Irregular Warfare Podcast - Do we need a Cyber Force? Part 1: Arguments for a Seventh Service

Episode Date: July 12, 2024

Episode 109 examines a recent report from the Foundation for Defense of Democracies on the arguments for a United States Cyber Force. This episode is a two part series of Project Cyber that looks at the arguments for and against a Cyber Force. Our guests delve into their long-standing experiences with U.S. Cyber Command and detail the current challenges in cyber force readiness, recruitment, training, and retention. They then discuss how despite significant funding, cyber force readiness hasn't progressed as expected, citing adversaries like Russia and China as examples of rapidly evolving cyber capabilities. They highlight the inadequacies of current service structures in cyber operations and suggest that a dedicated cyber force could better meet the demands of modern cyber warfare. The conversation also touches on the potential integration of existing units and the implications for relationships with organizations like the NSA and DISA.

Transcript
Starting point is 00:00:00 The skills are really uneven across the services. The pay and the remunerations are uneven, the development is uneven. It is a reasonable assessment at the end of this to say that this current system can't continue to function. Our adversaries and that that we should necessarily emulate them, but they've got more than just their intelligence services and their military forces operating against us. Welcome to episode 109 of the Irregular Warfare Podcast.
Starting point is 00:00:39 I'm your host, Matthew Mullering, and today I'll be joined by my co-host, Louie Taberton. In today's episode, we are joined by Rear Admiral retired Mark Montgomery and Lieutenant Colonel retired Kurt Sanger. This episode is produced in collaboration with IWI's special project on cyber, and this will be part of a two-part series looking at the arguments for and against standing up a new cyber service. With this podcast looking at the arguments for establishing a seventh separate service for cyber.
Starting point is 00:01:06 Our guests delve into their long-standing experiences with U.S. Cyber Command and detail the current challenges in cyber force readiness, recruitment, training, and retention. They then discuss how despite significant funding, cyber force readiness hasn't progressed as expected, while adversaries like Russia and China have rapidly evolving cyber capabilities. Finally, they highlight the inadequacies of current service structures in cyber operations and suggest that a dedicated cyber force could better meet the demands of modern cyber warfare. Rear Admiral retired Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies.
Starting point is 00:01:41 He directs Cyberspace Solarium Commission 2.0, focusing on implementing recommendations from the Cyberspace Solarium Commission, where he previously served as Executive Director. With a distinguished 32-year career in the U.S. Navy, Mark retired as a Rear Admiral in 2017, having held key roles including Director of Operations at U.S. Pacific Command and Commander of Carrier Strike Group 5. Lieutenant Colonel Retired Kurt Sanger is a cyber security and data privacy attorney with Buchanan Ingersoll and Rooney, P.C. He served in the US Marine Corps for over 23 years as a cyber operations attorney, criminal defense counsel and prosecutor, advisor to the Afghan National Army, international law instructor at the Marine Corps University
Starting point is 00:02:20 and National Defense University, and is a planning officer with US Central Command. You are listening to a special series of the Irregular Warfare Podcast supported by the Princeton Empirical Studies of Conflict Project and the Modern War Institute at West Point, dedicated to bridging the gaps between scholars and practitioners to support the community of irregular warfare professionals. Here's our conversation with Rear Admiral retired Mark Montgomery and Lieutenant Colonel retired Kurt Sanger. Mark, Kurt, it's a pleasure to have you on the Irregular Warfare Podcast. Hey, thank you very much for having me.
Starting point is 00:02:48 Thanks for having me as well. Mark, you recently helped write a report on the need for the establishment of a new cyber force. Can you let us know why you decided to write this report? And additionally, why now? Thanks, yeah, the timing this is purposeful, right? Where we've been watching, a number of us have been watching
Starting point is 00:03:04 the development of the cyber force over 10 years. For me, I was at Navy when we were making the original agreements of how many troops, how many soldiers, sailors, airmen, marines to contribute to the cyber operating forces, or the cyber mission force, you know, way back in 2010, 2011. I then was at EUCOM in the J5 when we were trying to figure out how to first employ it, and then PACOM in the J3 when we were really along the way in employing it. And then finally, I was working for Senator John McCain on the Senate Armed Services Committee and cyber was under my portfolio. So I've been watching this for a while and look, it's fair to say over the last 10 years,
Starting point is 00:03:37 despite significant increases in resourcing and money into the problem, we have not seen the cyber force readiness increase at the pace we would expect with that, as you would in any other service, where if I gave money to F-22 readiness, I'd see a mathematical change that was reasonably predictable. We're not getting that in cyber force. And certainly we're not growing the force in a way that we're kind of near team-wise and operator-wise.
