly impactful role and amazing impact on readiness, I think overall and on cyber comes ability to operate going forward.
So to me, just with that, and we can talk about the other advantages further on in this, but I'm very comfortable
with this recommendation.
U.S. Cyber Command has been progressively getting service-like authorities, controlling
team structure, training requirements, budgets.
There's often, when you have this conversation, there's some analogies to U.S. SOCOM, you
already mentioned Space Command as well.
What impacts do these efforts have on the appetite for cyber service?
And how would a new service change this progression?
So let's be clear.
Some of these changes that Congress has been doing have been because there
wasn't a cyber force, the frustration with the services led to the transfer
of these authorities to cyber command.
I think this is, it was the right thing to do.
Not a cyber force, not being an option, but it's the wrong thing to do when you
just clean sheet it and say,
what is this how I would want to do it?
Transferring acquisition,
then the EBC enhanced budget control,
the acquisitions go into cyber command is fraught with risk.
We are really transferring things outside
of the traditional civilian military oversight of acquisition.
You get a service structure.
There are a lot of things about a service structure
that made all of us want to leave the service, right? But one of the things that's right about it,
one of the things we all understand deeply is that civilian oversight of certain military,
the performance of certain military duties. And acquisition is one of the heaviest ones.
This particularly is due to the rapid rotation of military personnel through their tours, right? We
don't make them sit in a job for four or five years at the Pentagon doing acquisition. You need that
civilian oversight. I am very worried about, I both understand why Congress moved those
over. A lot of it was done with Cyber Salary Commission recommendations. Working with Representative
Jim Langevin, Senator Angus King, Representative Mike Gallagher, pushed those authorities over to cyber command,
but that was because there was an absence of another option.
I do want to pick up the SOCOM one,
because I hear this all the time.
And first I want to say,
I think I have a good alliterative on this
in terms of the people.
There is a unique thing about a soft special operator
on the ground, air, in the maritime.
I'm going to just stipulate that I suspect
neither one of you
should be flying like an Air Force Pave Low
as a side hustle, right?
We didn't train you for it, we didn't get you for it.
I'll also say I've sat down on my submarine
and 50 miles off, I wanna blow up a train trestle
in Pyongyang, I'm looking around and there's an Air Force
Helo pilot or a Navy SEAL, who's jumping in that little
Scooby-Doo to go 50 miles ashore and blow up the train trestle? Probably I'm picking the SEAL, right?
There's a unique service nature to the special operators. If I then say, let's
take that train trestle out with a cyber tool, I'm not like, hey, where's that Navy
guy? Because it doesn't really matter, right? It could be any service. And so
the SOCOM model kind of breaks down when there's not this service specific value
to things.
I'll also tell you the SOCOM acquisition model is not like five stars on Yelp, right?
It's had some real challenges.
My spider sense is that acquisition is best handled by the services.
By the way, the service acquisition has a lot to do with smart people like General Dunford
saying, hey boys, we need to hope we need to slow down our role on separating NSA and
cyber command because of the inability to get that kind of infrastructure, the
cyber specific infrastructure that's necessary out there.
So look, there's this angst ridden reach to find some other way to do things
other than the services just reinforces my belief that you need a cyber force.
And when you have it, you can pull some of those authorities back.
In the meantime, they're best held by cyber command.
Sometimes we'd have someone come into our office
at the cyber command staff judge advocate office,
particularly one of my first boss,
probably somebody who's well known to West Point
and to the listeners of the podcast, Colonel Gary Corn.
We'd have someone come into the office and say,
we need this operational authority
or we need this administrative budgetary
personnel authority. And he'd say, all right, suppose we had that authority
today, do we have what we need to execute it? And we'd get a lot of silence in
return four times out of five, because we didn't have the personnel to carry out
that activity. And one of those things was in line with budget concerns.
We get enhanced budget authority,
or we get an additional contracting authority,
new method to contract with the defense industrial base,
but we wouldn't have enough people,
or potentially any people,
to actually run the processes necessary
to get those contracts approved. So just
because you're given an authority or in a responsibility doesn't mean that
you're prepared to take advantage of it. And when you tell a combatant command
that you now have this authority, that doesn't change the the table of
organization for the organization automatically with it. You also have to get the people in who have the expertise
and you also have to implement the processes.
