Building America's Cyber Force
The CSIS Commission on Cyber Force Generation has produced a day-one implementation plan organize and sustain a dedicated cyber service.
BLUF: The CSIS Commission on Cyber Force Generation, released this week, is the most comprehensive implementation plan ever produced for standing up an independent U.S. military cyber service. Its core finding: the current structure cannot keep pace with the threat. The AI acceleration makes that conclusion not just valid but urgent.
Cyber is an area IBA has not covered nearly enough. It underpins the security and reliability of every defense system and belongs at the center of any serious analysis of the industrial base. Part of the reason for that gap is personal: I am not a cybersecurity expert, and writing about it with confidence is a challenge I am working on every day.
I am not alone in underweighting it. The president’s budget request put a number to how much the Department of Defense has done the same.
CYBERCOM 2.0, the Pentagon’s own initiative to fix its cyber force generation problem, was funded at $74.1 million against a vetted ask of approximately $956 million in the FY2027 budget. Seven cents on the dollar.
That number did not emerge from nowhere. Between FY2024 and FY2026, the DOD’s cyberspace operations budget fell 30%, dropping from $7.4 billion to approximately $5.4 billion. Not because the mission contracted. Because the services reclassified investments as “cybersecurity” rather than “cyber operations” to keep them outside CYBERCOM’s budgetary controls. Space Force received a 77% budget increase over the same period. The FY2027 request of $7.7 billion represents a partial rebound. Adjusted for inflation, it still falls short of what DOD requested in FY2024.
While those numbers were being locked in, Anthropic released Claude Mythos Preview under Project Glasswing. The most capable AI system ever built is being held in limited deployment partly because the institutional frameworks for safely integrating it into national security operations do not yet exist. The U.S. military has no central organization responsible for understanding what a model like Mythos can do offensively or defensively. Nobody owns that question.
Cyber is a domain of warfare in the same way that land, sea, air, and now space are. For every other domain there is a dedicated military service that mans, trains, and equips the force while combatant commands use those resources to conduct operations in their area of responsibility. Cyber is the only domain where that structure does not exist. China recognized this more than a decade ago and built a dedicated cyber force accordingly. The United States has not.
In my view, it is a matter of time before we correct that. Joshua Stiefel and Lieutenant General Ed Cardon (USA, ret.) share that view. They have spent the past year leading the CSIS Commission on Cyber Force Generation to define what correcting it actually looks like. This week, the commission publishes its findings.
Last week they sat down with IBA to walk through what the commission means and where the bodies are buried.
Note: The Commission’s central findings are about the structure of a proposed Cyber Force and do not advocate for the creation of that force itself, which is a political decision. Any advocacy for that in this piece is my own editorial commentary and is not the position of CSIS or the Commission.
Cyber Is The Only Domain Nobody Owns
Every warfighting domain has a service dedicated to generating its forces. The commission’s foundational finding is that cyberspace does not. “The cyber domain is thus the only domain of warfare that lacks a dedicated organizational unit for force generation.”
That responsibility has defaulted to CYBERCOM. But CYBERCOM is a combatant command, not a military service. Its statutory job is force employment: using forces that others generate to conduct operations. Over the past decade, as the services failed to generate adequate cyber forces, Congress granted CYBERCOM increasing “service-like” authorities to fill the gap. CYBERCOM is now responsible for both generating and employing forces under a single commander. That is the pre-Goldwater-Nichols arrangement the 1986 defense reorganization was passed specifically to prevent.
The standard objection to fixing this is cost. A new military service means a new Pentagon bureaucracy, and new bureaucracies grow. Space Force’s 77% budget increase this year is not a small data point for skeptics.
That argument misreads the situation. Cyber resourcing is already happening. It already costs money. It runs across 440 organizations and more than 70,000 military, civilian, and contractor personnel conducting cyber functions across DOD and the Coast Guard. 26 separate non-operational organizations support cyber budgeting. The Army alone has 10 separate budget entities doing this work. The spending exists but the budgetary coherence does not.
The fragmentation is the predictable result of asking each service to prioritize a mission that competes with its primary identity. LTG Cardon was direct about how this plays out at the top:
“Admiral Gilday was very clear on this. He’s responsible for the Navy first. So cyber isn’t the top of the list.”