Starting point is 00:04:06 We're very close to the numbers that we intended to have in 2012. Here in 2023, or 2024 now, where the adversaries changed a lot. I think it's fair to say Russia, China, North Korea, Iran, but particularly Russia, China have developed significant capacity over that timeframe. And look, we've watched the challenge with not being able to separate US Cyber Command from NSA. And if you read General Dunford's, the limited discussion of that that's happened in public, it's clear that Cyber Command did not have the infrastructure necessary, the infrastructure being the people and the equipment, to operate alone away from NSA. And that tells you a lot. And a lot of that has to do with intelligence.
Starting point is 00:04:49 Some has to do with operations. But it tells you a lot. And I think General Dunford's basically said this is more of a four or five, review this issue again in four or five years. And so for me, looking at all those kinds of indicators, you then start to research and that, you know, cyber, the development of the cyber force isn't the number one priority in any service. The skills are really uneven across the services. The pay and the remunerations are uneven. The development is uneven.
Starting point is 00:05:15 It is a reasonable assessment at the end of this to say that this current system can't continue to function. In fact, I think even General Nakasone, who would not attach himself to the idea of a cyber force, would tell you the way forward in force generation is not the status quo. So because of that, we studied it. And then myself and Dr. Erica Borghard, Dr. Erica Lonergan now, but a pretty well-respected cyber policy and strategy professor at Columbia University, formerly of the Army Cyber Institute, formerly of the Cyberspace Solarium Commission with me, and someone who's written a lot, who DOD relies on a lot when they're trying to write products that can be read by academics.
Starting point is 00:05:53 We've studied this issue. We had interviews with 75 out-processing or on-active duty personnel across a range of ranks and not one of them said things are okay. Not all of them said we need a cyber force, but not one of them said things are okay. When you have that kind of condition, you absolutely have to research it. And that was the genesis of us deciding to proceed on this. We talked about it with Representative Mike Gallagher, Chairman of the Cyber Subcommittee on the House Armed Services Committee. And he agreed that taking a look at it was a useful, useful part of our time. And so we at the Foundation for Defense of Democracies went ahead and
Starting point is 00:06:33 studied this issue over about five months and produced this report. Thank you for that background. And Kurt, you served with U.S. Cyber Command for eight years. What was your experience there? And why do you think now might be a time to look at changing how we conduct cyberspace operations? I spent my first three of eight years under Cyber Command with the Marine Corps Forces Cyber Command component and there we did a lot of defense to start out. The offensive capability was growing and we also had the defensive responsibility because the Marine Corps owns its own network
Starting point is 00:07:05 as the other services do. Cyber Command has the defend mission, but the services still own the networks that they defend. Very interesting issues on the defensive end, but of course, much more exciting on the offensive end. And as we grew during my eight years there into doing more offensive operations, very proud of the accomplishments we had.
Starting point is 00:07:26 I think we did some really incredible things, very creative things you wouldn't have even thought of when I first got there. We got to do by the time I left. But my experience there basically showed me that there's more talent out there in America than what the military services can produce. If you want to be an offensive cyberspace operator, you basically have to come through the military to do that. And among the talent that America has, I'm not sure that everyone who would want to contribute is willing to go through the traditional military experience of the Marine Corps boot camp or Marine Corps officer training or that of any of the other services.
Starting point is 00:08:06 And so really my driving interest in this issue is how are we going to win on game day? And that depends on who is going to be there on game day. And of course in cyberspace, every day is game day. We have a steady state condition where we are engaging with multiple adversaries every day. But then we also have crises that we can anticipate and some that we've already been through. And what I'm hoping for is an organization that can recruit, train, and retain the people that we need for that steady state, everyday fight and for the big crises that we might face.
Starting point is 00:08:44 And I believe that there is a different type of organization that America can come up with that will not put the people that are going to be on keyboard, make them sleep in the mud before they get on keyboard, make them fire a rifle necessarily. They need to have some sort of offensive mindset and something like the joint planning process in order to conduct cyberspace operations, but they need a different type of entry program in order to come to the aid of America for cyberspace. Awesome. That really frames the experience of what our cyber operators deal with. So back to the report, Mark, can you summarize some of the key findings in the report and
Starting point is 00:09:24 what your recommendations are for setting it up? Yeah, absolutely. So look, first of all, let me just say what it isn't. This report is not some kind of condemnation of US Cyber Command. I want to make clear this: we're talking about force generation here, not force employment. There are probably force employment problems of Cyber Command. I'm almost sure that they would stipulate that part of their new CSC 2.0s to get at that. And they should be working on those. But that is not what this report is about. And I don't think that's the core issue. I think US Cyber Command is doing an adequate job with the forces they're given and the resources are given to employ those forces. So we'll set that aside.
