Irregular Warfare Podcast - Do we need a Cyber Force? Part 2: Arguments Against a Seventh Service
Episode Date: August 9, 2024Episode 111 examines the arguments against a United States Cyber Force. This episode is a two part series of Project Cyber that looks at the arguments for and against a Cyber Force. Our guests shar...e their backgrounds and the history of the U.S. Cyber Command. They express their skepticism towards forming a new cyber force, advocating instead for continued evolution within the current framework. They then argue that cyber operations should remain integrated with existing service structures and emphasize the critical role of cyber in national security, and public safety. Our guests conclude by discussing the evolving digital landscape while urging policymakers to comprehend the gravity of cyber threats and the need for a more agile and integrated approach.
Transcript
Discussion (0)
I want to see cyber fully seamlessly integrated into military operations, not just strategic
level operations, but down at operational and tactical levels as well.
I haven't given up on that notion.
I think the Army still has more aircraft in the Air Force and I believe more
watercraft than the Navy.
When you separate out of force, each service tends to just replicate what it
needs to take care of itself.
And it ends up just expanding the need for similar skill sets, which we don't have.
Welcome to episode 111 of the regular warfare podcast. I'm your
host, Matthew Mollering. And today I'll be joined by my co
host, Don Edwards. In today's episode, we are joined by Major
General retired John Davis and Mr. Robert Schreier. This
episode is produced in collaboration with IWI special
project on cyber and is the second part of our two part
series looking at the arguments for and against standing up a
new cyber service.
Our guests share their backgrounds and the history of the U.S. Cyber Command.
They expressed their skepticism towards forming a new cyber force, advocating instead for the
continued evolution within the current framework. They then argued that cyber operations should
remain integrated with the existing service structure and emphasized the critical role of cyber
in national security and public safety. Major General Retired John Davis is a Vice President
of Public Sector for Palo Alto Networks. Prior to joining Palo Alto Networks, John served as a
Senior Military Advisor for Cyber to the Under Secretary of Defense for Policy and served as the
Acting Deputy Assistant Secretary of Defense for Cyber Policy.
Prior to this assignment, he served in multiple leadership positions in Special Operations,
Cyber, and Information Operations. General Davis is also a plank holder and part of the original
team who established the U.S. Cyber Command. Mr. Rob Schreier is the Chief of Staff of the
Asymmetric Operations Sector at Johns Hopkins Applied Physics Laboratory.
He moved to the laboratory from the DoD Senior Executive Service after a 36-year career.
His final DoD position was serving as the Deputy to the Commander of the Cyber-National Mission
Force, U.S. Cyber Command. Mr. Schreier was a plank holder and part of the team who established
U.S. Cyber Command and then served as the initial Deputy
Director for current operations.
You're listening to a special series of the Irregular Warfare Podcast, supported by the
Princeton Imperical Studies of Conflict Project and the Modern War Institute at West Point,
dedicated to bridging the gap between scholars and practitioners to support the community
of irregular warfare professionals.
Here's our conversation with Major General Retired Davids and Mr. Robert Shrier.
John, Rob, it's a pleasure to have you
on the regular warfare podcast.
Thanks, Matt.
Pleasure to be here.
Same here, pleasure to be here.
John, we recently had Admiral Montgomery
and Kirk Singer on the podcast to discuss the decision
to have a report to look in the creation of a new cyberforce.
And before we go on your thoughts on what your take on the case against having a cyber
force, can you quickly just give a background on what your relationship is with both Cyber
Command and how you got to where you are today?
Sure, Matt.
I'm currently vice president of public sector at Palo Alto Networks, which is an international
cybersecurity company based in the US.
Been there for almost nine years now.
And I want to make sure upfront, I am not representing a Palo Alto Networks position security company based in the U.S. Been there for almost nine years now.
I want to make sure upfront, I'm not representing a Palo Alto Networks
position on this, just my own personal assessment based on my background
and experiences in the military cyber-related assignments.
Before joining Palo Alto Networks, I had more than 35 years in the military.
I know I don't look like it anymore, but the first half to maybe two thirds of that was
in airborne infantry, ranger infantry, and special operations organizations.
But the last decade was in cyber operations, including US Cyber Command and Joint Task
Force Global Network Operations before US Cyber Command, which is why I'm wearing this shirt, which has got the cyber comm logo on it for inspiration.
Also involved in cyber strategy, cyber policy, interagency and international
cyber coordination issues.
Thanks John.
And Rob, you have a long history in this as well.
Can you give a little bit about your background in cyber too?
Yeah, absolutely.
Like John, I had a long, long service history, like 36 years in the DOD.
And it was in the last full third of my career that I ended up focusing on cyber.