The fact that a service chief who led 10th Fleet, the Navy’s cyber fleet and knows this domain better than anyone else in his service, expresses this priority clearly highlights the central challenge.
The commission put the same observation into its findings: “No service within the Department of Defense has primacy for cyber force generation. None of the services prioritize cyber force generation.”
The consequences show up in the numbers. In 2021, General Nakasone secured agreement to expand the cyber mission force from 133 to 147 teams. That growth was not the product of a requirements analysis. As Stiefel described it:
“That was not because we did an analysis of what we require and how many teams do we need to get there. That 14 teams was based on what the services were comfortable giving. When we think about military requirements, we think about what we need, not what we can afford.”
The resourcing failure is the visible part of the problem. Beneath it is a doctrine void that is harder to see and more consequential to close.
Here is some anecdotal evidence to support that data: a Chief Warrant Officer 4 with ten years in military cyber recently searched for doctrine on how to conduct offensive cyber operations. He could not find it. As Stiefel told IBA:
“There’s doctrine on cyber operations from 2021, but that’s like saying there’s doctrine on infantry. You’ve got to go a level deeper than that. And there’s no one whose job it is to produce it.”
To drive that point home the Army last updated its Field Manual (FM) for Cyber Operations in 2021, but still has not updated its subordinate Army Doctrine Publications under that FM.
The Joint Cyber Warfighting Architecture illustrates where that absence leads. First announced in 2018, it remains incomplete in 2026. The Defense Science Board issued a critical assessment two years ago. A program office stood up inside CYBERCOM to address it has struggled mightily. Stiefel: “We were talking in 2022 about ‘we’ve got to be ready for 2027’. We’re seven months away from that and we are no further along this journey.”
Anthropic & Project Glasswing: The Technology Didn’t Wait
Against the backdrop of fragmented budgets and absent doctrine, the private sector has not paused. Frontier AI models are collapsing the time required to conduct cyber operations by orders of magnitude. LTG Cardon put it plainly:
“The models are loose. The models are turning what used to take months into hours or minutes or seconds.”
The adversary has already confirmed it. In November 2025, Anthropic’s Threat Intelligence team disrupted what it characterized as the first large-scale AI-orchestrated cyberespionage campaign. The attacker, assessed with high confidence as a Chinese state-sponsored group, used Claude Code to target approximately 30 organizations, including technology companies, financial institutions, and government agencies. Claude executed between 80 and 90 percent of the operation without direct human involvement. That campaign ran for roughly two months before it was detected.
Volt Typhoon is the longer-horizon version of the same threat. The Chinese state campaign has spent years quietly pre-positioning inside U.S. critical infrastructure, building access designed to be activated when needed. China built its independent cyber force more than a decade ago. As Stiefel told IBA:
“The Chinese write 5-year plans and they stick to them. Beijing hates [the Cyber Force proposal]. They don’t want to see us do it, because they think this is strategic advantage for them.”
The White House addressed part of this yesterday. President Trump signed an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security,” establishing a voluntary framework for government review of frontier AI models before public release. The original draft required a 90-day mandatory pre-release review. After industry pushback, the final order reduced that to 30 days, made it voluntary, and expressly prohibited creating a licensing or permitting regime for AI.
The order creates an AI cybersecurity clearinghouse and directs agencies to develop benchmarks for assessing AI models’ offensive capabilities. What it does not create is a central military institution capable of actually conducting that assessment across force generation and force employment.
Anthropic’s Claude Mythos Preview, the most capable AI system currently in existence, is being held in limited deployment under Project Glasswing rather than released to the public. The restriction exists partly because the institutional frameworks for safely integrating a model of that capability into national security operations do not yet exist. That is not a critique of Anthropic. It is a precise description of the institutional gap the commission is trying to close.
LTG Cardon:
“I don’t know if we even know what [an AI-built cyber force] should look like yet.” And then, on what that means for the force as currently structured: “The force we built wasn’t built for an AI model.”
The Cyber Commission’s Blueprint
The commission spent ten months building what the Pentagon has not produced on its own: a day-one implementation plan for standing up an independent U.S. Cyber Force. The commission’s working assumption was deliberate. It did not debate whether a Cyber Force should exist. It assumed the political decision had been made and asked a harder question: how do you actually build one?
Hill staffers drafting NDAA amendments should read what follows closely. This is the specific answer to that question.
