Irregular Warfare Podcast - Do we need a Cyber Force? Part 2: Arguments Against a Seventh Service

Episode Date: August 9, 2024

Episode 111 examines the arguments against a United States Cyber Force. This episode is a two part series of Project Cyber that looks at the arguments for and against a Cyber Force.   Our guests shar...e their backgrounds and the history of the U.S. Cyber Command. They express their skepticism towards forming a new cyber force, advocating instead for continued evolution within the current framework. They then argue that cyber operations should remain integrated with existing service structures and emphasize the critical role of cyber in national security, and public safety. Our guests conclude by discussing the evolving digital landscape while urging policymakers to comprehend the gravity of cyber threats and the need for a more agile and integrated approach.

Transcript
Discussion (0)
Starting point is 00:00:00 I want to see cyber fully seamlessly integrated into military operations, not just strategic level operations, but down at operational and tactical levels as well. I haven't given up on that notion. I think the Army still has more aircraft in the Air Force and I believe more watercraft than the Navy. When you separate out of force, each service tends to just replicate what it needs to take care of itself. And it ends up just expanding the need for similar skill sets, which we don't have.
Starting point is 00:00:42 Welcome to episode 111 of the regular warfare podcast. I'm your host, Matthew Mollering. And today I'll be joined by my co host, Don Edwards. In today's episode, we are joined by Major General retired John Davis and Mr. Robert Schreier. This episode is produced in collaboration with IWI special project on cyber and is the second part of our two part series looking at the arguments for and against standing up a new cyber service.
Starting point is 00:01:05 Our guests share their backgrounds and the history of the U.S. Cyber Command. They expressed their skepticism towards forming a new cyber force, advocating instead for the continued evolution within the current framework. They then argued that cyber operations should remain integrated with the existing service structure and emphasized the critical role of cyber in national security and public safety. Major General Retired John Davis is a Vice President of Public Sector for Palo Alto Networks. Prior to joining Palo Alto Networks, John served as a Senior Military Advisor for Cyber to the Under Secretary of Defense for Policy and served as the Acting Deputy Assistant Secretary of Defense for Cyber Policy.
Starting point is 00:01:45 Prior to this assignment, he served in multiple leadership positions in Special Operations, Cyber, and Information Operations. General Davis is also a plank holder and part of the original team who established the U.S. Cyber Command. Mr. Rob Schreier is the Chief of Staff of the Asymmetric Operations Sector at Johns Hopkins Applied Physics Laboratory. He moved to the laboratory from the DoD Senior Executive Service after a 36-year career. His final DoD position was serving as the Deputy to the Commander of the Cyber-National Mission Force, U.S. Cyber Command. Mr. Schreier was a plank holder and part of the team who established U.S. Cyber Command and then served as the initial Deputy
Starting point is 00:02:26 Director for current operations. You're listening to a special series of the Irregular Warfare Podcast, supported by the Princeton Imperical Studies of Conflict Project and the Modern War Institute at West Point, dedicated to bridging the gap between scholars and practitioners to support the community of irregular warfare professionals. Here's our conversation with Major General Retired Davids and Mr. Robert Shrier. John, Rob, it's a pleasure to have you on the regular warfare podcast.
Starting point is 00:02:50 Thanks, Matt. Pleasure to be here. Same here, pleasure to be here. John, we recently had Admiral Montgomery and Kirk Singer on the podcast to discuss the decision to have a report to look in the creation of a new cyberforce. And before we go on your thoughts on what your take on the case against having a cyber force, can you quickly just give a background on what your relationship is with both Cyber
Starting point is 00:03:11 Command and how you got to where you are today? Sure, Matt. I'm currently vice president of public sector at Palo Alto Networks, which is an international cybersecurity company based in the US. Been there for almost nine years now. And I want to make sure upfront, I am not representing a Palo Alto Networks position security company based in the U.S. Been there for almost nine years now. I want to make sure upfront, I'm not representing a Palo Alto Networks position on this, just my own personal assessment based on my background
Starting point is 00:03:32 and experiences in the military cyber-related assignments. Before joining Palo Alto Networks, I had more than 35 years in the military. I know I don't look like it anymore, but the first half to maybe two thirds of that was in airborne infantry, ranger infantry, and special operations organizations. But the last decade was in cyber operations, including US Cyber Command and Joint Task Force Global Network Operations before US Cyber Command, which is why I'm wearing this shirt, which has got the cyber comm logo on it for inspiration. Also involved in cyber strategy, cyber policy, interagency and international cyber coordination issues.
