Cyber Campaign Plans and Other Fairy Tales
You might not think of military planners as the authors of fairy tales, but unfortunately many of us are. As a planner at U.S. Cyber Command (and assorted other headquarters in warmer climates), I have worked on a variety of planning teams building cyber plans and orders. Unfortunately, most of those planning efforts were divorced from the real-world capabilities of friendly forces, agnostic towards the actual vulnerabilities of enemy forces, and premised on fundamental misunderstandings of the cyber domain.
This gap between cyber planning and reality is driven by three foundational problems. A balkanized and parochial command-and-control structure for operational headquarters makes planning inconsistent and disjointed, while use of doctrine and processes not aligned to the realities of the cyber domain causes repeated problems. The most critical problem is a failure to invest in cyber professionalism among the mid-career military personnel filling those headquarters and doing the operational-level planning. These problems often prevent or distort the alignment of tactics and strategy, leaving Cyber Command and its Cyber Mission Force incapable of achieving strategic goals.
Congress and the Department of Defense are unhappy with the current state of Cyber Command and the Cyber Mission Force. In the Fiscal Year 23 National Defense Authorization Act, Congress demanded multiple reports on problem areas and directed changes to the Cyber Mission Force. The Department of Defense responded by creating “CYBERCOM 2.0” to review how the U.S. military conducts cyber operations and recommend changes to the force. However, these efforts will struggle to make an impact on cyber readiness and effectiveness until they address the Cyber Mission Force’s core problems disconnecting cyber strategy from cyber tactics.
Cyber Command has a strategy of “persistent engagement” (actively contesting adversary cyber threats) expounded by Gen. Paul Nakasone (now retired) and other senior leaders. Cyber Command’s guidance on persistent engagement and the national-level cyber strategy documents the Department of Defense and national leaders have published add up to a robust vision of how the Department of Defense should utilize cyber forces at the strategic level. At the tactical level, there are serious grounds for concern over Cyber Mission Force training and readiness, but there is a pool of tactical and technical experts capable of executing assigned missions. At the operational level, the problems are more profound: Joint forces lack joint headquarters, doctrine is suboptimal, experience is limited, formal training and education are minimal, and few lessons are being learned effectively.
Balkanized Command and Control
The first issue driving dysfunction at the operational level of the cyber force is the structure of operational-level headquarters. Today, the Cyber Mission Force (with fewer than 7000 personnel) has seven three-star operational headquarters between Cyber Command and the teams or task forces at the tactical level. Two of those headquarters, the Cyber National Mission Force and Joint Force Headquarters-Department of Defense Information Networks, have unique missions and make sense as joint operational-level commands. The other five “joint force headquarters-cyber” have similar missions, but are not joint despite commanding joint forces (the joint force headquarters are essentially dual-hatted service cyber component headquarters). This structure was originally chosen in Cyber Command’s early days as a sub-unified command in order to minimize the number of cyber officers required to build out the Cyber Mission Force, but its continued use today is negatively impacting joint operations.
Splitting this operational planning across five service headquarters rather than one joint headquarters staff makes planning parochial based on the quirks of service cultures and limits the joint force’s ability to learn from successful and unsuccessful approaches to planning and operations. While separating operational planning from traditional service “man, train, and equip” functions at the service cyber commands will be disruptive, disruption is preferable to the current dysfunction. Policymakers should consider consolidating the five joint force headquarters to one operational cyber command, able to join the Cyber National Mission Force and Joint Force Headquarters-Department of Defense Information Networks in a more rational structure. This new organizational structure would streamline command and control, with three joint operational-level commands overseeing Cyber Mission Force operations.
This restructuring of responsibilities would allow the existing service cyber components to focus on force generation (manning and training the cyber teams the services provide to the Cyber Mission Force). It would also create a truly joint operational command to plan and lead Cyber Command’s operations supporting joint forces around the globe. Even with these changes, some researchers and members of Congress have questioned if the existing services and service cyber components can solve the Cyber Mission Force’s current training and force generation problems. If those concerns prove correct, this structure could be a first step toward the creation of a cyber service to replace the current service cyber components in carrying out the “man, train, and equip” role for offensive and defensive cyber forces.
