Lawfare Daily: The Case for a U.S. Cyber Force

[Audio Excerpt]

Erica Lonergan

The services each have their own and different standards for what it means to generate forces for cyberspace. And understandably, the services don't prioritize cyberspace as much as they do their core warfighting priorities and functions.

Eugenia Lostri

It's the Lawfare Podcast. I'm Eugenia Lostri, Lawfare's Fellow in Technology Policy and Law with Dr. Erica Lonergan, Assistant Professor in the School of International and Public Affairs at Columbia University.

Erica Lonergan

We don't want to get to a point where there's a realization that, “maybe we should actually be organizing our forces this way because, we're not at an appropriate state of readiness and we have this contingency or confluence we have to deal with.” Ideally, we'd like to do this now, right, before we're in some prospective conflict with a highly capable near-peer or peer adversary. 

[Main Podcast]

Eugenia Lostri

Today, we're talking about the organization of the U.S. military in cyberspace and whether setting up a cyber force is the best path forward.

So there's two concepts that will underpin a lot of today's conversation that I think it would be useful to begin with. And those are A) responsibility for force generation, and B) responsibility of force employment. So tell us a little bit about these concepts and how they relate to the issue that we're going to be talking about today, which is the organization of the U.S. military in cyberspace.

Erica Lonergan

Yeah, thank you so much for that question, because this distinction between force generation and force employment is really the foundation of the argument that we're making in this report, that the time has come to establish an independent, uniformed, separate service for cyberspace.

And so, this distinction goes all the way back to the Goldwater-Nichols reforms in the 1980s, which established these distinctions between the roles and responsibilities of the military services. The Army, the Navy, the Air Force, the Marine Corps, and now the Space Force, and the Combatant Commands: CENTCOM, INDOPACOM, Cyber Command, CYBERCOM, and so on. The distinction between force generation and force employment is that the services are, according to Title 10 of the U.S. Code, are responsible for organizing, training, and equipping personnel within their respective warfighting domains. And then those personnel are employed by the force employers, the combatant commands, for various missions and objective around the world and through various functions.

And the reason why this is the crux of the argument we make in this monograph is that the way the U.S. military is currently organized when it comes to cyberspace is that Cyber Command is the primary force employer for cyberspace operations. However, the responsibilities for force generation are spread out across all of the existing services. So the Army, the Navy, the Air Force, the Marine Corps, and now most recently, Space Force, are responsible for presenting the forces to Cyber Command to be employed.

And the challenge with this is that the services each have their own and different standards for what it means to generate forces for cyberspace. And understandably, the services don't prioritize cyberspace as much as they do their core warfighting priorities and functions. And so that's really at the heart of the argument that we're making.

Eugenia Lostri

So when we talk about the way that the U.S. military acts in cyberspace, what type of operations or responsibilities should we keep in mind?

Erica Lonergan

Yeah. I think one easy distinction to make is thinking about the difference between offensive cyber operations and defensive cyber operations. Typically offensive cyber operations—and these are all defined much more precisely in joint doctrine. So if you want to get delve into the details of that you can check it out in terms of how it's officially defined. But from a basic perspective, offensive cyber operations entail gaining access to and causing effects against adversary targets through the use of cyberspace, whereas defensive cyber operations are about defending your own networks and systems. Although there are certain types of activities where defensive operations look little bit like offensive ones in terms of a more proactive defense, right. Then there's also a set of operations called DODIN operations or Department of Defense Information Network operations. And those are the basic things that need to be done to build and maintain and operate the DOD's own information systems, so all of the various IT infrastructure that the Department of Defense is responsible for and on which lots of things rely. So I would think of three broad categories of cyberspace operations.

Cyber Command is primarily responsible for those first two, right, for offensive and defensive cyberspace operations. There are segments of the DODIN that Cyber Command is responsible for, but defending the broader DoD information network is a much broader mission.

Eugenia Lostri

So CYBERCOM is primarily responsible for force employment when it comes to cyberspace, right? So tell us a little bit about the history of how did the U.S. end up with a cyber command? How has it evolved to maybe better serve the needs that the domain needs?

