Seven years ago, an op-ed titled “Fish out of Water” declared that "the military is an impossible place for hackers thanks to antiquated career management, forced time away from technical positions, lack of mission, non-technical mid- and senior-level leadership, and staggering pay gaps, among other issues." Despite the widespread fame and infamy of this declaration within the cyber community, these challenges remain largely unaddressed, except for the “lack of mission,” which has dramatically increased. Fifteen years after its establishment, USCYBERCOM and its supporting services still lack a culture conducive to executing highly technical operations or recruiting and retaining the necessary talent. A Foundation for the Defense of Democracies report last year quotes a retired Navy Captain describing USCYBERCOM as rife with "a lack of continuity of cyber personnel, unclear career paths, insufficient experience, wide use of non-cyber personnel in cyber leadership positions, and cyber operations being treated always as a supporting entity across all services."
These persistent challenges point to a deeper structural problem: attempting to conduct digital warfare through paradigms designed for physical domains. Outdated acquisition processes persist, compounded by overlapping, redundant, and paralyzing organizational structures. With Congress already granting USCYBERCOM enhanced budgetary control, now is a critical opportunity for long-overdue structural reform.
Proposals such as ending the dual-hat arrangement with the NSA or creating a separate cyber service have gained traction. Regardless of which approach is adopted, any effective cyber operations organization must fundamentally rethink assumptions inherited from physical domains and traditional military services. This includes reconsidering the administrative control versus operational control (ADCON/OPCON) division, rank and compensation systems tied to time in service, and the reliance on divisional rather than functional organizational structure.
Should the United States establish a dedicated cyber service, it must possess both combatant command authority and "organize, train, and equip" responsibilities. Critically, this new organization must operate outside existing service departments to avoid replicating the institutional barriers that currently impede cyber operations effectiveness.
The Nature of Cyber Operations
Understanding the case for organizational change requires first clarifying what constitutes cyber operations. Computer Network Exploitation (CNE) and Computer Network Attack (CNA) represent fundamentally different activities from communications and information technology management. The latter involves engineering and maintaining friendly systems that process, store, and transmit information, while cyber operations are inherently adversarial activities targeting enemy networks and operations.
The conflation of these distinct functions has clouded debates about cyber force structure. Critics who argue that cyber forces must remain embedded within existing services are often conflating the defensive IT and communications functions - core functions of a modern military, integral to any domain - with cyber operations. When an op-ed declared that "A USCF would, by necessity, be forced to integrate itself within each of the other services, since cyberspace systems, and the forces that secure, operate, and defend them cannot be extracted from the existing services," it reflected this fundamental misunderstanding. A cyber force should focus on Computer Network Exploitation and Attack, not subsume all digital functions across the Department of Defense.
Existing Impediments to Cyber Excellence
The current organizational framework divides cyber force provision among the services, each theoretically responsible for organizing, training, and equipping personnel who then execute operations under USCYBERCOM. In practice, this creates a labyrinth of competing authorities and misaligned incentives that systematically undermine operational effectiveness.
The administrative control (ADCON) and operational control (OPCON) split represents perhaps the most pernicious structural flaw. Service members often receive conflicting tasking from their dual commanders, creating a perverse incentive for members - prioritize engaging the enemy for your OPCON commander, or prioritize service-unit additional duties such as organizing morale events, reviewing DTS authorizations, and conducting uniform inspections for your ADCON commander. The latter signs your promotion reports. This system "creates confusion and frustration for OPCON commanders who don't have control over their people" and is similarly unfair to well-meaning ADCON commanders who wish to actively lead their troops but can only do so by adding additional burden on top of operational requirements. Lospinoso observed in 2018 that the ADCON/OPCON split was a "vestigial structure that should be eliminated altogether" as well as a violation of the principle of unity of command. This split continues to be almost universally derided yet unmodified.
The Trouble with the Services
The services' approach to cyber demonstrates a troubling pattern of institutional neglect despite decades of opportunity. The United States military has squandered a qualitative lead that should have been insurmountable. The first description of a stack buffer overflow exploit, a fundamental technique of offensive cyber operations, was in a 1972 Air Force study, over twenty years before this technique became widely known. Since then, the U.S. military has enjoyed larger budgets than any possible adversary and domestic access to the world's most advanced technology sector. Yet it was not until 2008, after nearly a decade of indiscriminate People's Liberation Army offensive cyber operations against U.S. networks, that the military formalized its first cyber force provider with the provisional Air Force Cyber Command. Ultimately, this command was canceled and since then, cyber has been treated as a supporting function rather than an independent element of national power.
