Cyber Force, ROI, and the Case for Reform with Ed Cardon & Josh Stiefel
Season 2 Episode 41 •Show Notes
Should the U.S. have a dedicated Cyber Force? In this episode, General Ed Cardon and Josh Stiefel examine persistent gaps in the nation’s cyber posture, from undefined mission boundaries to unclear return on billions in cyber spending. They explore the organizational tradeoffs, workforce realities, and coordination challenges that have stalled progress, despite years of warnings. With host Frank Cilluffo, they unpack what it would take to move beyond patchwork solutions.
Main Topics Covered
- The failure of past “wake-up calls” to drive meaningful cyber reform
- Gaps in command, control, and mission clarity across defensive cyber operations
- The case for a dedicated Cyber Force and what it would need to solve on day one
- Why workforce development—not just recruitment—is central to cyber readiness
- The role of metrics and return-on-investment in cyber spending
- The importance of establishing clear operational roles between NSA, CNMF, DC3, DCDC
Key Quotes:
“How many of these have we been through, these quote, unquote, watershed moments that were going to change everything? … How cataclysmic does an incident have to be to get us to actually move one way or the other? – Josh Stiefel
“From 2020 to 2025, if you take all the budgets together, we’ve spent $29.9 billion on cyber operations. That’s as much as two Ford-class aircraft carriers. Do we have the equivalent combat capability in cyberspace as two Ford-class carriers? I’d argue no.” – Josh Stiefel
“[Cyber Com] just is not where it needs to be. It’s doing great work, but not at the scale and breadth that we know we’re going to need. – Ed Cardon
“In my experience, we tend to study [decisions like standing up a Cyber Force] for a couple of years before we implement it. We don’t have that kind of time.” – Ed Cardon
“Each one [of the typhoons] is a really bad day. Collectively, it’s the perfect storm. And the fact that we at least publicly haven’t made it a much bigger set of issues is going to send a signal to all of our adversaries that this is okay.” – Frank Cilluffo
Relevant Links and Resources
CSIS Cyber Force Commission: https://www.csis.org/programs/strategic-technologies-program/projects/commission-us-cyber-force-generation
Guest Bios:
Transcript
1
00:00:00,000 –> 00:00:01,000
Ed Cardon [00:00:00]: We created this thing called Hunt Forward. Where’s the hunt backward? Right inside our own infrastructures.
2
00:00:01,000 –> 00:00:02,000
Josh Stiefel [00:00:08]: Colonial Pipeline, there was SolarWinds, there was WannaCry, NotPetya, OPM, Sony, how many of these have we been through? These quote, unquote, watershed moments that were gonna change everything and they didn’t.
3
00:00:02,000 –> 00:00:03,000
Frank Cilluffo [00:00:24]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with two amazing Americans focused on cyber issues. First, we have General Edward Cardon. General Cardon spent 36 plus years in service for the US Army, including as the commanding General of Army Cyber Command, and also went on to help stand up Futures Command, if I’m not mistaken. And Josh Stiefel, who has been a staff leader on Congress and the House Armed Services and shepherded the last seven National Defense Authorization Acts, or NDAAs. And anyone in Washington knows there’s only one bill that passes and that’s the NDAA. Gentlemen, it’s a privilege to sit down with both of you today. You’re at the forefront of a major effort that CSIS and, and the foundation for Defense of Democracies and Cyber Solarium 2.0, which I’m part of, is leading, looking at whether or not we need a Cyber Force.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:34]: Before we get to answering that question, I would love to diagnose where we are and what’s leading some of the thinking there. And General Cardon, maybe we start with you and what are we lacking right now in terms of our overall capacity? And anything from your amazing work at ARCYBER that can be helpful in, in this thinking.
5
00:00:04,000 –> 00:00:05,000
Ed Cardon [00:01:56]: So there was this idea of having Cyber Com 2.0. I think a lot of people realize when Cyber Com was created in 2010, and here we are in 2023, 2024 timeframe, that it just is not where it needs to be. It’s doing great work, but not at the scale and breadth that we know we’re going to need. And when you look forward, that problem’s going to get worse. And so even General Nakasone said, the force we have today is not the force we need for the future, but look how much effort it has taken to stand up the force we have today. And are there better ways to do that? So, one of the challenges is that this debate’s been going on a long time. Do we need a cyber service? But what’s interesting, as we try to continue to strengthen Cyber Command, Cyber Command continues to ask for more and more responsibilities that look service like. And so there is a debate whether you should have an operating force and a generating force under the same leadership.
6
00:00:05,000 –> 00:00:06,000
Ed Cardon [00:03:03]: That remains to be seen because the cyber domain’s a little bit different. But in my experience, being in operations for a long time, operations tends to trump the generating force all the time. And that may not be the best way to do it for the future.
7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:03:17]: Well said. And I want to pull some our cyber thoughts in that in a second. But Josh, and sometimes this isn’t the sexy stuff, it’s the organize, the train, the equip and keeping the services on task. So what are your thoughts here?