And then you have to get all the people outside the organization.
You have to get them used to doing business with this organization,
the type of which they haven't had to dealt with in this way before.
And one other thing I want to mention that's different about special operations
can from Cyber Command and from every other organization that I've observed throughout my career,
and I've never heard anyone say it, but I've discussed it with others and I think that
it's true.
Special Operations Command has a moral force behind it that drives a lot of decision making
and a lot of support, and that is because special operators are closest to the danger.
And being that close to the danger, they're able to get Congress's attention,
they're able to get the administration's attention and the Office of the Secretary of Defense.
And that drives a lot of things in their favor and they deserve it, of course,
because they are the ones closest to the danger.
No other organization generally has the same level
of urgency and moral persuasion ability behind it.
I pick up on that and say,
I think the same thing applies in inter-service arguments.
Like I think SEALs have done better
than information warfare personnel are in
and getting money and acquisition things.
And just in general, I think that's true
in particularly in the army,
but it's also true in the Navy and Air Force, where the special operators are just more successful at
gaining access to resources and capabilities. Awesome. That's fascinating conversation back
and forth. And I'm learning a ton throughout today. So I know our audience will as well.
Moving on next portion. So both DISA and the NSA play significant roles in cyberspace.
How would the cyber force change the relationship
with these organizations?
For example, should the cyber service assume responsibility
for protecting and operating the Dodin information network?
I'll give it a first whack at this.
So first, I'm gonna be clear again,
we're not changing cyber command.
So that role, that element stays the same
and they have a role with both of those.
Look, if I had my way over time,
or the Dodin would be a sub-unified command of cyber command. I think that's much like we've
set up a sub-unified command on the offensive side. I'd set up one on the defensive side.
Let's take that issue set aside. Will it have an impact? Yes. The NSA cyber command split's
not going to happen under the current model. I can guarantee you that. Five years from now,
they'll either ask General Dunford to come back and do it again, or they'll find another
retired chairman say, could you take a look at the, maybe CQ Brown will
take a look at it, but they'll come back and say, Hey, we're not ready.
But this is interesting.
And we're going to talk later.
I think about how you break forces up.
If you create a cyber force, it's hard to say.
I understand the cyber operating force to be about 6,200 will say, but
the, the DISA part,
the DODIN CPT cyber protection teams, to me, they would probably be part of the cyber force,
right?
There's things you could take a look at in there, but there's other functions DISA does
that have nothing to do, that are really about CIO responsibilities for the department of
Fed.
They contribute to the CIO's mission, things like that.
It's a thing you'd split up iteratively.
You make a first cut, work with it,
see if you need to do more.
My recollection is that Space Force started out
with 16 or 17,000.
I think it's gonna end up with about 24, 25,000
as they continue to maneuver people around.
My gut reaction is we'd start out with about 10,000
because there's more than just the Cyber-Operating Forces
training units and recruiting and things like that that would have to come over a little bit from each service.
Start at around 10,000 and maybe grow.
And here, how far you grow, I think is going to be different to Space Force because there
is a growing adversary capability.
There's going to be a broader demand signal for both CMT mission teams and protection
teams, both at a national level, combat and command level,
and DODE level.
So it would grow to 17, 18.
Some of that growth might just be growing more people,
which you have a much better chance with
if you have cyber recruiters, by the way,
and not relying on services to go grab people.
But some of it might be that you say,
hey, we took these people,
we probably should have taken those.
I will tell you there's a large amount
of Department of Defense
retained and then service retained, IT management, even some cyber
protect capabilities that are unique to the services that will be retained.
This isn't moving everything over, but it's moving a lot over that allows
you to better equip, operate, maintain, retain the cyber operating force.
Which I think is only going
to increase. As you see, cyber is a percentage of a military operation going back all the
way to Kosovo to some future conflict 15, 20 years from now. It's a linear verging on
exponential growth curve. And to be ready for that exponential growth, we're going
to need a pretty fulsome cyber operating force.