Starting point is 00:10:00 What this is is an argument for a more trained, ready and agile cyber force. And it is an absolute criticism of the current methodology that the services employ for recruiting, onboarding, training, maintaining, developing, and retaining our cyber force operators. And it is broadly a statement that the current force generation model does not work and will not suffice for the kind of growth that we're going to need and the capability and capacity we're going to need to get the maximum capability out of our cyber effects and to make sure that our cyber effects are adequately supporting our broader kinetic and joint efforts.
Starting point is 00:10:43 And so to me, I start with recruiting and just say, we're not recruiting the right force. I don't think that the leaders of any of our cyber forces on a polygraph would be able to pass saying, I'm comfortable with who we're bringing in. That doesn't mean we're not bringing in great Americans, right? I thank God for the young men and women who are joining our military today.
Starting point is 00:11:02 My son's getting commissioned in a couple of weeks, and it's a hard thing now to convince this generation to join. You can see the polling and statistics and show that not only are 75% of broadly, about 75% not eligible for military service because of fitness, mental issues, academia, things like that, but about 75% don't want to join the military. Luckily, and they're not the same 75%, so we're working from a lower than 25% to get at right away. Our recruiters are working their butts off and we know the Army missed numbers by a lot.
Starting point is 00:11:33 The Navy very wisely snuck its numbers a couple hours later, a day later, and the Navy quantitatively did, had less of a miss than the Army, but as a percentage of what they needed, it was even higher. And I'm just telling you, two of our services, I'm not sure how they, the Marine Corps recruits differently. They usually do pretty well, but that doesn't, we'll talk about it.
Starting point is 00:11:54 It still doesn't get the right operators in because they're recruiting from the, a pool that's looking for an infantryman first, first, second, and last. And then I'm not sure about the Air Force, but what I'll say right now is the services have got a normal traditional recruiting, which is sitting outside the locker rooms of all the men's and women's sports teams and trying to get those best athletes coming out. And I mean, we hit other places, but let's be clear, that's the focus. The focus is for a, you know, to get that kind of soldier, sailor, airman, Marine in. I don't think they're sitting outside the E-gaming hovel down in the basement of the high school.
Starting point is 00:12:27 I don't think they're sitting outside the robotics club, not in the right way. So what happens is we're bringing kids in and we interview squadron commanders and multiple certain battalion commanders and multiple services who told us, hey, my job is to do something really complex. Maybe it's develop malware for something or else. And I get my hundred young men and women in to do this. And I'm using less than 10% for to achieve about 95% of my mission. That doesn't make the other 90% of people bad.
Starting point is 00:13:00 It makes them frustrated, but they're not able to do their job. They were not, they probably couldn't even write Python when they come in. I'm imagining how people become cyber at the processing place for the enlisted men and women coming in. They're like, Hey, how are you? Do you know cyber? You know what I mean? I don't think it's that they're like, ah, we've got the person with
Starting point is 00:13:16 Python, these three certificates. They work two other things. You're going into this kind of suspect in the cyber force. Instead, if they're in the Navy, first pick is going to be SEALs. Second pick is going to be the nukes or maybe rotate those. Third pick is going to be the Aegis fire control technicians. Then cyber might get a person that said, by the way, I'm cyber capable.
Starting point is 00:13:33 You know what I mean? If they've got the good ASVABs, they're going elsewhere. My point on all this is that the recruiting is not tailored to developing a cyber force. So right off the bat, you're really handicapping yourself. What if I told you, here's our group of SEALs for the first night of the first day of hell week. By the way, about 80% of them didn't make the, couldn't pass the normal Navy PFA. Let's see how you do, chief. It's going to be a complete cluster. So we're recruiting the wrong
Starting point is 00:13:58 people. We're not training them consistently across the services. Some do better than others. Some are investing in that training program better than others. And we're certainly not compensating them consistently. Way too many of our reports where you have E5 sitting side by side, same mission. They've been in the service the same amount of time. In theory, they're in the same job. And it doesn't matter which one's better than the other. One of them randomly is compensated significantly more than the other.
Starting point is 00:14:24 You can't have that. That does not help either. It certainly makes the person making the less money uncomfortable. The other one worries, what's my future going to be when things twist a little bit? So to me, that's bad. And we're just, we're not getting the retention. What rank of person we do in certain jobs is different across the services. One of the services, adamantly refused to create an officer, basically a cyber warfare officer, until Congress forced them as a Navy. And I do appreciate that Navy once they did it said, didn't we have a great idea
Starting point is 00:14:55 we're creating this cyber warfare? I'd be like, whatever, you fought it for nine years, but now you got it. Something's wrong with this system when we're doing this. And so for me, I have to believe that with that recruitment, onboarding, training, retaining, that core force generation is the thing impacting readiness and really it's preventing cyber, Cyber Command from being what it needs to be.
Starting point is 00:15:20 General Nakasone rightly recognized two years ago, he needed to grow the number of teams. I think he said 14, but I think his real goal was in the 30 to 40 over a half a decade. But he couldn't really do it. We don't have the people for the current teams. So this is a criticism. And the service performances are inconsistent.
