In the lead-up to Russia’s invasion of Ukraine, “hunt-forward” teams deployed from U.S. Cyber Command to help the Ukrainians harden their networks and identify vulnerabilities—an early defensive play in a conflict that would be dominated by information operations and cyber threats. CYBERCOM also provided remote analysis to Ukraine and moved into high gear when the invasion began to mitigate threats and offer support for critical networks. The prominent cyber element in the current war has captured public attention and underscored the Pentagon’s emphasis on this emerging capability. And it will likely have implications for future defense budgets and growth strategies, the head of CYBERCOM said April 5.
“My sense is, we are learning a tremendous amount from our operations right now in support of the crisis in Ukraine that will likely inform us,” Gen. Paul M. Nakasone told the House Armed Services Committee’s subcommittee on cyber, innovative technologies, and information systems (CITI). “We’re a different force today than we were even four years ago when I took over.”
As Air Force Magazine reported in March, Air Force leaders have acknowledged that the Ukraine mission has stretched U.S. cyber forces thin and demonstrated the limitations of what they can accomplish at their current size and resourcing levels.
Asked about that report in the hearing, Nakasone acknowledged that Ukraine had been formative, though he deferred a detailed discussion of capabilities to a later classified briefing.
“What I would offer here is that one of the very big lessons that we’ve learned is the ability to deploy a number of different teams early on in a crisis to U.S. European Command,” he said. “And then working with [EUCOM Commander Gen. Tod] Wolters and his staff to make sure those experts, those teams, go to the places that are necessary.”
Created in 2012 with 133 teams and roughly 6,200 personnel, CYBERCOM is slated to grow by 14 more teams between now and fiscal 2024, with five teams added this year. About half of the 14 teams are slated to come from the Air Force. But Nakasone indicated that growth, authorized in the fiscal 2022 defense budget, could well be just a starting point.
“The question I often get asked is, is this enough? What’s the number of teams that you need?” Nakasone said. “And this is a study that’s ongoing right now within the department, to really determine what is the final number of teams we need for the future.”
Nakasone’s day on Capitol Hill included four hearings, with open and closed sessions before the House and Senate Armed Services Committees. The volume of questions he received on cyber warfare and resourcing, even while testifying alongside U.S. Special Operations Command leaders on the Senate side, highlighted the growing interest in cyber. Lawmakers invited Nakasone to ask for anything he needed and to be honest about any shortfalls or unmet requests. Many also asked detailed questions about CYBERCOM’s strategy to recruit and retain top talent, a particular challenge in light of competition from the civilian sector and immature career pipelines that are not yet standardized across the services.
Nakasone told CITI subcommittee chairman Rep. Jim Langevin (D-RI) that this standardization was a particular priority, and an area where change was coming soon.
“I’m working this very closely with the service Chiefs now,” Nakasone said. “This is something that Command Sergeant Major [Sheryl] Lyon is also working with the senior enlisted leaders: we have to standardize tour lengths, we need to standardize Active-duty service obligations.”
The Marine Corps in particular is a model in this area, he said. The Marines launched a cyberspace career track in 2018 and have emphasized policies that allow cyber troops to stay in that field once established.
“What the Marines have really done very efficiently, that I applaud, is the fact that they’ve lengthened their tours, in terms of how long they stay with us,” Nakasone told Rep. Seth Moulton (D-Mass.), a veteran Marine Corps officer who served in Iraq. “Most young men and women that come into the Marine Corps that want to be cyber warriors want to do cyber, so being able to do that for six-plus years at one location has been very, very attractive to them. And we see that in the payoff with regards to the retention numbers.”
Other creative efforts to attract cyber talent are also on the table. Nakasone mentioned targeted local supplements, a strategy rolled out in 2021 that allows CYBERCOM to pay rates higher than the set military schedule for high-end talent.
“People that are coders or people that have significant technical abilities, pay them at 28 percent more than the going rate,” he said. “That’s never going to, perhaps, compete with the private sector. But what it does do, it does give us a leg up on being able to say what you do is valued.”
Nakasone also discussed the incentive of direct commissioning, suggesting it may be employed more broadly as CYBERCOM grows. Currently, the Army and Coast Guard allow civilians to commission directly into the cyber officer corps. Like the Navy and Marine Corps, the Air Force has resisted using the direct-commission authority to bring civilians in, although it has employed it in limited cases for enlisted Airmen.
In a post on LinkedIn this month, Space Force Senior Cyber Officer Col. John Smail said that service was all in on civilian direct-commissioning.
“If you are a cyber/IT professional in industry or a government civilian and want to serve your country as a uniformed Active-duty Guardian, this may be an awesome opportunity for you!” he said.
Nakasone said this authority gave CYBERCOM “a certain amount of dynamic” in recruiting.
“Being able to do recruiting from a population of civilians, ‘Hey, come in and be a mid-grade officer.’ Or, as we take a look at our enlisted workforce and say, ‘Hey, why don’t you go spend six months with industry, or go get a graduate degree.’ These are all areas that perhaps we haven’t traditionally done within our services,” he said. “But this is a dynamic nature that I think we’ve got to approach the problem here in cyberspace.”
The Defense Department is now conducting the 2022 Cyber Posture Review, the first since 2018 on the size and capabilities of the cyber force. Once complete, it will inform CYBERCOM’s forward strategy and resource priorities. The conclusions are likely to emphasize the continued need to develop cyber talent as well as to recruit and retain those with the desired skills.
“Broadly,” Nakasone said, “Our supply is not large enough in our nation.”