Former CYBERCOM Commanders Urge Caution on Push for New Military Cyber Service

Creating a new military service to wage war in the cyber domain would take too long, risk creating a top-heavy bureaucracy, and create confusion about the defense of other services’ IT networks, two former leaders of U.S. Cyber Command told a congressionally chartered research committee looking into the question. 

Retired Air Force Gen. Timothy Haugh and his predecessor, Army Gen. Paul Nakasone, both testified last month at the first hearing of the National Academies’ committee conducting a “consensus study” on “alternative organizational models for the cyber forces of the U.S. Armed Forces,” as directed in the 2025 National Defense Authorization Act. 

The committee expects to finish its work and report to Congress sometime next year, a National Academies staffer told Air & Space Forces Magazine on condition of anonymity. 

In testimony Nov. 20, both men argued that the CYBERCOM 2.0 reforms that Defense Secretary Pete Hegseth signed off on last month should be given time to bear fruit before embarking on the massive organizational lift of creating a whole new service. 

“This is all about time,” Haugh told Air & Space Forces Magazine after his testimony. CYBERCOM 2.0 was designed to provide the maximum increase in warfighting capability with the minimum delay and institutional friction, he said.  

“The faster you get at the meat of the issue, the faster the Secretary of Defense and the President have more capability, versus ending up in a conversation that’s about how we organize,” he said. 

The creation of a new military service would require an act of Congress and years to stand up, Haugh noted, citing the example of the Space Force   

“We should start with the steps that can be done aggressively with the least cost and the most rapid return. … We want to be focused on producing more tooth and not focused on growing bureaucracy,” he said. 

Leveraging existing authorities “to the greatest extent possible,” as in CYBERCOM 2.0 would “one, be the most rapid and two, the least cost,” he said. Creating a new service “brings in a whole other series of works that may be required down the line but aren’t necessarily contributing in the short term” to warfighting capability. 

Asked how long it might take the reforms in CYBERCOM 2.0 to bear fruit, Haugh said it will depend on how they are resourced by Congress and implemented by the Pentagon. “We measured readiness rates and other metrics. There is an annual readiness report that CYBERCOM owes to Congress annually which will provide benchmarks.”   

Haugh noted that CYBERCOM 2.0 had been approved by under President Joe Biden’s Defense Secretary Lloyd Austin, but that his successor in President Donald Trump’s administration, Hegseth, signed off on the implementation plan for the reforms. 

“I think it’s pretty unique in our environment that this concept has been endorsed by both administrations,” he said. 

There were widely acknowledged issues with the Pentagon’s cyber forces, Haugh said, but CYBERCOM 2.0 addresses them, and allowing its reforms to flower would create the building blocks for a new service if one were eventually deemed necessary.  

​​”The way you get the most rapid return was to build Cyber Command on the SOCOM-like model that already exists in the law and in the [Unified Command Plan]. … And none of it precludes the build towards a future service if it doesn’t prove adequate, all those [reforms in CYBERCOM 2.0] are still required if you’re going to do it within a service.”  

His predecessor, Nakasone, laid out his worries about the creation of a new service more bluntly. 

“One of the things that I have always been concerned about moving to a cyber service is this idea of service bureaucracy,” he told the commission. “Service bureaucracy is one of the great killers of ingenuity and agility within the domain of cyberspace. … You want to avoid [it] at all costs.”

“One of the nice things about being retired is that my filter has come off a bit,” added Nakasone, who is now director of Vanderbilt University’s Institute of National Security.

CYBERCOM 2.0 will implement some of the “service-like” authorities—staffing, training, and equipping forces—granted to U.S. Cyber Command by Congress, he said. 

“The most challenging element of man, train, and equip [for Cyber Command] is training,” said Nakasone, because it is so reliant on “the bureaucracy of the services,” where 2-3 year development cycles are the norm.

“We could not get the services to line up and make sure that they were training to a standard … that I needed on a continual basis,” Nakasone said. “Oh, my goodness, that was rough. And that was one of the areas where CYBERCOM 2.0 came in and said, ‘OK, all advanced training was going to be headquartered in CYBERCOM.’”  