I actually started helping and led the standup of the operations in U.S.
cyber command as early as June, 2009, a year before the command stood up coming
over from the IC.
And along with John, I helped lead current operations the first
couple of years of cyber command.
And that's when we didn't have viable components at the time.
So we were actually operating at the strategic, operational, and sometimes
tactical level at the same time, which is not something I would recommend for
any military organization to do.
I then came back and finished my career, the last two years of my career, as the deputy
to the commander of the Cyber National Mission Force, as a deputy both first to General Nakasone
and then the vice admiral, T.J.
White.
Where I sit now is I'm on the executive leadership team of the asymmetric
operations sector at Johns Hopkins Applied Physics Lab. And my views today are not the labs,
they're my personal views. In my current role, Cyber is one of the missions we support, but we
also have major Intel support mission, ChemBio mission.
We do a lot of support, the special forces.
We were critical in the recent pandemic.
John, what are your thoughts on the necessity
of a separate service for cyber?
Let me start out by giving a little context.
I think there's no question that cyber
is increasingly critical to not only national security, but our economic stability,
and even public safety on a massive scale. When you look at some of the more recent ransomware
impacts on hospitals, schools, government functions, et cetera, it absolutely needs to continue to
evolve. And I think it makes a difference whether we're talking about another military service or
more of a national force. And I don't want to derail're talking about another military service or more of a national
force. And I don't want to derail the conversation about a separate service, but I consider the real
issue that we should be looking at is beyond the military role for the nation, because our real
critical blind spot is our national critical infrastructure, which is a much broader problem
than only the military can help solve.
But I'll start with the military question.
So the bottom line for me is what is the outcome that we want?
What exactly do we mean by cyber force? Because depending on how you scope that, that could be hundreds of thousands
across the cyber functional landscape today.
Operate the network, defend the network,
conduct offensive cyber operations,
provide intelligence support for cyber operations
of all of those types.
And some people have said,
and I think you probably see this with Mark Montgomery
and Kurt Sanger's discussion,
they're really only talking about the cyber mission force,
national mission force, national mission force, combat
mission teams, cyber protection teams, cyber support teams.
So a couple of thousand people, it was 6,200 at my last count, but I think maybe now it's
going to be grown to a few more.
And you got to ask yourself, is that worth creating the seventh service?
And what problem are we trying to solve?
And why can't we solve it by maturing the path that we're on now?
Instead of asking if we should create a separate cyber force, wouldn't the better question
be how can we evolve and mature cyber organizations and capabilities into the most effective function
for the military
within the cyber domain. A separate cyber service might represent one option, but I
believe there are less dramatic and traumatic options to consider to evolve cyber for the
military than to create a separate cyber service or cyber force. What I would like to do is just take a couple of
minutes and explain why I think the way I do and what my position is. And I think that it's based
on my experience in the evolution of both the special operations community as well as the cyber
community. And I think the special ops evolution is a relevant story
that I have some personal history with.
Back in the 60s and 70s,
we had a history of service fragmentation
from a siloed approach,
and especially lack of service priority
for manning, training,
equipping its special operations forces,
and especially in the inability to integrate special ops
into joint operations.
And it led to a national disaster and tragedy just about 44 years ago, Operation Eagle Claw,
which was the failed hostage rescue in Iran.
As a nation, we tried to integrate what were essentially separate special operations forces and capabilities at the last minute.
And it had disastrous repercussions for the nation.
And I see a separate cyber service potentially heading
in the same direction with the same outcome.
Following that failed catastrophe in Iran,
we had the Holloway Commission report,
then Congress stepped in and mandated the
stand up of US Special Operations Command and the establishment of JSAW, a Joint Operational
Subunified Command.
And SOCOM was given service-like responsibilities.
They had the authority to man, organize, train, equip, and provide special operations forces to the regional combatant
command so that those commands could command and control and direct the operations of those
forces. So my personal experience includes almost 12 years of assignments in the Army
Rangers at JSOC and at SOCOM. And the result was that starting in 1980, we built, the US military built a force
that played a critical role in combating terrorism and other special ops missions,
especially following 9-11. I was also involved in the evolution of US Cyber Command,
the establishment of the service and joint cyber component commands, the creation of the cyber mission force,
and the evolving command and control structure for the various cyber missions. Rob and I were
on the front end of that. I believe there are many similarities between the evolution of special ops
forces and our current cyber forces. Both of them were born out of disaster or near disaster for special ops.
It was Operation Eagle Claw in Iran.
For cyber command, it was Operation Buckshot Yankee in 2008,
where malicious software was discovered by Rob's organization
and our most sensitive military networks, causing the decision
to change our cyber organizational structure.
And both saw the need for accountability
and responsibility within a clear chain of command,
US SOCOM, US Cyber Command.