Erica Lonergan

Yeah, so there's actually a lot of really great work that's been done to memorialize the history of the creation of U.S. Cyber Command. And Mike Warner, who's the Cyber Command historian, has done a lot of great work on this topic, and there's a lot, many of his articles that you can read that get into the details on that.

Basically, Cyber Command was stood up in 2010, and what it did was it combined joint elements that were separately doing offense and defense in cyberspace into a single joint functional combatant command. So this was in 2010. And when Cyber Command was first established, it was created as a sub-unified combatant command under U.S. Strategic Command. It wasn't until 2018 that Cyber Command was elevated to a unified combatant command, taken out of Strategic Command and given its own independent combatant command. And that took place alongside a lot of other changes to strategy and law and policy that gave Cyber Command much more operational purview. And it also took place alongside Cyber Command certifying that it had reached a full operational capability. So it was fully staffed and ready to carry out all of its missions in cyberspace and was also elevated to a unified combatant command at that time.

Eugenia Lostri

Your report paints quite a picture about the range of challenges that the status quo presents. And it goes from inconsistencies across services, which you've mentioned, to the lack of mental health support. Tell us a little bit more about what are some of the most pressing challenges and how do they relate to the way in which force generation for cyberspace is structured?

Erica Lonergan

I guess for me what I found to be most compelling about our report and about the research we did was that we really tried to capture and, to the best of our ability, represent the experiences of the 75-plus personnel who we interviewed as part of our research. And what stood out to us across the services, across ranks, was that there were these kind of common themes about a lack of readiness that all stemmed from these inconsistent priorities and training and educational approaches across the services. And just in general, a mismatch between service cultures and the kind of culture that the military really needs to foster in order to be effective in cyberspace.

I think that, when you think about, what are the roles and responsibilities of a service, and we think about it in terms of organize or man, train and equip, there are areas where improvements could be made across all of those. I think the most important really comes down to the personnel piece. And I think that's what distinguishes the requirements of operating in cyberspace from some of the other domains. Cyberspace operations require having the right, appropriately skilled, technically proficient, person matched to the right work role in order to be able to accomplish that task. And so it means that quality of personnel and being able to retain and effectively promote those personnel over time is really essential for readiness and for operational effectiveness over the long term.

And the challenge that we found over and over again was that so many of the of the gaps and challenges that currently exist can be derived from this challenge of personnel, right? Because the reality is that each of the services have their own priorities and requirements and approach to promotion and personnel management and so on that come from decades and decades of prioritizing warfighting within their specific domain, as they should. But what it means, for instance, to organize, train, and equip competent warfighters for fighting in the land domain or in the maritime domain are just simply different from the cyber domain.

I'm not convinced that persisting in the status quo where we keep those responsibilities across all of the services will be sufficient to address this problem of, how do you actually identify, recruit, train, educate, and promote and retain the right personnel for the cyber mission.

Eugenia Lostri

During this interview process, while you were talking to people, was there a moment or a particular anecdote where you just went, “Oh wow, things are just worse than I expected,” or, “This really encapsulates the need for a new approach?”

Erica Lonergan

Yeah. So first of all, I just want to underscore how much I appreciated, from just a research perspective, being able to engage with the individuals we spoke with, their willingness to speak in a very candid way about their personal experiences. And I know this wasn't your question, but just to give some context, the reason why we don't—we have a compendium of all of the interviews, but we made a decision to publish what we felt were representative quotations for them because we wanted to preserve the confidentiality of the people who we interviewed. And these individuals are taking some measure of professional risk in offering their candid assessment. And so I just thought that would be an important point to share.

But in terms of what stood out to me or what I found to be the most compelling, or I guess even really the most shocking, was the shell game that we talk about in the report with full operational capability. And again, this gets back to the personnel issue, the reality that there simply isn't a sufficient number of appropriately trained and skilled personnel to achieve a level of readiness that's required. And so, a number of people we interviewed talked about how various teams may certify that they've achieved full operational capability, but due to a variety of kind of bureaucratic maneuvers that are being played, they're not truly in practice at full operational capability. So that was just to me, I think the most, not surprising, but just really the most compelling.  And also the fact that it was something that we didn't just hear from one person, right. This was like a common narrative that we heard from lots of different people that confirmed to me that this is more of a systemic challenge. And then, and again, gets back to this issue of making sure you have the appropriately trained people who are able to accomplish the mission.