I'm not sure with regard to DISA, they're the defensive
organization. I completely endorse Amel Montgomery's thought that they should be a sub-unified command.
It just gives them extra emphasis and authority and ability to move the needle for the things
that they need. But in cyberspace, offense informs and improves defense and defense informs and improves offense.
Whether that's best done under the same organization, under the same commander,
I would assume it would be best that way, but I think it's something worth exploring.
With regard to NSA, NSA is a DOD organization, but they also have national missions that go beyond
the DOD. They're informing intelligence needs
across the executive branch
and leave with members of Congress as well.
And so they're gonna continue to support cyber,
whatever the cyber force looks like,
they're gonna have that responsibility as well.
NSA and Cyber Command have a special relationship,
a special partnership,
partially because they have a dual command,
also because they were told essentially
to have a special relationship by Secretary Mattis,
better known as General Mattis to the Marine Corps.
But that drove the members of NSA
and the members of Cyber Command to work together
to solve problems so that we didn't have to bring them up
to our common parent or so that we could provide solutions that both sides, both organizations could live with.
That was very helpful to Cyber Command in addition to all the practical support in terms
of personnel and platforms and tools and such.
But I would imagine that NSA and whatever the new cyber organization would be best served,
both of them, if they had a special relationship as well.
There's a bunch of different units that play a role in cyber domain.
And each service has units that do things in tech that might
not be considered cyber units.
And for example, is like the Signal Core, any sort of communications
unit, all include some of the software factories that are actually doing
development, would your version of a cyber force include these units?
And as all of our units become more reliant on both artificial intelligence
and just software to conduct military operations, what's the danger in
separating them from the other services?
So first, I hear this a lot from the services.
I love to hear this from the services that maintain four independent
aviation elements and an army that has more ships than the Navy.
You've got to have, you've got to be pure as the driven snow on this separation.
I look at them like, you've got to be kidding me, but I'll set aside the
hypocrisy of the kind of, I can't believe you can't answer this question perfectly.
Now I generally say, we'll have to figure it out.
My gut reaction is from the software factory development, where it leads
directly to tool development,
particularly on the offensive side, on a kind of sec dev model that probably would belong in the cyber force. Some would not. AI broadly, there'd be some elements there. There'd be some trimming
of the amount to account for what was doing AI in a service and it would go over. Then a second
iteration, I think. And look, we don't solve the problem. We make a recommendation in our report, a broad one, the biggest of which is that I would put it for civilian management
purposes in the Secretary of the Army. We can talk about that in a later question. We obviously do
this in a way, if a service is adamant, they need to have it and watch that and then determine over
a few years whether that was an accurate assessment or not. I don't think we have to be, I definitely
want to measure twice and cut once the first time,
but I recognize that first cuts not the final cut.
At first cuts to get it started, get it moving.
Look, the goal here is to improve readiness.
We will improve readiness creating this.
And the longer we delay, by the way,
we just make this problem worse.
I do not think the current status quo,
it can compete with the adversary
development in any way, shape or form. From my perspective, I think this is a good opportunity.
My perspective, I think this is a good opportunity to make a first cut, get moving, and then figure
it out on a second cut, the final details. I know large organizations like the Pentagon don't like
to hear that, but I think that's realistic. I have two observations regarding this question. The first is that an organization is best served
when it has everything it needs organically. There were times that we were beginning offensive
operations, really the very first significant ones that were not part of a larger conflict,
OEF or OIF, where the organization discovered
that we might need air assets,
or we might need a drone,
or even potentially might need special operators.
And at that point, you've got to go to another commander
and that commander has probably stretched in
with his or her own mission using those assets
and you've got to ask to borrow those.
And that commander's mission is always going to be
the most important thing to them. So if your cyberspace
operations requires aviation assets and you've got to borrow them somewhere, it's
obviously better if you have them yourself. Other thought is that the
separate organization does not mean that what Cyber Command does stops happening.
Cyber Command has three missions, defend the Doden, support other commands,
and defend the nation.