Both saw the evolution of those unified combatant commands.
Both established a joint operational sub-unified command,
JSOC for SOCOM,
the Cyber National Mission Force for Cyber Command.
Both address service components,
Army, Navy, Air Force, and Marines, and the same for cyber.
Both address the support to an integration
into the other combatant commands.
And both of them have highly unique skill sets
and individual unit service and joint
education, training, and certifications.
So I see the similarities and there are also some distinctions and we can talk about those
later but that background and that perspective is why I believe that there are probably less
dramatic and traumatic options to get what
we need for the US military in the cyber domain.
And I see a lot of disadvantages when you're talking about standing up a separate cyber
service or cyber force.
So I'll just stop there and I'll let Rob take a whack at it.
Oh, good.
Hard act to follow.
Now that's perfect.
I'm going to end up foot stomping a lot of what John said.
John Maydor, very important.
He talked about putting this in a national context.
I do think that's important.
That's not what we're talking about today.
And the one thing I'll say is I've documented my views on the need for us to have a national
level cyber operational capability, by the way, without any new laws or authorities, and if anybody's
actually interested in that, back in 2019, I actually published my opinion
in the cyber defense review up at West Point.
So it's out there, but I do think it's important, as John said, there
is a national context, and even though we're not, we're talking about one piece of that, we shouldn't forget that we are not
prepared as a nation right now. And that is something in maybe your future episodes that
you should address. Next, I also want to agree with John, I do believe doing a study is still the right,
is the right idea, even though I have my own opinions. He said something that I just want to make sure
just wasn't lost. I am only in favor of the government doing a study if it includes a
significant number of people on the roster doing that study that have current or former experience
leading and actually executing military cyber operations. It's hard to talk about a topic
if you actually haven't been in it.
So I would just push that.
So next, again, in agreement with John,
but I wanna put a little wrinkle on it.
Everything stems from a vision.
And when I'm talking about why I don't believe
there should be a dedicated separate cyber force created,
part of my vision is I want to see cyber fully
seamlessly integrated into military operations, not just strategic level operations, but down
at operational and tactical levels as well. I haven't given up on that notion. I think
there's ways to do it. I think that's very important. So I'm even including phase three operations. I'd like this, I'd like to see cyber a part of that.
And that's a lot of what, so when I'm thinking about there shouldn't be
a separate cyber service, I am thinking of that.
And I do have a bias toward that.
John mentioned the authorities issue and I'm an ops guy.
I'm not an authority guys, but looking at it, the cyber com new authorities
that were assigned to it are fairly new and it looks like this year
was the first year that they were actually given their full budget.
And so one thing I would just suggest, since I know all the people involved is
I would like to see a little grace given to General Hawk and General
Hardman and his new Jane, a little bit of time, they can figure out how to
execute these authorities
effectively and do something.
Tim Hawks has only been in the job a couple of months
and we're already talking about changing the landscape
of the way people would come to them.
The other thing is, and this is a nominal number
and you can get all kinds of numbers out there,
but a lot of times when I talk to senior military leaders,
we could start having a really bad day as early as 2027, and we're really worried about things in the far east.
And with that as a context, is this really a good time for the level of upheaval,
disruption that John talked about of creating a separate service as a way to
solve the problem and evolve things?
of creating a separate service as a way to solve the problem and evolve things. 2027 is just around the corner and we have to have commands gearing up to do it. So those are
my opening thoughts. And again, all of them dovetail with what John already provided.
John, that was really good information. I really enjoyed the history of how our cyber forces
got to the structure we're living today and how that looks at,
how that's similar to other commands, whether it be SOCOM or other shows that evolved as well.
Jonathan, you're really talking about kind of the timeliness of both being concerned about threats
that may be coming in 2027, but just also like the authorities of cyber security. Do you see any
reasons why advocates for cyber force are making this argument now?
Do you think it's a reversal in what you're saying or you think it's just
the conversations evolving now?
John, I really enjoyed the history of our cyber forces and how we got the
structure we're living in today and the similarity between both cyber command
and SOCOM and how both those evolved as well.
Rob, something that you talked about, I want to tie the question to John, but
at the time we miss of 2027, I think kind of ties this whole discussion of
advocating for a new cyber force.
Do you see any reason why advocates are advocating right now for a new cyber force?
Do you think it might just be the reverse of what you were saying earlier
about not wanting to restructure?
Or do you think it's just an evolution of how important
cyber has become to the joint force?
I think that the, I've talked with Mark Montgomery about this before, and I've talked with Kurt
a little bit about it, but I believe that the primary reason, and I think that there's
some truth to this.