Starting point is 00:04:17 Thanks John. And Rob, you have a long history in this as well. Can you give a little bit about your background in cyber too? Yeah, absolutely. Like John, I had a long, long service history, like 36 years in the DOD. And it was in the last full third of my career that I ended up focusing on cyber. I actually started helping and led the standup of the operations in U.S. cyber command as early as June, 2009, a year before the command stood up coming
Starting point is 00:04:43 over from the IC. And along with John, I helped lead current operations the first couple of years of cyber command. And that's when we didn't have viable components at the time. So we were actually operating at the strategic, operational, and sometimes tactical level at the same time, which is not something I would recommend for any military organization to do. I then came back and finished my career, the last two years of my career, as the deputy
Starting point is 00:05:11 to the commander of the Cyber National Mission Force, as a deputy both first to General Nakasone and then the vice admiral, T.J. White. Where I sit now is I'm on the executive leadership team of the asymmetric operations sector at Johns Hopkins Applied Physics Lab. And my views today are not the labs, they're my personal views. In my current role, Cyber is one of the missions we support, but we also have major Intel support mission, ChemBio mission. We do a lot of support, the special forces.
Starting point is 00:05:47 We were critical in the recent pandemic. John, what are your thoughts on the necessity of a separate service for cyber? Let me start out by giving a little context. I think there's no question that cyber is increasingly critical to not only national security, but our economic stability, and even public safety on a massive scale. When you look at some of the more recent ransomware impacts on hospitals, schools, government functions, et cetera, it absolutely needs to continue to
Starting point is 00:06:18 evolve. And I think it makes a difference whether we're talking about another military service or more of a national force. And I don't want to derail're talking about another military service or more of a national force. And I don't want to derail the conversation about a separate service, but I consider the real issue that we should be looking at is beyond the military role for the nation, because our real critical blind spot is our national critical infrastructure, which is a much broader problem than only the military can help solve. But I'll start with the military question. So the bottom line for me is what is the outcome that we want?
Starting point is 00:06:55 What exactly do we mean by cyber force? Because depending on how you scope that, that could be hundreds of thousands across the cyber functional landscape today. Operate the network, defend the network, conduct offensive cyber operations, provide intelligence support for cyber operations of all of those types. And some people have said, and I think you probably see this with Mark Montgomery
Starting point is 00:07:18 and Kurt Sanger's discussion, they're really only talking about the cyber mission force, national mission force, national mission force, combat mission teams, cyber protection teams, cyber support teams. So a couple of thousand people, it was 6,200 at my last count, but I think maybe now it's going to be grown to a few more. And you got to ask yourself, is that worth creating the seventh service? And what problem are we trying to solve?
Starting point is 00:07:46 And why can't we solve it by maturing the path that we're on now? Instead of asking if we should create a separate cyber force, wouldn't the better question be how can we evolve and mature cyber organizations and capabilities into the most effective function for the military within the cyber domain. A separate cyber service might represent one option, but I believe there are less dramatic and traumatic options to consider to evolve cyber for the military than to create a separate cyber service or cyber force. What I would like to do is just take a couple of minutes and explain why I think the way I do and what my position is. And I think that it's based
Starting point is 00:08:34 on my experience in the evolution of both the special operations community as well as the cyber community. And I think the special ops evolution is a relevant story that I have some personal history with. Back in the 60s and 70s, we had a history of service fragmentation from a siloed approach, and especially lack of service priority for manning, training,
Starting point is 00:08:59 equipping its special operations forces, and especially in the inability to integrate special ops into joint operations. And it led to a national disaster and tragedy just about 44 years ago, Operation Eagle Claw, which was the failed hostage rescue in Iran. As a nation, we tried to integrate what were essentially separate special operations forces and capabilities at the last minute. And it had disastrous repercussions for the nation. And I see a separate cyber service potentially heading
Starting point is 00:09:34 in the same direction with the same outcome. Following that failed catastrophe in Iran, we had the Holloway Commission report, then Congress stepped in and mandated the stand up of US Special Operations Command and the establishment of JSAW, a Joint Operational Subunified Command. And SOCOM was given service-like responsibilities. They had the authority to man, organize, train, equip, and provide special operations forces to the regional combatant
Starting point is 00:10:07 command so that those commands could command and control and direct the operations of those forces. So my personal experience includes almost 12 years of assignments in the Army Rangers at JSOC and at SOCOM. And the result was that starting in 1980, we built, the US military built a force that played a critical role in combating terrorism and other special ops missions, especially following 9-11. I was also involved in the evolution of US Cyber Command, the establishment of the service and joint cyber component commands, the creation of the cyber mission force, and the evolving command and control structure for the various cyber missions. Rob and I were on the front end of that. I believe there are many similarities between the evolution of special ops
Starting point is 00:10:56 forces and our current cyber forces. Both of them were born out of disaster or near disaster for special ops. It was Operation Eagle Claw in Iran. For cyber command, it was Operation Buckshot Yankee in 2008, where malicious software was discovered by Rob's organization and our most sensitive military networks, causing the decision to change our cyber organizational structure. And both saw the need for accountability and responsibility within a clear chain of command,
Starting point is 00:11:29 US SOCOM, US Cyber Command. Both saw the evolution of those unified combatant commands. Both established a joint operational sub-unified command, JSOC for SOCOM, the Cyber National Mission Force for Cyber Command. Both address service components, Army, Navy, Air Force, and Marines, and the same for cyber. Both address the support to an integration
Starting point is 00:11:56 into the other combatant commands. And both of them have highly unique skill sets and individual unit service and joint education, training, and certifications. So I see the similarities and there are also some distinctions and we can talk about those later but that background and that perspective is why I believe that there are probably less dramatic and traumatic options to get what we need for the US military in the cyber domain.