Eugenia Lostri

And just to make it super clear for everyone, what would a full operational capacity involve?

Erica Lonergan

Oh, it's just literally like certifying that you have a certain number of personnel in your unit that you are supposed to have and that are ready to accomplish the mission. They're all trained, they're all certified, they've checked all the boxes. They meet all the requirements. Those requirements are set. There's claims that they're at that capacity, but perhaps in practice, they may not be.

And there are other things too, that just in general diminish readiness, even for units that may truly be a full operational capability. And this is something we also talk about in the report. It gets at this tension between operational control and administrative control of personnel. So if you are, let's say, an army officer and your current position is at Cyber Command and you are on a Cyber National Mission Force team, right? Cyber Command has operational control. They have OPCON over you, but your parent service, the army, in this hypothetical example, still has administrative control over you, ADCON. And they can demand certain things of you and your time that could take away from you accomplishing your mission. This could be things like a service like potluck—I'm trying to think of like really banal types of types of requirements, other sort of administrative requirements. And that was another thing that came up in some of the interviews. A number of the interviews that we had was this this tension between those things that the services are demanding from you, and those things that are essential for your operational mission.

And of course like this ADCON, OPCON challenges exist in lots of different contexts. I don't mean to exaggerate its salience when it comes to cyberspace, but it does get back to this sort of broader challenge of the services having just different priorities, different standards for promotion, which is particularly important for retention than maybe, the priorities of an individual service member who's looking for a career in a particular service in cyberspace.

And so for what determines your promotion—and I don't mean to keep harping on the army, but I'll just—but it's true for all of the services, right, it's the service that determines the key roles that you need to have, the key boxes you need to check, basic requirements that you need to not be delinquent on like physical fitness requirements and so on and so forth in order to be able to advance. And those things don't always match up to the things that are important in order to be able to quote unquote “advance” in a cyber career. And that's never going to change unless there's a single unified entity that has the primary responsibility for organizing, training, and equipping personnel in cyberspace, for there to be a service.

Eugenia Lostri

So one of the things that I found very compelling as I was reading the report is that these inconsistencies between the services when it came to field designations or the skill sets that they were prioritizing or how they were training people and the aftermath of that, when all of these differently trained, differently prepared people go to the same place, like that really creates a challenge to the culture of CYBERCOM, right? Because, you might have people who are at different ranks doing a similar job or are being paid different salaries. And those things, they get around. Everyone talks about, how much are you making? And I could imagine that really creates some tension, some friction. What were your findings there?

Erica Lonergan

Yeah, I think that you're 100 percent right. It is a big challenge when you have various personnel coming to fulfill similar or comparable work roles. And they have different types of training, they may be different ranks, differently compensated, and so on and so forth. And I do think that's something that makes it difficult to cultivate a cohesive organizational culture within Cyber Command.

Although it's important to emphasize that our quote unquote “critique” in this piece is not of Cyber Command per se. We think that CYBERCOM is doing an exemplary job in the environment in which it's operating, right. And it's in this position where it's gaining these incremental service-like authorities. But at the end of the day, they're not sufficient to overcome what are the systemic challenges that are presented by how we currently organize the military and cyberspace. And so, that was definitely another theme that kept coming up in terms of the inconsistencies across training, across roles, across pay. And we have a chart in the paper that literally maps out the different work roles and how the services define them and how Cyber Command defines them. And you can just see visually from it that there isn't consistency and uniformity there. And that is a direct result of the way that the system is set up right now.

Eugenia Lostri

The other thing that struck me was the perception, probably rightly so, that the cyber component is maybe less of a priority for many of the services, right? And there is a little bit maybe, a culture of bullying. I do have some terms around some of the analysts being called nerds or, which just really struck me, right, because maybe because we're in the cyberspace world, we just constantly hear about the importance of that mission. Can you tell us a little bit more about that? What are some of the examples, maybe, that you collected during your interviews? But also, what is the impact of that kind of awful situation on the very present challenge for, I think, almost everyone that is talent recruitment and retention?