8
00:00:07,000 –> 00:00:08,000
Josh Stiefel [00:03:32]: So what’s interesting is the conversations we’re having today about force design and force generation, training deficiencies, training disparities, issues with recruitment, issues with readiness. They’re not that different from the conversations we were having five years ago or 10 years ago or even 15 years ago. So we’re not resolving the problems that we’ve been dealing with for so long, and yet we’re having new problems added onto our plate because of how dynamic the domain is. And so we are in this place where we know we’re not where we need to be. To General Nakasone’s point, right, you know, status quo is the only option not on the table. But we are not really thinking dispassionately and objectively about where we should be and what will it take to get there.
9
00:00:08,000 –> 00:00:09,000
Josh Stiefel [00:04:23]: And what’s interesting about the Commission is there’s actually a range of views amongst the commissioners of where we have to be. And I think that’s one of, one of the best sort of attributes we have for it. What we start off with is an ironclad assumption to move past this debate of should we or shouldn’t we have a service aligned to this domain the same way we do in the maritime space, in the, in space, in the air domain? Let’s just assume the President has directed the establishment of the cyber service. Right? We’re going to start with what does it have to look like? What are the options we should be considering, what are our best recommendations? And then what’s a plan to actually build it out? You know, in the case of the Space Force, they were basically told to break ground on construction without having hired an architect or sketched a blueprint. We want to avoid that. We want to put the thought in on the front end to at least have something for folks in the department to compare against and plan towards so they at least have something to work off of instead of having to figure it out, right, when we’re already in a conflict with the adversary.
10
00:00:09,000 –> 00:00:10,000
Frank Cilluffo [00:05:31]: And General and Josh both jump in here. All of this is against the backdrop where we are talking a whole lot about leaning forward and I’m a big proponent of that. We’re never going to firewall or defend our way out of this problem, but we want to make sure that we can align and achieve the outcomes we’re looking for. Structurally, are we there? What is that best case scenario?
11
00:00:10,000 –> 00:00:11,000
Ed Cardon [00:05:57]: Well, maybe if I just, I mean, one of the reasons I’m on this commission is because one of the challenges we had with the Army Cyber Forces. Right? So the way the decisions made to stand up a cyber Army, Army Cyber Command, and then the debate about what’s in it and what’s not, how to do it, that went on for almost five years. We don’t have five years to, once the decision’s made, let’s figure it out. So we’ve done this in other domains. We have to recognize this domain’s different. So it may not all look the same.
12
00:00:11,000 –> 00:00:12,000
Ed Cardon [00:06:31]: There’s certain areas that might look actually quite different. But the idea that we have a series of options on the table, here’s how you might want to implement it. So we actually have real capability and much faster than we have in other domains, I think would be invaluable to the department.
13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:06:51]: And you know, General, one thing that I find most impressive about Army Cyber Command in particular is it, it tends to align with the Title 10 side of the mission, where stuff really does happen. And other services, they’re doing some really unique and good work in niche areas, but it tends to have a little more of that Title 50 feel to it. And, and I think that’s sort of where we need to be. If we’re talking offensive, we’ve got to make sure we have not only the force structure, not only the workforce coming into the future, but also the strategic outcomes where we’re looking to achieve. I think there’s a lot that can be gleaned from Army Cyber. And I’m not saying it because you’re here, but you, your predecessor, Rhett Hernandez, General Nakasone was able to take some of those ideas and implement it. That’s sort of what we need at national level. Josh, any, any thoughts there?
14
00:00:13,000 –> 00:00:14,000
Josh Stiefel [00:07:55]: So what’s interesting here is, you know, cyber’s new. It’s, it’s, it’s dynamic, it’s different. But we almost absolve ourselves of the connections that we have and how we can look back in our own military history and say, when have we been through similar situations before, and how did these resolve themselves? Right? And so we think about what’s lacking here. You know, I think about the fact that there are seven degree granting institutions in the Navy for the maritime space. There is one in the Department of Defense dedicated to cyber, and the department tried to shut it down four years ago. Right? You know, is that something that’s, that’s the right thing for the department to be removing the things that we’ve had each service determine unilaterally, like that they require? Right?
15
00:00:14,000 –> 00:00:15,000
Josh Stiefel [00:08:45]: So, in the case of the army, you have SAMS, the School of Advanced Military Studies, you have SAWS in the Marine Corps, you have SAS in the Air Force. Each service has said, I need a place where I can build and develop and teach the most exquisite planners on the planet. Right?
16
00:00:15,000 –> 00:00:16,000
Josh Stiefel [00:09:03]: A dedicated schoolhouse just for them. In cyber, we have nothing really resembling that. And is that because we’ve determined and, and gone through an analysis that says we don’t need it in this space, or is it because there’s no real proponent for it, thus it’s a add on cost for someone else to take on and a burden that they’re not willing to shoulder. So when we look at the history, we, we, we’ve seen this movie before in the country, right? It resolves itself the same way every time. And I think about, you know, what would a Cyber Force look like? You know, everyone can talk about the operational stuff, but what about the things that people don’t think about? The intelligence support, the legal support, the targeting support. These are things where the enablement of our operations is so critical. Because today we have 6,500 authorized positions in the Cyber Mission Force. We’re lucky to get even close to that, but that’s a small force.