Starting point is 00:12:30 And I see a lot of disadvantages when you're talking about standing up a separate cyber service or cyber force. So I'll just stop there and I'll let Rob take a whack at it. Oh, good. Hard act to follow. Now that's perfect. I'm going to end up foot stomping a lot of what John said. John Maydor, very important.
Starting point is 00:12:48 He talked about putting this in a national context. I do think that's important. That's not what we're talking about today. And the one thing I'll say is I've documented my views on the need for us to have a national level cyber operational capability, by the way, without any new laws or authorities, and if anybody's actually interested in that, back in 2019, I actually published my opinion in the cyber defense review up at West Point. So it's out there, but I do think it's important, as John said, there
Starting point is 00:13:22 is a national context, and even though we're not, we're talking about one piece of that, we shouldn't forget that we are not prepared as a nation right now. And that is something in maybe your future episodes that you should address. Next, I also want to agree with John, I do believe doing a study is still the right, is the right idea, even though I have my own opinions. He said something that I just want to make sure just wasn't lost. I am only in favor of the government doing a study if it includes a significant number of people on the roster doing that study that have current or former experience leading and actually executing military cyber operations. It's hard to talk about a topic if you actually haven't been in it.
Starting point is 00:14:08 So I would just push that. So next, again, in agreement with John, but I wanna put a little wrinkle on it. Everything stems from a vision. And when I'm talking about why I don't believe there should be a dedicated separate cyber force created, part of my vision is I want to see cyber fully seamlessly integrated into military operations, not just strategic level operations, but down
Starting point is 00:14:34 at operational and tactical levels as well. I haven't given up on that notion. I think there's ways to do it. I think that's very important. So I'm even including phase three operations. I'd like this, I'd like to see cyber a part of that. And that's a lot of what, so when I'm thinking about there shouldn't be a separate cyber service, I am thinking of that. And I do have a bias toward that. John mentioned the authorities issue and I'm an ops guy. I'm not an authority guys, but looking at it, the cyber com new authorities that were assigned to it are fairly new and it looks like this year
Starting point is 00:15:08 was the first year that they were actually given their full budget. And so one thing I would just suggest, since I know all the people involved is I would like to see a little grace given to General Hawk and General Hardman and his new Jane, a little bit of time, they can figure out how to execute these authorities effectively and do something. Tim Hawks has only been in the job a couple of months and we're already talking about changing the landscape
Starting point is 00:15:34 of the way people would come to them. The other thing is, and this is a nominal number and you can get all kinds of numbers out there, but a lot of times when I talk to senior military leaders, we could start having a really bad day as early as 2027, and we're really worried about things in the far east. And with that as a context, is this really a good time for the level of upheaval, disruption that John talked about of creating a separate service as a way to solve the problem and evolve things?
Starting point is 00:16:05 of creating a separate service as a way to solve the problem and evolve things. 2027 is just around the corner and we have to have commands gearing up to do it. So those are my opening thoughts. And again, all of them dovetail with what John already provided. John, that was really good information. I really enjoyed the history of how our cyber forces got to the structure we're living today and how that looks at, how that's similar to other commands, whether it be SOCOM or other shows that evolved as well. Jonathan, you're really talking about kind of the timeliness of both being concerned about threats that may be coming in 2027, but just also like the authorities of cyber security. Do you see any reasons why advocates for cyber force are making this argument now?
Starting point is 00:16:47 Do you think it's a reversal in what you're saying or you think it's just the conversations evolving now? John, I really enjoyed the history of our cyber forces and how we got the structure we're living in today and the similarity between both cyber command and SOCOM and how both those evolved as well. Rob, something that you talked about, I want to tie the question to John, but at the time we miss of 2027, I think kind of ties this whole discussion of advocating for a new cyber force.
Starting point is 00:17:12 Do you see any reason why advocates are advocating right now for a new cyber force? Do you think it might just be the reverse of what you were saying earlier about not wanting to restructure? Or do you think it's just an evolution of how important cyber has become to the joint force? I think that the, I've talked with Mark Montgomery about this before, and I've talked with Kurt a little bit about it, but I believe that the primary reason, and I think that there's some truth to this.