Starting point is 00:15:37 When we first did this in 2010, 2011, I think you just said the Navy was in a pretty good position. I would now say they're the anchorman of the grouping of services. So things move within them. I will say right now, the Army has challenges, but they're probably the top performing service in this. And some services still don't have general officers with actual cyber operator experience as a field grade officer. They just randomly become cyber at the point of conception as a flag officer. That's probably not a good system. So we really need to work on it. So a heavy criticism of
Starting point is 00:16:10 the force generation. And again, to me, cyber force is the natural solution. Others may see different, but no one can argue that the status quo is functioning properly. Kurt, did you see any issues along those lines in your time in the cyber units that you worked in? Sure. So this is a mental exercise to highlight what the Admiral has been discussing. Just for a second, picture what your ideal Marine recruit or any service, your soldier, sailor, airman, coast guardsman, guardian, what the ideal recruit would look like, what the ideal mid-career professional looks like. And then think about what your ideal cyber operator might
Starting point is 00:16:46 look like, and what your ideal mid-career cyber operator would look like. I don't think they will look alike. And not just physically. I'm talking about think about the discussions you would have with them. How they make decisions, what they think is important, what their creative minds think of in terms of operating.
Starting point is 00:17:05 These are the skills that we need, especially in cyberspace, which allows for a lot of creativity, and which isn't always encouraged by the services. There are a lot of creative people in the services, but sometimes those services also prefer conformity. The cyber domain demands something different. The threat demands something different. And there were some really creative people at Cyber Command, and like the Admiral, no criticism of Cyber Command there.
Starting point is 00:17:32 Like I mentioned, very proud of what we did there. But we're an organization, Cyber Command, we were a combatant command. Combatant commands mostly carry out military missions. We support other DOD assignments and responsibilities. We support other organizations and their missions. But there are also much broader issues at stake, and some of those are law enforcement issues. Some of them are economic.
Starting point is 00:17:58 And the type of force that we need needs to incorporate their expertise at an operational level. There are joint and interagency teams that were very successful, but for the breadth of what cyberspace interests represent to America and the types of personalities that need to be involved, not just in the government, but also in the private side, because a lot of the battlefield, so to speak, is owned by the private sector, that we need to have a much broader representation in whatever America's premier organization for cyberspace offensive operations is. Kurt made me think of something there. Marines are a perfect example. I think the Marine Corps
Starting point is 00:18:38 ethos is every Marine a rifleman. I get it. And no for every cyber operator, right? We don't need cyber operators as riflemen. I mean, they may be kick ass at Call of Duty, but we don't need every cyber operator as a rifleman. And that's exactly why you need a unique cyber service. This is a much different argument than Space Force. Space Force was a cleaving of a mission set from the Air Force and separating it because there was a decision made that maybe the Air Force wasn't focusing its resources properly on space. I mean, Space Force was 88 or 90% of what came from Air Force. This is about pulling from each of the services that capability. I'll give you, we can talk about some more things later on, but I'll just say that the,
Starting point is 00:19:20 the, we will just having a focus on cyber and recruiting the right young men and women to join that service is going to have an amazingly impactful role and amazing impact on readiness, I think overall and on Cyber Command's ability to operate going forward. So to me, just with that, and we can talk about the other advantages further on in this, but I'm very comfortable with this recommendation. U.S. Cyber Command has been progressively getting service-like authorities, controlling team structure, training requirements, budgets. There's often, when you have this conversation, there's some analogies to U.S. SOCOM, you already mentioned Space Command as well. What impacts do these efforts have on the appetite for cyber service?
Starting point is 00:20:04 And how would a new service change this progression? So let's be clear. Some of these changes that Congress has been doing have been because there wasn't a cyber force, the frustration with the services led to the transfer of these authorities to cyber command. I think this is, it was the right thing to do. Not a cyber force, not being an option, but it's the wrong thing to do when you just clean sheet it and say,
Starting point is 00:20:25 what is this how I would want to do it? Transferring acquisition, then the EBC enhanced budget control, the acquisitions go into cyber command is fraught with risk. We are really transferring things outside of the traditional civilian military oversight of acquisition. You get a service structure. There are a lot of things about a service structure
Starting point is 00:20:42 that made all of us want to leave the service, right? But one of the things that's right about it, one of the things we all understand deeply is that civilian oversight of certain military, the performance of certain military duties. And acquisition is one of the heaviest ones. This particularly is due to the rapid rotation of military personnel through their tours, right? We don't make them sit in a job for four or five years at the Pentagon doing acquisition. You need that civilian oversight. I am very worried about, I both understand why Congress moved those over. A lot of it was done with Cyber Solarium Commission recommendations. Working with Representative Jim Langevin, Senator Angus King, Representative Mike Gallagher, pushed those authorities over to Cyber Command,
Starting point is 00:21:26 but that was because there was an absence of another option. I do want to pick up the SOCOM one, because I hear this all the time. And first I want to say, I think I have a good alliterative on this in terms of the people. There is a unique thing about a soft special operator on the ground, air, in the maritime.