17
00:00:16,000 –> 00:00:17,000
Josh Stiefel [00:10:02]: And when we find sort of new things that the domain requires, you know, dedicated targeting, foundational intelligence, science and technical intelligence, we just add that onto the plates of the operators instead of saying no, that’s something that we need on the front end as distinct from the operators. Right?
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:10:20]: I’m reminded of then General Eisenhower’s quote at the time, and he often said, in preparation for battle, I have found plans to be useless, but planning to be indispensable. And I’m not suggesting plans are useless, we need them. We shouldn’t be coming up with them after the adversary kicks us in the most obvious place. They should be as forward leaning as possible. But that is very true and I’d be curious. I tend to think we’ve let the adversary define our strategy because we’re reacting to them. We’re giving the initiative to the adversary.
19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:10:59]: This done right, whether it’s through a Cyber Force or whether it’s through fine tuning everything in a, in a more efficient way, should have us define the strategy and basically get to a point where dissuade, deter, compel the adversary. Right? We seem to do it backwards, and history is filled with examples of that. And I’d be curious, sort of bluntly, if nothing changes, if the status quo is, unlike General Nakasone’s statement, the only option on the table, what risks do we face in the next few years?
20
00:00:19,000 –> 00:00:20,000
Ed Cardon [00:11:32]: I think we already see some of them. Right? So while we have a tremendous offensive capability, if we just look at Volt Typhoon and Salt Typhoon, both attributed to China. Right? So they’re deep inside of our critical infrastructure. Even recent reporting has said they’re in really deep and we don’t know how we’re going to get them out. And Salt Typhoon came out and basically collected information on every American that we have.
21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:12:01]: Absolutely. Yeah.
22
00:00:21,000 –> 00:00:22,000
Ed Cardon [00:12:02]: Then I think, you know, that’s here now. So that’s on the defensive side. Like, if we’re so great, how did this happen?
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:12:12]: Absolutely.
24
00:00:23,000 –> 00:00:24,000
Ed Cardon [00:12:14]: And you know, there’s, and this is where the complications of, well, a lot of this stuff is private infrastructure. The way that the department, you know, Admiral Rogers used to talk about, you know, the FBI has these authorities, CISA has these authorities. DoD has almost no authorities inside the United States. Right?
25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:12:34]: Except with the DIB, right?
26
00:00:25,000 –> 00:00:26,000
Ed Cardon [00:12:35]: Except with, well, and that grew over time. It didn’t start that way. Right? It started because people got smart about, the way to attack the United States is to start going up the chain and influence the, you know, weapons and capabilities we need to actually conduct war.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:12:52]: Which is a bad story. And the broader mission assurance picture is not great either.
28
00:00:27,000 –> 00:00:28,000
Ed Cardon [00:12:56]: Right. So, you know, that’s, I mean, that part’s here. Now how do we, and in a weird way, you could say we could take the offensive force. You know, let me back up a little bit. Maybe, we created this thing called Hunt Forward, which I think is fantastic. Right? Working with other nations.
29
00:00:28,000 –> 00:00:29,000
Ed Cardon [00:13:13]: Super. And worked really well with the Ukraine. Where’s the hunt backward? Right? Inside our own infrastructures. Where is that and who does it? Because right now that’s not even sorted out.
30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:13:26]: That’s really well said. And if you think about it, the ability to project power, deploy forces, that’s all in that side of the House. Right? To ensure that we actually have an offensive capability, whether kinetic or cyber, or the convergence of the two, which is where sort of where I am. Josh, anything, if nothing changes today, what is, what is this picture? Which is already a bad picture, to be honest.
31
00:00:30,000 –> 00:00:31,000
Josh Stiefel [00:13:51]: Absolutely. We continue to let the adversaries sort of set the tone and tenor. And, you know, my biggest fear is that we are, no country in the world is better prepared for a 20th century conflict than we are. Right? That’s not the one we’re fighting. You know, the adversaries have picked up on that. China developed its cyberspace force, you know, nine years ago.
32
00:00:31,000 –> 00:00:32,000
Josh Stiefel [00:14:12]: I’d argue the Israelis are the world’s first independent cyber force. They’re leading the way because you put these guys together and some magic happens. And so we’re going to continually be following until we’re leading. And I don’t know what it’s going to take because, you know, to the point about the typhoons, before typhoons, there was, you know, Colonial Pipeline, there were SolarWinds, there was WannaCry, NotPetya, OPM, Sony, you know, how many of these have we been through, these quote, unquote, watershed moments that were gonna change everything?
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:14:44]: Yep.
34
00:00:33,000 –> 00:00:34,000
Josh Stiefel [00:14:44]: And they didn’t. Right? So how cataclysmic does an incident have to be to get us to actually move one way or the other?
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:14:52]: And I appreciate that. Cause the typhoons alone, each one of those, whether Salt, Volt, and Volt being the one that I think is most indicative of intentions crossing a line, Rubicon, Flax, Silk, you name the typhoon. Each one is a really bad day. Collectively, it’s the perfect storm. And the fact that we at least publicly haven’t made it a much bigger set of issues is going to send a signal to all of our adversaries that this is okay. Right? And we just need to do more there.
