WASHINGTON — The Defense Department has released a highly anticipated plan to attract and retain cyber talent by better integrating US Cyber Command with other military departments for recruitment and training, and establishing three new organizations to improve the military’s hacking and defensive prowess.

Announced late Thursday, the new effort is light on details, but “fundamentally changes the Department’s approach to generating cyber forces, enabling increased lethality in our cyber forces and establishing a warrior ethos built on domain mastery, specialized skills, and mission agility,” said Katie Sutton, assistant secretary of defense for cyber policy, echoing the priorites of Secretary of Defense Pete Hegseth.

The three “enabling” organizations will be a Cyber Talent Management Organization to “identify, attract, recruit, and retain an elite cyber force”; an Advanced Cyber Training and Education Center to “develop mission-specific training and education to build expertise and mastery”; and a Cyber Innovation Warfare Center to “accelerate the rapid development and delivery of operational cyber capabilities.”

The plan is additionally based on seven “core attributes”:

1. Targeted recruiting and assessments, seeking to assess recruits for the proper work role fit at US Cyber Command;
2. Incentives to recruit and retain top cyber talent;
3. Tailored and agile advanced training;
4. Tailored assignment management aiming to adopt career paths that enable the development and retention of cyber mastery
5. Specialized mission sets
6. Presented with headquarters and combat support; and
7. Optimized unit phasing that will support a sustainable operational tempo

“The War Department is laser-focused on strengthening our military’s cyber capabilities to defend the homeland and deter China. The Department has implemented an updated cyber force generation model that will enhance our ability to respond decisively against evolving threats in the cyber domain,” Pentagon policy chief Elbridge A. Colby said in the announcement, using a secondary name for the Department of Defense.

CYBERCOM 2.0-ish

The plan appears to be a revised version of what was initially called CYBERCOM 2.0, which was thought at the time to be an ambitious effort first unveiled by then-US Cyber Command chief Gen. Paul Nakasone on his way out between the end of 2023 and the beginning of 2024. At the time, it was described as a way to respond to a variety of congressional studies required and a way to modernize the command, as its structure and forces have remained largely unchanged since its inception 15 years ago.

The CYBERCOM 2.0 initiative was first approved at the end of the Biden administration and included four broad pillars, including the three newly announced organizations. The fourth was billed as a new force generation model for how each service provides cyber forces to CYBERCOM.

The Trump administration initially asked to speed the implementation plan up that the Biden administration approved, and then sent the plan back to the command to rework.

The command’s top enlisted leader noted at a military cyber conference at the end of June that much of the components from the original effort would remain, but they planned to add to it.

“We’re in the middle of re looking at it … a lot of the components that we have within the original, it’ll still be there, but we’re adding a lot more into it,” Chief Master Sergeant Kenneth Bruce, senior enlisted leader of CYBERCOM and NSA, said at HammerCon hosted by the Military Cyber Professionals Association. “I think [what] we’ll have to figure out is it’s really it’s the force [generation] model that we have to look at, and then are we working in partnership with the [National Security] Agency, where we’re not duplicating capability, where we’re not duplicating some things and we’re more integrated when we approach this problem set — with a focus on, how do we defeat our pacing adversary.”

Some observers and experts have criticized the CYBERCOM 2.0 effort as not bold enough, while others pointed to the fact that it was billed too high from the outset and was never meant to enact major, sweeping changes.

And though Thursday’s announcement has “force generation” in the title, former officials noted that the way forces are presented or generated likely will not going to change as part of this plan, but the way the force is managed will. Regardless of any potential force design or force structure changes, the three centers are and necessary regardless of what force changes could occur in the future, they said.

Issues With Organization, Incentives

CYBERCOM’s cyber mission force, the 147 teams each service provides to CYBERCOM to conduct cyber operations, has been plagued by readiness issues almost from the start, according to former officials and experts. One of the core problems the command suffers from is it is reliant on the services to provide the trained and ready forces. Cyber has typically never been a huge priority of the services, despite pledges to the contrary, according to experts, congressional staff and former military officials.

As experts and former officials have indicated, if a service chief doesn’t have enough forces to fill out their own units, be it an armored brigade or a squadron, the last thing they’re going to think about is getting more cyber personnel to CYBERCOM.

In a revealing moment, when asked if he felt he prioritized the readiness of the cyber force on par with ships, aircraft and submarines, former chief of naval operations retired Adm. Michael Gilday said in September that he’d done it “not as effectively,” adding he thought he could have done a better job.

And despite Thursday’s rollout, the question still remains of how much sway does the commander of CYBERCOM have to compel the services to provide more forces or make changes to meet mission needs.

When it comes to developing, maintaining and retaining top cyber talent, the command and DoD have struggled. Promotions and assignments come from the services, not CYBERCOM. Oftentimes, the department would spend years training operators only to have them rotate out of those roles to go back to their service. This not only created gaps in work roles, but frustrated personnel who wanted to be operators but didn’t have career paths and took salaries in the private sector that doubled or tripled what they made within the department.

In the background of the CYBERCOM 2.0 effort has been a harder push in recent years to develop a stand alone cyber force, a seventh military branch specifically focused on cyber. Proponents of a new military branch believe it is the only way to solve the myriad problems that have plagued CYBERCOM and the cyber mission force for years.

Opponents of a Cyber Force have said the command needs more time to exercise certain authorities to right the ship. Congress granted CYBERCOM expanded service-like authorities called enhanced budget authority, providing it authorization of the entire cyber operations budget, alongside its already existing acquisition authorities and joint force trainer role setting training standards across all the services.

These service-like authorities mirror how Special Operations Command is set up — with its own service-like secretary at the Pentagon, the assistant secretary of defense for Cyber Policy (created in the fiscal 2023 annual defense policy bill).

The CYBERCOM 2.0 effort, now just dubbed force generation, really boils down to better leveraging the authorities the command gained from Congress in recent years, according to former officials. Much of the activity under the new planning would be necessary regardless of a new service or not.