I'll admit that Mark Montgomery's point about the services inability thus far to elevate cyber priorities for manning, training,
and equipping is valid and may be the single most important advantage associated with creating
a separate force.
But in Mark's mind, I understand it's all about force generation and he sees a significant
disadvantage in the current structure, especially with support from the services.
It's very uneven. You got people in the cyber national mission force that are doing the same job,
but being paid differently across the services.
But I think that there are ways to make the services do what's required to elevate cyber in importance
based on its absolute criticality in the digital age.
And I know that's possible because even though today,
we're getting away from the counterterrorism
and counterinsurgency model that has dominated
the military's structure, thinking,
building capabilities for the past 20 years, and we're getting back
into great power conflict and competition. And so there's a significant interest from
the Army, Navy, Air Force, and Marine Corps to build tanks, fighter aircraft carriers.
That is the priority. And in my opinion, like Rob said, that's not where we're getting our ass handed to us.
I don't think our adversaries, I don't think Russia, China, Iran, or North Korea want to
take on the US and its major allies in the traditional physical domain.
I think that they believe they would lose.
And what they're using is they're
using information and influence rather than bullets and bombs to manipulate behavior,
cause division, both politically and in societies for not just the US, but for the West in general.
And they're doing it through cyber, artificial intelligence,
And they're doing it through cyber, artificial intelligence, influence, and both traditional, but especially social media.
And they're causing us to tear ourselves apart.
And what they're doing is they're doing this to create an advantage, to give them an advantage
over us, to slow us down, to cause us to stumble over ourselves.
And to me, that's getting back, not that I want to get off track with a military
cyber force, that's the fight we're in today.
And it's a fight.
It is not, that is modern warfare and we are not engaged in it to
the degree that we should be.
I know that there are things that the cyber national mission force is doing
in conjunction with other agencies and other forces throughout the military
to get more engaged in that fight.
But it's a real struggle for, I think,
our primary military decision makers,
but even more so our political decision makers,
to see what's happening in the information environment
as an existential threat to democracy,
which I believe that it is. It's an exit threat
that our adversaries are leveraging against us, never having to cross that traditional threshold
of physical warfare, and they're leveraging this to gain an advantage over us, and it's working.
And we have to combat that. Cyber is an important arrow in the quiver
to be able to fight fire with fire
and to undermine those capabilities
that our adversaries are using
to wage information warfare against us.
In answering the question,
yes, I absolutely agree the services are not stepping up
to what they need to do.
The Army is doing a pretty good job of trying to do that. What Major
General Paul Stanton has been doing down at the Cyber Center of Excellence at what was Fort Gordon
and now Fort Eisenhower, really positive steps. Is it enough? No, it's not enough. I bet he would
agree with that. The other services, I think, are struggling to be able to bring cyber up to the preeminent
role that it needs to be.
And like I said, I think this is a national problem, not a military problem, but certainly
the military has a large role in it.
And who cares about whose authority we need to use?
DHS has many authorities over the military when it comes to the civilian sector, but military has a long
history of providing capabilities to other agencies under their authorities to act when it's of
national significance. And so that's why I believe this is bigger than a military problem.
But that's why the other argument for doing this, it's all about making cyber more,
giving it more of a priority role
in the struggles that we're facing today.
John, thank you for that.
Rob, John briefly mentioned how other actors,
state and non-state,
are operating throughout the information environment.
So with that, U.S. Cyber Command
has been increasingly granted service
like authorities, controlling team structure, training requirements and budgets.
What are the benefits of the structure and why it might it be preferable or
not to having its own service?
Hey to do's to you.
I'm going to turn this question on your head a little bit.
And as part of that, I am going to tell like old people do, I'm going to tell
a story for a
second from John and I in the early days of Cyber Command, because part of the answer that I want
to give you that might be a little unique from what John's been giving, but he'll agree with it,
is I want to talk about service culture a little bit. I think culture is a very important aspect
of military operations and combat. So the story is, in the early days of Cyber Command,
he and I are running operations.
And our overall charge was to try to make cyber
the business of commanders and J3s,
not just of NIT professionals.
And several months into the command,
it dawned on both of us that the orders we were issuing
were called communications orders,
and were actually a separate order structure to the conventional orders process of the U.S.
military, which is a very easy, flexible structure, which can be used for almost all situations.
It wasn't popular among all of, particularly the communications community at the time,
but we threw out that communications order process.
We just threw it out and we just transform
pretty much overnight into issuing conventional orders so that
an actual COCOA commander, a Joint Force commander,
or one of their J3s or a G3 or an N3 would be able to understand what was going on, why it was important.
If we said there's this bad thing out there and everybody has to drop everything
and patch all their systems in the next 72 hours, the commander doesn't care
about what the nomenclature of the equipment being patched and exactly
what that CVE is, means nothing to them.
