United States Cyber Command

Audio readout of this profile.

Overview

United States Cyber Command is the unified combatant command of the United States Armed Forces responsible for the planning, coordination, integration, synchronisation, and conduct of military cyber operations. USCYBERCOM defends Department of Defense networks, conducts full-spectrum cyber operations in support of combatant commanders, and — under the 2018 National Defense Strategy and the associated implementation guidance — conducts the "defend forward" cyber operations against foreign adversaries that the Department of Defense has identified as threats to United States national security.¹

The Commander of USCYBERCOM is dual-hatted as the Director of the National Security Agency and Chief of the Central Security Service. The dual-hat arrangement, in place since the establishment of USCYBERCOM in 2009, has been the subject of sustained policy debate; successive administrations have evaluated separating the two positions but have, to date, sustained the arrangement.

History & Origins

USCYBERCOM was established on 23 June 2009 by Secretary of Defense Robert M. Gates as a sub-unified command under United States Strategic Command. The establishment was the consolidation of two existing organisations — the Joint Task Force – Global Network Operations (responsible for defensive cyber operations) and the Joint Functional Component Command for Network Warfare (responsible for offensive cyber operations, and itself an NSA-aligned organisation under STRATCOM) — into a single command structure. USCYBERCOM achieved initial operational capability on 21 May 2010 and full operational capability on 31 October 2010.²

The decision to establish USCYBERCOM as a sub-unified command under STRATCOM, rather than as a unified combatant command in its own right, reflected the period of policy uncertainty following the 2008 cyber-intrusion of classified Department-of-Defense networks (Operation Buckshot Yankee, the Agent.btz incident) and the broader assessment that the department's existing institutional arrangements for cyber operations were inadequate to the operational tempo of the period.³

USCYBERCOM was elevated to a full unified combatant command, separate from STRATCOM, on 4 May 2018, by direction of President Donald J. Trump in the National Defense Authorization Act for Fiscal Year 2017 implementation. The elevation was accompanied by the issuance of National Security Presidential Memorandum 13 (NSPM-13, August 2018), which delegated cyber-operational decision authorities to the Department of Defense to a degree not previously articulated and which is the principal executive-branch authority on which the post-2018 "defend forward" operational concept has rested.⁴

Mandate & Jurisdiction

USCYBERCOM's authorities derive from 10 U.S.C. § 167b (establishing the Cyber Command), the Unified Command Plan (the document by which the President assigns missions to combatant commands), the National Defense Authorization Act for Fiscal Year 2017 (Pub. L. 114-328, sec. 923, the elevation provision), Executive Order 12333, and National Security Presidential Memorandum 13. USCYBERCOM's principal functions are:

• defence of the Department of Defense Information Network (DODIN) against cyber intrusion;
• conduct of full-spectrum cyber operations in support of combatant commanders' operational plans;
• conduct of "defend forward" cyber operations against foreign adversaries threatening United States national security;
• service as the United States Government's principal military cyber-operations element, in coordination with the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation;
• support to the integration of cyber operations into joint force planning across the combatant commands.⁵

USCYBERCOM does not conduct domestic law-enforcement operations and does not collect intelligence on US persons. The cyber-defence of the Department of Homeland Security and of US critical infrastructure is the responsibility of the Cybersecurity and Infrastructure Security Agency (CISA) and, in operational coordination, the Federal Bureau of Investigation; USCYBERCOM operations against foreign actors targeting US critical infrastructure are conducted in coordination with those agencies.⁶

Notable Operations

Confirmed Operation Olympic Games / Stuxnet (c. 2007–2010). The joint US – Israeli cyber-sabotage operation against the Iranian uranium-enrichment facility at Natanz, conducted prior to the formal establishment of USCYBERCOM by predecessor organisations and continued under USCYBERCOM following its 2009 establishment. The operation introduced the Stuxnet worm into the Natanz industrial-control systems and physically damaged a substantial fraction of the centrifuge cascade. The operation was confirmed in the reporting of David Sanger and Kim Zetter and is the principal documented case of pre-2010 United States military cyber-effects operations.⁷

Confirmed Joint Task Force ARES and Operation Glowing Symphony (2016–c. 2018). The USCYBERCOM-led offensive cyber-operations campaign against the Islamic State, conducted in coordination with United States Central Command and partnered services. Joint Task Force ARES was established in May 2016. Operation Glowing Symphony, conducted in November 2016 and subsequently, conducted disruptive operations against ISIS media and command-and-control networks. The operation was disclosed in part through National Security Council documents released to the National Security Archive in 2020.⁸

Confirmed 2018 election-defence operations. USCYBERCOM, in partnership with NSA, established the Russia Small Group in 2018 and conducted offensive cyber operations against Russian Internet Research Agency infrastructure across the 2018 mid-term election period. The operations were disclosed in Washington Post reporting in February 2019 and were subsequently confirmed in the unclassified IC Assessment on 2018-election influence efforts.⁹

Confirmed Hunt Forward operations (2018–present). Under the post-2018 "defend forward" concept, USCYBERCOM has conducted more than fifty Hunt Forward deployments to over 20 partner countries — including substantial deployments to Ukraine across 2021–2022 in the period before and after the Russian invasion — under which Cyber National Mission Force teams operate from partner networks to identify and disclose foreign-adversary cyber tradecraft. The deployments are described in successive USCYBERCOM annual reports.¹⁰