Starting point is 00:17:38 I'll admit that Mark Montgomery's point about the services inability thus far to elevate cyber priorities for manning, training, and equipping is valid and may be the single most important advantage associated with creating a separate force. But in Mark's mind, I understand it's all about force generation and he sees a significant disadvantage in the current structure, especially with support from the services. It's very uneven. You got people in the cyber national mission force that are doing the same job, but being paid differently across the services. But I think that there are ways to make the services do what's required to elevate cyber in importance
Starting point is 00:18:22 based on its absolute criticality in the digital age. And I know that's possible because even though today, we're getting away from the counterterrorism and counterinsurgency model that has dominated the military's structure, thinking, building capabilities for the past 20 years, and we're getting back into great power conflict and competition. And so there's a significant interest from the Army, Navy, Air Force, and Marine Corps to build tanks, fighter aircraft carriers.
Starting point is 00:19:01 That is the priority. And in my opinion, like Rob said, that's not where we're getting our ass handed to us. I don't think our adversaries, I don't think Russia, China, Iran, or North Korea want to take on the US and its major allies in the traditional physical domain. I think that they believe they would lose. And what they're using is they're using information and influence rather than bullets and bombs to manipulate behavior, cause division, both politically and in societies for not just the US, but for the West in general. And they're doing it through cyber, artificial intelligence,
Starting point is 00:19:48 And they're doing it through cyber, artificial intelligence, influence, and both traditional, but especially social media. And they're causing us to tear ourselves apart. And what they're doing is they're doing this to create an advantage, to give them an advantage over us, to slow us down, to cause us to stumble over ourselves. And to me, that's getting back, not that I want to get off track with a military cyber force, that's the fight we're in today. And it's a fight. It is not, that is modern warfare and we are not engaged in it to
Starting point is 00:20:15 the degree that we should be. I know that there are things that the cyber national mission force is doing in conjunction with other agencies and other forces throughout the military to get more engaged in that fight. But it's a real struggle for, I think, our primary military decision makers, but even more so our political decision makers, to see what's happening in the information environment
Starting point is 00:20:41 as an existential threat to democracy, which I believe that it is. It's an exit threat that our adversaries are leveraging against us, never having to cross that traditional threshold of physical warfare, and they're leveraging this to gain an advantage over us, and it's working. And we have to combat that. Cyber is an important arrow in the quiver to be able to fight fire with fire and to undermine those capabilities that our adversaries are using
Starting point is 00:21:11 to wage information warfare against us. In answering the question, yes, I absolutely agree the services are not stepping up to what they need to do. The Army is doing a pretty good job of trying to do that. What Major General Paul Stanton has been doing down at the Cyber Center of Excellence at what was Fort Gordon and now Fort Eisenhower, really positive steps. Is it enough? No, it's not enough. I bet he would agree with that. The other services, I think, are struggling to be able to bring cyber up to the preeminent
Starting point is 00:21:46 role that it needs to be. And like I said, I think this is a national problem, not a military problem, but certainly the military has a large role in it. And who cares about whose authority we need to use? DHS has many authorities over the military when it comes to the civilian sector, but military has a long history of providing capabilities to other agencies under their authorities to act when it's of national significance. And so that's why I believe this is bigger than a military problem. But that's why the other argument for doing this, it's all about making cyber more,
Starting point is 00:22:26 giving it more of a priority role in the struggles that we're facing today. John, thank you for that. Rob, John briefly mentioned how other actors, state and non-state, are operating throughout the information environment. So with that, U.S. Cyber Command has been increasingly granted service
Starting point is 00:22:46 like authorities, controlling team structure, training requirements and budgets. What are the benefits of the structure and why it might it be preferable or not to having its own service? Hey to do's to you. I'm going to turn this question on your head a little bit. And as part of that, I am going to tell like old people do, I'm going to tell a story for a second from John and I in the early days of Cyber Command, because part of the answer that I want
Starting point is 00:23:10 to give you that might be a little unique from what John's been giving, but he'll agree with it, is I want to talk about service culture a little bit. I think culture is a very important aspect of military operations and combat. So the story is, in the early days of Cyber Command, he and I are running operations. And our overall charge was to try to make cyber the business of commanders and J3s, not just of NIT professionals. And several months into the command,
Starting point is 00:23:40 it dawned on both of us that the orders we were issuing were called communications orders, and were actually a separate order structure to the conventional orders process of the U.S. military, which is a very easy, flexible structure, which can be used for almost all situations. It wasn't popular among all of, particularly the communications community at the time, but we threw out that communications order process. We just threw it out and we just transform pretty much overnight into issuing conventional orders so that
Starting point is 00:24:13 an actual COCOA commander, a Joint Force commander, or one of their J3s or a G3 or an N3 would be able to understand what was going on, why it was important. If we said there's this bad thing out there and everybody has to drop everything and patch all their systems in the next 72 hours, the commander doesn't care about what the nomenclature of the equipment being patched and exactly what that CVE is, means nothing to them. In a regular order, you can explain in plain English what the nature of the thread is, what the consequences are of you don't take the action, that the
Starting point is 00:24:51 tasks and the orders are clear. So commanders stopped just taking comms orders. And as soon as they saw them, just like passing it off to their sticks without reading it. And they started paying attention. The reason I say that is backdrop is I think service culture matters. I think it matters a great deal. I think it's the diversity of thought in the military that makes us an effective fighting force. And as part of that, and I know we're not talking about all cyber people
Starting point is 00:25:17 being computer scientists, and I know Paul's done a great job with the army school down at Fort Eisenhower, but I just want to roll back and remind people of the importance, John just being one of many of kinetic operators and people who you would never think of as cyber people being absolutely critical in the formation and the evolution of cyber command. And we had fighter pilots and carrier group and task territory group commanders. We had special forces operators, a couple of key astronauts, a couple of key astronauts. We have to remember even Admiral Gilday who ended up a fleet cyber command commander.