Refocusing the service cyber components on building the force risks some short-term disruption as planners and operations are shifted to a new joint headquarters, and it also risks introducing friction in some intra-service multidomain missions. Most significantly, centralizing cyber forces supporting other combatant commands under one operational headquarters removes the fiction that those combatant commands have a dedicated three-star cyber headquarters functioning as their “cyber component command.” These regional commanders are likely to have concerns about the responsiveness of a consolidated operational-level cyber headquarters. Addressing those concerns will require careful coordination, maintaining the teams of embedded Cyber Command planners at each combatant command, and applying lessons learned from the Cyber National Mission Force’s experiences coordinating operations with commanders across the world.
Doctrine and Process
The second issue degrading planning at the operational level is the immature state of cyber doctrine and planning processes. Today most operational-level planning is done at Cyber Command or the Joint Force Headquarters based on the Joint Planning Process outlined in Joint Publication 5-0, Joint Planning, and the principles laid out in Joint Publication 3-12, Cyber Operations. The Joint Planning Process is based on simplifying operational problems down to a small number of thoroughly developed courses of action. While it can be a good way to plan ground operations and prioritize aspects of multidomain operations, it is not a good fit for cyber operations. The Joint Planning Process is a good fit for deciding which of three available roads should be the primary axis of advance for an armor brigade, or which of four available ports will be the primary logistics hub. It is much less useful for deciding how to attack a complex system of systems. This is why air operations heavily modify the Joint Planning Process: At the operational level, air planners focus heavily on targeting dependencies in the adversary system, whereas the joint planning process focuses most planning towards maneuvering the friendly force. In cyber operations, like in air operations, simplifying complex, multidimensional systems of systems into two to five courses of action erases many issues operational-level cyber planners need to remain aware of. While a knowledge of joint planning is important when integrating cyber operations into multidomain operations, rigidly following the Joint Publication 5-0 sequence in planning cyber operations is often problematic. Far too often, the resulting cyber plans and orders have represented a triumph of doctrine over reality.
This mindset (often reinforced by the cyber-specific doctrine in Joint Publication 3-12) encourages thinking simplistically about cyber operations — thinking in terms of point targets rather than achieving effects at scale, conceptually focusing on the physical layer almost to the exclusion of network and application layers, and largely thinking about cyber operations in two dimensions rather than the multidimensional reality of modern networks. Perhaps the biggest doctrine-based failing is a tendency to focus on oversimplified “centers of gravity.” While some cyber operations do find real centers of gravity and effectively target them, usually the search for centers of gravity leads to fixation on inappropriate (but easy to identify) targets and objectives: networks and functions that are difficult to reach, easily replaced, or not true system failure points; or goals too broad or vague for execution, against national policy, or not relevant to strategic objectives.
It is arguably true that an expert in both joint doctrine and cyber operations can map the principles of joint planning onto cyber reality — however, current doctrine read plainly provides a very poor map of that reality to the majority of planners who lack such expertise. Cyber Command and its operational headquarters need to reframe how planners look at cyber problems. A better paradigm is needed, emphasizing understanding and impacting (or protecting) highly complex systems of systems rather than pretending that, with enough PowerPoint panache, the domain’s inherent complexity can be wished away by enterprising staff officers.
China’s cyber forces give one example of such planning in the recently discovered “Volt Typhoon” intrusions into critical infrastructure networks across Guam, widely believed to be preparations to disrupt America’s flow of military forces toward China in case of war. Chinese doctrine on systems confrontation and systems destruction warfare guides network attack planning based on the need to disrupt enemy systems of systems in order to break critical military functions. Perhaps even more importantly, China’s creation of an independent cyber force has resulted in more professionalized and experienced cyber planners.
People
If there is a primary driver of the operational-level problems with Department of Defense cyber operations, it is the failure to build and retain experienced cyber professionals. Cyber field grade officers and senior non-commissioned officers (i.e., mid-career military personnel with 10–20 years of experience) are not being given the experience and education needed to solve these hard problems. There are many tactical training programs for junior cyber troops, and the Computer Network Operations Development Program, Air Force Institute of Technology, and Naval Postgraduate School offer excellent technical education for early-career personnel. But these options do not extend to mid-career cyber officers and non-commissioned officers — planners are not being effectively trained or educated on the operational level of cyber. This gap is even more problematic when considering the Cyber Mission Force’s issues with retention and talent management. With many cyber planners stepping into planning positions with zero cyber experience, the failure to teach staff officers the nature of the cyber domain leads to serious difficulty connecting strategic guidance and tactical execution.