36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:15:27]: And I’d be curious what you think has to be at Cyber Force. Say it is a new force. On day one, what has to be included in all that? And I know you’re looking at that in your study, but either of you want to jump in? You want to start, Josh?
37
00:00:36,000 –> 00:00:37,000
Josh Stiefel [00:15:43]: I think the ability to incorporate the massive amount of talent that’s in the civilian workforce. Right? Whether they’re there in a full time capacity or in a part time reserve or guard capacity. Right? You need people who understand the private sector, who can talk the talk of industry and understand what the department oftentimes fails to understand today in terms of fiduciary interests of companies and the different incentive structures that they have. The regulatory compliance they’re obligated under. You need people to understand, understand that. And so I think that that has to be a foundational piece.
38
00:00:37,000 –> 00:00:38,000
Josh Stiefel [00:16:23]: Now what form it takes I don’t know. I think that’s a really interesting topic for us to be discussing within the Commission. But I know that we can’t do this without harnessing those folks with experience in uniform, but now also in the civilian sector.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:16:37]: And that’s what makes cyber really unique is they’re, in some cases maybe governments and it’s not leading, they’re actually supporting the mission of, certainly on the defensive side. But I’d be curious what, what that looks like and agree. What are some…
40
00:00:39,000 –> 00:00:40,000
Ed Cardon [00:16:56]: So Frank, I would say part of the work of the Commission has to separate out a number of lines. Right? And I believe in boundaries because if you don’t have a boundary then everybody thinks they own that turf. But if you create a boundary then people have to coordinate to cross it. It’s not impermeable but there’s coordination required. So if you look at the boundaries on the offensive side, a lot of that smashes up against the intelligence community. So what are the boundaries? Right?
41
00:00:40,000 –> 00:00:41,000
Ed Cardon [00:17:24]: When you look at the defensive side it comes up against the CIO community. So what is that? But also there’s these other ones that are emerging rapidly. Like what about the EW community? Like tactical cyber may look a lot like EW.
42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:17:40]: And RF.
43
00:00:42,000 –> 00:00:43,000
Ed Cardon [00:17:41]: And RF. And so that brings in the whole spectrum piece. Then you also have information operations, influence operations with, cyber’s certainly an enabling force for this in a massive way. So we haven’t sorted these out. The commission is going to offer a number of recommendations around this. So when you say what it looks like I think if he would sort these roles out and they’re decided and not relitigated once a decision’s made, this is the importance of an implementation work, could be super powerful for day one.
44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:18:14]: Love it. And I would just add as, from, and not to be too academic or wonky, but we tend to look at the world through our boxes and org charts. If we could look at it in terms of what outcomes we genuinely want to achieve, our boxes and org charts would look very different I think, and maybe that would be a way to sort of factor in across the, that spectrum of conflict, would be, would be really valuable.
45
00:00:44,000 –> 00:00:45,000
Josh Stiefel [00:18:44]: Related to this point, what’s, you know, an issue that I’ve been very frustrated with is, is progress on weapon system cyber security and defense industrial based cybersecurity.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:18:56]: And what and this isn’t Secret Squirrel stuff. GAO has made this very public for years.
47
00:00:46,000 –> 00:00:47,000
Josh Stiefel [00:19:02]: And what really concerns me is you get the principals together in the Pentagon, you can have 10 different principals and you say who’s in charge, and 10 hands go up. To say that we organize by org chart, this is the problem is that no one knows whose job it is to take care of these massive issues that we still have not addressed or mitigated.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:19:26]: What do you see some of the pros and cons, shortfalls, and maybe other structures. So, for transparency, 10 years ago I wrote extensively on the need to create a JSOC because I thought the, the ability to deconflict the Title 50, Title 10, I come at it from, post 9/11, I think the, the, the, the greatest breakthrough is actually ensuring that the intelligence and defense communities can come together on prosecuting the, the war on terrorism. Some would say NSPM 13 was the equivalent of that for, for cyber. At least it didn’t require the President to read over every single operation and, and, and, and sign it one way or another. What are some of the shortcomings of that model? And then more importantly, how would a service sync up with Cyber Command right now? I’d be curious what, General, we’ll start with you and then Josh.
49
00:00:48,000 –> 00:00:49,000
Ed Cardon [00:20:26]: Well, I still think Cyber Com will be the operational force. It’ll be the co com that implements. So it’ll operate just like all the others. And so the, this Cyber Force would present forces to Cyber Command. What might be different here, though, going to Josh’s earlier point, is not only would it have to present forces also to the other combatant commands, it might actually have to present forces to services.
50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:20:54]: Yep.
51
00:00:50,000 –> 00:00:51,000
Ed Cardon [00:20:55]: Right? And no other generating force does it like that. Right? On the point of, I do believe in a JSOC like function, Cyber National Mission Force.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:21:06]: You think’s doing that?