Starting point is 00:25:58 He came from a kinetic Navy background and then his next job after fleet cyber was to see of the Navy. Going back to the very beginning days and I won't wheel off all the people, but those kinetic war fighters were absolutely critical. We had a couple of key Marine Fires officers that were critical in our early days of Cyber Command. We did not have a fires process. And they came to me and said, we need to create a fires process.
Starting point is 00:26:23 And I admit at the time I was like, what's a fires process? Explain it to me. And as soon as they explained it to me, I was like, absolutely. We have to get it. And I understand that if you create a separate service, eventually it'll have a culture. But when I think of, if I want to project power into, and someday give a carrier strike group commander, the ability to do some cyber that he has authority for within his carrier strike group. If I want to
Starting point is 00:26:49 give that to an army brigade commander or let's even go more tactical, if I need to put a couple cyber operators in an army-numbered special forces group that's going out to do a particular mission, I want it to be similar to the Marine model where the cyber folks that are supporting them understand that service, understand that culture, have experience in dealing with that kind of a unit and can be integrated as being a Marine. That's how the Marines do integrate a warfare all the time. Back in the day that I was in the IC, the Marine model of having the rad bin totally integrated into the, with the rest of the operational
Starting point is 00:27:26 force was a successful model. So I want to make sure I'm afraid that we would lose that as we transform to an operational force. The other thing is there's a lot you can do under the existing structure. There was actually my boss, Vice Admiral White, who was then Rear Admiral White, and in late 2016 in the Cyber National Mission Force, that we looked at our 39 teams that we owned at the time, and we suddenly realized we were not getting optimized value out of the 39 teams with them operating solely in a team structure. And we reorganized into four primary fighting task forces. And that reorganization exists to this day.
Starting point is 00:28:11 And once we did that, we would give our task force commanders that were really highly functioning 05s or 04s, they then each had hundreds of people under them. That, you know, the day could task organize any way they needed to do to get after this threat. Particularly as John mentioned, just growing peer or near peer competitors threat. We did that. We didn't have to change any authorities. It caused a ripple with the services initially with the AdCon commanders. What we did is we brought all the AdCon commanders under the tent and we would even invite AdCon
Starting point is 00:28:44 commanders to our weekly operational meetings. And we ended up coming up with an effective way to reorganize our force. We didn't change any authorities. We didn't, we didn't create anything new that took new policy to do. Going back to John's very original point, without getting too much into the weeds of it, we should just look at a calendar. We should look at the level of threat. We should look at where military's role is with the broader government in trying to defend
Starting point is 00:29:12 our nation from strategic cyber attacks or cyber and information operations being used against us, by the way, both in conflict or to deter us from coming into a fight. And we should think for the next three to five years, what makes sense that keeps us moving forward where we don't take a bump and start moving backwards. And we have some looming threats potentially on the calendar. And there's some real volatility in the Far East, in Europe, and in the Middle East right now. There seems to be a bit of a rise again of terrorist groups. And that's why I'm an advocate for staying the course.
Starting point is 00:29:54 And again, staying the course doesn't mean, as John said, it doesn't mean we can't compel the services to put way more priority on this as they do now. But that's all within the current structure. Hey, Rob, let me follow up on some of the things you said. And I can't agree more with your comment about the importance that the various service cultures bring to, not only bring to the cyber dimension, but also connect it back to the services and combatant commands that they support. So let me talk about some, I talked about the similarities between Socom and Cybercom.
Starting point is 00:30:30 Let me talk briefly about some of the distinctions and then some of the, some more of the disadvantages that a cyber force might create, building on what Rob said. Okay. So first we're only a year 14 of the current cyber evolution. Before 2010, we didn't even use the term cyber. We had terms like network operations and network warfare. And unlike US SOCOM, Cybercom has the authority not only to man, organize, train, equip, and provide cyber mission forces to other combatant commands and all of them to include the functional commands, not just the regional commands like SOCOM.