Scoping the Prospective Cyber Force 

Beyond the problems with time and bureaucracy, a new cyber service would also face a “critically important” scoping challenge, Haugh told Air & Space Forces Magazine: What would be the exact dimensions and limitations of its responsibilities and authorities?  

The Space Force had an easy and clean “physics-based definition to draw upon: everything that operates above this altitude is the purview of the Space Force. … You have no definition that’s going to make it easy or clean in what would be in or out of a cyber service.”   

The DOD has 225,000 cyber personnel, broadly defined, and 15,000 IT networks. Defending all of them would be a huge responsibility if it fell upon the new service, said Haugh, who has worked in cyber operations for almost two decades—perhaps to the detriment of its responsibility to develop warfighting capability in the cyber domain.  

“If I were currently the CYBERCOM commander and somebody stood up a cyber service that owned the networks of the department, my concern would be that that would be their focus. And would it be a distraction from those things that are core to developing combat capacity in the cyber domain?” he told the NAS committee. 

The 12-member National Academies’ committee is chaired by Richard Murray, an engineering professor at the California Institute of Technology. Its members include former NSA officials like John “Chris” Inglis, David Luber and David Dorsey; former admirals Jan Tighe and Timothy White; and retired Army Col. Natalie Vanatta and retired U.S. Marine Corps MGySgt Scott Stalker, both long-time cyber operators. There is one former Air Force official, Timothy Booher. Currently senior vice president of special projects at technology giant Leidos, Booher worked for the service until a decade ago, in a variety of technical leadership positions, according to his LinkedIn page. 

Their initial hearing also included testimony from supporters of a new military service, including retired Rear Adm. Mark Montgomery and former House Armed Services Committee staffer Josh Steifel. The two are members of the Commission on Cyber Force Generation, launched earlier this year by the Center for Strategic and International Studies to provide the White House and Pentagon with the policy framework they will need if the administration decides to go ahead and establish a separate cyber force. 

Steifel told the committee the move to a separate cyber service is long overdue. 

“In the decade-plus that I’ve been part of the cyber community,” Steifel said, “I’ve experienced at least seven quote-unquote, watershed moments in cyberspace. … Each one was described as the moment when the U.S. would finally get serious about cyber. And yet, we are still talking about readiness problems, manpower shortages, recruiting deficiencies, and training disparities, the same issues that we were talking about five years ago and 10 years ago and 15 years ago.” 

Steifel pointed out that “the organizing principle of the U.S. military is that we build our services to align to the warfighting domains.” He said it didn’t make sense that cyber was the only domain without a dedicated military service, by contrast with land, sea, air and space.  

The arguments against a service had been discredited by history, he said. 

Opponents had been arguing since the stand-up of CYBERCOM in 2010 “that an independent cyber service is not necessary because the existing services can adequately manage the job of generating forces for the cyber domain. It’s difficult to ignore that the military also made the same arguments against an independent air force in the ’20s and ’30s and an independent Space Force through the 2000s for 15 years.” 

Current Assistant Secretary of Defense for Cyber Policy Katherine Sutton also testified and began her remarks with a plea to the committee not to go “prematurely jumping to solutions without a well-defined problem statement.” 

“I encourage you to commit your initial efforts to creating a comprehensive problem definition that will guide our subsequent solution finding process,” she added. “Improving the current system … [and] alternative or hybrid organizational models” should be considered alongside the creation of a new cyber service, she added.

One former senior CYBERCOM officer told Air & Space Forces Magazine he endorsed that advice.

“I would say the problem is not clear,” he said. Many of those advocating for a new cyber force were “very clear about the solution, but a whole lot less clear about what the problem is.” 

That matters, he explained, because if the key problem is talent management and the challenge of retaining highly skilled and exquisitely trained cyber operators, that wouldn’t automatically be solved by setting up a new service. “You’re just taking a new organization and handing it a problem that hasn’t been solved yet. They’re going to have the same problem CYBERCOM does,” the former senior officer said. 

“What [advocates of a new service] never talk about is, how is the service going to solve that [talent management problem.] And how is it going to solve it on the time horizon that we’re on,” where U.S. intelligence believes Chinese President Xi Jinping has told his military to be ready to invade Taiwan by 2027. 

“You can’t just take a knee for a couple of years while you spin this thing up,” he said.