In a regular order, you can explain in plain English what the nature of the
thread is, what the consequences are of you don't take the action, that the
tasks and the orders are clear.
So commanders stopped just taking comms orders.
And as soon as they saw them, just like passing it off to their
sticks without reading it.
And they started paying attention.
The reason I say that is backdrop is I think service culture matters.
I think it matters a great deal. I think it's the diversity of thought in the military that makes us
an effective fighting force. And as part of that, and I know we're not talking about all cyber people
being computer scientists, and I know Paul's done a great job with the army school down at Fort
Eisenhower, but I just want to roll back and
remind people of the importance, John just being one of many of kinetic operators and
people who you would never think of as cyber people being absolutely critical in the formation
and the evolution of cyber command. And we had fighter pilots and carrier group and task
territory group commanders.
We had special forces operators, a couple of key astronauts, a couple of key astronauts.
We have to remember even Admiral Gilday who ended up a fleet cyber command commander.
He came from a kinetic Navy background and then his next job after fleet
cyber was to see of the Navy.
Going back to the very beginning days and I won't wheel off all the people,
but those kinetic war fighters were absolutely critical.
We had a couple of key Marine Fires officers that were critical in our
early days of Cyber Command.
We did not have a fires process.
And they came to me and said, we need to create a fires process.
And I admit at the time I was like, what's a fires process?
Explain it to me.
And as soon as they explained it to me, I was like, absolutely.
We have to get it.
And I understand that if you create a separate service, eventually
it'll have a culture.
But when I think of, if I want to project power into, and someday give
a carrier strike group commander, the ability to do some cyber that he has authority for within his carrier strike group. If I want to
give that to an army brigade commander or let's even go more tactical, if I need
to put a couple cyber operators in an army-numbered special forces group
that's going out to do a particular mission, I want it to be similar to the
Marine model where the cyber folks that are supporting them understand that service, understand that culture, have experience
in dealing with that kind of a unit and can be integrated as being a Marine.
That's how the Marines do integrate a warfare all the time.
Back in the day that I was in the IC, the Marine model of having the rad
bin totally integrated into the, with the rest of the operational
force was a successful model. So I want to make sure I'm afraid that we would lose that
as we transform to an operational force. The other thing is there's a lot you can do
under the existing structure. There was actually my boss, Vice Admiral White, who was then Rear Admiral White, and in late
2016 in the Cyber National Mission Force, that we looked at our 39 teams that we owned
at the time, and we suddenly realized we were not getting optimized value out of the 39
teams with them operating solely in a team structure.
And we reorganized into four primary fighting task forces.
And that reorganization exists to this day.
And once we did that, we would give our task force commanders that were really
highly functioning 05s or 04s, they then each had hundreds of people under them.
That, you know, the day could task organize any way they needed to do to get after this threat.
Particularly as John mentioned, just growing peer or near peer competitors threat.
We did that.
We didn't have to change any authorities.
It caused a ripple with the services initially with the AdCon commanders.
What we did is we brought all the AdCon commanders under the tent and we would even invite AdCon
commanders to our weekly operational meetings.
And we ended up coming up with an effective way to reorganize our force.
We didn't change any authorities.
We didn't, we didn't create anything new that took new policy to do.
Going back to John's very original point, without getting too much into the weeds
of it, we should just look at a calendar.
We should look at the level of threat.
We should look at where military's role is with the broader government in trying to defend
our nation from strategic cyber attacks or cyber and information operations being used
against us, by the way, both in conflict or to deter us from coming into a fight. And we should think for the next three to five years, what makes sense
that keeps us moving forward where we don't take a bump and start moving backwards.
And we have some looming threats potentially on the calendar.
And there's some real volatility in the Far East, in Europe, and
in the Middle East right now.
There seems to be a bit of a rise again of terrorist groups.
And that's why I'm an advocate for staying the course.
And again, staying the course doesn't mean, as John said, it doesn't mean we can't compel
the services to put way more priority on this as they do now.
But that's all within the current structure.
Hey, Rob, let me follow up on some of the things you said.
And I can't agree more with your comment about the importance that the various service cultures bring to,
not only bring to the cyber dimension, but also connect it back to the services and combatant commands that they support.
So let me talk about some, I talked about the similarities
between Socom and Cybercom.
Let me talk briefly about some of the distinctions and then some of the, some
more of the disadvantages that a cyber force might create, building on what Rob said.
Okay.
So first we're only a year 14 of the current cyber
evolution. Before 2010, we didn't even use the term cyber. We had terms like network operations
and network warfare. And unlike US SOCOM, Cybercom has the authority not only to man, organize, train,
equip, and provide cyber mission forces to other combatant commands and all of them
to include the functional commands, not just the regional commands like SOCOM.