Starting point is 00:31:10 But CyberCOM has the operational authority to employ its own cyber mission forces for its strategic mission to defend the nation from adversary cyber attack and influence, which is, I think, a larger problem, cyber being a part of it. This is a unique mission for US Cyber Command and its cyber national mission forces, Rob said, and they are uniquely positioned and prepared to accomplish this mission and they're actively engaged in shaping the ability to do this every single day. So this leads me to believe that if there was a separate cyber force, and this is the role of a separate service that mans, organizes, trains, and equips,
Starting point is 00:31:51 and provides cyber forces to the other combatant commands, including cyber command, so that they can command and control and operate those separate forces, how would that work? Wouldn't that chop up the cohesion that we enjoy under the SOCOM-like model that we've been evolving since the beginning? Think of how that would work today for a separate special operations force instead of the model we have now. I think it would be very disruptive and likely if we were to do that, there are some other disadvantages. We don't have nearly enough specially trained cyber manpower today. So every service has unique requirements, and it's no different with cyber.
Starting point is 00:32:33 Like the Army has when the Army didn't want to lose the Army Air Corps. That was forced upon them. I think the Army still has more aircraft in the Air Force, and I believe more watercraft than the Navy. When you separate out of force, each service tends to just replicate what it needs to take care of itself and its own unique requirements. And it ends up just expanding the need for similar skill sets, which we don't have. Where would the trained, skilled cyber people come from to create a separate cyber force? I think it's very likely each service and joint cyber component and cybercom will keep what it needs and gives the scraps to a
Starting point is 00:33:17 separate force and only when forced to, if mandated, they might do it in a half-hearted way just to appease the mandate. And there's a reason that they would do this. Cyber is fundamentally different. It connects everything and it runs through every military mission like blood runs through our bodies. And I fear that if we separate out cyber as a separate function in force, and if everybody ends up not hoarding what they need
Starting point is 00:33:45 for their own unique requirements, the other option might be everyone says, okay, cyber's not my responsibility anymore. It's somebody else's problem. In my experience, cyber is one of those functions that's so interconnected with everything else, and not just other military capabilities, but everything about our entire digital landscape
Starting point is 00:34:06 in both the public and private spheres, every organization plays a role, has certain responsibilities, and it should be held accountable. I see a lot of potential harm if the services and commands wipe their hands of cyber and it becomes consolidated in a separate force. So I think that's a danger. I believe that Space Force might be a different model. That is unique. It touches everything, but it does require a special cadre. But I think when the former commander of the Space Force was asked this question about should there be a separate cyber force, even he said no. I'm pretty sure that was his response.
Starting point is 00:34:46 I don't know. Cyber has got to be seamlessly integrated with other kinetic and non-kinetic fires and maneuvers on the battlefield and having operators from all services buys a lot of credibility in accomplishing that integration, like Rob said. And not all cyber operational people should be cyber experts. Rob brings up a good point. So if we study the advantages and disadvantages of a separate cyber force,
Starting point is 00:35:10 I think we need to ensure that we capture the strength of both integrating the diverse individual service cultures into joint fighting, into this joint fighting force, as well as ensuring that cyber is not a narrow set of skills, but a wider array of skills that require deep technical training and understanding of operational war fighting, and continued training and proficiency,
Starting point is 00:35:35 not unlike other examples that we have in the military. One of the concerns when you think about creating a separate service for cyber is just how integral cyber is to core functions of what's going on. And you can really see that with these units that are not classified as cyber units, but fully integrated technology. And especially with your time in the private sector, after your time in the military, you kind of notice that like when you look at like tech companies, security, as well as
Starting point is 00:36:00 the operations of the technology, all that's integrated together. And in the army, we separated that in with our signal cores, the various communication units, but also these emerging software factories that really exist for development. And you see this with this, the acquisition of software as well with our acquisition sides that handles technology. So I think one of the real arguments against cyber services,
Starting point is 00:36:22 do you feel like this could detract from the evolution of this technology while it's still evolving? And what aspects do you think the cyber force advocates are overlooking in this regard? When we talk about the phrase, fully integrating into combat operations is not a slogan. To be fully integrated into something, you have to fully understand the mission that's going on, the functions all the individuals have to do in that mission, and how they have to execute it. If you ask me, and also, and I want to be a responsible citizen and save as much money for the military and US government as possible, too often we have capabilities that are created
Starting point is 00:37:04 for the military. And I'll just use the cyber ones, but you extend cyber to cyber, like communications and all the software which you set associated with it. You have capabilities created, but they don't like really work. And then, and often this comes out of the contractor community, you then have to spend untold money and hours trying to figure out how to integrate something that didn't get integrated naturally from the get-go.