Erica Lonergan

Yeah. I think I completely resonate with what you said in terms of those of us who work in the cyber field more broadly. I think when we look up and we look around and we see the importance of cyber and we just wonder why no one else gets it. I think that's extends to how the services think about cyberspace. And again, that's rational, right? From an organizational perspective, that makes a lot of sense because the core fundamental imperative of each of the services is to develop personnel for warfighting in their unique domain. And what it means to be a sailor or a guardian or an airman or soldier and so on, it's different. They're all fundamentally distinct, they have unique requirements, and the services have built service cultures around what it means to be a warrior in each of those domains. And as we've been talking about, cyber doesn't neatly fit into that. And so, would the Navy care about cyber as much as it cares about building and training and organizing its personnel for war at sea, right? It makes perfect sense when you think about it, but this is the system that that we've ended up with.

I think a really compelling example, getting back to the Navy again, is Congress had to force the Navy essentially to create a service, a designator, for cyberspace because the service was resistant to doing that and it took congressional intervention to make that happen. And Congress has intervened numerous times over the years to request information and studies and so on about the state of readiness of the military's forces in cyberspace. I think some of the same conversations and concerns that were had years ago, you could replay those tapes again today, and it's the same issue because nothing has—there have been incremental changes at the margins, which have been important, but the fundamental structure persists. And that's why we're in this situation that we're in.

Eugenia Lostri

Now, you outlined the case for setting up a specific cyber force. And before we get into that, I do want to talk a little bit about these incremental changes that you just mentioned. Just tell us what were those and why do you think they were maybe not enough?

Erica Lonergan

I think the most significant incremental changes have been changes to acquisition authorities, which has given Cyber Command increasing service-like responsibilities, similar to Special Operations Command, which does have unique service-like responsibilities. So there have been incremental improvements to Cyber Command's ability to control resources for acquisitions rather than have the services control those resources. The most recent is enhanced budgetary control. That's just the most recent example. There have been other, smaller efforts to give Cyber Command greater purview and authority over directing and controlling its resources to acquire capabilities. That said, the bulk of the acquisitions is still taking place—the services are still responsible for the bulk of the acquisitions.

I think the reason why, from my perspective—and I think gets at this comparison of the SOCOM model versus a service model, which is, one of the most prevalent counterargument to establishing an independent service for cyberspace is that instead, Cyber Command should follow the Special Operations Command model, the SOCOM model. And this is something we talk about in the paper, too. And SOCOM is unique because it's a combatant command. It's the primary force employer for special operations. But it also has these unique, service-like functions, particularly when it comes to acquisitions, although there has been a good deal of controversy around SOCOM’s approach to acquisitions and some of the failures and problems that have been manifest over the years. So I'm not sure we want to point to that as the most effective model. But Cyber Command has been incrementally moving toward more of a SOCOM-like model, especially with this most recent enhanced budgetary control, which gives Cyber Command service-like authorities when it comes to acquisitions.

I think there are a couple of important counterpoints to that model. The first one is that I think the SOCOM model doesn't translate easily to cyberspace because the reality is that each of the services still provides personnel to SOCOM and they provide those personnel because they are uniquely equipped to train them in domain-specific competencies. So, the training that's required for an army ranger to be proficient at special operations on land is different from what's required for a Navy SEAL to be proficient at that form of special operations. And those are domain-specific proficiencies. That's not comparable in cyberspace. For the most part, there isn't a sort of land warfare-specific competency for cyber operations that only the Army could provide, or only the Navy, or only the Air Force, or only the Marine Corps. So I think that's one counterpoint to the SOCOM model. There are still unique, domain-specific requirements for special operations that don't exist in cyberspace.

I think the second is the challenge of the dual hat and the reality that adding service-like responsibilities to Cyber Command would be effectively adding another hat to an already burdened commander. The debate about the dual hat is its own thing and we could probably—I know Lawfare has had, I'm sure, many podcasts debating the dual hat structure. Very quickly, the basic idea is that the commander of Cyber Command is also dual hatted as the director of the National Security Agency. This goes back to that history we were talking about earlier, the original key founding decisions when Cyber Command was first created to instantiate it as a dual-hatted commander with NSA. And a lot of that had to do with the immaturity of the command at the time and the reliance on the NSA for all kinds of things.