I think the defend the nation mission would be the one that would go to this
other organization, but Cyber Command and its military personnel having gone through
learning the military planning process, a lot of the people in those organizations having served at the type of missions that
they will still be supporting an infantry mission with a cyberspace capability. That
you still need to have those same people who understand the position, those military traditional
military activities, the context that they're
conducting their missions in, that they still need to be part of that.
And so this other organization, I don't envision it subtracting that support to other combatant
commands mission from Cyber Command.
Maybe it will in some regard, but we still need to have military operators and we'll
still need to have service members learning we'll still need to have service members
learning cyberspace operations
in order to support those other types
of military operations in some way.
And again, I think our report and in general,
we don't try to resolve,
look, there are existing problems between cyber command
and the combatant commands about the employment of force
and things like that.
I think they're working hard.
They've worked hard to correct a lot,
get it aligned properly.
I think they're much closer than they've ever been. But we don't try to address that as
much. And I'm comfortable, sometimes people say to me, how can someone do something if they weren't
that? Look, I'm going to say right now that if I was an Army Special Operator up there and they
said, hey, we got an A-10 pilot up there, he spent all his time as an Army Special Operator, he's
flying this week. Or I got an A-10 operator up there. He's been training to drop bombs in a close proximity to
friendly forces for the last 10 years. You're going with number two. You don't
need an Army guy. You know what I mean? You're okay with another service
providing a capability and capacity when it's their expertise. Hey, Mark, you've
forgot all about electronic warfare. And I'm like, me and the Department of
Defense, right? What they're really saying to me is, hey, as a department, we suck in electronic warfare. Yes, we do. But it's not being solved by
keeping cyber in the services or keeping this. The reason we suck in electronic warfare is we took a
25-year holiday from it while we fought a couple adversaries that didn't have electronic warfare
capabilities. And now we're left with a couple of these C-130s that wouldn't last a minute in a
high-end war, broadcasting signals, and some jammers on E-18 Navy growlers. And by the way,
the delivery of the next generation jammer has been like, I like to say it's like the Phoenix
Sons of jamming. It's always two years away from being two years away. Let's just be clear. We
suck at electronic warfare because we made a conscious decision to suck at electronic warfare.
And telling me that's hampering, creating a cyber force is ludicrous.
Whether we have a cyber force or four separate forces, we're going to suck at electronic
warfare until we collectively as an apartment say, we're not going to suck at electronic
warfare and start investing it.
By the way, China and Russia don't suck at electronic warfare.
What we're hearing from anyone who
drives through the top 10 miles of Israel right now understands that neither the Israelis
nor Hezbollah suck at electronic warfare. Try getting a GPS signal up there, right?
I'm just telling you there's an electronic warfare problem out there. The Department
of Defense has done crap about it. And telling me that has something to do with the cyberforce
paper is ludicrous. Now, I do want to fix electronic warfare. Maybe we'll do a separate report on that. It's not going to
be this. And we're not going to create, I'm not saying create electronic warfare core. That is
something that is done by a growler naval flight officer and our weapon system officer in the back
seat. Right. That's, and unfortunately we're down to just the Navy doing that. The air force and
Marine Corps have fled that mission over
the last 15 years. In case we need proof of this, and I do get we're pretty good at like
counter IED jamming. That's another mission set, but unfortunately not a mission set for
China or Russia in the world we find ourselves in. So what I would say is I'd set that aside
and when people bring up electronic warfare, it's just a red herring
on this argument.
So building on that discussion we just had there, how have the existing services responded
to the concept of a new cyber force and how would you envision the cyber force integrating
with the existing services and their organizations such as the US Army Cyber Command?
I'll give you two thoughts.
There's the public thought of would I expect any senior military official to say, I think
this is a good idea. What's my next promotion board? No, nothing. Now, privately,
do I get some of them call me? Look, some call me and say, I'm not on with you. I accept the status
code doesn't work, but that's not the solution. That's fine. I respect that. Some have called me
and said, I'm with you. I ride herd on services on this, and's not cyber service like looks like the right idea.