Confirmed Continuing operations against Russian, Chinese, North Korean, and Iranian state-affiliated actors. USCYBERCOM has, across the 2018–2025 period, conducted disclosed-in-part offensive and defensive cyber operations against state-affiliated actors of the four named threat actors. The disclosures have been made principally through the Cybersecurity Advisories jointly issued by NSA, CISA, and the FBI, and through the public-disclosure releases of malware indicators conducted by the Cyber National Mission Force.¹¹

Controversies & Abuses

Confirmed Dual-hat policy debate (2009–present). The dual-hat arrangement under which the Commander of USCYBERCOM also serves as Director of NSA has been the subject of sustained policy debate across successive administrations. Critics of the arrangement argue that the operational priorities of a combatant command and the collection priorities of an intelligence agency are structurally inconsistent and that the same officer should not serve in both roles; defenders argue that the practical-operational and personnel synergies between the two organisations are substantial and that the alternative — separating the roles — would degrade both. The Trump and Biden administrations both conducted formal reviews of the arrangement and both elected to sustain it. The debate is the principal continuing institutional question on the future of the command.¹²

Confirmed NSPM-13 transparency concerns. The 2018 National Security Presidential Memorandum 13 — which delegated cyber-operational authorities to the Department of Defense and which is the principal executive-branch authority on the post-2018 "defend forward" concept — has been classified in substantial part. The limited public disclosure of NSPM-13's content has been the subject of sustained congressional concern, with successive National Defense Authorization Acts including reporting requirements intended to elaborate the public-record account of the operational authorities under which USCYBERCOM operates.¹³

Notable Figures

• General Keith B. Alexander — First Commander (21 May 2010 – 28 March 2014). Concurrent Director of NSA.
• Admiral Michael S. Rogers — Commander (3 April 2014 – 4 May 2018). Period of the elevation to unified combatant command.
• General Paul M. Nakasone — Commander (4 May 2018 – 2 February 2024). Architect of the "defend forward" concept and of the Hunt Forward deployments.
• General Timothy D. Haugh — Commander (2 February 2024 – 3 April 2025). Relieved by the Trump administration.
• Lieutenant General William J. Hartman, USA — Acting Commander (3 April 2025 – present). Formerly Commander, Cyber National Mission Force, then Deputy Commander, USCYBERCOM.

Oversight & Accountability

USCYBERCOM is subject to oversight by the Senate Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, the Senate and House Armed Services Committees, the Department of Defense Inspector General, and the Intelligence Community Inspector General (for its NSA-coordinated activities). The Cyberspace Solarium Commission (2019–2020) and its successor implementation body have been the principal continuing public-record source of strategic-level recommendations on the operational and institutional arrangement of US military cyber forces.¹⁴

Sources & Further Reading

1. USCYBERCOM, "Mission and Vision"; Department of Defense Cyber Strategy, September 2018.
2. Department of Defense, news release establishing USCYBERCOM, 23 June 2009; United States Strategic Command, transition documents, 2010.
3. William J. Lynn III, "Defending a New Domain: The Pentagon's Cyberstrategy," Foreign Affairs, September/October 2010 — public account of Operation Buckshot Yankee.
4. National Defense Authorization Act for Fiscal Year 2017, Pub. L. 114-328, sec. 923; National Security Presidential Memorandum 13 (NSPM-13), August 2018 (substantially classified); Department of Defense, Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command, March 2018.
5. 10 U.S.C. § 167b; USCYBERCOM mission; Department of Defense Cyber Strategy, 2018.
6. CISA, "Cybersecurity Division"; FBI Cyber Division.
7. David E. Sanger, "Obama Order Sped Up Wave of Cyberattacks Against Iran," New York Times, 1 June 2012; Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Crown, 2014).
8. Dina Temple-Raston, "How the U.S. Hacked ISIS," NPR, 26 September 2019; National Security Archive, "Joint Task Force ARES and Operation Glowing Symphony", 21 January 2020.
9. Ellen Nakashima, "U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms," Washington Post, 27 February 2019; Office of the Director of National Intelligence, Foreign Threats to the 2018 US Federal Elections, December 2018 (declassified release).
10. USCYBERCOM Cyber National Mission Force, public disclosures on Hunt Forward deployments, 2018–present, archived at USCYBERCOM news; 2023 DoD Cyber Strategy Summary.
11. Joint Cybersecurity Advisories series, NSA / CISA / FBI, archived at CISA Cybersecurity Advisories.
12. Senate Armed Services Committee, hearings on USCYBERCOM-NSA dual-hat arrangement, 2017, 2021, 2024; National Defense Authorization Acts, dual-hat reporting requirements.
13. House Permanent Select Committee on Intelligence and Senate Select Committee on Intelligence, NSPM-13 reporting and review correspondence, 2018–present; National Defense Authorization Act for Fiscal Year 2020, sec. 1641 (cyber-operations reporting).
14. Cyberspace Solarium Commission reports, 2020 and subsequent.