Cyber training for field grade officers and other staff planners comes in several formats, but all are either too small or too cursory to solve this problem. Widely attended courses like the Army’s “Cyber Operations Planners Course” and the Air Force’s “Cyber 300” teach the basics well, but at less than a month they are too short to effectively teach cyber operations and strategy at the depth operational planners need. Some service staff colleges include courses on cyber operations or policy, but these struggle to cover topics effectively. Faculty rarely understand the cyber domain, venues rarely support appropriate discussion of classified case studies or lessons learned, and a single 1–4 credit course is still a short format for the breadth of what operational-level planners need to know about the domain. While many of these courses are good introductions to cyber strategy for non-cyber officers, they do little to address the gap in education for cyber planners. Unfortunately, even these limited offerings are shrinking — the Air Force recently cut back on cyber professional military education courses at its staff and war colleges. The closest thing the Department of Defense currently has to effective cyber professional military education for operational planners is the National Defense University College of Information and Cyber in Washington. This institution offers a year-long in-residence course focused on military information technology and cyber policy issues, but admits fewer than 30 late-career officers each year (for demographic context, the Department of Defense’s information technology to cyber workforce ratio is roughly 6:1). It also offers online programs, including one focused on cyber policy (which I am in the process of registering for), but this course is not widely advertised to the cyber community, in addition to the issues with unclassified venues that most other cyber professional military education courses share.
A more focused and in-depth cyber professional military education program is needed. Whether an expansion of current National Defense University programs, a Space Force-style partnership with a civilian university, or a new institution, mid-career cyber professionals need their own “cyber staff college.” The cyber workforce needs a school teaching joint doctrine in combination with the unique challenges of military cyber operations (a “joint professional military education level one” course, in doctrinal terms). This course should be a cyber equivalent to the existing staff colleges each service sends mid-career officers to: roughly a year long, in-person, and split between joint doctrine and cyber topics, equipping planners to design effective cyber operations and integrate cyber activities into joint operations. The course should offer classified spaces to discuss relevant case studies, and both faculty and topics should draw from a mixture of national security academia, computer science, and hands-on experience with cyber operations. It should also be more open to civilian and senior non-commissioned officer planners than existing service staff colleges.
Establishing a rigorous and in-depth staff college for experienced cyber officers is critical to improving Department of Defense cyber planning and thinking. But more flexible options are also needed, particularly for junior and non-cyber personnel serving in cyber headquarters. A broader set of short cyber operations and strategy classes like Cyber 300 should be created for the many less experienced people working as cyber planners and offered in online or remote formats where feasible.
Today, a senior cyber officer is likely to have spent six to 18 months in formal classes studying operations and strategy in their service’s primary domain — and less than six weeks formally studying cyber operations and strategy. If the Department of Defense wants to build cyber thinkers and leaders who can create the plans, doctrine, and culture to defeat increasingly capable adversaries, it ought to make serious investments in teaching those thinkers and leaders to understand the domain.
These investments mean real tradeoffs. The budget implications of adding dozens of students and faculty to an existing school (or civilian campus) are modest, and even building a new institution from scratch would require less than 2 percent of the current cyber budget, but the personnel involved are a more painful resource tradeoff. The current critical shortage of experienced cyber officers means that the people going to cyber staff college will leave significant gaps in tactical leadership and staff planning positions across the cyber force.
Why accept these tradeoffs? Because the strategic and operational costs of leaving cyber planning as a self-taught gaggle of amateurs are potentially catastrophic. The problem is not merely that many planners are inexperienced and need more study. The collective knowledge of Cyber Command is also dangerously deficient. Professionalizing the community of planners requires putting rising cyber leaders, planners, and thinkers in the same space for months of rigorous and intense study.