Starting point is 00:21:43 I'm going to just stipulate that I suspect neither one of you should be flying like an Air Force Pave Low as a side hustle, right? We didn't train you for it, we didn't get you for it. I'll also say I've sat down on my submarine and 50 miles off, I wanna blow up a train trestle in Pyongyang, I'm looking around and there's an Air Force
Starting point is 00:21:59 Helo pilot or a Navy SEAL, who's jumping in that little Scooby-Doo to go 50 miles ashore and blow up the train trestle? Probably I'm picking the SEAL, right? There's a unique service nature to the special operators. If I then say, let's take that train trestle out with a cyber tool, I'm not like, hey, where's that Navy guy? Because it doesn't really matter, right? It could be any service. And so the SOCOM model kind of breaks down when there's not this service specific value to things. I'll also tell you the SOCOM acquisition model is not like five stars on Yelp, right?
Starting point is 00:22:32 It's had some real challenges. My spider sense is that acquisition is best handled by the services. By the way, the service acquisition has a lot to do with smart people like General Dunford saying, hey boys, we need to hope we need to slow down our roll on separating NSA and Cyber Command because of the inability to get that kind of infrastructure, the cyber specific infrastructure that's necessary out there. So look, there's this angst ridden reach to find some other way to do things other than the services just reinforces my belief that you need a cyber force.
Starting point is 00:23:03 And when you have it, you can pull some of those authorities back. In the meantime, they're best held by Cyber Command. Sometimes we'd have someone come into our office at the Cyber Command staff judge advocate office, particularly one of my first bosses, probably somebody who's well known to West Point and to the listeners of the podcast, Colonel Gary Corn. We'd have someone come into the office and say,
Starting point is 00:23:23 we need this operational authority or we need this administrative budgetary personnel authority. And he'd say, all right, suppose we had that authority today, do we have what we need to execute it? And we'd get a lot of silence in return four times out of five, because we didn't have the personnel to carry out that activity. And one of those things was in line with budget concerns. We get enhanced budget authority, or we get an additional contracting authority,
Starting point is 00:23:53 new method to contract with the defense industrial base, but we wouldn't have enough people, or potentially any people, to actually run the processes necessary to get those contracts approved. So just because you're given an authority or a responsibility doesn't mean that you're prepared to take advantage of it. And when you tell a combatant command that you now have this authority, that doesn't change the table of
Starting point is 00:24:20 organization for the organization automatically with it. You also have to get the people in who have the expertise and you also have to implement the processes. And then you have to get all the people outside the organization. You have to get them used to doing business with this organization, the type of which they haven't had to deal with in this way before. And one other thing I want to mention that's different about Special Operations Command from Cyber Command and from every other organization that I've observed throughout my career, and I've never heard anyone say it, but I've discussed it with others and I think that
Starting point is 00:24:53 it's true. Special Operations Command has a moral force behind it that drives a lot of decision making and a lot of support, and that is because special operators are closest to the danger. And being that close to the danger, they're able to get Congress's attention, they're able to get the administration's attention and the Office of the Secretary of Defense. And that drives a lot of things in their favor and they deserve it, of course, because they are the ones closest to the danger. No other organization generally has the same level
Starting point is 00:25:26 of urgency and moral persuasion ability behind it. I pick up on that and say, I think the same thing applies in inter-service arguments. Like I think SEALs have done better than information warfare personnel are in and getting money and acquisition things. And just in general, I think that's true in particularly in the Army,
Starting point is 00:25:44 but it's also true in the Navy and Air Force, where the special operators are just more successful at gaining access to resources and capabilities. Awesome. That's fascinating conversation back and forth. And I'm learning a ton throughout today. So I know our audience will as well. Moving on next portion. So both DISA and the NSA play significant roles in cyberspace. How would the cyber force change the relationship with these organizations? For example, should the cyber service assume responsibility for protecting and operating the DoD information network?
Starting point is 00:26:14 I'll give it a first whack at this. So first, I'm gonna be clear again, we're not changing Cyber Command. So that role, that element stays the same and they have a role with both of those. Look, if I had my way over time, the DODIN would be a sub-unified command of Cyber Command. I think that's much like we've set up a sub-unified command on the offensive side. I'd set up one on the defensive side.
Starting point is 00:26:34 Let's take that issue set aside. Will it have an impact? Yes. The NSA cyber command split's not going to happen under the current model. I can guarantee you that. Five years from now, they'll either ask General Dunford to come back and do it again, or they'll find another retired chairman say, could you take a look at the, maybe CQ Brown will take a look at it, but they'll come back and say, Hey, we're not ready. But this is interesting. And we're going to talk later. I think about how you break forces up.