But CyberCOM has the operational authority to employ its own cyber mission forces for
its strategic mission to defend the nation from adversary cyber attack and influence,
which is, I think, a larger problem, cyber being a part of it.
This is a unique mission for US Cyber Command and its cyber national mission
forces, Rob said, and they are uniquely positioned and prepared to accomplish
this mission and they're actively engaged in shaping the ability to do
this every single day. So this leads me to believe that if there was a separate cyber force,
and this is the role of a separate service that mans, organizes, trains, and equips,
and provides cyber forces to the other combatant commands, including cyber command,
so that they can command and control and operate those separate forces,
how would that work?
Wouldn't that chop up the cohesion that we enjoy under
the SOCOM-like model that we've been evolving since the beginning? Think of how that would work
today for a separate special operations force instead of the model we have now. I think it
would be very disruptive and likely if we were to do that, there are some other disadvantages. We don't have nearly enough specially trained cyber manpower today.
So every service has unique requirements, and it's no different with cyber.
Like the Army has when the Army didn't want to lose the Army Air Corps.
That was forced upon them.
I think the Army still has more aircraft in the Air Force, and I believe more watercraft than the Navy.
When you separate out of force, each service tends to just replicate what it needs to take care of itself and its own unique requirements.
And it ends up just expanding the need for similar skill sets, which we don't have.
Where would the trained, skilled cyber people come from
to create a separate cyber force? I think it's very likely each service and joint
cyber component and cybercom will keep what it needs and gives the scraps to a
separate force and only when forced to, if mandated, they might do it in a
half-hearted way just to appease the mandate. And there's a reason that they would do this.
Cyber is fundamentally different.
It connects everything and it runs through
every military mission like blood runs through our bodies.
And I fear that if we separate out cyber
as a separate function in force,
and if everybody ends up not hoarding what they need
for their own unique requirements,
the other option might be everyone says,
okay, cyber's not my responsibility anymore.
It's somebody else's problem.
In my experience, cyber is one of those functions
that's so interconnected with everything else,
and not just other military capabilities,
but everything about our entire digital landscape
in both the public and private spheres, every organization plays a role, has certain responsibilities,
and it should be held accountable. I see a lot of potential harm if the services and commands wipe
their hands of cyber and it becomes consolidated in a separate force. So I think that's a danger.
I believe that Space Force might be a different model.
That is unique. It touches everything, but it does require a special cadre.
But I think when the former commander of the Space Force was asked this question about
should there be a separate cyber force, even he said no.
I'm pretty sure that was his response.
I don't know.
Cyber has got to be seamlessly integrated with other kinetic and non-kinetic
fires and maneuvers on the battlefield and having operators from all services
buys a lot of credibility in accomplishing that integration, like Rob said.
And not all cyber operational people should be cyber experts.
Rob brings up a good point.
So if we study the advantages and disadvantages
of a separate cyber force,
I think we need to ensure that we capture the strength
of both integrating the diverse individual service cultures
into joint fighting, into this joint fighting force,
as well as ensuring that cyber is not a narrow set of skills,
but a wider array of skills that require
deep technical training and understanding
of operational war fighting,
and continued training and proficiency,
not unlike other examples that we have in the military.
One of the concerns when you think about creating
a separate service for cyber is just how integral cyber is to
core functions of what's going on.
And you can really see that with these units that are not classified as cyber units, but
fully integrated technology.
And especially with your time in the private sector, after your time in the military, you
kind of notice that like when you look at like tech companies, security, as well as
the operations of the technology, all that's integrated together.
And in the army, we separated that in with our signal cores,
the various communication units,
but also these emerging software factories
that really exist for development.
And you see this with this, the acquisition of software
as well with our acquisition sides that handles technology.
So I think one of the real arguments against cyber services,
do you feel like this could detract from the evolution
of this technology while it's still evolving? And what aspects do you think the cyber force advocates
are overlooking in this regard? When we talk about the phrase, fully integrating into combat
operations is not a slogan. To be fully integrated into something, you have to fully understand
the mission that's going on,
the functions all the individuals have to do in that mission, and how they have to execute it.
If you ask me, and also, and I want to be a responsible citizen and save as much money
for the military and US government as possible, too often we have capabilities that are created
for the military.
And I'll just use the cyber ones, but you extend cyber to cyber, like communications
and all the software which you set associated with it.
You have capabilities created, but they don't like really work.
And then, and often this comes out of the contractor community, you then have to spend
untold money and hours
trying to figure out how to integrate something that didn't get integrated naturally from
the get-go.