There's been this ongoing debate about whether the dual hat should be split. And one of the critiques of maintaining the dual hat is that it's simply too much responsibility for one person to have and that separating it out will alleviate that burden. Whether or not you agree or disagree with that proposition, the reality is that if you add service-like responsibilities onto a dual-hatted commander, certainly that will even further burden that individual. We've had wonderful commanders of Cyber Command and directors of the NSA. But they're humans, right? And there's only so much that that any human can do.

I think a third issue has to do with civilian oversight and control. The reason, and this gets back to Goldwater-Nichols and the roles and responsibilities of the services and the force employers, the combatant commands, is that there is civilian oversight of how the services make decisions about acquisitions. And if you simply give Cyber Command more service-like authorities, you don't necessarily have a comparable mechanism of civilian oversight that you have when it comes to each of the services. I could go on, but I think those are the most critical points to that counterpoint.

Eugenia Lostri

So I actually want to move on and talk about cyber force. You make a very compelling case that is the best path forward to address many of these issues. But I'm going to go with the basics because I don't know this. So what does what does having a force entail? Like what becomes available? What are the differences?

Erica Lonergan

So it essentially means that the responsibilities that are currently residing across the services for organizing, recruiting, training, educating, developing, promoting personnel for cyberspace operations would now be the primary responsibility of a service. It's not like those responsibilities would go away. They would simply be cohered in a single entity that would have that primary responsibility. So essentially, everything, all of the things that all of the current services are able to do would be something that the cyber service would do.

So figuring this all out would mean figuring out, who are the type of people we're trying to recruit? Defining the work roles, figuring out, do we need the same types of requirements that we have for other work finding domains in cyberspace? Do we need individuals to be able to pass a physical fitness test? Do they need to have the same types of grooming standards? All of these questions, and they may seem like inconsequential ones, but I actually think that when it comes to recruiting, when the government and the military in particular are competing against the private sector in this space, and there already is a cyber workforce shortage across the federal government, these are really important topics for the quality of life of service members. And it also gets at fostering things that will enable fostering a unique cyber-specific service culture. Like, when you close your eyes and envision what does a cyber warrior look like, maybe it looks like something different from what a what a soldier looks like. And it probably should, right? Because fighting in and through cyberspace just is fundamentally different.

It would mean figuring out, what does education look like? What's the relationship between the service and industry, the private sector? What does a guard reserve component look like? These are all really big questions. These are things that we wish we could have tackled in this study and our report alludes to some of them. But that's why we think it's really important for Congress to direct an independent study of these issues because that study would have the authority and the access and remit to actually start to address these bigger questions. What does organization look like? What does education look like? Who are we trying to recruit? How do we train them? How do we work with the private sector? How do we have an effective reserve component? How do we have unique ways of on-ramping and off-ramping personnel?

So there's, I think, a wide horizon out there and lots of opportunities to start from a proposition of, what should force design look like? And these are questions that can only be addressed in the context of having an opportunity for an independent service.

Eugenia Lostri

I could imagine, and in fact, it is one of the, I think, it's the first counterargument that you present in your report to establishing a cyber force is now if you do that, you're going to go straight into a whole bunch of budgeting concerns. It's going to create personal problems for the other services. It's going to negatively impact readiness in the short term. I'm just reading from your report, right. So how do you answer to that? Because I could imagine that setting up a whole new force, that just sounds like more bureaucracy to many.

Erica Lonergan

Yeah, and I've heard that argument from a lot of people. I think that first of all, we did just create a new force a couple of years ago, Space Force, right? So we have a model that we can look to. And Space Force also has some unique aspects to it in terms of specific requirements for personnel and skill and so on.

I think, though, that the idea that it will create more bureaucracy, I don't find compelling because we already have so much redundancy in the way that we do things. And that's because each of the services is essentially replicating, but in a different way, their process for generating forces for cyberspace.

