Implementing Cybercom 2.0 Should Not Postpone Establishing a Cyber Force

Erica D. Lonergan, Mark Montgomery
Thursday, April 23, 2026, 8:00 AM

The Cybercom 2.0 initiative to improve cyber force generation does not preclude establishing a Cyber Force—it can lay the groundwork for one.

Cybersecurity operations at Port San Antonio (Maj. Christopher Vasquez, https://commons.wikimedia.org/wiki/File:Cybersecurity_Operations_at_Port_San_Antonio.jpg; Public Domain).

In recent remarks, Rep. Pat Fallon (R-Texas) reflected on the dire state of the U.S. military’s readiness in the cyber domain. Fallon lamented that, despite the military having had two decades to build a cadre of cyber leadership, “of the 13 or so general and flag officers assigned to Cyber Command, there is only one single one-star [general] with a cyber background.” This is not an outlier perspective. Indeed, there is a broad consensus that the U.S. military’s current force generation model for the cyber domain—how the military organizes, trains, and equips forces—is broken. The Pentagon acknowledged in 2025 that the status quo approach to building cyber talent “is not keeping pace with the rapidly evolving and increasingly contested cyberspace domain.”

Experts have coalesced around two paths forward. The first is to provide U.S. Cyber Command, the unified combatant command responsible for the military’s cyber operations, with greater budgetary control and acquisition authorities, an initiative dubbed “Cybercom 2.0.” The second is to establish a new branch of the armed forces, a Cyber Force, with the primary responsibility for force generation for the cyber domain. The policy debate falsely presents these as mutually exclusive options. Meanwhile, too many experts who support Cybercom 2.0 portray it as a faster, more efficient solution, overlooking its flaws.

Cybercom 2.0 preserves the core role of the existing armed services in generating cyber forces, while also empowering Cyber Command with additional “service-like” authorities. The initiative began in late 2024 following repeated congressional interventions to mandate studies and assessments of the military’s persistent cyber readiness and talent management issues. The following year, the Pentagon approved a “Revised Cyber Force Generation Model Implementation Plan,” an updated version of the original Cybercom 2.0 proposal. This decision continued the false dichotomy between Cybercom 2.0 and establishing a Cyber Force, choosing the former in lieu of the latter.

Cybercom 2.0 identifies many of the current force generation model’s deficiencies. Its emphasis on attributes such as domain mastery, specialization, and dynamism captures some of the military’s fundamental issues with talent management and readiness.

But even if Cybercom 2.0 is fully implemented, it offers an incomplete solution. Cybercom 2.0 cannot induce the existing branches of the military to prioritize the cyber domain. The Pentagon’s overview of Cybercom 2.0 specifically stipulates that Cybercom 2.0 will leverage “the authorities provided to Commander, U.S. Cyber Command (USCYBERCOM) in Title 10, U.S. Code, section 167b … with the authorities and activities of the Military Departments.” These authorities have been vested in the command since 2016.

However, the Cybercom 2.0 plan provides few teeth to hold the existing armed services responsible for delivering the forces that Cyber Command needs. Lt. Gen. (Ret.) Chris Weggeman made this exact point: “What Cyber Command lacks today is sufficient capability and capacity to clutch all their new authorities and deliver required outcomes at relevant speed/scale. They are undermanned, lack the talent and experience required at scale, [and] lack the data-fabric and state-of-the-art analytics/automation to fuel process efficiency.”

According to senior officials, the Pentagon’s revised force generation model is based on three core principles: cultivating mastery of the cyber domain, establishing dedicated career pathways that enable specialization, and fostering agility to match the dynamism of the cyber domain. Cybercom 2.0 aims to achieve these objectives through establishing three “enabling” organizations: a Cyber Talent Management Organization (CTMO), an Advanced Cyber Training and Education Center (ACTEC), and a Cyber Innovation Warfare Center (CIWC).

The creation of these three organizations undercuts the argument that Cybercom 2.0 is more efficient than creating a Cyber Force because creating a new service will result in more bureaucracy. The three new organizations within Cybercom 2.0—CTMO, ACTEC, and CIWC—are all organizations that also reside at the department level for each of the existing services. To provide just one example from the Army, the CTMO in Cybercom 2.0 is similar to elements of both Army Recruiting Command and Human Resources Command; ACTEC parallels portions of Army Transformation and Training Command, including the Cyber Center of Excellence and the Cyber School; and the CIWC is similar to the various rapid acquisitions officers under the assistant secretary of the army for acquisition, logistics, and technology. And that is just for one of the five existing services. By recreating organizations that already exist within each of the services, Cybercom 2.0 is creating more bureaucracy, not less.

The bigger problem is that Cybercom 2.0’s release defers meaningful debate about establishing a Cyber Force. Senior leaders have explicitly argued that it is necessary to buy time for Cyber Command to improve. For example, after the revised force generation model was approved in late 2025, Gen. (Ret.) Timothy Haugh summarized the argument against establishing a Cyber Force as being “all about time.” He presented Cybercom 2.0 as a faster and more cost-effective option: “We should start with the steps that can be done aggressively with the least cost and the most rapid return. … We want to be focused on producing more tooth and not focused on growing bureaucracy.” Another former Cyber Command official opined that establishing a Cyber Force would be misaligned to China’s ostensible timeline to be prepared to invade Taiwan by 2027, warning that “[y]ou can’t just take a knee for a couple of years while you spin this thing up.”