53
00:00:52,000 –> 00:00:53,000
Ed Cardon [00:21:09]: Well, I used to talk about it in that. It’s become a subunified command. I think this might, this is something worth looking at.
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:21:17]: From a planning perspective.
55
00:00:54,000 –> 00:00:55,000
Ed Cardon [00:21:18]: Well, if it, if, if, if the Cyber National Mission Force by default becomes the operational force, then you have one force. Right? Well, we need know the Army has lots of, you know, we have four cores for a reason. We have 12 divisions for a reason. Right? So that kind of structure, you know, that kind of structure is in the generating forces. And then I’ll stop there.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:21:46]: Josh?
57
00:00:56,000 –> 00:00:57,000
Josh Stiefel [00:21:47]: Well, on the point of JSOC, right, we don’t have to think about a JSOC for defense. We do have to think about cyber for defense. Right? And so for all the good work that CNMF does. I am always concerned that, you know, the offensive side gets far more attention, far more resourcing than the defensive side. I want to treat the newly renamed DCDC as an equivalent to CNMF, and I want them to get as many resources, as much prioritization to make sure that we don’t take our eye off that, that we’re not always sort of lured by, you know, the sexiness of offensive operations. Because where do we have the most control over our ability to affect the network, affect the terrain? It’s inside our own network.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:22:30]: Just to put a fine point on that, and I’ll let you finish, I mean, what you will hear from industry is they will pay for the real or perceived sins of government leaning forward anyway because they’re going to be on the front lines of the retaliation and response. So it’s even more complicated in that you’ve got critical infrastructure owners and operators who need a seat at this table as well, so sorry to cut you off.
59
00:00:58,000 –> 00:00:59,000
Josh Stiefel [00:22:53]: No, no. And to your point, right. who is responsible in the Pentagon to talk to the private sector about this issue? Because I can tell you that there’s far more than the number one that will say that they’re in charge of it. Right? That’s a problem for us. I think that there’s some real goodness going on at DCDC under General Stanton. Thinking about this, thinking holistically, I know there’s been, you know, really good interplay between DCDC and the Defense Cyber Crime Center, also known as DC3, maybe bringing those organizations together, because they’re basically looking at different sides of the same coin.
60
00:00:59,000 –> 00:01:00,000
Ed Cardon [00:23:33]: And there were also good relationships led by General Hartman on linking them with the CNMF. Right?
61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:23:41]: That’s essential. Yep.
62
00:01:01,000 –> 00:01:02,000
Ed Cardon [00:23:43]: So there are pieces. The question is, is it enough? Right?
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:23:49]: And it would let them focus on a mission that’s narrower. Right? I mean, at the end of the day, not narrow, operations is never, but it’s not everything and everywhere, all the time. Is that, is that fair? Is that one of the arguments?
64
00:01:03,000 –> 00:01:04,000
Ed Cardon [00:24:05]: I kind of back all the way out of that. Like, the IT is everywhere, all the time running. So we have to have a way to monitor it. Right? Artificial intelligence is, is really like upping the game on the defensive side.
65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:24:19]: It’s also on the offensive side.
66
00:01:05,000 –> 00:01:06,000
Ed Cardon [00:24:21]: It’s also doing it to the offense. Right? And so speed matters. So, and this is an area that, you know, that the commission also has to explore. I do want to highlight one thing that Josh said. He talked about the people. I’ve always believed the people are the key to this whole thing. We get enamored with the technology over here, but it’s actually, you know, when you meet one of these people that’s, you know, I call them one of the, one of the 100s.
67
00:01:06,000 –> 00:01:07,000
Ed Cardon [00:24:47]: Like, there’s a hundred people in the country that can do this. And you know, it’s a very unique skill set. But there’s only, there’s only a couple of them that know how to do it. You know that we need those people. We need to attract them, and we may not need them in the force, but we need access, the force needs access to them.
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:25:06]: Actually, I do want to get your thoughts, because workforce, everyone talks about it, there’s not a whole lot of doing there. It’s hard. I get it. And this is everything from pay scale, all these complicated back office functions are essential to being able to build the cyber workforce of tomorrow.
69
00:01:08,000 –> 00:01:09,000
Ed Cardon [00:25:26]: I think you ought to start with what you want. And so for me, I’ve always thought it’d be like one third military, one third civilian, one third contract. The contract force is the fungibility, right? If you need something fast, you get it through the contract, but it also needs permeability. So you should, you should be required to go in and out of the force. That includes the military, right? Go back out to private sector, go work in one of the hyperscalers, go work in one of the big social media, come back.
70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:25:56]: So do we really need a Goldwater-Nichols that expands into industry though? That’s the difference. It’s not just you have to spend some time in another service or bill it.
71
00:01:10,000 –> 00:01:11,000
Josh Stiefel [00:26:07]: I think when you look at it, we have found solutions to this, right? In other domains, we, we know how to solve for this. And so, you know, whether you look at the guard, whether you look at Title 32 authorities or you look at, we found creative ways to address the operational problem. And is it at scale? Probably not. But then that gets the question of, okay, what enablers have you provided or you know, facilitated? In this case, I’d say a JAG corps, right? Who knows, who has, who are experts in the legal changes that might be required to make something a reality. And so to me, that’s where I think we have to really think broadly about organize train, and equipped. That means a lot of things. One is the enablers.
