An Insider’s Guide to Cyber Readiness
Despite the Department of Defense spending $14 billion a year on cyber forces and technology, U.S. military cyber forces have never met the department’s readiness standards. This decade-long failure has motivated Congress, the military cyber community, and a variety of national security thinkers to debate major structural changes to Cyber Command and its Cyber Mission Force (a joint force with teams provided by each service).
In late 2022, Cyber Command responded to these concerns by creating a readiness campaign to attack the structural problems keeping Department of Defense military cyber forces from meeting training and readiness standards, and I was selected to lead the first phase of the effort. That experience revealed that the problems with cyber readiness are deeper, more severe, and more structural than most of the leaders and thinkers discussing cyber readiness realize.
Fundamentally, Cyber Command has been unwilling to face the reality that the current structure of the Cyber Mission Force cannot generate mission-effective cyber forces at scale. Instead, Cyber Command and service readiness practices have tried to hide the problem from themselves and Congress by lowering cyber readiness standards far below actual mission requirements, double-counting mission-qualified personnel in readiness metrics, and obfuscating catastrophic levels of turnover. Protecting the status quo has been prioritized over revealing an honest picture of the failure to build a Cyber Mission Force able to keep pace with increasingly dangerous adversaries.
Why is cyber readiness so challenging? The core problem is that service mismanagement of career progression and assignments has led to high turnover and low retention in the Cyber Mission Force’s most critical roles and missions. Overcoming these challenges and building a ready Cyber Mission Force requires a dedicated cyber service focused on growing a sustainable, highly skilled force of military cyber professionals.
Cyber Readiness in Historical Context
Cyber Command measures two types of readiness: the readiness of its assigned cyber forces and the readiness of all Department of Defense networks (conducting network security inspections known as “Cyber Operational Readiness Assessments”). Military networks generally meet these readiness standards and military cyber forces do not.
Cyber security inspections are important in managing risks to military networks, but they are not directly related to the readiness of offensive and defensive cyber forces to execute missions. Well-configured firewalls and sophisticated threat-detection tools can slow down cyber intrusions, but skillful adversaries will find ways to evade them and must be hunted down across military networks by cyber protection teams. Without highly skilled cyber personnel, even the networks with perfect inspection scores will fall to adversary attacks.
The Department of Defense’s traditional measures of readiness include assessments of units’ personnel strength, equipment status, supply, and training, but the Cyber Mission Force’s readiness shortfalls are nearly all training issues. Training has continuously been at failing levels since Cyber Command first established training standards. As Mark Montgomery and Erica Lonergan discuss in their recent work advocating an independent cyber force, when Cyber Command has claimed to have reached milestones like initial operating capacity, the training numbers have been artificially inflated. Some services rapidly rotated their two to four teams’ worth of qualified personnel across 10 to 12 teams. Some local units issued unauthorized training waivers, and some simply quadruple-billeted all qualified personnel. My experience with Cyber Command readiness has been that claims about readiness milestones were based on deeply misleading contortions and pervasive double-counting.
Readiness Challenges
A core factor in the challenge of creating a ready cyber force is the unavoidable fact that new personnel need multiple years of training and experience to gain the skills needed to be effective operators or cyber analysts against hard targets. Reaching full proficiency usually takes about 10 years.
Fighter pilots and special operators require similar timelines for training and proficiency. However, the services generally do not leave personnel in critical cyber roles (cyber operator, cyber analysts, and capability developer) long enough to create a high-skill force capable of executing the Cyber Mission Force’s assigned missions. Instead, service promotion and career progression requirements typically pull operators out of tactical missions after six to nine years and usually pull cyber analysts out within four to six years. This high turnover creates a cycle of perpetual amateurism in the Cyber Mission Force. With most personnel on their way out the door by the time they become fully mission-effective, the pool of fully trained and skilled personnel is always a small fraction of the force. This limits operational capacity, creates severe burnout and retention problems, and puts the Cyber Mission Force at a significant disadvantage when competing with adversaries who manage their cyber talent with a focus on building cyber lethality rather than meeting traditional Army or Navy promotion requirements.
The end result of these practices is the problematic state of readiness that Montgomery and Lonergan describe in their recent report. A typical cyber mission team is roughly equivalent to a dysfunctional fighter squadron where one pilot is an elite TOPGUN graduate, four pilots are fully trained and mission-effective, six pilots are listed as fully trained but are only qualified to fly in a threat-free environment, and eight pilots are still in initial pilot training and have never flown a real fighter jet.
Readiness Metrics
While Cyber Command’s detailed readiness numbers are classified, both Congress and Cyber Command commanders have repeatedly voiced alarm at the Cyber Mission Force’s readiness rating. However, most leaders seeing Cyber Command readiness reports do not realize that the readiness numbers causing disquiet are based on standards that list two “fully trained and qualified” personnel for every single truly mission-capable member. Personnel in the most critical work roles on Cyber Mission Force teams are counted as “fully trained and qualified” more than a year before their training is complete and they are actually qualified to perform their teams’ primary missions.
Cyber operations require extremely high skill levels for teams to succeed against critical military and intelligence targets reliably and effectively. Low-skill cyber personnel can opportunistically attack soft targets and sometimes break something. On the defensive side, they can update firewalls and follow cyber security checklists. But if the need is for forces that can bring down specific targets at specific times to support operations in other domains, attack hard targets, or effectively react to adversary intrusions, then higher training standards are required. Consequently, the Cyber Mission Force’s standards required for executing real missions are mostly based on equivalent National Security Agency standards.