Starting point is 00:37:31 Even when it has to do with how you develop software, how you test the assurance of software, things that people don't always think of as traditional cyber functions, you really need that integrated with the people who are going to execute those functions. I know this back when we were in the command in the early days of command, so it may have changed since then, I pray it has. But when we would issue a global order to patch something critically that had to be patched, that won't talk about any specific things that might be classified, but whenever we'd issue an order, the original way that the military used to do it is you were considered green and good if either A, you actually did what you had to do, you patched it, or B, you had a
Starting point is 00:38:13 poem that said, I can't patch it for the next three years because there's some kind of contractual obligation. We put that as green. Now it shouldn't be green and that used to drive me crazy, but in fairness, you're going to go patch some, you issue a global patch. There are other people out there that are responsible for these thousands of different combat systems actually being able to operate and do their functions every day. And it's not trivial for them to make sure that system can keep functioning.
Starting point is 00:38:48 And that patch, which might seem simple to someone issuing an order is very simple to do, might be very complicated to apply to that combat system without actually derailing that system. So what's the best way to do that is to have the people that are coming up with the solution to try to make that system safe, be actually knowledgeable about that system. That happens more often if you're part of the same service, you're part of the same system, you're part of the same headspace. You're not an outside pro from Dover that is called in to do it. As John said, and the military has some pretty simple, slick processes, when we have to,
Starting point is 00:39:29 we bring people together in joint task forces where we bring individual elements from different services and we now know how to blend them together on the battle space to make them work. And even when, and I used to do the counterterrorism mission for years, and even when I was working with, most often when you were working with a joint service, at any given moment in time that joint service was largely staffed by just one military service. It was a joint component, but one service would take the job and the next service would take the job. Because as John said at the very beginning, everybody remembers, at least old people, I'll remember what happened in 1980
Starting point is 00:40:05 and you don't ever want to create that again. So I don't know if that answers your question, but that's the best, that's just the way that I look at the problem. I'm all for finding ways to best leverage the scarce resources in terms of people and capabilities to address these increasingly serious threats to our digital way of life. I'll tell you just from an industry perspective, what I'm seeing, there's a lot of innovation happening in industry. And one of the main efforts that I see is a increased emphasis on leveraging automation and software-based advanced analytics like machine learning, both structured and unstructured or unsupervised, behavioral analytics, big data analytics, deep learning, neural networking, and AI,
Starting point is 00:40:52 including generative AI and large language models. Combining machines and advanced software so that you reduce the need for people. We are never going to, if we stay in the model that we're in today, where we have a gap of millions of skilled people for this, what's required, we're never gonna get it. We're never gonna build all those people. We need to reduce the number of people that we need and the skill sets to things that people can do better
Starting point is 00:41:19 than machines and software and use machines to fight machines and software to fight software. Because the threat is largely machine-based and software-based. So I think that we need to... the military could take great lessons from what's happening in industry in terms of innovation in order to reduce the need for the skilled people that it has and to increase the capabilities that our threats are using against us.
Starting point is 00:41:44 And John, I agree with everything you say, but I just want to make sure that no one who's listening misunderstands it. You're absolutely right about the software to software and machine to machine. But I still call cyber in some ways, the most human endeavor, because all of those machines and all of that software are created by people and the human aspects of that are important. So we don't need lots of people, but I just want to make sure people don't lose sight.
Starting point is 00:42:10 I think this is ever something that we're going to be able to win the fight with just solely using technology without human beings in the loop. I agree with that. Thank you, gentlemen. So Rob briefly mentioned the procurement and integration effect shortfalls that have historically existed
Starting point is 00:42:25 in the deployment of cyber effects. What specific capabilities do you believe cyber domain currently lacks such as new acquisition authorities or personnel recruitment constraints? Oh, okay. Yeah, I tell you what, in my current role, I go out and try to advise strategic leaders across the military and the rest of government, both nationally and internationally, folks at the operational level, folks at the technical level. And they all get this, they all understand it. But when it comes to the acquisition and procurement communities, in my view, people making decisions in those separate lanes, and what's the military, what's each service going to buy, what's the military going to buy when it comes to capabilities,
Starting point is 00:43:09 they're stuck in a legacy model that is way too lengthy and way too risk averse. If I look at my experience today in this domain, the information domain, the cyber domain, your model for how long things are going to last is anywhere from six months to 18 months. Whatever you design and whatever you try to get after that time frame is going to be OBE by the time you get it. And I think our acquisition and procurement officials need to move towards a shorter time frame to buy things that the military needs in this domain, which is largely software, but it also includes hardware and they need to reduce the, their risk thresholds are way too high certifications.