Current service approaches to cyber reveal continued institutional apathy. The Army, generally considered to be the least behind of the services, still combines its cyber career field with electronic warfare, and poorly manages specialized personnel such as operators or developers. We have personally observed Army personnel so mission-essential that they are prohibited from taking leave during campaigns receive negative administrative action from the Army due to them being perceived as "not being around the company enough."
Meanwhile, after the creation of the Space Force, the Air Force dropped "cyberspace" from its mission statement without even mentioning the domain. The Air Force puts both offensive and defensive cyber officers in the same career field as communications and has no track whatsoever for developers, doing a disservice to all four groups. The Navy lags furthest behind, with cryptologic warfare officers openly stating that "Navy cyber is a ship without a rudder".
The services aren’t just ineffective; they’re redundant. There is no service-specific equipment or training for cyber forces - operators from different services use tools and infrastructure based on their USCYBERCOM sub-headquarters or NSA requirements, not based on their presenting service. A particular pain point is that operators and analysts must meet NSA qualifications, including completing NSA training courses, in order to use NSA tools. FDD describes the situation succinctly: "For example, when an Air Force cyber operations officer, a Navy cyber warfare engineer, and a Marine Corps cyber operations officer complete their initial entry training, they lack a common skillset. And none are qualified to serve in any of USCYBERCOM's basic work roles upon arrival."
In recognition of the poor efficiency of each service attempting to provide forces without a centralized standard, Congress has recently allocated billions in ‘organize, train, and equip’ money directly to USCYBERCOM. While this addresses some of the challenges of six services providing equivalent personnel to the combatant command, it is not likely to fully remedy a systemically flawed system. USCYBERCOM can only use these authorities on capabilities and individuals already assigned to the combatant command. Even then, the services retain administrative control over members, including their prospects for career advancement and future assignments.
Acquisition Theater
There is no likely pathway under the current system for USCYBERCOM to become less dependent on NSA tools due to the abysmal acquisition procedures used for Title 10 cyber capabilities. Cyber capabilities used by USCYBERCOM are an uncoordinated mesh of those provided by the services and those procured by USCYBERCOM directly. While it is true that USCYBERCOM can point to many (of course, classified) successes, these are largely due to its heavy reliance on NSA tools, infrastructure, and training. An unspoken reason behind the reluctance to split the Director of the NSA and the Commander of USCYBERCOM positions is that an NSA director, beholden only to the foreign intelligence mission, would probably prefer to cut USCYBERCOM off entirely. Rather than learn from the NSA, the services and USCYBERCOM have doubled down on "the military way", making extensive use of ineffective, industrial-age acquisition processes wholly inappropriate for digital systems. While we are limited in specificity due to classification, after five years of spending hundreds of millions on traditional defense contractors, the "Joint Cyber Warfighting Architecture" has delivered a jumbled mess of non-interoperable systems, behind schedule, and not meeting the original requirements, much less able to adapt to new requirements as they arise. A new service using the same culture and processes should expect the same results.
Cultural Misalignment and the Talent Crisis
USCYBERCOM remains paralyzed by the traditional military culture it has inherited from the services. This is driven by the fact that the services have no reasonable process to retain the 'right' personnel. Unique to cyber operations, a small number of highly talented personnel provide an overwhelming amount of the capability. FDD quoted one Air Force officer as saying that "10% of the workforce provides 90% of the value". General Nakasone said that "our best coders are 50 to 100 times better than their peers". No service even identifies, much less retains, these personnel. A tangible contributing factor is that all services keep personnel files, performance reports, and decorations at the unclassified level. This necessarily means that the day-to-day activities of members are either omitted or massaged into meaningless oblivion before entering a personnel record. This is exacerbated by the ADCON/OPCON split: the leaders making personnel evaluations are almost never intimately familiar with their role in their operational unit or their work.
The government cannot and should not seek to fully close the staggering pay gaps between the private sector and public service, but assignment and skill incentive pay to narrow the discrepancy is an important tool to retain servicemembers and their families. Despite Congressional authorization for incentive pay for highly skilled cyber personnel, the services have failed to implement these authorities effectively. Soldiers promised additional pay for work role certifications often find themselves fighting bureaucratic battles just to receive promised pay, with little recourse beyond separating to find an employer who cares.
