The Pentagon knows its cyber force model is broken. Here’s how to fix it

The U.S. military has tried almost everything to fix its cyber readiness issues except the one solution that would work: standing up a dedicated cyber service.

At a congressional hearing in May, senior defense officials publicly acknowledged that CYBERCOM 2.0 — an initiative launched by U.S Cyber Command (CYBERCOM) to overhaul how it builds and manages cyber forces — fell short of the Pentagon’s expectations. The effort was loosely modeled on Special Operations Command, but even under this model, CYBERCOM still lacks the authority to enforce common standards for the services, tailor recruitment to the unique dynamics of cyberspace operations, or control initial training. “We think it needs even more work,” said Laurie Buckhout, the acting assistant secretary of defense for cyber policy.

There have been attempts to address structural shortfalls in the past. Most recently, Congress granted CYBERCOM enhanced budgetary control in fiscal year 2024, giving the command oversight of roughly $2 billion in acquisitions for cyber tools, systems, and training. But the services still control the vast majority of cyber acquisition funds.

More than two decades after declaring cyberspace a warfighting domain, the U.S. military relies on an inefficient and ineffective solution to generate the capabilities needed to defend it. CYBERCOM holds the primary responsibility for operating in and through cyberspace, but it relies on personnel drawn from five different military services to do so. There are no common standards for recruiting, initial training, or career progression across the services, and none treats cyberspace as a core mission. The result is chronic readiness gaps, inconsistent quality, and top talent regularly lost to the private sector.

The solution is not more reform around the margins. Instead, a dedicated U.S. Cyber Force is long overdue. A U.S. Cyber Force would unify the responsibility for recruiting, training, and promoting cyber talent under one roof. It would foster a cyber-native culture, prioritize cultivating mastery within the cyber domain, and allow for a more flexible, mission-driven force structure. This construct is consistent with how the military organizes itself to man, train, and equip forces across all the warfighting domains. And it is structurally and fiscally viable.

Some critics argue that a U.S. Cyber Force would be too costly and duplicative. But the initial budget would be largely budget-neutral by consolidating existing cyber funding. The fact is that the Department of Defense is already paying for this force, but scattered across five services, with a cyberspace activities budget of nearly $15 billion.

If a new service were created, CYBERCOM would remain as a unified combatant command and serve as the primary force employer — just as U.S. Space Command does for the U.S. Space Force.

The U.S. Cyber Force should focus on generating capabilities for three core missions. First, it should be responsible for generating forces for national-level defensive cyber missions, such as defending against active and ongoing threats facing the Defense Department or supporting defense of critical national infrastructure. Second, it should organize, train, and equip for offensive cyber missions to project power in and through cyberspace, both as an independent capability and as an enabler of joint force missions and objectives. And third, it should generate capabilities to support cyber-related military intelligence — especially foundational intelligence relevant for the cyber domain.

Scoping the remit of the U.S. Cyber Force will be critical to ensure its effectiveness, and some functions must remain outside its purview. For example, the U.S. Cyber Force should not take over the Defense Department’s day-to-day IT operations — it cannot and should not be the cybersecurity service provider for the department. Its role should also be carefully scoped when it comes to related but not core functions, such as information warfare or artificial intelligence.

In short, the U.S. Cyber Force must focus squarely on warfighting readiness in cyberspace — building elite forces to defend national interests, deter adversaries, and, if necessary, fight and win in the cyber domain.

In designing the new service, the architects should focus on five core design principles. First, the service should prioritize quality over quantity, recruiting and retaining the right people to perform the mission. Second, the U.S. Cyber Force should establish a model where career progression follows from demonstrated expertise, rather than time in service. Third, in light of the dynamic nature of the cyber domain, the force should be structured to enable flexibility and adaptation over time, as missions, technology, the threat environment, and other factors evolve.

Fourth, standing up the service should involve a phased transition, taking due care to minimize impact to ongoing cyber operations. And finally — and most importantly — the service must focus on organizational leadership and culture. The U.S. Cyber Force can succeed to the extent that it fosters an organizational culture conducive to the cyber domain.

Every year the Pentagon delays creating a U.S. Cyber Force, the military remains underprepared for modern conflict. Establishing a dedicated cyber service is not a moonshot. It is the logical next step to build a purposeful military for a domain the United States can no longer afford to neglect.

Erica Lonergan is an assistant professor at Columbia University’s School of International and Public Affairs and an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. She previously served as a senior director on the bipartisan Cyberspace Solarium Commission.

Jiwon Ma is the senior policy analyst at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, where she contributes to the work of CSC 2.0 and authors its annual assessments.