72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:26:51]: Can I, can I push back on that a teeny bit? It’s not that I disagree with it, I do. But we’re very good when we have a specific campaign we’re running up against. Ukraine and, Russia invades Ukraine. We have ways where we can bring both on the red and the blue, offense, defense together to ramp up capabilities. It’s that every other day. And we want to make the big mistakes on the practice field, not Main Street, USA, when it matters. Right? So how do we find, I mean, this is not to be trite, but you got to do the reps to be good in anything.
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:27:29]: And that’s not when the balloon goes up, that’s every day before that.
74
00:01:13,000 –> 00:01:14,000
Josh Stiefel [00:27:33]: But if you look at CNMF’s program under advisement, if you look at the Cybersecurity Collaboration Center run out of NSA, massive successes because they found ways to creatively get after, is there a disparity between what the government is seeing and a threat picture and what the private sector is seeing? Can we talk about it? Are there liability protections? Whatever it may be, they’ve found creative ways to tackle each one of these in small bites. And so I do think that we have, we got to give ourselves a little bit of credit here that there is those solutions. It just may not be at the scale where…
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:28:08]: Maybe it’s CCC on steroids. Because the next level of questions, I’m tired of the public private partnership discussion. It’s all about operational collaboration, and that is going to be with industry too. And maybe CCC is a model you can put on steroids. And I assume this is agnostic to whether or not there’s a Cyber Force, right, that can plug in. But how do we get around that workforce issue? How do we get it so we’re not getting every one of those hundred, if they’re not here today, we can build them tomorrow?
76
00:01:15,000 –> 00:01:16,000
Ed Cardon [00:28:43]: Well, the first thing, to back up, to do this training, the force has to be bigger than when you actually need.
77
00:01:16,000 –> 00:01:17,000
Josh Stiefel [00:28:49]: Boom. Yep.
78
00:01:17,000 –> 00:01:18,000
Ed Cardon [00:28:50]: Right? And often we don’t think about it that way. So what percentage of the force is in an education or training mode? Right? And that’s where you start to see, you know, you get questions like who’s going to write the doctrine? Who’s going to do all that? Well, I view that as a generating force responsibility, but it has to be, in this domain, tightly coupled with the operational piece. But rather than being in the operation, you should be watching it and then extend it out. What does that look like down the road? They have time to think about that. That’s their job as opposed to get after target.
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:29:28]: And I love that because it’s the enabling function, it’s the gap between strategy and tactics, and that tends to be in every field, but even more so when it comes to cyber and building out that doctrine. But it also means you have to invest. So not to use a bad sports analogy, but do you try to build your team based on who’s going to win today or do you build your team where you will win for the next 10 years? And you have to invest in those future first round picks, every once in a while, give up a key position. Right?
80
00:01:19,000 –> 00:01:20,000
Josh Stiefel [00:30:03]: So there was a lot of criticism about a space for saying we can’t afford to reorganize now. It would be too detrimental, too costly. We made that decision in 2019. The question was settled. Are we glad now that we have a group of people, cadre of folks thinking about space warfare 24/7? Because now in 2025 that looks quite prescient. Right? So we don’t really have buyer’s remorse about that decision. Going back to the workforce issue, I mentioned the Israelis, right? Everyone turns the Israelis, they’re the startup nation, incredible high tech sector, incredible talent.
81
00:01:20,000 –> 00:01:21,000
Josh Stiefel [00:30:37]: There’s a direct correlation from Unit 8200 to the development of a workforce that’s populating their private sector. Right? So they invest in it early, they invest in it, you know, at the, at the primary and secondary education level to prepare Israeli, you know, boys and girls for 8200 to then be selected and assessed, trained on an unbelievable investment in order to say, you know, their length of service, it still is worth it to the nation because they’re working in, in the private sector and they’re coming back maybe as a reservist.
82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo [00:31:14]: And they live in a tough neighborhood and they get a lot of experience and everyone’s serving.
83
00:01:22,000 –> 00:01:23,000
Ed Cardon [00:31:20]: So, so Frank, this is building the ecosystem, right? And the ecosystem normally is not built inside of operational force. Operational force is worried about what’s in front of it today or maybe a week from now or two weeks or a month, certainly not more than a year. Right? They’re knocking down targets, accomplishing mission every day. The generating force is the one that generally thinks deeper, right? And this idea of the building the ecosystem, that is the long term solution, right? The long term solution is to build these. Because then, I mean, I, I laugh with my private industry friends, right? They’re poaching talent out of this cyber mission force, DCDC, which would be okay if they kept coming back.
84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo [00:32:07]: If they come back.
85
00:01:24,000 –> 00:01:25,000
Ed Cardon [00:32:08]: Right? And I think, I think you could start to create this engine that would generate an unbelievable force. You know, 10 years from now, to Josh’s earlier point in the Space Force, would be like, wow, that was an incredible decision.