Many defenders of the status quo argue that Cyber Mission Force personnel should be trained to lower standards. However, the justification is nearly always based on the current military services’ difficulty meeting current operational standards, not operational requirements. With the complexity of tools and targets, the skills that better trained adversaries bring to the fight, and the fact that many missions require the ability to work with partners, a cyber operator or analyst who is at the minimum “fully trained and qualified” readiness standard is usually dead weight for their team’s wartime mission.
This issue is distinct from the historical issues discussed above — not only did past readiness assessments double-count each “fully trained and qualified” member, but many of those being double-counted were only halfway through the training required to perform routine missions. Today, Cyber Command has built new readiness reporting systems allowing both Cyber Command and subordinate commands to see individual training across the Cyber Mission Force. This prevents some previous forms of cooking the books in readiness reports, but the improved visibility only confirms that the force’s training numbers remain more deeply troubling than most cyber thinkers and commentators realize. To give one example, an elite unit recently requested that all of its cyber operators be fully mission-qualified operators on their second operational assignment. Cyber Command responded that all of those people across the Cyber Mission Force would fill less than half of the unit’s billets.
Structural Failure
This is ultimately a structural problem — the current military services are extremely reluctant to change their promotion and talent management processes to accommodate the long timelines required for mission effectiveness in the cyber domain. Even when formal rules are changed, informal cultural expectations often deter junior and mid-career personnel from applying for the assignments and training that would make them elite cyber operators, analysts, or developers.
This structural bias against tactical proficiency and mission effectiveness does not just reduce the supply of trained and ready personnel by prematurely forcing operators and analysts out of tactical roles. It dramatically reduces the supply of qualified trainers for new operators and analysts — creating bottlenecks at critical points in the training pipeline and preventing troops with multiple years of training from completing mission qualification.
Worse, it creates a toxic combination of poor talent management and poor leadership in many parts of the Cyber Mission Force. With promotion largely restricted to those willing to choose service promotion requirements over becoming mission-effective cyber professionals, the quality of cyber leaders suffers. There are a few exceptions, including Air Force officer operators, Army warrant officer operators and analysts, and Navy officer developers. But in the majority of the services’ cyber career fields filling the Cyber Mission Force, this dynamic creates significant morale and retention problems among cyber officers and non-commissioned officers. Congress sought to address these issues when it required Cyber Command to monitor promotions across cyber career fields (Title X, s. 167b (2)(a)(x)), but for half a decade, Cyber Command has failed to fulfill this legal obligation.
Both Congress and the Department of Defense have sought to address the Cyber Mission Force’s retention issues in recent years, but these efforts have mostly focused on the financial side of the problem. Those problems are real — mission-qualified cyber non-commissioned officers are often paid significantly less than the market rate for their skills while assigned to high-cost-of-living areas. But in my experience, financial issues are secondary. The primary drivers of low retention have been poor talent management and poor leadership, as service policies that punish or prevent building cyber expertise push many out of the military.
Conclusion
Despite rarely claiming its forces meet Department of Defense readiness standards, Cyber Command has a long history of significantly overstating the skill and readiness of its forces. An honest appraisal of the percentage of the Cyber Mission Force actually qualified to conduct operations is deeply sobering and suggests that it would have severe difficulty executing wartime plans or supporting national strategy at scale in a crisis.
My years of experience working with allied cyber forces and studying adversary cyber forces have taught me there are four key organizational and cultural attributes that distinguish successful cyber forces from unsuccessful cyber forces: They require significant tech education before people begin specialized cyber training, they recruit and promote personnel who demonstrate the technical aptitude to understand the cyber domain, they have cultures of listening to experts regardless of rank and of de-emphasizing strict enforcement of military protocol or uniform regulations, and they stress higher education (particularly science and engineering graduate degrees) as a key part of career progression. None of these consistently apply to the forces the current military services provide to Cyber Command, which does not bode well for America’s ability to win a future cyber fight against adversaries like China that have built successful cyber forces.
These problems are inherent to the current structure of the Cyber Mission Force. Minor tweaks to assignment policy or retention bonuses will not solve the core problems causing the Cyber Mission Force’s readiness failures. The current services’ cyber priorities and talent management practices are not producing tactical proficiency, operational expertise, or domain knowledge at the scale the mission requires. Continuing to make gradual reforms within the current force structure will not fix the fatal problems with talent management and career progression that stretch across all services. Even with Special Operations Command-like or service-like authorities, Cyber Command’s need for experienced cyber professionals will continue to be a hostage to Air Force network management priorities, Army staff requirements, and Navy at-sea expectations for promotion. Moreover, many of the Cyber Command staff officers tasked with managing these problems are themselves victims of the cycle of perpetual amateurism, as most have little or no cyber experience.
Solving the Cyber Mission Force’s readiness problem requires a different approach. Without major structural changes, the United States risks conceding the cyber domain to adversaries in a future high-end, multi-domain fight. A sustainable force of experienced cyber professionals is a critical component of winning future multi-domain fights. However, the current structure of the Cyber Mission Force will not produce that force. Fixing these training and talent management problems requires a dedicated Cyber Force (i.e., a new military service roughly 20,000 strong that provides all offensive and defensive military cyber forces to both Cyber Command and the intelligence community). Winning the cyber fight requires breaking the cycle of perpetual amateurism — reorganizing military cyber forces into an independent Cyber Force focused on the cyber domain, able to create and invest in dedicated professionals to man, train, and equip effective cyber forces.
John “Strider” Cobb is an Air Force offensive cyber officer with over a decade of experience in military and intelligence community cyber operations. His experiences have ranged from laboratory researcher to deployed special operations planner. The views expressed are personal and may contradict the official positions of U.S. Cyber Command, the U.S. Air Force, the Department of Defense, other agencies of the U.S. government, or NATO.