The official DOD position is going to be, we don't even want an outside study. This is how insane
the point we're at. We're recommending an outside study. They're like, we do not want an outside
study. When someone tells you in the face of all other evidence that everything's fine,
we don't need outside study, I feel that they're like that Army ROTC guy in National Lampoon getting run over by the band.
Like they have no idea what's coming at them, right?
It is unreasonable for the DOD to do what they're gonna do,
which is try to give it to Congress
to not even ask for an outside study.
And people should understand
that lack of transparency is a killer.
What kind of force structure alternatives
or what kind of policy moves do you expect to watch for the next year or so on this issue?
I don't start with the assumption that whatever this other organization should be a Department of Defense organization.
It may very well be the right answer, but I don't start with that assumption.
I'm trying to start with no assumptions and just start with the threat. And we need to look at the successes and failures of the United
States in cyberspace, those of our allies, as well as where our adversaries have
been successful against us. Our adversaries, not that we should necessarily
emulate them, but they've got more than just their intelligence services and
their military forces operating against us. And so
I would entertain all the possibilities with regard to what this organization should look like
based on what is the best way for the United States to defend its interests and its homeland.
Kurt, thanks for that. I take a slightly different take. And I do appreciate you mentioning our
adversaries because just as a data point, 10 years ago, China looked at this and went with it as part of their
strategic forces reorganization, created a unique cyber force in their military service.
I first want to stipulate, and I think we've all made this clear, we have great operators
at Cyber Command. And Cyber Command is the most capable, I think, offensive force in
the world. It's a hard thing to assess when you look at capability and capacity added together,
you know, offensive cyber force in the world.
And we shouldn't take that for granted, but we should also need to recognize that we're
not saying we don't have good people now.
We're not saying that cyber force isn't the right force employment model now.
We agree with that.
Where the argument we're trying to make is, how do you make our force generation capability and capacity, one that can service the cyber command we need five and seven years from now? And I think
the only way to do that is with a unique force. I don't give myself the luxury that Kurt does of
thinking outside the Department of Defense, because I have the history of working in the Hill to say, at no point ever would the Senate Armed
Service and House Armed Service Committee allow anything to leave. Maybe they should have better
imagination than that, but I don't stipulate it won't happen. So from my point of view,
I think this is the most significant thing we can do. We need to do significant things.
And that a cyber force in the long term, a dedicated force generation capability that
recruits, onboards, trains, maintains and retains our cyber, the men and women that
do off this kind of cyber operation force missions, both offensive and defensive, a
unique service dedicated that is worthwhile. It'll allow us to conduct the missions we need to conduct five and 10 years and defensive, a unique service dedicated that is worthwhile.
It'll allow us to conduct the missions we need to conduct five and 10 years. And now particularly against China, but against Russia, even North Korea and Iran,
by the way, even are like lesser included adversaries like Iran and North Korea.
They can't touch us with a physical tool easily, but they can touch us with cyber
tools. So from my perspective, this is the way forward for us. And this is the way.
Mark Kurt, thank you for joining us on the Irregular Warfare podcast.
Thank you, gentlemen.
Hey, you've got a little Star Wars in there. All right, thanks.
Thank you again for joining us on episode 109 of the Irregular Warfare podcast.
We release a new episode every two weeks.
Our next two episodes will tackle illicit financing within the conflict in Sudan, followed
by our second part of this series, the argument against a cyber service.
Be sure to subscribe to the Irregular Warfare Podcast so you don't miss an episode.
This podcast is a product of the Irregular Warfare Initiative.
We are a team of all volunteer practitioners and researchers dedicated to bridging the
gap between scholars and practitioners to support the community of our regular warfare
professionals.
You can follow and engage with us on Facebook, Twitter, Instagram, YouTube, or LinkedIn.
You can also subscribe to our monthly newsletter for access to our content and upcoming community
events.
The newsletter signup is found at ourregularwarfare.org.
Please leave a comment and positive rating wherever you listen to the Regular Warfare
podcast.
And one last note, all the two here in this episode are the views of the participants
and do not represent those at Princeton, West Point, or any agency of the United States
government.
Thanks again, and we'll see you next time.