Building an Effective Cyber Force
There is ample institutional interest in reforming the military cyber enterprise. In the 2024 NDAA, Congress requested an independent assessment on the potential for an independent cyber force. USCYBERCOM itself has developed the Cybercom 2.0 initiative to answer multiple Congressional reports, clearly signaling that key stakeholders view the current structure as inadequate.
The cheapest and simplest solution would likely be to transfer the extensive military cyber budget and authorities to the NSA, which has demonstrated excellence in digital operations. Alternatively, both USCYBERCOM and the NSA's Computer Network Operations (CNO) division could be consolidated into a new National Cyber Agency, civilian in character but distinct from traditional signals intelligence operations, including signals analysis and cryptanalysis. However, this approach raises legitimate concerns about diminishing focus on the NSA's core foreign intelligence mission. Additionally, USCYBERCOM's valuable partnerships with foreign governments and the private sector to address shared threats may be more effectively maintained through a uniformed military organization than a civilian intelligence agency.
The most widely discussed option involves creating an entirely new military service branch. While this would eliminate six-fold redundancy of the existing services providing forces to USCYBERCOM, simply relocating existing service components into a new branch would perpetuate fundamental problems. The ADCON/OPCON split, along with other cultural and structural barriers that currently hinder effectiveness, would persist unchanged.
Regardless of the pathway to an independent cyber entity, it is a national security imperative that this entity consolidate force provider and operational authorities under a single leadership chain, organize functionally rather than by arbitrary divisions, establish advancement tracks for technical experts, reduce or eliminate routine permanent change of station rotations, conduct performance evaluations at classified levels by technically qualified leaders, maintain continuous security clearances throughout careers, and center service requirements around mission rather than tradition.
Organizational Structure
The Goldwater-Nichols separation between service and combatant command functions has served well in physical domains where geographic coordination across services is paramount. However, cyber operations' speed, technical complexity, and borderless nature make this division counterproductive. A cyber force should consolidate both authorities, maintaining direct relationships with geographic combatant commands - as USCYBERCOM already does - while eliminating the friction of split administrative and operational control.
A cyber force should abandon USCYBERCOM's divisional structure in favor of organization around mission functions such as offensive operations, defensive operations, capability development, infrastructure management, and intelligence support. This is in direct contrast to the existing model of "Joint Force Headquarters" corresponding, ironically, to each service. A functional structure would foster deep technical specialization and encourage pride and accountability for mission performance, rather than perpetuating bureaucratic divisions that prioritize service interests over operational effectiveness.
Career Pathways
Personnel management practices must be designed to match cyber operations' unique demands. Traditional military career progression, predicated on regular rotation between positions and steady advancement through ranks, actively undermines the development of deep technical expertise. A cyber force should implement a multi-track system allowing advancement through technical specialization, traditional organizational leadership, or technical leadership. Technical leaders would serve as technology directors, risk assessment panel members, capability evaluators, and senior advisors who bridge operational requirements with technical possibilities, without compromising the expectation that organizational leaders be capable of comprehending the work done by their subordinates. All tracks must tie rank and compensation to contribution and expertise rather than strictly to time in service.
Personnel Management
Personnel management and evaluation must align with operational realities. Assessment should occur at the classification level of routine work, conducted by supervisors with direct knowledge of subordinates' contributions. The current practice of warping classified operations into unclassified near-fiction for performance reports must end.
Security clearance and access management also requires fundamental reform. Personnel should maintain continuous clearances and security accesses throughout their careers, eliminating the months or years of lost time and operational currency that accompany position transfers.
A cyber force should pioneer flexible service models that prioritize talent retention over traditional military career patterns. Experienced personnel should be able to transition between full-time and part-time status while maintaining their clearances and access. Geographic stability options should replace the standard practice of frequent duty station changes, allowing personnel to remain in one location for extended periods. These flexibilities would help retain critical expertise that might otherwise be lost to family considerations, educational opportunities, or private sector career moves. Rather than treating civilian sector experience as a departure from military service, the cyber force should embrace it as valuable professional development that enhances operational capabilities.