Even when it has to do with how you develop software, how you test the assurance of software,
things that people don't always think of as traditional cyber functions, you really need
that integrated with the people who are going to execute those functions. I know this back when we were in the command in the early days of command,
so it may have changed since then, I pray it has.
But when we would issue a global order to patch something critically that had to be
patched, that won't talk about any specific things that might be classified, but whenever
we'd issue an order, the original way that the military used to do it is you were considered green and good if
either A, you actually did what you had to do, you patched it, or B, you had a
poem that said, I can't patch it for the next three years because there's some
kind of contractual obligation.
We put that as green.
Now it shouldn't be green and that used to drive me crazy, but in fairness, you're going
to go patch some, you issue a global patch.
There are other people out there that are responsible for these thousands of different
combat systems actually being able to operate and do their functions every day.
And it's not trivial for them to make sure that system can keep functioning.
And that patch, which might seem simple to someone issuing an order is very simple to do,
might be very complicated to apply to that combat system without actually derailing that system.
So what's the best way to do that is to have the people that are coming up with the solution to try to make that system safe, be actually knowledgeable about that system.
That happens more often if you're part of the same service, you're part of the same system,
you're part of the same headspace.
You're not an outside pro from Dover that is called in to do it.
As John said, and the military has some pretty simple,
slick processes, when we have to,
we bring people together in joint task forces
where we bring individual elements from different services
and we now know how to blend them together
on the battle space to make them work.
And even when, and I used to do
the counterterrorism mission for years,
and even when I was working with, most often when you were working with a joint service, at any given moment in time that joint service was largely staffed by just one military service.
It was a joint component, but one service would take the job and the next service would take the job. Because as John said at the very beginning, everybody remembers, at least old people, I'll remember what happened in 1980
and you don't ever want to create that again. So I don't know if that answers your question,
but that's the best, that's just the way that I look at the problem.
I'm all for finding ways to best leverage the scarce resources in terms of people and capabilities
to address these increasingly serious threats to our digital way of life. I'll tell you just from an industry
perspective, what I'm seeing, there's a lot of innovation happening in industry. And one of the
main efforts that I see is a increased emphasis on leveraging automation and software-based advanced
analytics like machine learning, both structured and unstructured or unsupervised,
behavioral analytics, big data analytics, deep learning, neural networking, and AI,
including generative AI and large language models. Combining machines and advanced software
so that you reduce the need for people. We are never going to, if we stay in the model that we're in today,
where we have a gap of millions of skilled people
for this, what's required,
we're never gonna get it.
We're never gonna build all those people.
We need to reduce the number of people that we need
and the skill sets to things that people can do better
than machines and software
and use machines to fight machines
and software to fight software.
Because the threat is largely machine-based and software-based. So I
think that we need to... the military could take great lessons from what's
happening in industry in terms of innovation in order to reduce the need
for the skilled people that it has and to increase the capabilities that our
threats are using against us.
And John, I agree with everything you say, but I just want to make sure that no
one who's listening misunderstands it.
You're absolutely right about the software to software and machine to machine.
But I still call cyber in some ways, the most human endeavor, because all of
those machines and all of that software are created by people and the human
aspects of that are important.
So we don't need lots of people,
but I just want to make sure people don't lose sight.
I think this is ever something that we're going to be able
to win the fight with just solely using technology
without human beings in the loop.
I agree with that.
Thank you, gentlemen.
So Rob briefly mentioned the procurement
and integration effect shortfalls
that have historically existed
in the deployment of cyber effects. What specific capabilities do you believe cyber domain currently
lacks such as new acquisition authorities or personnel recruitment constraints?
Oh, okay. Yeah, I tell you what, in my current role, I go out and try to advise strategic
leaders across the military and the rest of government,
both nationally and internationally, folks at the operational level, folks at the technical level.
And they all get this, they all understand it. But when it comes to the acquisition and
procurement communities, in my view, people making decisions in those separate lanes,
and what's the military, what's each service going to buy, what's the military going to buy when it comes to capabilities,
they're stuck in a legacy model that is way too lengthy and way too risk averse.
If I look at my experience today in this domain, the information domain, the cyber domain,
your model for how long things are going to last is anywhere from six months to 18 months.
Whatever you design and whatever you try to get after that time frame is going to be OBE by the
time you get it. And I think our acquisition and procurement officials need to move towards a shorter
time frame to buy things that the military needs in this domain, which is largely software,
but it also includes hardware and they need to reduce the, their risk
thresholds are way too high certifications.
They take way too long to get there.
They're way too expensive.
It's actually introducing more risk because our adversaries are more agile.
So that's my view on what we need to change when it comes to
acquisition and procurement models.