So, yeah, there would be a transition period, but in the long term, even in the medium term, I think that the case for efficiencies and reducing redundancy is more compelling. And I also think that we don't want to get to a point where there's a realization that maybe we should actually be organizing our forces this way because we're not at an appropriate state of readiness and we have this contingency or confluence we have to deal with. Ideally, we'd like to do this now before we're in some prospective conflict with a highly capable near-peer or peer adversary. So I see now the time as being ripe to actually think proactively about these changes. And I would challenge advocates of the status quo to justify why we shouldn't make these changes, to shift the framing of the question to those who advocate for maintaining the status quo or making incremental changes to the status quo when, at least from my perspective, I think none of those changes will be sufficient to achieve the objectives that we're trying to achieve in cyberspace.

And I think, and this is based on our interviews and also conversations I've had with people in the field, both before and after this report came out, everyone agrees that the status quo isn't working. The disagreement is how to fix it. And so, I think at least as the lowest bar is having a full study to examine this question and present an option for what a cyber force could look like.

Eugenia Lostri

I think maybe the alternative that I was most baffled by was that Space Force should be responsible for force generation for cyberspace. Why is that an option?

Erica Lonergan

I too am baffled by this question. We put it in there because we've had people come up to us and say, “Why can't Space Force just do this?” So we thought that maybe we should preempt that that response and tackle it head on in the report. I think because Space Force is the newest service, because it's relatively small, I think it's about right now, I think 15 or 16,000 personnel, but that number may not be perfectly accurate. But the idea is that it's relatively small, it's new, it's also this kind of emerging tech domain area. So maybe Space Force should assume responsibilities for force generation in cyberspace.

I think that argument falls flat because again, like space has its own—you can't easily transfer the skills for what you need for operating in space, operating in cyberspace. That doesn't mean that there aren't some synergies between space and cyberspace, right? Cyberspace presents a critical vulnerability to space assets. But that's true of other domains and capabilities as well because of the ubiquity of cyberspace, of information technology and so on. So I agree with your bafflement. I'm not sure why that's a counterpoint, but people have raised it. So we try to do our best to address potential responses.

Eugenia Lostri

The question of size is something that comes up several times and how many people do you need in order to make a cyber force? What would be an efficient force? And what do you need them for?

Erica Lonergan

Yeah, so we throw out some rough ideas in the paper of what we think an optimal size would be. I think our initial idea is that you start with around 10,000 people and that means taking—so right now the cyber mission force is about 6,200 personnel, but it's set to grow by a certain number, a little bit more. So you take that, those billets, along with some other elements, administrative elements and staff elements and so on. So roughly 10,000 personnel would comprise an initial size of a cyber force. Over time, we would expect it to grow, maybe significantly, to perhaps 30,000. But still, that pales in comparison to the size of the other services.

And I think this question of size is important to emphasize because when it comes to cyberspace, and here is where you do see similarities with Space Force, quality is more important than quantity. So the army relies on mass, right? When it comes to the prospective cyber force, the key would be quality of personnel. And at least from my perspective, I think it would be better to have billets go unfilled than to get filled by insufficiently trained or qualified personnel. And so we envision this force as a small, dynamic, highly proficient, adaptive force. Not this huge entity that would rival the size of some of the other services, because that's not where the locus of effort needs to be.

Eugenia Lostri

Now, if I was to come to you and be like, love it, love the cyber force, let's set it up, how do you go about it? What should be the practical next steps in order to get this set up?

Erica Lonergan

I do think I would be so happy if the powers that be came to me and said, let's do it. But I truly do think that there has to be a full study on how to do this. But there are processes for—well, first of all, I would look to the Space Force to see what was the process that they went through in order to establish their force. I think there will be a few critical decisions that should be thought about carefully that will really set the conditions for success over the long time. In general, early decisions is, as we can see from the history of Cyber Command, have longevity, they have stickiness. And so really thinking about, for instance who is the first Chief of Cyber? Who is that individual? How are they going to set the tone and the culture for the broader service? Who's going to be the first commandant, the first person running the cyber schoolhouse, that will be responsible for educating and training personnel? What will be the priorities in terms of recruiting, like the defining work roles and specializations and various requirements and attributes of personnel that we're trying to recruit into the service?

And so I think thinking through kind of those early questions really anchored on the personnel piece will be essential. But there is this process. Of course the military loves acronyms. And we can think about this through DOTMLPF-P. Doctrine, organization, training, there's personnel, there's facilities, there's policy. I'm not going in any order anymore. But basically, military organizations know how to do this and there are various considerations that need to be taken into account when, standing up a new force. I think that those processes also make sense for cyber, but they have to take into account what are the unique aspects of operating in and through cyberspace.