The force should prioritize quality over quantity. Given the extensive Communist co-option of the private sector and low wages in China, it is reasonable to assume that the United States will face around a 10:1 personnel disadvantage against China in cyber operations. This stark numerical reality makes indispensable the recruitment, development, and retention of the best available talent. Accession to a cyber service should be open to all Americans based on their merit, skill, and dedication to our Constitution, including veterans who already served with distinction in other services. Anything less is an unforced error that will cede advantage to the Communists.
Culture
Beyond structural reforms, the cyber force must cultivate a distinct culture aligned with its unique mission requirements. Adaptability must be a core expectation. Policies, procedures, and structures should be designed for constant evolution as technological landscapes shift and render yesterday's advantages inevitably obsolete.
The culture must embrace varied perspectives and flatter hierarchies that enable rapid information flow and decision-making. The hierarchical structures that enable mass coordination in conventional operations become impediments in cyber warfare, where small teams of specialists must respond instantly to emerging threats and opportunities, and repeatable actions that don't require creativity can be automated. The distinction between commissioned and enlisted personnel, rooted in centuries of class-based military tradition, has no clear justification in cyber operations and should be reconsidered.
Personnel requirements must reflect actual mission requirements. An infantryman would not be assessed on their ability to reverse engineer malware or develop zero-day exploits, nor should an exploit developer be disqualified because they have an autism spectrum diagnosis. Since the majority of cyber operations can be conducted from within the United States, deployability and the wearing of a traditional field uniform should be the equivalent of a special experience identifier.
Cyber Force personnel should focus intensively on achieving peak performance in their core technical missions. For the rare assignments requiring deployability, Cyber Force personnel should exceed the fitness and marksmanship standards of physical domain services, reflecting the specialized nature of forward-deployed cyber operations.
Independence
Creating an effective cyber force requires building from a clean slate rather than simply transferring existing units, which would import their parent services' cultural constraints. This allows establishment of cyber-optimized policies from inception rather than fighting decades of accumulated bureaucratic sediment.
The cyber force should not be subordinated to the Department of the Army, inheriting regulations and policies developed without consideration of the cyber mission. The argument that the Army should receive a cyber force because the Air Force and Navy already have 'pet services' represents organizational politics rather than credible logic.
The cyber force must maintain tight focus on core cyber operations, actively resisting the mission creep that commonly affects new organizations seeking to expand their relevance and budget share. While coordination with the services' defensive IT and communications functions remains essential, the cyber force should not attempt to subsume these distinct responsibilities, which require different expertise and serve different operational purposes.
Strategic Imperatives
In 2006, Secretary of the Air Force Michael Wynne spoke about establishing "a major command that stands alongside Air Force Space Command and Air Combat Command... [that] the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace." Instead of advancing this vision, the United States has moved backward. Meanwhile, China established the People's Liberation Army Strategic Support Force (PLASSF) in 2015, consolidating cyber, space, and electronic warfare capabilities under a unified command. Recognizing the limitations of this approach, China has since reorganized the Strategic Support Force into three separate entities: a dedicated Cyber Force, Space Force, and Information Support Force, all reporting directly to the Central Military Commission.
In an increasingly complex world, policymakers regularly reach to cyber options to defend the United States, advance its interests, and strike at adversaries below the threshold of armed conflict - and prepare the information environment for victory if a major kinetic war does occur.
Acting now, rather than waiting for a crisis or major war, is essential. Modest investments in cyber capabilities today can prevent a conventional war tomorrow, or tip the scales if war does occur: a pint of cyber sweat can save a gallon of pilot blood. The alternative is allowing adversaries to establish positions of cyber dominance that will require exponentially greater resources to overcome during actual conflict.
Conclusion
The United States stands at an inflection point in military cyber operations. Despite pioneering the domain and maintaining significant technological advantages, organizational structures and culture systematically undermine operational effectiveness. The challenges identified in "Fish Out of Water" seven years ago have not been resolved through incremental reforms, not for lack of an additional service, but because none of the existing services have been willing and able to adopt the characteristics of effective cyber organizations described here.
Congress should consider alternatives to a U.S. Cyber Force, such as granting additional authorities to the NSA or creating a National Cyber Agency with both intelligence gathering and covert action authorities. If a cyber service is created, it is imperative that specific measures are taken to avoid experiencing the same obstacles to success as USCYBERCOM. A cyber service does not belong under the Department of the Army, should resolve the ADCON/OPCON split, and should be designed from the ground up to focus on the cyber mission.