This is not a new argument. Nearly a decade ago, Adm. (Ret.) Mike Rogers called for additional time to get all of Cyber Command’s teams to full operational capability before making any judgments about force structure changes—a move that locked the Cyber Mission Forces into a prolonged and static course of action. However, even after achieving full operational capability, the command failed to make noticeable improvements.

This prompted the next ostensible incremental fix, which was for Congress to provide Cyber Command with “service-like” acquisition authorities, especially “Enhanced Budgetary Control” (EBC), which gave the command oversight of approximately $2 billion. In turn, leaders pressed for the command to have sufficient time to implement EBC prior to any further changes. As Lt. Gen. (Ret.) Charlie “Tuna” Moore argued in a 2024 op-ed, “Establishing a cyber service will take years—with no guarantee of success—much longer than simply allowing Cyber Command to fully execute its new ‘service-like’ authorities.” In other words, just give the command more time.

The calls for delay and time for implementation in the context of the Cybercom 2.0 debate ring hollow for those who have paid attention to the department’s efforts to generate cyber forces for more than a decade and a half. Attempts to improve force generation by making changes to Cyber Command’s resources or authorities do not get at the heart of the issue: the failure of the services to prioritize force generation for cyberspace. Even more problematically, Cybercom 2.0 is not the quick fix for force generation that proponents suggest it will be. For example, the Pentagon assesses that the ACTEC will not reach initial operational capability until 2028 and will not achieve full operational capability until 2031 (and, notably, both dates fall beyond Chinese President Xi Jinping’s notional 2027 timeline).

If we simply allow time for Cybercom 2.0’s full implementation before considering whether to establish a Cyber Force, another several years will pass, and many of the same deficiencies in the services’ recruitment, training, and retention of cyber forces will likely continue.

These critiques do not mean that the Cybercom 2.0 effort is futile. However, in implementing Cybercom 2.0, the department should consider how this initiative lays the groundwork for the next logical step toward establishing a Cyber Force.

Luckily, there are those in the department who understand that both Cybercom 2.0 and a Cyber Force are necessary. In January, Assistant Secretary of War for Cyber Policy Katherine Sutton rejected the framing of the two paths as mutually exclusive during her congressional testimony. “I think one of the most common misconceptions … is that it’s a debate between Cyber Command 2.0 and Cyber Force,” she said. As the department has built the Cyber Command 2.0 model, she explained, it has been deliberately “agnostic to the organizational model and that it would support both the current model … as well as the establishment of a Cyber Force.”

Sutton’s testimony offers refreshing nuance to what has become a simplistic caricature of the ongoing debate about establishing a Cyber Force. Rather than using Cybercom 2.0 to postpone efforts to build a Cyber Force, policymakers should consider how the revised force generation model could serve as a building block for an independent service—which is the only solution that will address the military’s readiness challenges in the cyber domain.


Dr. Erica Lonergan is an assistant professor in the School of International and Public Affairs at Columbia University. She also currently serves as a commissioner on the Center for Strategic and International Studies Commission on US Cyber Force Generation, a senior advisor to the Cyberspace Solarium Commission 2.0, and an adjunct fellow in the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Previously, Erica served on the faculty at the US Military Academy at West Point, including in the Departments of Social Science and Electrical Engineering and Computer Science, and at the Army Cyber Institute. Erica also has an extensive policy background, having served as a writer of the 2023 US Department of Defense Cyber Strategy, and a senior director on the bipartisan, Congressionally-mandated US Cyberspace Solarium Commission. She also held an appointment as a Council on Foreign Relations International Affairs Fellow, with placement at JPMorgan Chase and US Cyber Command. Erica has published widely on cybersecurity, strategy, and international security, including in American Political Science Review, Security Studies, Journal of Strategic Studies, and Contemporary Security Policy. Her co-authored book, Escalation Dynamics in Cyberspace, was published in 2023 with Oxford University Press. Her second book, Open Secrets: Power and Influence in Proxy Alliances, is forthcoming with Oxford University Press. Erica received her PhD in Political Science from Columbia University.
RADM (ret) Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and an FDD senior fellow. He also directs CSC 2.0, an initiative that works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he served as executive director and as senior advisor to the co-chairs. Previously, he served as Policy Director for the Senate Armed Services Committee under the leadership of Senator John S. McCain. Mark served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a Rear Admiral in 2017. He was selected as a White House Fellow and assigned to the National Security Council, serving as Director for Transnational Threats from 1998-2000. Mark graduated from the University of Pennsylvania with bachelor’s and master’s degrees in history. He subsequently earned a master’s degree in history from Oxford University and completed the U.S. Navy’s nuclear power training program.