U.S. Cyber Command lost yet another seasoned leader earlier this month.
Lt. Gen. Charles “Tuna” Moore, second in command behind Gen. Paul Nakasone, retired after serving roughly five years at Cyber Command. By all accounts, he was an effective, impressive figure, having completed a Harvard Kennedy School cybersecurity program in 2019 and advancing through the ranks to help oversee the military’s primary digital warfare unit at an increasingly critical time for cyber defenses.
But even for a talented military service member in his 50s, working inside a part of the military that White House officials, Pentagon leaders and lawmakers say is dangerously understaffed, longstanding policies and a military staffing system makes it nearly impossible to remain.
There is “no seat for him,” sources said, pointing out that Moore is just the latest example in a long line of forced retirements where top generals who aren’t promoted “reach the end of the line.”
But at a time when General Nakasone along with many other cybersecurity leaders inside and out of the government are sounding alarms about the dire cybersecurity talent shortage and the inability to retain the most skilled cyber practitioners, many former Cyber Command and National Security Agency officials say it is time to change the military’s rotation system and approach to retirement that is robbing the military of its most experienced personnel.
Department of Defense staffing norms require staff to rotate every few years. Since Cyber Command receives talent from outside its ranks, it is also subject to the whims of the various military services, which rotate their brightest people to Cyber Command for anywhere from two to four years, asking for them back, experts and former officials say, just when they have mastered the complexities of the cyber mission.
The services — Army, Navy, Marines, Air Force, Coast Guard — say they have manpower needs that require they get their talent back, sources said. But as a result, Cyber Command officials are left to execute cyber operations with a constantly rotating bench.
“What that means in cyberspace is by the time someone is just getting up to speed, it’s time for them to leave,” said Rick Ledgett, who was deputy director and acting chief operating officer of the NSA until he retired in 2017. “That hurts the cyber mission.”
The NSA and Cyber Command work very closely; General Paul Nakasone has a “dual hat,” meaning he runs both entities. Ledgett, who worked with Nakasone and the founding director of Cyber Command, retired Gen. Keith Alexander, said that Alexander tried to fix the rotation problem but was unsuccessful.
Alexander declined to speak with CyberScoop.
Congress poised to act
The issue is a long-standing one. Sen. Mike Rounds, R-S.D., a member of the Senate Armed Services Committee and chairman of the Cybersecurity Subcommittee, in 2018 told a joint Cybersecurity and Personnel Subcommittee hearing that Congress needed to review the cyber operational readiness of the DOD.
“A great deal of the department’s cyber readiness issues revolve around the shortage of skilled, cyber-capable personnel,” Rounds said. “An ongoing concern of the subcommittee, which I am sure the department shares, is that we preempt a hollow cyber force … Cyber Command needs the indigenous capability, without over-reliance on NSA, to surveil adversary networks for zero-day vulnerabilities, produce malware to exploit these vulnerabilities and implant this malware within a reasonable and realistic timeline.”
Five years later and it’s unclear if much has changed. In April, Nakasone told Congress a top priority for him is to build a skilled workforce “through recruitment, training and retention.”
But Congress seems to have the issue on its radar. The Senate version of the National Defense Authorization Act this year calls for the Secretary of Defense to complete a study on the responsibilities of the military services for “organizing, training, and presenting the total force” to Cyber Command.
DOD Secretary Lloyd Austin is charged with producing a report by next June that addresses the “low service retention rate” for critical roles inside the Cyberspace Operations Forces “specifically addressing Cyber Mission Force rotations [and] length of service commitments.”
For those who have worked at the NSA and partnered with Cyber Command, the problem feels particularly acute. Gavin Wilde was at the NSA as a Russian specialist and worked closely with Cyber Command as part of the “Russia Small Group” in both 2018 and 2020. Cyber Command was at a sharp disadvantage because of the constant rotations, he said.
“The current practice of either rotating out or retiring military members or generals, general officers, at the very moment when they’re reaching critical mass of expertise is problematic for both the discipline as well as for getting Cyber Command to a place of maturity where it’s not reliant on NSA or others to help them with that expertise,” Wilde said.
The dynamic is a “drag on the talent shortage at NSA,” he said. Many new employees at the NSA are coming out of graduate programs, eager to begin working in their area of expertise only to find “themselves having to educate their peers in Cyber Command who haven’t had that benefit, and who by the time they catch up or reach parity, are rotating out,” Wilde said.
How to fix the problem
There are ways that Cyber Command could address the issue even without permission from the services. The military has authority to direct commission cyber officers for several years, but has rarely done so, said Sean Plankey, who worked for Cyber Command before ending up at the White House and the Department of Energy with cybersecurity portfolios.
“They only used it at the lowest possible level of commissioning and so, they’re struggling to bring people in and the military itself functions on a up or out system,” Plankey said. “That means you have to get promoted or in a period of time you get pushed out, and you can’t get promoted.”
Rear Adm. Mark Montgomery, the former executive director of the Cyberspace Solarium Commission and before that a staffer on the Senate Armed Services Committee, said the rotation problem could be overcome if the military created a Cyber Force akin to the Space Force launched in in December 2019.
A Cyber Force would require Congressional intervention to create and was much more needed than a Space Force, Montgomery said. He worries a Cyber Force cannot be created anytime soon because the Space Force is still new.
Absent a Cyber Force, which would solve the problem by making cyber its own service not dependent on the others for staffing, DOD should accommodate longer tours and consistent tours within certain parts of the cyber mission force, including Cyber Command, Montgomery added.
“This is absolutely something the services should be addressing … . This is a career path that requires persistent training and exposure to the cyber infrastructure,” he said, pointing out that enlisted personnel working on nuclear power plants do not rotate because of the complexity of the mission.
A staffing system that’s an outgrowth of deep-seated cultural issues
A former high-ranking Cyber Command official who spoke only on the condition of anonymity said that the debates about how to staff special commands like Cyber Command go back to 1987 when the Special Operations Command was created and poached top talent from the various services. When Cyber Command formed with plans to rotate officers from the services “some of the knives came out because there were people still pissed off about SOCOM and how that got stood up,” he said.
The main problem with the rotation system is that it not only robs Cyber Command of talent, but also often leads to experienced people leaving the service. If they are rotated out of an operational role on a national force to sit on a ship, they decide to retire, former officials said.
“They’re going back to another unit that doesn’t know how to employ their talents right or where they don’t feel enabled to bring all of that experience,” said a second former Cyber Command official, who spoke on condition of anonymity because he is not authorized to speak to the press. “Invariably what happens is those people get out because they seek that same high performing organization [that they had at Cyber Command] … so they go join a startup.”
Despite the flaws to the current system, it’s difficult to fix, said Gary Brown, a professor at the Eisenhower School for National Security and Resource Strategy and a military expert.
“The military rotation thing essentially affects the entire system so you can’t really pull one career field out of the system and expect the system to still work because there are certain boxes you have to check to be competitive for promotion,” Brown said, before adding that the military requires leaders to get promoted to stay.
For those who are passed over, Brown said, “then you’re going to be kicked out, even if you wanted to stay, which is kind of wild in this case, because we’re desperate for people but we just don’t have that much of a system to stay … . It’s a difficult system.”
U.S. Cyber Command and the Defense Department declined to comment for this story.