Why the US Cyber Force Debate Reveals Deeper Problems Than Organization Charts Can Fix

Security Careers

Security Careers

10 min read
Why the US Cyber Force Debate Reveals Deeper Problems Than Organization Charts Can Fix

Analysis: While Congress debates whether to create a seventh military branch for cyber operations, the fundamental structural and cultural problems that plague USCYBERCOM remain unaddressed—and China just reorganized its cyber forces for the second time in a decade.

The Organizational Agility Gap

While the United States has spent the better part of a decade studying whether to create an independent Cyber Force, China has already iterated twice on its military cyber structure. In April 2024, the People's Liberation Army dissolved its Strategic Support Force—itself only established in 2015—and split it into three separate arms reporting directly to the Central Military Commission: the Aerospace Force, Cyberspace Force, and Information Support Force.

This wasn't just reshuffling boxes on an org chart. China recognized that consolidating cyber, space, and electronic warfare under a single command created bureaucratic bottlenecks that prevented seamless integration with joint operations. Rather than commission another study, they restructured their entire approach to information warfare.

Meanwhile, the US military cyber enterprise continues operating under a structure that Air Force Captains James Brahm and James Lynch call "a labyrinth of competing authorities and misaligned incentives that systematically undermine operational effectiveness." Their op-ed "A Cyber Force Isn't Enough" in the Cyber Force Journal makes a compelling case that simply creating a new service branch won't solve the fundamental problems plaguing US military cyber operations.

The ADCON/OPCON Split: A Case Study in Organizational Dysfunction

The most pernicious structural flaw in current US military cyber operations is the division between Administrative Control (ADCON) and Operational Control (OPCON). Service members frequently receive conflicting tasking from dual commanders, creating an impossible choice: prioritize engaging the enemy for your OPCON commander, or prioritize service-unit additional duties like organizing morale events and uniform inspections for your ADCON commander who signs your promotion reports.

This isn't a theoretical problem. Brahm and Lynch cite cases where Army personnel so mission-essential they're prohibited from taking leave during campaigns receive negative administrative action for "not being around the company enough." The system violates the basic military principle of unity of command and has been universally derided since at least 2018, yet remains completely unmodified.

For enterprise CISOs, this should sound familiar. How many security professionals report to both a CISO for operational direction and a different manager for administrative purposes? How often do security teams get pulled into "all hands" meetings and corporate initiatives that have nothing to do with their actual mission of protecting the organization? The dysfunction scales.

The problem extends beyond personnel management. OPCON headquarters plan and direct operations that ADCON headquarters must fund, creating a perverse dynamic where the people controlling the purse strings have minimal understanding of operational requirements. Sound familiar to anyone who's ever tried to get budget approval for security tools from a CFO who thinks antivirus and firewalls are sufficient?

Why Traditional Military Services Fail at Cyber

The harsh reality is that the existing military services have had decades to get cyber right and have consistently failed. Despite the US military discovering stack buffer overflow exploits in 1972—over twenty years before the technique became widely known—it wasn't until 2008, after nearly a decade of indiscriminate PLA cyber operations against US networks, that the military formalized its first cyber force provider.

The services' approach reveals continued institutional apathy:

Army: Combines cyber with electronic warfare and poorly manages specialized personnel like developers and operators. "Generally considered to be the least behind" is damning with faint praise.

Air Force: Dropped "cyberspace" from its mission statement after creating the Space Force, combines offensive and defensive cyber officers with communications personnel, and has no career track whatsoever for developers.

Navy: Lags furthest behind, with cryptologic warfare officers openly stating that "Navy cyber is a ship without a rudder."

The redundancy is staggering. Operators from different services use tools and infrastructure based on their USCYBERCOM sub-headquarters or NSA requirements, not based on their presenting service. An Air Force cyber operations officer, Navy cyber warfare engineer, and Marine Corps cyber operations officer complete initial entry training with completely different skillsets, and none are qualified to serve in any of USCYBERCOM's basic work roles upon arrival.

The Talent Crisis and Cultural Misalignment

Perhaps the most critical insight from the Brahm-Lynch analysis is about talent management. In cyber operations, a small number of highly talented personnel provide an overwhelming amount of capability. One Air Force officer quoted in the piece estimates that "10% of the workforce provides 90% of the value." General Nakasone has stated that "our best coders are 50 to 100 times better than their peers."

Yet no service even identifies, much less retains, these personnel. Why? Because all services keep personnel files, performance reports, and decorations at the unclassified level. This means that day-to-day activities are either omitted or "massaged into meaningless oblivion" before entering a personnel record. Combined with the ADCON/OPCON split, leaders making personnel evaluations are almost never intimately familiar with their subordinates' operational work.

Enterprise parallel: How many organizations promote security engineers based on their ability to write PowerPoint presentations and attend meetings rather than their technical contributions? How often do the best threat hunters and incident responders get passed over for promotion because they don't "show leadership" in the traditional corporate sense? This mirrors challenges many security professionals face when advancing their cybersecurity careers in organizations that don't properly value technical excellence.