The commission recommends a total force of approximately 30,000 personnel: 20,000 active-duty commissioned and warrant officers, 3,500 to 5,000 Cyber National Guard, and 5,000 to 6,000 civilians and contractors. As envisioned, the Cyber Force would be the second-smallest uniformed service in the DOD, behind only the Space Force at roughly 10,400.
The overall initial budget estimate is $10 to $11 billion, spanning O&M, Procurement, RDT&E, and personnel. Most of that money is not new appropriations. It comes from reallocating existing cyber spending currently distributed across the services. The same dollars now flowing through 440 organizations get consolidated under one service with a single budget authority.
The commission estimates 12 to 18 months to reach initial operating capacity, following a four-phase build. First, a planning group sets conditions within two weeks of a decision. Next, initial units are fielded and presented to operational commands. This is followed by three to four years of iterative growth to become the primary force provider. Finally, institutional fine-tuning addresses long-term management, basing, and support structures.
Regarding institutional alignment, the commission offers two neutral options. The first integrates the Cyber Force into the Department of the Army to utilize existing infrastructure and Fort Eisenhower facilities, though it risks the service being marginalized by the Army’s “infantry-first” culture and budget priorities. The second creates an independent Department of the Cyber Force with its own secretariat, requiring more time and funding but ensuring direct representation in resource allocation battles.
Regardless of alignment, the commission identifies four non-negotiable enabling structures: a dedicated Cyber Force Intelligence Center for foundational adversary intelligence; a Cyber Force JAG Corps to build career expertise in cyber law; a Force Generation and Training Command to centralize accessions and readiness; and Cyber Force Component Commands for each combatant command to consolidate existing service elements.
The Cyber National Guard warrants distinct focus. Operating under dual federal and state authority, it is specifically designed to protect critical infrastructure like power, water, and finance. Its ability to be activated by governors without a presidential declaration directly counters the Volt Typhoon threat. By providing operational technology specialists at the state level, it addresses a critical gap exposed by the November 2025 GTG-1002 campaign that no current service component fills.
A Cyber Force is a new acquisition customer with consolidated budget authority and a mandate to move faster than any existing service. For commercial AI and cybersecurity vendors, it is a fundamentally different relationship than working through five separate service procurement offices with competing priorities.
Whether Washington ultimately designates its leading frontier AI labs as supply chain risks rather than strategic partners is a separate policy debate and an important one. But if the customer structure gets right, the commercial access pathway becomes considerably cleaner.
The commission’s acquisition model is built for commercial speed: pooled developer units managed as dynamic talent pools, fused squadrons combining operators, analysts, developers, and contracting officers under one command, and Rapid Capabilities Offices at scale with contract obligation authority pushed to the field level. The administrative distance between identifying a mission gap and procuring a solution shrinks from years to days.
The commission’s prescription is structural. Contract authority belongs at the operational level, not a service headquarters. “Tailored and integrated approaches will likely be preferable for a cyber service,” the report states, explicitly rejecting the large industrial procurement frameworks the existing services built over decades.
The open question: will Congress resource a Cyber Force at the required level, or will it face the same institutional gamesmanship that funded CYBERCOM 2.0 at 7 cents on the dollar?
Stiefel’s read on the outcome:
“Whether we like it or not, Cyber Force is coming. It’s a question of when. Rome wasn’t built in a night. We will get there. But we’re better off the sooner it happens.”
LTG Cardon’s question belongs in front of every defense appropriator and NDAA drafter sitting on the Hill this week:
“If you put artificial intelligence on top of the structure we have today, would you still have the same answer?”
Industrial Base Alpha is published by Industrial Base Alpha LLC and provides general market research, analysis, and commentary on the defense industrial base. IBA is not a registered investment adviser and does not provide investment advice. Nothing in this publication constitutes a recommendation to buy, sell, or hold any security, nor does it address the specific financial circumstances of any reader. All analysis reflects the author's views as of the date of publication and is subject to change without notice. Readers should conduct their own due diligence and consult a qualified financial adviser before making any investment decision. For full terms, see industrialbasealpha.com.
Note: The Commission’s central findings are about the structure of a proposed Cyber Force and does not advocate for the creation of that force itself, which is a political decision. Any advocacy for that in this piece is my own editorial commentary and is not the position of CSIS or the Commission.