Hey, I just want to follow up on John. I agree with him 100%. And I would urge you to talk to
our mutual friend, retired Lieutenant General Ben Hodges, who's over in Europe right now. But if you
look at the war in Ukraine in the last several years, A, from the very beginning, many of the
capabilities that the Ukrainians
have been using on the battlefield didn't even exist before that war started.
They started jerry-rigging and creating new capabilities.
And in the new phase of the war, they probably have capabilities that they weren't even using
in the first year of the war, because that's how quick, as John said, the OODA loop you
have to be in for developing new capabilities
and fielding them right now.
So the service model today is so out of whack with the reality in the world
that it's going to take radical change.
And I know people aren't ready to hear that in many cases, but John is absolutely
right, you cannot do it the way you do it today.
Hey, this has been a fantastic discussion.
Great conversation.
Wrapping up before we move to our final section, can you guys just give
your quick elevator pitches on, on your arguments against establishing
a new cyber force?
We'll start with John.
I've got, I'm, I'm going to say that, uh, I won't advocate against it because
like I said, I think you need to look at everything and that's an option.
I will just say there are other options that are less,
like I said, dramatic and traumatic
than everything that would go into the creation
of the cyber force.
And as Rob said, during a period of great peril.
So my argument would be, let's look at this very carefully.
Let's look at all the options.
Let's don't just focus on whether or not
we should create a separate force.
But let's take the lessons learned
that we've had with the evolution of cyber command,
what space force lessons we can learn
that might be applicable.
And then let's just go into this with open eyes.
And if the solution is a separate cyber force, so be it.
But I think there are better ways to do it than that from my personal experience.
Yes.
Go ahead and study the problem to give General Hawk and General
Hartman and his team a little time to let the existing authorities work.
Bear in mind that we're in a very dangerous time
for our nation and it's a very dangerous time
to do a major disruption that you don't have to do.
Remember that you have the Cyber National Mission Force
as a successful model and they're now standing up.
Now JFHQ Dodin is gonna be a full component command
and you'll have a second model, I believe
very soon.
And finally, do not discount the absolute criticality of individual service cultures
bringing their best to the flight and how that important it is eventually to the joint
flight.
Thank you for that.
Lastly, what advice do you offer policymakers and practitioners in the field of cyber, John?
Policymakers.
What should we be doing?
I think step one is a deep understanding for the true importance of cyber when it comes
to not only national security, but our economy, our public health and safety on a massive
scale.
This is a big problem.
And like I said before, I think that the education,
the understanding needs to include
what our major adversaries are doing right now against us
below the traditional threshold of warfare.
And I think that's the real danger.
So I would suggest that policymakers take a serious look
at the legacy model that we've had in the past for how you use the military,
which is after that break glass response
to armed aggression and hostile acts
and realize that maybe our adversaries
don't wanna go there
and they think they can accomplish an advantage
by staying short of war.
Some people call it the gray zone. And the primary
arrows in the quiver in the gray zone are information and influence and cyber plays a
particularly important role in both of those information and influence. Okay. I'll just make
two quick points. One, I want to, I didn't agree. I didn't come on before, but I want to make sure
I agree with John on the absolute criticality
of including information and influence as part of what you think about as cyber.
And that's important for policymakers.
If we keep our head in the sand much longer, we're really going to be in trouble.
And second, it's interesting we talk about notions of gray zones, because if we had uniform military personnel of another country physically hanging around or
breaking into electrical power grid stations or water plants or places like that, we would consider
that an absolute act of war. But we have uniform military cyber operators of other nations doing
that on a daily basis. And we need to wake up and focus on how we actually get after those
threats, both in the military and nationally, and just not how we should
reorganize from scratch in a sense to try to figure out how to get this
going in the next five, seven years.
John, Rob, thank you both for joining us on the Irregular Warshare podcast.
It was a pleasure. It was a pleasure.
It was a pleasure.
Thank you again for joining us on episode 111 of the Irregular Warfare Podcast.
We release a new episode every two weeks.
Our next two episodes will cover how the Afghanistan conflict has changed in the last three years
and what SALF's role is in conflict.
Be sure to subscribe to the Regular Warfare Podcast so you don't miss an episode.
This podcast is a product of the Regular Warfare Initiative.
We are a team of all volunteer practitioners and researchers dedicated to bridging the gap between scholars and practitioners
to support the community of a regular warfare professional. You can follow and engage with us on Facebook, Twitter, Instagram, YouTube,
or LinkedIn. You can also subscribe to our monthly newsletter for access to our content
and upcoming community events. The newsletter sign up is found at irregularwarfare.org.
Please leave a comment and a positive rating wherever you listen to their regular WordPress
podcasts.
And one last note, all you hear in this episode are the views of the participants, and do
not represent those at Princeton, West Point, or any agency of the U.S. government.
Thanks again, and we'll see you next time. Music