Despite Congressional authorization for incentive pay for highly skilled cyber personnel, services have failed to implement these authorities effectively. Soldiers promised additional pay for work role certifications often find themselves fighting bureaucratic battles just to receive promised compensation. This parallels challenges in enterprise security where finding and securing competitive CISO positions requires navigating compensation structures that often don't reflect actual market value or technical contribution.

Acquisition Theater vs. Real Capability Development

The op-ed pulls no punches on acquisition: "After five years of spending hundreds of millions on traditional defense contractors, the 'Joint Cyber Warfighting Architecture' has delivered a jumbled mess of non-interoperable systems, behind schedule, and not meeting the original requirements, much less able to adapt to new requirements as they arise."

This is what happens when you apply industrial-age acquisition processes to digital systems. Traditional defense contractors excel at building aircraft carriers and fighter jets—physical systems with decades-long lifecycles. Cyber capabilities require continuous evolution, rapid prototyping, and the ability to pivot as threat landscapes shift.

USCYBERCOM's heavy reliance on NSA tools, infrastructure, and training is both a strength and a vulnerability. An unspoken reason behind the reluctance to split the Director of NSA and Commander of USCYBERCOM positions is that an NSA director beholden only to the foreign intelligence mission would probably prefer to cut USCYBERCOM off entirely.

Three Alternative Models Worth Considering

Brahm and Lynch propose that Congress should consider alternatives to simply creating a US Cyber Force:

Option 1: Transfer Authority to NSA

The cheapest and simplest solution would transfer the extensive military cyber budget and authorities to the NSA, which has demonstrated excellence in digital operations. However, this raises legitimate concerns about diminishing focus on NSA's core foreign intelligence mission.

Option 2: Create a National Cyber Agency

Both USCYBERCOM and the NSA's Computer Network Operations division could be consolidated into a new National Cyber Agency, civilian in character but distinct from traditional signals intelligence operations. This would be similar to how other nations structure their cyber capabilities.

Option 3: A True Independent Cyber Force

If a military service branch is created, it must fundamentally break from existing service paradigms. This means:

  • Single chain of command: Consolidate ADCON and OPCON under one authority
  • Functional organization: Organize around mission functions (offensive ops, defensive ops, capability development) rather than service-based divisions
  • Technical career tracks: Allow advancement through technical specialization, not just traditional organizational leadership
  • Classified personnel management: Conduct performance evaluations at the classification level of routine work
  • Flexible service models: Allow experienced personnel to transition between full-time and part-time status while maintaining clearances
  • Geographic stability: Replace frequent duty station changes with extended periods in one location
  • Mission-focused culture: Prioritize technical excellence over traditional military customs

Critically, any new cyber force must NOT be subordinated to the Department of the Army or any existing service department. The argument that the Army should receive a cyber force because the Air Force and Navy already have "pet services" (Space Force and Marines) represents organizational politics rather than credible logic.

What CISOs Can Learn From Military Cyber Dysfunction

The structural problems plaguing military cyber operations mirror challenges facing enterprise security organizations:

Dual Reporting Structures Kill Effectiveness

When security teams report to both security leadership for operational direction and other departments for administrative purposes, you get the same dysfunction. Security professionals end up attending corporate events and completing administrative tasks that have nothing to do with protecting the organization. The optimal CISO reporting structure places security leadership directly under the CEO, granting necessary authority for company-wide information protection.

Solution: Give security teams clear reporting lines with both administrative and operational control under security leadership. If you need security engineers embedded in product teams, make those relationships explicit collaborations, not dual reporting structures.

Traditional Performance Metrics Don't Work for Technical Excellence

Evaluating security professionals based on traditional corporate metrics (presentations given, meetings attended, "leadership demonstrated") rather than technical contributions leads to promoting the wrong people and losing top talent.

Solution: Develop technical contribution frameworks that recognize deep expertise. Create advancement tracks for technical specialists that don't require moving into people management. Ensure evaluators have the technical competency to assess the work being evaluated. When hiring or developing CISOs, prioritize both technical depth and leadership capability.

Acquisition Processes Designed for Physical Assets Fail for Digital Capabilities

Enterprise procurement processes designed for purchasing hardware and facilities management services create the same problems as military acquisition when applied to security tools and services.

Solution: Create separate acquisition tracks for security capabilities that emphasize rapid evaluation, proof-of-concept testing, and continuous assessment. Build relationships with vendors who understand that security requirements evolve constantly.

Organizational Politics Trumps Mission Requirements

When security architecture decisions get made based on which department controls budget or who reports to whom rather than what actually protects the organization, you get fragmented capabilities that don't integrate well.

Solution: Establish clear mission priorities and authority structures that align with those priorities. Security architecture should be designed around threat models and risk tolerance, not org chart politics.

The Talent War Requires Different Tactics

Competing with private sector salaries is impossible for most organizations, government or enterprise. But you can compete on mission, autonomy, and the opportunity to work on genuinely interesting problems. Understanding CISO compensation structures and benefits helps organizations design competitive packages that go beyond base salary.