The collective knowledge of the force — cyber doctrine, history, and theory — is so shallow and flawed that even those who have studied it are not equipped to understand the operational level of cyber. Deep, sustained dialogue and debate among experienced cyber planners and professionals is urgently needed to fill these gaps in collective understanding, and a cyber staff college is the venue to create, sustain, and promulgate those conversations between cyber planners and thinkers. There is always a strong temptation to prioritize short-term manning needs over educating leaders and staff officers. But relegating planners’ education to two-week classes or asynchronous online courses will deprive the cyber force of the critical mass of experience and brainpower needed to fully understand the domain and guide more effective planning. The Department of Defense’s failure to invest in educating cyber leaders and planners means the status quo squanders the billions of dollars and enormous amounts of talent invested in the Cyber Mission Force’s tactical teams on missions that all too often do not add up to operational impact or strategic success. Until the Department of Defense builds better cyber professional military education for operational planners, Cyber Command will continue to see strategy disconnected from tactical execution.
These disconnects are even more problematic because of the military’s cyber retention and talent management problems. These personnel problems severely limit the experience field grade officers and senior non-commissioned officers bring to cyber staff positions. Retention of experienced cyber personnel is a well-documented problem, with low pay, poor leadership, and frustration with talent management frequently cited as important factors. In contrast, cyber talent management problems are less widely understood. Detailed data on military personnel assignment trends in the Cyber Mission Force is not yet available due to disconnects between how Cyber Command and the services define cyber roles and career fields. However, the available numbers suggest that for every Cyber Mission Force member retiring or leaving the military, two members are reassigned from military cyber units to non-cyber units. This drain of people out of cyber teams and headquarters leads to dangerously high turnover.
Resolving these issues is not simply a matter of updating service assignment policies. They reflect an entrenched combination of formal and informal career progression requirements, promotion board expectations, and ultimately failure to adapt services’ talent management priorities and processes to the needs of the cyber mission. At the operational level, this means most planners have little or no cyber operations experience. Instead, most cyber staff billets are filled by communications, all-source intelligence, or random officers and non-commissioned officers. In theory, the Department of Defense civilian workforce could provide some of the missing knowledge and continuity. In practice, civilian hiring often prioritizes joint planning experience in other domains while deemphasizing cyber experience.
Today, operational-level planners are expected to learn advanced cyber principles on the job. Planners are expected to do this without adequate education, on an operational planning team where few if any people have meaningful cyber experience, and understanding of historical lessons learned is limited or nonexistent. This is not a recipe for effective staff planning in a complex and fast-moving operational and technological environment. Nakasone noted the importance of cyber as a profession — building competent joint operational planners is a key part of creating that profession.
Conclusion
Today, Department of Defense cyber forces have a viable strategy and a growing number of competent tactical teams. However, the operational-level planners responsible for linking the two are not structured or equipped for success. A balkanized and insufficiently joint command structure leads to significant problems at the operational level; doctrine and planning practices dangerously oversimplify the cyber environment; and the people assigned to operational-level headquarters lack the education and experience required to effectively manage the policy and technological complexities inherent to military cyber operations.
As Congress and the Department of Defense consider new ways of building and structuring military cyber forces, they should include correcting this lack of effective operational-level planning in their criteria for evaluating solutions. Key steps include creating dedicated, in-depth cyber professional military education for the mid-career cyber officers and non-commissioned officers responsible for operational planning; forcing changes to the services’ talent management, career progression, and promotion practices that prevent the growth of experienced cyber professionals; and replacing the five service-run joint force headquarters with a single joint operational headquarters. Whether the solution is an independent U.S. Cyber Force, consolidating current service-run headquarters and training organizations, or realigning responsibilities among the existing services, a real solution to the Cyber Mission Force’s problems should include rationalizing command structures, maturing cyber doctrine, and — most critically — investing in building cyber officers and senior non-commissioned officers with the experience, training, and education to accurately understand the cyber domain’s complex policy, technological, and operational problems. Until the void between cyber strategy and cyber tactics is filled, Department of Defense cyber operations will be a series of disjointed pinpricks unable to effectively impact adversaries or defend the nation.
John “Strider” Cobb is an Air Force offensive cyber officer with over a decade of experience in military and intelligence community cyber operations. He recently completed an assignment at Cyber Command working planning and readiness policy, and previous experiences have ranged from laboratory researcher to deployed special operations planner. He is a graduate of the Air Force Institute of Technology (M.S. Computer Science), Air Command and Staff College (online), and Joint Forces Staff College (in residence).
The opinions expressed are personal and do not reflect the official positions of Cyber Command, the U.S. Air Force, the Department of Defense, NATO, and/or the Patth director-general.
Image: Airman 1st Class Jade M. Caldwell via U.S. Cyber Command.