Starting point is 00:43:53 They take way too long to get there. They're way too expensive. It's actually introducing more risk because our adversaries are more agile. So that's my view on what we need to change when it comes to acquisition and procurement models. Hey, I just want to follow up on John. I agree with him 100%. And I would urge you to talk to our mutual friend, retired Lieutenant General Ben Hodges, who's over in Europe right now. But if you look at the war in Ukraine in the last several years, A, from the very beginning, many of the
Starting point is 00:44:23 capabilities that the Ukrainians have been using on the battlefield didn't even exist before that war started. They started jerry-rigging and creating new capabilities. And in the new phase of the war, they probably have capabilities that they weren't even using in the first year of the war, because that's how quick, as John said, the OODA loop you have to be in for developing new capabilities and fielding them right now. So the service model today is so out of whack with the reality in the world
Starting point is 00:44:55 that it's going to take radical change. And I know people aren't ready to hear that in many cases, but John is absolutely right, you cannot do it the way you do it today. Hey, this has been a fantastic discussion. Great conversation. Wrapping up before we move to our final section, can you guys just give your quick elevator pitches on, on your arguments against establishing a new cyber force?
Starting point is 00:45:17 We'll start with John. I've got, I'm, I'm going to say that, uh, I won't advocate against it because like I said, I think you need to look at everything and that's an option. I will just say there are other options that are less, like I said, dramatic and traumatic than everything that would go into the creation of the cyber force. And as Rob said, during a period of great peril.
Starting point is 00:45:39 So my argument would be, let's look at this very carefully. Let's look at all the options. Let's don't just focus on whether or not we should create a separate force. But let's take the lessons learned that we've had with the evolution of cyber command, what space force lessons we can learn that might be applicable.
Starting point is 00:45:59 And then let's just go into this with open eyes. And if the solution is a separate cyber force, so be it. But I think there are better ways to do it than that from my personal experience. Yes. Go ahead and study the problem to give General Hawk and General Hartman and his team a little time to let the existing authorities work. Bear in mind that we're in a very dangerous time for our nation and it's a very dangerous time
Starting point is 00:46:30 to do a major disruption that you don't have to do. Remember that you have the Cyber National Mission Force as a successful model and they're now standing up. Now JFHQ Dodin is gonna be a full component command and you'll have a second model, I believe very soon. And finally, do not discount the absolute criticality of individual service cultures bringing their best to the flight and how that important it is eventually to the joint
Starting point is 00:46:57 flight. Thank you for that. Lastly, what advice do you offer policymakers and practitioners in the field of cyber, John? Policymakers. What should we be doing? I think step one is a deep understanding for the true importance of cyber when it comes to not only national security, but our economy, our public health and safety on a massive scale.
Starting point is 00:47:21 This is a big problem. And like I said before, I think that the education, the understanding needs to include what our major adversaries are doing right now against us below the traditional threshold of warfare. And I think that's the real danger. So I would suggest that policymakers take a serious look at the legacy model that we've had in the past for how you use the military,
Starting point is 00:47:47 which is after that break glass response to armed aggression and hostile acts and realize that maybe our adversaries don't wanna go there and they think they can accomplish an advantage by staying short of war. Some people call it the gray zone. And the primary arrows in the quiver in the gray zone are information and influence and cyber plays a
Starting point is 00:48:11 particularly important role in both of those information and influence. Okay. I'll just make two quick points. One, I want to, I didn't agree. I didn't come on before, but I want to make sure I agree with John on the absolute criticality of including information and influence as part of what you think about as cyber. And that's important for policymakers. If we keep our head in the sand much longer, we're really going to be in trouble. And second, it's interesting we talk about notions of gray zones, because if we had uniform military personnel of another country physically hanging around or breaking into electrical power grid stations or water plants or places like that, we would consider
Starting point is 00:48:55 that an absolute act of war. But we have uniform military cyber operators of other nations doing that on a daily basis. And we need to wake up and focus on how we actually get after those threats, both in the military and nationally, and just not how we should reorganize from scratch in a sense to try to figure out how to get this going in the next five, seven years. John, Rob, thank you both for joining us on the Irregular Warshare podcast. It was a pleasure. It was a pleasure. It was a pleasure.
Starting point is 00:49:26 Thank you again for joining us on episode 111 of the Irregular Warfare Podcast. We release a new episode every two weeks. Our next two episodes will cover how the Afghanistan conflict has changed in the last three years and what SALF's role is in conflict. Be sure to subscribe to the Regular Warfare Podcast so you don't miss an episode. This podcast is a product of the Regular Warfare Initiative. We are a team of all volunteer practitioners and researchers dedicated to bridging the gap between scholars and practitioners to support the community of a regular warfare professional. You can follow and engage with us on Facebook, Twitter, Instagram, YouTube,
Starting point is 00:50:09 or LinkedIn. You can also subscribe to our monthly newsletter for access to our content and upcoming community events. The newsletter sign up is found at irregularwarfare.org. Please leave a comment and a positive rating wherever you listen to their regular WordPress podcasts. And one last note, all you hear in this episode are the views of the participants, and do not represent those at Princeton, West Point, or any agency of the U.S. government. Thanks again, and we'll see you next time. Music

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.