Solution: Focus on what your organization uniquely offers—maybe it's mission importance, technical challenges, work-life balance, or the opportunity to build something from scratch. Implement incentive structures that actually reward top performers, not just time in position.

The Real Question: What Problem Are We Solving?

The most important insight from the Brahm-Lynch op-ed isn't about organizational structure at all—it's about clarity of mission. Computer Network Exploitation (CNE) and Computer Network Attack (CNA) are fundamentally different from communications and IT management. Yet debates about cyber force structure constantly conflate these distinct functions.

A cyber force should focus on offensive and defensive cyber operations, not subsume all digital functions across the Department of Defense. Similarly, modern CISOs must focus on protecting the organization from threats, not become IT help desk overflow.

When critics argue that a US Cyber Force would "by necessity, be forced to integrate itself within each of the other services, since cyberspace systems and the forces that secure, operate, and defend them cannot be extracted from the existing services," they're conflating operational cyber forces with IT infrastructure management. These require different expertise and serve different operational purposes.

For CISOs: If your security organization is responsible for provisioning laptops, managing WiFi, and resetting passwords, you're probably conflating security operations with IT operations. The skills needed to hunt advanced persistent threats are not the same skills needed to troubleshoot printer drivers.

The Clock Is Ticking

China's 2024 reorganization was the second major restructuring of PLA cyber capabilities in nine years. They recognized problems with their 2015 structure and rapidly iterated to fix them. The United States, meanwhile, has commissioned multiple studies, held countless hearings, and produced exactly zero structural changes to address the fundamental problems identified in "Fish Out of Water" back in 2018.

The 2025 NDAA includes language requesting an independent assessment of creating a cyber force, but notably lacks a deadline for completion. Without a due date, the review moves to the bottom of DoD's to-do list. Even if completed, the recommendation will likely be another compromise that perpetuates existing dysfunction.

As Brahm and Lynch conclude: "A pint of cyber sweat can save a gallon of pilot blood." Acting now, rather than waiting for crisis or major war, is essential. Modest investments in cyber capabilities today can prevent conventional war tomorrow or tip the scales if war occurs.

The alternative is allowing adversaries to establish positions of cyber dominance that require exponentially greater resources to overcome during actual conflict. China isn't waiting for the perfect organizational structure—they're iterating rapidly and learning from each restructuring. The United States remains paralyzed by a Goldwater-Nichols framework designed for geographic coordination of physical domains, not for the speed and borderless nature of cyber operations.

Conclusion: Structure Enables or Constrains Mission

Creating a US Cyber Force won't automatically solve the problems facing military cyber operations. Simply relocating existing service components into a new branch would perpetuate the same cultural and structural barriers that currently hinder effectiveness. The ADCON/OPCON split would persist. Traditional promotion systems would still reward time in service over technical excellence. Acquisition processes would remain optimized for physical domains.

But the status quo is unacceptable. The services have had decades to develop effective cyber capabilities and have consistently failed. USCYBERCOM's "Cybercom 2.0" initiative, while a step forward in securing more direct control over training and retention, still leaves service chiefs with administrative control over members' career advancement and future assignments.

Whether through enhanced NSA authorities, creation of a National Cyber Agency, or establishment of a truly independent Cyber Force, the United States needs organizational structures that enable rather than constrain mission success. That means:

  • Single chains of command that align responsibility with authority
  • Functional organization around mission requirements
  • Technical career advancement tracks
  • Performance evaluation aligned with actual work
  • Acquisition processes designed for digital capabilities
  • Flexible service models that retain talent
  • Culture focused on adaptability and technical excellence

For CISOs and security leaders, the lessons are clear: organizational structure profoundly impacts operational effectiveness. You can have the best security tools, brightest security engineers, and most comprehensive security policies, but if your organizational structure creates competing priorities, splits authority from responsibility, and evaluates technical work using non-technical metrics, you'll systematically undermine your own effectiveness. The CISO Playbook provides additional frameworks for navigating these organizational challenges.

The debate over a US Cyber Force reveals a deeper truth: fixing organizational dysfunction requires more than redrawing org charts. It requires fundamental rethinking of how we structure, evaluate, and empower technical organizations to do the work they were created to do.

The question isn't whether to create a Cyber Force. The question is whether we have the organizational courage to build something that actually solves the problems we face, or whether we'll create another layer of bureaucracy that perpetuates existing dysfunction with a new name.

China has already answered that question—twice in nine years. We're still studying it.

References:

  • Brahm, J. & Lynch, J. (2025). "A Cyber Force Isn't Enough." Cyber Force Journal.
  • Foundation for Defense of Democracies (2024). Report on US Cyber Force requirements.
  • Congressional Research Service (2025). "Defense Primer: U.S. Cyber Command (USCYBERCOM)."
  • Various reporting on China's PLA reorganization (2024).

This analysis represents the views of the author based on publicly available information and professional experience. It does not represent the official position of any government agency or military service.

Read more