Starting point is 00:26:57 If you create a cyber force, it's hard to say. I understand the cyber operating force to be about 6,200, we'll say, but the, the DISA part, the DODIN CPT cyber protection teams, to me, they would probably be part of the cyber force, right? There's things you could take a look at in there, but there's other functions DISA does that have nothing to do, that are really about CIO responsibilities for the Department of Defense.
Starting point is 00:27:21 They contribute to the CIO's mission, things like that. It's a thing you'd split up iteratively. You make a first cut, work with it, see if you need to do more. My recollection is that Space Force started out with 16 or 17,000. I think it's gonna end up with about 24, 25,000 as they continue to maneuver people around.
Starting point is 00:27:37 My gut reaction is we'd start out with about 10,000 because there's more than just the Cyber-Operating Forces training units and recruiting and things like that that would have to come over a little bit from each service. Start at around 10,000 and maybe grow. And here, how far you grow, I think is going to be different to Space Force because there is a growing adversary capability. There's going to be a broader demand signal for both CMT mission teams and protection teams, both at a national level, combatant command level,
Starting point is 00:28:05 and DODIN level. So it would grow to 17, 18. Some of that growth might just be growing more people, which you have a much better chance with if you have cyber recruiters, by the way, and not relying on services to go grab people. But some of it might be that you say, hey, we took these people,
Starting point is 00:28:21 we probably should have taken those. I will tell you there's a large amount of Department of Defense retained and then service retained, IT management, even some cyber protect capabilities that are unique to the services that will be retained. This isn't moving everything over, but it's moving a lot over that allows you to better equip, operate, maintain, retain the cyber operating force. Which I think is only going
Starting point is 00:28:45 to increase. As you see, cyber is a percentage of a military operation going back all the way to Kosovo to some future conflict 15, 20 years from now. It's a linear verging on exponential growth curve. And to be ready for that exponential growth, we're going to need a pretty fulsome cyber operating force. I'm not sure with regard to DISA, they're the defensive organization. I completely endorse Admiral Montgomery's thought that they should be a sub-unified command. It just gives them extra emphasis and authority and ability to move the needle for the things that they need. But in cyberspace, offense informs and improves defense and defense informs and improves offense.
Starting point is 00:29:25 Whether that's best done under the same organization, under the same commander, I would assume it would be best that way, but I think it's something worth exploring. With regard to NSA, NSA is a DOD organization, but they also have national missions that go beyond the DOD. They're informing intelligence needs across the executive branch and leave with members of Congress as well. And so they're gonna continue to support cyber, whatever the cyber force looks like,
Starting point is 00:29:55 they're gonna have that responsibility as well. NSA and Cyber Command have a special relationship, a special partnership, partially because they have a dual command, also because they were told essentially to have a special relationship by Secretary Mattis, better known as General Mattis to the Marine Corps. But that drove the members of NSA
Starting point is 00:30:17 and the members of Cyber Command to work together to solve problems so that we didn't have to bring them up to our common parent or so that we could provide solutions that both sides, both organizations could live with. That was very helpful to Cyber Command in addition to all the practical support in terms of personnel and platforms and tools and such. But I would imagine that NSA and whatever the new cyber organization would be best served, both of them, if they had a special relationship as well. There's a bunch of different units that play a role in cyber domain.
Starting point is 00:30:49 And each service has units that do things in tech that might not be considered cyber units. And for example, is like the Signal Corps, any sort of communications unit, all include some of the software factories that are actually doing development, would your version of a cyber force include these units? And as all of our units become more reliant on both artificial intelligence and just software to conduct military operations, what's the danger in separating them from the other services?