And also, a unique aspect of creating a cyber force, as distinct from the Space Force, for instance, is that a new cyber force would be drawing in personnel from across all of the services, whereas Space Force largely, the personnel who populate Space Force largely came from the Air Force. The same is actually true for when the Air Force was created. It was created out of the Army, right? A cyber force wouldn't be created out of any single service. It would be created out of personnel from across all of the services. And so how you integrate them and create space and time for a unique coherent service culture to develop and get all of those individuals steeped in that new culture away from their prior service culture will be really important.

And then the other thing, too, is figuring out where a cyber force would live. We proposed in the piece that it would exist within the Department of the Army. We see this as a practical, most likely outcome if a cyber force were to be created. But what will be, I think from my personal opinion, really important is making sure that if a cyber force is, if the army is the executive agent for a cyber service, to give that service autonomy and space and time to cultivate a unique service culture. Like the Marines have a very unique service culture within the Department of the Navy. So having the space and the autonomy for cyber to do that and not having the Army service culture overwhelm what needs to be a distinct cyber service culture.

Eugenia Lostri

As you're thinking about the best ways to organize the military in cyberspace, do you look at the way that other countries, whether they're allies or adversaries, have gone about it?

Erica Lonergan

We've definitely thought about other models, both from an adversarial perspective and from a friendly allied and partner perspective. I think it's important, though, to not mirror image and make sure that a cyber service fits within the broader construct of how we, the United States, as a democracy—we've made decisions about how we organize our forces. So other models, I think, can offer insights or counterpoints or different perspectives. But I think it will be really important to make sure that a cyber service fits within the construct of how we, the U.S., organize ourselves.

For instance, from an adversarial perspective, a number of experts point to China. They have their strategic support forces that integrates cyber, information electronic warfare, psyops, and so on into a single cohesive force. The Department of Defense in the U.S. government have defined China as the pacing threat. So we do need to think about potential adversaries and what their capabilities are and what their concepts of operations are and what that may mean for us. But I think it's important to make sure that a cyber service fits in an American model of military organization.

From an allied and partner perspective, I do think there are insights that can be gained from other states. If you look at Unit 8200 in Israel, there are some unique ways that our partner has been able to recruit highly trained and talented personnel, standards for grooming and physical fitness and things like that, and really focusing on technical skills and specialization. Those are general insights I think that we can draw some best practices from, but also, we need to respect that we have a very different way of organizing our military and a very different relationship between our military and society, and it's important to preserve that.

Eugenia Lostri

So before we wrap up, I want to make sure, if you have any final thoughts that you want to make sure you get across, or if there's anything that we didn't talk about that you were hoping that we were going to talk about. The floor is yours.

Erica Lonergan

Yeah, thank you. First of all, thank you again so much for this opportunity to chat a bit more about this report. I hope this comes through in the report, but in case it doesn't, I really want to underscore it here is that I can certainly speak for myself, and I'm sure speak for my co-author too, on this when we say that we're coming at this from a perspective of truly of wanting to help make things better, not trying to take shots at cyber commands. That's not the intent of this piece. It's really to illuminate what we've learned about some of the readiness challenges and hopefully galvanize a debate and a conversation around how to address them. Because we take these challenges seriously and we think the consequences of not addressing them are significant.

The other thing too is that I know I've said this a couple of times, but I'll just say it again. I really do think that there's an opportunity for Congress to act here, not in simply waving a magic wand and creating a service, but actually directing a study that can be comprehensive and that can really fully explore this issue. We were able to interview 75-plus individuals because we did our best to network and have those conversations. But we think they're representative too of the general sentiment, but a congressionally mandated study would have far more access and remit to more completely study this issue and gain a greater and more nuanced picture. So to me, I see that as the critical next step. And I think there's an opportunity to do that hopefully in this Congress.

Eugenia Lostri

Thank you so much for joining me. This was a great conversation.

Erica Lonergan

Yeah, thank you for having me. This is wonderful.

Eugenia Lostri

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja. And your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.