WASHINGTON — The top member on the House Armed Services subcommittee focused on cyber had a stark warning about the how America’s greatest geopolitical rival is positioning itself to overwhelm the US military in cyberspace.
“China has 10:1 people doing offensive cyber to us. I think we should be expanding our capabilities,” Rep. Don Bacon, R-Neb., told Breaking Defense on the sidelines of the 4th Annual National Cyber Innovation Forum Thursday.
US Cyber Command does a “great job with what they have,” he said, “but I think we’re underfunded and undermanned.”
Recently a Pentagon official described how part of the command’s new CYBERCOM 2.0 force generation strategy is specifically designed to emphasize “domain mastery” over brute numbers.
“The Department of War will not match adversary cyber forces in sheer number, rather, we will maintain our advantage in the cyber domain through true domain mastery, essentially creating a ‘quality over quantity’ approach,” Assistant Secretary of Defense for cyber policy Katie Sutton said in a statement to Breaking Defense earlier this month, using the Department of Defense’s secondary name.
“Mastery” is one of the three priorities for Cyber Command 2.0, which was unveiled in November and describes, in part, how CYBERCOM will begin taking over the advanced training.
Each military services is currently tasked with providing the basic training to cyber warriors they present to CYBERCOM. An Advanced Training and Education Center (ATEC) will lead the more in-depth instruction beyond initial qualification, and a Cyber Talent Management Organization will look to identify top talent, holistically borrowing models from the medical, special operations and nuclear community.
But Bacon, who added quantity is a quality all its own, is not alone in having some skepticism about whether the “mastery” strategy will be enough on its own. Multiple analysts, former officials and former cyber operators who spoke to Breaking Defense described different challenges CYBERCOM will likely face — from logistics to cooperation with the military services it depends on.
“I have been arguing for a long time that the cyber force generation model is broken in each of the military services. Nowhere is this more clear in the failure to develop and retain sufficient ‘master’ level operators,” analyst Mark Montgomery of The Foundation for Defense of Democracies told Breaking Defense. “Given the threat environment we need both quantity and quality, and we will certain not get both in our broken force generation models and I am not sure we can get even one of those attributes (quantity or quality).”
Building Toward Mastery
While the department is taking this approach now, the notion of mastery has been around for several years as a way to mature the force.
The military’s cyber force is still relatively new, with the command created in 2009 and the cyber mission force in 2012. The force had to start essentially from zero to build, creating an issue of lack of experts or so-called “masters” — a literal, technical term for which cyber operators can qualify.
As the force began to increase in size — from the initial 133 teams to an authorized growth of 14 more teams in 2020 — the goal was to mature it in kind.
“My focus on mastery at that time was really a way to say we’ve already increased the size of the force from the 2020 relook, now we need to right size the training pipeline to account for that growth,” Michael Sulmeyer, the first person to hold the Assistant Secretary of Defense for Cyber Policy position after Congress created it in 2023, told Breaking Defense. “With every time you grow, you have to be able to somehow tell a story about what that pipeline is going to look like to get these individuals through. That’s where I wanted us to sort of pause and say, all right, well, then what’s the plan, what’s the goal to do that.”
He added that he wasn’t focused on the technical definition of mastery, but said the ultimate goal was to get more combat power out of the force through operators with deeper cyber experience and training.
As part of the CYBERCOM 2.0 plan and maturing the force, CYBERCOM said in a statement it is moving away from “a legacy one-size-fits-all approach to create masters” and looking at the entire talent management lifecycle in order to “deliberately cultivate, recognize and incentivize deep technical expertise, ensuring our operators have the sustained experience needed to dominate the domain.”
The goal is to build cyber warriors that can adapt on the fly and outmaneuver adversaries to consistently secure a “decisive advantage in cyberspace,” a command spokesperson said.
“U.S. Cyber Command can drive change swiftly through Cyber Talent Management Organization (CTMO), ACTEC, and Cyber Innovation and Warfare Center (CIWC) integrating with the joint force. Whether that means cultivating a targeted talent pool for expertise, baking these advanced skills into our foundational training, or standing up and equipping highly specialized units, we are building the flexibility to adapt and win, whatever the mission requires,” the spokesperson said.
The advanced training isn’t coming a moment too soon, as the US has been engaged in highly technical joint operations from Venezuela to Iran that demanded cyber support.
“There are a lot of recent operations that have been executed that have taught us a lot in terms of the level of cyber mastery that is required and will be required for the execution,” Vice Adm. Heidi Berg, commander of Fleet Cyber Command/10th Fleet, said at the Sea-Air-Space conference in April. “But it is really about how do you build cyber mastery across the spectrum of conflict, whether it is cyber mastery day to day in a contested communications environment — but nonetheless not in conflict — to building that cyber mastery to be able to operate in conflict and in combat.”
Potential Problems
However, since CYBERCOM 2.0’s release, some skepticism has emerged about the workability of some components — or how quickly it can be realized.
Erica Lonergan, assistant professor of International and Public Affairs at Columbia University, told Breaking Defense that CYBERCOM is right realize the US “is never going to out-compete China by focusing on mass in cyberspace” and said “qualitative edge” and “domain mastery” are “important components.”
“Broadly, I agree that it is important to focus on the quality of cyber personnel, not just engage in a bean-counting exercise,” she said.
But she cautioned, “Setting aside CYBERCOM’s limited ability to enforce generating personnel with domain mastery, there is the question of the timeline for implementation.”
Montgomery, who served as executive director of the Cyberspace Solarium Commission, said that any “effort to improve [the number of master operators] has to be embraced, however the continued failure to adopt a dedicated cyber force means any answer is proven and temporal in nature.” (The idea of a wholly separate Cyber Force, like the Space Force, has been a hotly debated idea in recent years.)
Critics have also pointed to suspicion that the other military services may not provide the best candidates, despite efforts to identify them early.
For their part, services officials said they’re on board.
The 16th Air Force, the Air Force’s service cyber component, said in a statement to Breaking Defense that “domain mastery is demonstrated through consistent, repeatable mission performance and the achievement of successful operational outcomes in complex settings” and it is focusing on “targeted recruiting to properly vector talent and the development of holistic career paths to ensure long-term mission assurance.”
Army Cyber Command noted it is implementing a variety of initiatives under CYBERCOM 2.0 to include a Cyber Management Division at the Army Human Resources Command, modeled after the Special Operations talent management framework, and a surgical Force Realignment, swapping billets between intelligence and cyber branches.
“Building true technical mastery — via depth or breadth — requires time, stability, and focus. The Army’s legacy personnel system prevented this by cycling people into generic assignments to advance their careers,” a spokesperson for ARCYBER said, noting those initiatives are their solution.
The Navy cyber component did not respond by press time, but at the WEST conference in February Anne Marie Schumann, principal cyber adviser to the service, said she’s “really interested in taking what we learn as we start to implement [CYBERCOM 2.0] and looking at how that translates not just to the force generation that I’m providing to Cyber Command, but for force generation writ large.”
“We’re going to learn things about best practices in recruiting or identifying talent. We’re going to look at things like how we incentivize,” she said. “This is a whole talent management model to include the training piece. I think there’s going to be a lot of applicability there for the services as well as service-retained forces.”
Mastery or not, back on the Hill Bacon said he thinks CYBERCOM needs more money. The command asked for $73 million for cyber operations in last year’s budget and $103.8 million in the fiscal 2027 budget.
At an AI conference in Washington earlier this month, the retiring Republican suggested that might change. In his remaining time, he said he is “working a review to maybe adjust the baseline for cyber.”
Aaron Metha contributed to this report.