Starting point is 00:31:14 So first, I hear this a lot from the services. I love to hear this from the services that maintain four independent aviation elements and an army that has more ships than the Navy. You've got to have, you've got to be pure as the driven snow on this separation. I look at them like, you've got to be kidding me, but I'll set aside the hypocrisy of the kind of, I can't believe you can't answer this question perfectly. Now I generally say, we'll have to figure it out. My gut reaction is from the software factory development, where it leads
Starting point is 00:31:42 directly to tool development, particularly on the offensive side, on a kind of sec dev model that probably would belong in the cyber force. Some would not. AI broadly, there'd be some elements there. There'd be some trimming of the amount to account for what was doing AI in a service and it would go over. Then a second iteration, I think. And look, we don't solve the problem. We make a recommendation in our report, a broad one, the biggest of which is that I would put it for civilian management purposes in the Secretary of the Army. We can talk about that in a later question. We obviously do this in a way, if a service is adamant, they need to have it and watch that and then determine over a few years whether that was an accurate assessment or not. I don't think we have to be, I definitely want to measure twice and cut once the first time,
Starting point is 00:32:27 but I recognize that first cut's not the final cut. A first cut's to get it started, get it moving. Look, the goal here is to improve readiness. We will improve readiness creating this. And the longer we delay, by the way, we just make this problem worse. I do not think the current status quo, it can compete with the adversary
Starting point is 00:32:45 development in any way, shape or form. From my perspective, I think this is a good opportunity to make a first cut, get moving, and then figure it out on a second cut, the final details. I know large organizations like the Pentagon don't like to hear that, but I think that's realistic. I have two observations regarding this question. The first is that an organization is best served when it has everything it needs organically. There were times that we were beginning offensive operations, really the very first significant ones that were not part of a larger conflict, OEF or OIF, where the organization discovered that we might need air assets,
Starting point is 00:33:27 or we might need a drone, or even potentially might need special operators. And at that point, you've got to go to another commander and that commander is probably stretched thin with his or her own mission using those assets and you've got to ask to borrow those. And that commander's mission is always going to be the most important thing to them. So if your cyberspace
Starting point is 00:33:49 operations requires aviation assets and you've got to borrow them somewhere, it's obviously better if you have them yourself. Other thought is that the separate organization does not mean that what Cyber Command does stops happening. Cyber Command has three missions, defend the DODIN, support other commands, and defend the nation. I think the defend the nation mission would be the one that would go to this other organization, but Cyber Command and its military personnel having gone through learning the military planning process, a lot of the people in those organizations having served at the type of missions that
Starting point is 00:34:31 they will still be supporting an infantry mission with a cyberspace capability. That you still need to have those same people who understand the position, those military traditional military activities, the context that they're conducting their missions in, that they still need to be part of that. And so this other organization, I don't envision it subtracting that support to other combatant commands mission from Cyber Command. Maybe it will in some regard, but we still need to have military operators and we'll still need to have service members
Starting point is 00:35:05 learning cyberspace operations in order to support those other types of military operations in some way. And again, I think our report and in general, we don't try to resolve, look, there are existing problems between cyber command and the combatant commands about the employment of force and things like that.
Starting point is 00:35:20 I think they're working hard. They've worked hard to correct a lot, get it aligned properly. I think they're much closer than they've ever been. But we don't try to address that as much. And I'm comfortable, sometimes people say to me, how can someone do something if they weren't that? Look, I'm going to say right now that if I was an Army Special Operator up there and they said, hey, we got an A-10 pilot up there, he spent all his time as an Army Special Operator, he's flying this week. Or I got an A-10 operator up there. He's been training to drop bombs in a close proximity to
Starting point is 00:35:47 friendly forces for the last 10 years. You're going with number two. You don't need an Army guy. You know what I mean? You're okay with another service providing a capability and capacity when it's their expertise. Hey, Mark, you've forgot all about electronic warfare. And I'm like, me and the Department of Defense, right? What they're really saying to me is, hey, as a department, we suck in electronic warfare. Yes, we do. But it's not being solved by keeping cyber in the services or keeping this. The reason we suck in electronic warfare is we took a 25-year holiday from it while we fought a couple adversaries that didn't have electronic warfare capabilities. And now we're left with a couple of these C-130s that wouldn't last a minute in a
Starting point is 00:36:25 high-end war, broadcasting signals, and some jammers on E-18 Navy Growlers. And by the way, the delivery of the next generation jammer has been like, I like to say it's like the Phoenix Suns of jamming. It's always two years away from being two years away. Let's just be clear. We suck at electronic warfare because we made a conscious decision to suck at electronic warfare. And telling me that's hampering, creating a cyber force is ludicrous. Whether we have a cyber force or four separate forces, we're going to suck at electronic warfare until we collectively as a department say, we're not going to suck at electronic warfare and start investing in it.
Starting point is 00:36:59 By the way, China and Russia don't suck at electronic warfare. What we're hearing from anyone who drives through the top 10 miles of Israel right now understands that neither the Israelis nor Hezbollah suck at electronic warfare. Try getting a GPS signal up there, right? I'm just telling you there's an electronic warfare problem out there. The Department of Defense has done crap about it. And telling me that has something to do with the cyber force paper is ludicrous. Now, I do want to fix electronic warfare. Maybe we'll do a separate report on that. It's not going to be this. And we're not going to create, I'm not saying create electronic warfare corps. That is
Starting point is 00:37:31 something that is done by a Growler naval flight officer and our weapon system officer in the back seat. Right. That's, and unfortunately we're down to just the Navy doing that. The Air Force and Marine Corps have fled that mission over the last 15 years. In case we need proof of this, and I do get we're pretty good at like counter IED jamming. That's another mission set, but unfortunately not a mission set for China or Russia in the world we find ourselves in. So what I would say is I'd set that aside and when people bring up electronic warfare, it's just a red herring on this argument.