86
00:01:25,000 –> 00:01:26,000
Frank Cilluffo [00:32:24]: And I would agree 100% and do when I speak to students. You have a once in a lifetime opportunity in terms of public service. You’re going to see and play and let’s be serious, the mission matters. But I, I think we have to get out of the, you’re expected to be anywhere for 50 years. That’s just not lining up with the real workforce. It has to be go in, out and ideally learn from. You’re taking lessons, you’re learning, you’re understanding the pain points, you know what the Advil or whatever is needed to address it, and vice versa.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:33:02]: But our system’s not built for that.
88
00:01:27,000 –> 00:01:28,000
Ed Cardon [00:33:04]: But that’s a function of this domain. Unlike, like, you, you, you in the Army, that land domain is very specific. Anybody want to take a guess on which the big companies are going to be five years from now in this IT space with this AI environment? That’s, if we could figure that out…
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:33:21]: If we could have guessed, I’d be investing. Right?
90
00:01:29,000 –> 00:01:30,000
Ed Cardon [00:33:23]: So it’s, so that’s so fast moving. That’s why I think they need to go in and out. Because, you know, as they say, by the time you, from the time you start your computer science program to the time you graduate, it’s OB.
91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:33:37]: Yep.
92
00:01:31,000 –> 00:01:32,000
Ed Cardon [00:33:37]: Right?
93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:33:38]: Well said. True. But there’s nothing more valuable than experience, scar tissue.
94
00:01:33,000 –> 00:01:34,000
Ed Cardon [00:33:45]: Foundational education guilt.
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:33:37]: Yep.
96
00:01:35,000 –> 00:01:36,000
Josh Stiefel [00:33:48]: You know, one of the privileges of my former role on the committee was talking to operators at all levels. Right? And one of the things, you know, I saw that I think does the service members a real disservice is saying, oh, you know, we just can’t compete with the private sector, you know, for pay. I don’t think people are leaving because of pay. That might be the straw, the straw that breaks the camel’s back. They’re leaving because they’re in institutions that don’t view them as valuable to their core mission. And so if we had an organization or we had an institution where they’re seen as valued, where they’re seeing leaders above them, that came from their communities, that can speak their language, that have been through what they’ve been through, that have, you know, found success in this domain, you show them that there’s not just an incentive, right, but, but there is a pathway, and you’re not treated as an other.
97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:34:41]: Is that a failure of leadership, Josh, when you really get down to it?
98
00:01:37,000 –> 00:01:38,000
Josh Stiefel [00:34:45]: No, I don’t fault the services. Like, I want the Air Force thinking about air warfare 24 hours a day, seven days a week. I don’t want them to have to balance that with the competing prioritization of a different domain. I think that gets to the heart of, you know, the view that I have at least, that we build our military services per the war fighting domains. We have five domains, and we’ve built services for four out of those five. I want, right, I want the Army thinking about land warfare all the time. I don’t want it have to balance it with anything else.
99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:35:19]: But the flip side is, is you want every service to appreciate the cyber component of their existing AOR. Right?
100
00:01:39,000 –> 00:01:40,000
Josh Stiefel [00:35:28]: You need generalists and you need specialists. Right? And so if you had a cyber service, right, it doesn’t absolve the Army from having to care about cyber, just their lens and their perspective is going to be different. We created an Air Force, but we didn’t take planes away from the Navy and the Marine Corps. Right? We create a cyber force, you’re not telling the Army they don’t have to care about their network anymore because it’s someone else’s job.
101
00:01:40,000 –> 00:01:41,000
Josh Stiefel [00:35:52]: You’re saying to the Army, you have to get these functions, right, those that are related to your ability to conduct ground operations. Right? And that involves, there’s going to be a cyber component to that. But that’s different from saying that Army, you know, at the same time that you’re building formations for infantry and maneuver and fires, you also have to think about cyber, which isn’t going to support those. That’s really the situation we have today.
102
00:01:41,000 –> 00:01:42,000
Ed Cardon [00:36:18]: And this is one of those lines that the Commission is going to have to take a look at, because you could see a service easily say, well, you created a Cyber Force. You should provide those to me. Right? But the problem is, is, and having, you know, been in the Army, that we want cyber, we want to have some cyber personnel that are experts in the land domain, right? So they understand it from that domain.
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:36:43]: Or sea or undersea or space.
104
00:01:43,000 –> 00:01:44,000
Ed Cardon [00:36:46]: Right. So, so the question is, you know, people are like, are they in or out? Well, okay, let’s focus on mission. Let’s focus on mission. And based on mission, you know, form follows function. Right? Form follows function.
105
00:01:44,000 –> 00:01:45,000
Frank Cilluffo [00:36:57]: And General, I love that you brought that up, because form should always follow function. I’d be curious, and we’re running out of time, but I want to make sure that the old adage, what gets measured gets done, but are we measuring what matters? What are the MOEs? What should success look like? And not to sound like the typical, but the DC way is create something new so you don’t have to fix what was, wasn’t fixed. How do we ensure that we’re building something that we can all be proud of 20 years from now?