Starting point is 00:38:06 So building on that discussion we just had there, how have the existing services responded to the concept of a new cyber force and how would you envision the cyber force integrating with the existing services and their organizations such as the US Army Cyber Command? I'll give you two thoughts. There's the public thought of would I expect any senior military official to say, I think this is a good idea. What's my next promotion board? No, nothing. Now, privately, do I get some of them call me? Look, some call me and say, I'm not on with you. I accept the status quo doesn't work, but that's not the solution. That's fine. I respect that. Some have called me
Starting point is 00:38:38 and said, I'm with you. I ride herd on services on this, and's not cyber service like looks like the right idea. The official DOD position is going to be, we don't even want an outside study. This is how insane the point we're at. We're recommending an outside study. They're like, we do not want an outside study. When someone tells you in the face of all other evidence that everything's fine, we don't need outside study, I feel that they're like that Army ROTC guy in National Lampoon getting run over by the band. Like they have no idea what's coming at them, right? It is unreasonable for the DOD to do what they're gonna do, which is try to give it to Congress
Starting point is 00:39:14 to not even ask for an outside study. And people should understand that lack of transparency is a killer. What kind of force structure alternatives or what kind of policy moves do you expect to watch for the next year or so on this issue? I don't start with the assumption that whatever this other organization should be a Department of Defense organization. It may very well be the right answer, but I don't start with that assumption. I'm trying to start with no assumptions and just start with the threat. And we need to look at the successes and failures of the United
Starting point is 00:39:48 States in cyberspace, those of our allies, as well as where our adversaries have been successful against us. Our adversaries, not that we should necessarily emulate them, but they've got more than just their intelligence services and their military forces operating against us. And so I would entertain all the possibilities with regard to what this organization should look like based on what is the best way for the United States to defend its interests and its homeland. Kurt, thanks for that. I take a slightly different take. And I do appreciate you mentioning our adversaries because just as a data point, 10 years ago, China looked at this and went with it as part of their
Starting point is 00:40:29 strategic forces reorganization, created a unique cyber force in their military service. I first want to stipulate, and I think we've all made this clear, we have great operators at Cyber Command. And Cyber Command is the most capable, I think, offensive force in the world. It's a hard thing to assess when you look at capability and capacity added together, you know, offensive cyber force in the world. And we shouldn't take that for granted, but we should also need to recognize that we're not saying we don't have good people now. We're not saying that cyber force isn't the right force employment model now.
Starting point is 00:41:03 We agree with that. Where the argument we're trying to make is, how do you make our force generation capability and capacity, one that can service the cyber command we need five and seven years from now? And I think the only way to do that is with a unique force. I don't give myself the luxury that Kurt does of thinking outside the Department of Defense, because I have the history of working in the Hill to say, at no point ever would the Senate Armed Service and House Armed Service Committee allow anything to leave. Maybe they should have better imagination than that, but I don't stipulate it won't happen. So from my point of view, I think this is the most significant thing we can do. We need to do significant things. And that a cyber force in the long term, a dedicated force generation capability that
Starting point is 00:41:49 recruits, onboards, trains, maintains and retains our cyber, the men and women that do off this kind of cyber operation force missions, both offensive and defensive, a unique service dedicated that is worthwhile. It'll allow us to conduct the missions we need to conduct five and 10 years. And now particularly against China, but against Russia, even North Korea and Iran, by the way, even are like lesser included adversaries like Iran and North Korea. They can't touch us with a physical tool easily, but they can touch us with cyber tools. So from my perspective, this is the way forward for us. And this is the way. Mark, Kurt, thank you for joining us on the Irregular Warfare podcast.
Starting point is 00:42:30 Thank you, gentlemen. Hey, you've got a little Star Wars in there. All right, thanks. Thank you again for joining us on episode 109 of the Irregular Warfare podcast. We release a new episode every two weeks. Our next two episodes will tackle illicit financing within the conflict in Sudan, followed by our second part of this series, the argument against a cyber service. Be sure to subscribe to the Irregular Warfare Podcast so you don't miss an episode. This podcast is a product of the Irregular Warfare Initiative.
Starting point is 00:43:00 We are a team of all volunteer practitioners and researchers dedicated to bridging the gap between scholars and practitioners to support the community of irregular warfare professionals. You can follow and engage with us on Facebook, Twitter, Instagram, YouTube, or LinkedIn. You can also subscribe to our monthly newsletter for access to our content and upcoming community events. The newsletter signup is found at irregularwarfare.org. Please leave a comment and positive rating wherever you listen to the Irregular Warfare
Starting point is 00:43:26 podcast. And one last note, all that you hear in this episode are the views of the participants and do not represent those at Princeton, West Point, or any agency of the United States government. Thanks again, and we'll see you next time.