106
00:01:45,000 –> 00:01:46,000
Josh Stiefel [00:37:31]: So let’s look at a really current example, right? Operation Midnight Hammer, you know, the strikes against the Iranian nuclear program, something that required unbelievable precision. You had, you know, maneuver between tankers, bombers, unique ordinance being dropped. Could that have been pulled off by the Navy? Could that have been pulled off by the Marine Corps? Could have been pulled off, could it have been pulled off by the Army? No.
107
00:01:46,000 –> 00:01:47,000
Josh Stiefel [00:37:57]: Right? Why? Because you had an Air Force that had been making investments through the years. Because all the things that were involved in that operation are things that have, that we’ve been laying the groundwork on investments for for decades. Right? Tanker technology, you know, refueling, ordnance, the R and D that goes into that. You don’t develop that overnight. And so that was a byproduct that no one could have envisioned when this debate was being had in the 20s and 30s and even in the 50s when we already had an Air Force, you know, thinking about how we’re going to be able to cross halfway around the globe. But aren’t we glad that we did that? Because someone was in charge and said, I better make these investments today because I might need it down the road.
108
00:01:47,000 –> 00:01:48,000
Frank Cilluffo [00:38:41]: General?
109
00:01:48,000 –> 00:01:49,000
Ed Cardon [00:38:41]: Cyber is very hard to measure. This leads directly to cyber deterrence. Right? Which I know on the Solarium Commission, you talked about a lot. It’s very hard to measure.
110
00:01:49,000 –> 00:01:50,000
Frank Cilluffo [00:38:51]: Yes. Lots of views there.
111
00:01:50,000 –> 00:01:51,000
Ed Cardon [00:38:53]: And so I think there’s a, there’s, this is an area that needs a lot more research. Right? We have a very hard time measuring cyber effects. We can, we know when the cyber effect is measured in something physical, like the Dabiq Magazine in ISIS went away. That wasn’t by accident. Right?
112
00:01:51,000 –> 00:01:52,000
Ed Cardon [00:39:11]: Now, that’s very small example, but so you, we can see that. Right?
113
00:01:52,000 –> 00:01:53,000
Ed Cardon [00:39:16]: But for a lot of this stuff, very hard, it’s measured by attack, a successful attack. I wouldn’t even, unlike people that say, I get attacked a million times, of course, you know, you’re getting scammed, right? Probably some of it’s by the teenager down the road. But my, my point is, is these MOEs are really important down the road because as we do start doing more and more operations, it’s all about where we put our money, right? We got to be able to show that we’re spending this money well.
114
00:01:53,000 –> 00:01:54,000
Frank Cilluffo [00:39:46]: And policy without resources is rhetoric. And it’s hard to disprove double negatives. That’s what makes this business so hard. It’s the same challenges you have in the intelligence community, but on steroids. Gentlemen, what questions didn’t I ask that I should have? We covered a lot of terrain. I wish we had more time.
115
00:01:54,000 –> 00:01:55,000
Josh Stiefel [00:40:03]: Cost.
116
00:01:55,000 –> 00:01:56,000
Frank Cilluffo [00:40:04]: Cost, okay. Dollars?
117
00:01:56,000 –> 00:01:57,000
Josh Stiefel [00:40:06]: When thinking about, you know, what should we do, which, oh, it’s too expensive or, oh, you know, whatever.
118
00:01:57,000 –> 00:01:58,000
Frank Cilluffo [00:40:12]: You never know when you need that exquisite capability, to your point earlier.
119
00:01:58,000 –> 00:01:59,000
Josh Stiefel [00:40:16]: Yeah. But also, we are spending an unbelievable amount of money towards this. It’s just, is it being spent as, as well as it ought to be? From 2020 to 2025, public figures, we’ve spent $29.9 billion on cyber operations. That’s enough for two Ford class aircraft carriers. Do we have the equivalent combat capability in cyberspace as two Ford class carriers? I’d argue no. Right? So we’re putting the money, are we getting the ROI out of it that we should be expecting as citizens, as taxpayers, as defense professionals? Because that’s a really scary thing, is that we are putting money towards it and we’re not exacting a long term benefit from it.
120
00:01:59,000 –> 00:02:00,000
Frank Cilluffo [00:41:01]: Sounds like a appropriator, but who is an authorizer in that, but well said. General, last word.
121
00:02:00,000 –> 00:02:01,000
Ed Cardon [00:41:08]: I think this is really important work. If not, you know, the decision will be made and then in my experience, we tend to study it for a couple of years before we implement it. We don’t have that kind of time.
122
00:02:01,000 –> 00:02:02,000
Frank Cilluffo [00:41:22]: Well said. Gentlemen, thank you both for your commitment to these issues, for your public service over the many years, for joining us today, and in all sincerity, this is an investment we have to make now where or we’re going to pay the prices in the future. Thank you both so much.
123
00:02:02,000 –> 00:02:03,000
Ed Cardon [00:41:39]: Thank you. Thanks a lot, Frank.
124
00:02:03,000 –> 00:02:04,000
Josh Stiefel [00:41:40]: Thank you.
125
00:02:04,000 –> 00:02:05,000
Frank Cilluffo [00:41:41]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.