When military leaders and lawmakers can’t agree on how to defend the nation in cyberspace, what does that tell us about the state of cybersecurity-and what should your organization be doing about it?

The Debate That’s Shaking Washington

If you want to understand where cybersecurity is headed, look no further than the heated debate currently unfolding between the Pentagon and Congress over the creation of a dedicated US Cyber Force. It’s not just another Washington turf war-it’s a window into the fundamental challenges that every organization, military or civilian, faces in defending against modern cyber threats.

Here’s what’s happening: A bipartisan group of lawmakers is pushing hard for the establishment of an independent Cyber Force as the sixth branch of the U.S. military, sitting alongside the Army, Navy, Air Force, Marines, and Space Force. The proposal, backed by influential think tanks like the Foundation for Defense of Democracies (FDD), calls for a force of 10,000 personnel with a $16.5-17 billion budget. The argument? That America’s current cyber force generation system is “clearly broken” and leaving the nation “increasingly behind” adversaries like China and Russia.

The Pentagon, however, isn’t having it. In September 2024, the Department of Defense formally appealed to Congress to drop the proposal, arguing instead for a Special Operations Command (SOCOM)-like model that would keep cyber forces under the existing U.S. Cyber Command (CYBERCOM) structure. As acting CYBERCOM commander Lt. Gen. William Hartman told lawmakers in May 2025, “Our preference was the SOCOM-like model.”

The fiscal year 2025 National Defense Authorization Act (NDAA) has directed the National Academies of Sciences, Engineering, and Medicine (NASEM) to conduct an independent evaluation of whether establishing a separate Cyber Force is feasible and advisable. As this study progresses, the tension between those calling for radical restructuring and those defending incremental change only intensifies.

But here’s what makes this debate so relevant beyond the Beltway: The challenges driving this high-stakes argument-talent shortages, fragmented systems, inconsistent training, retention issues, and the inability to keep pace with evolving threats-are the exact same challenges facing enterprises across every industry.

The Core Problem: When Traditional Structures Can’t Keep Up

To understand why this debate matters to you, we need to look at what’s actually broken. Former CYBERCOM commander Gen. Paul Nakasone, who retired in February 2025, put it bluntly: the United States is falling “increasingly behind” its adversaries in cyberspace. This from someone who had access to the most advanced cyber capabilities and unlimited resources of the U.S. military.

The Talent Crisis

The Cyber Mission Force (CMF) was created by the Pentagon in 2012 with a specific structure: 133 teams. More than a decade later, that number has barely budged, even as cyber threats have exploded exponentially. Why? The military services run their own recruitment and training systems, leading to what the FDD report calls “inconsistent training” and cyber warriors arriving at CYBERCOM with wildly varying levels of knowledge and experience.

It’s a talent pipeline problem that every CISO can relate to. You can’t find qualified people, and when you do, keeping them is another challenge entirely. The skills they bring are inconsistent, and by the time you get them up to speed, they’re considering offers from the private sector or moving to another role.

The FDD study, drawing on insights from more than 75 active-duty and retired military cyber officers, identifies chronic structural issues that prevent effective force generation. The military simply cannot staff up adequately to defend cyberspace, with talent shortages being chief among the concerns that have plagued Congress for a decade.

The Fragmentation Problem

Perhaps more concerning is the fragmentation issue. Right now, cyber capabilities across the Department of Defense are scattered across different services, commands, and organizations. The Air Force does its thing, the Army does its thing, the Navy does its thing-and coordinating between them is an ongoing challenge.

The House and Senate versions of the fiscal 2026 NDAA are pushing for “Joint Task Force-Cyber” elements across geographic combatant commands precisely because current coordination is insufficient. Geographic combatant commanders don’t have as much control over cyber forces in their regions as they do over physical forces. Cyber teams are controlled through CYBERCOM, which maintains the ability to reorganize and realign forces as it sees fit-sometimes in ways that don’t align with what regional commanders actually need.

This is the military version of what happens in enterprises when security operations, endpoint management, network security, and data protection all operate in silos with different vendors, different dashboards, and different priorities.

The Readiness Challenge

The most damning critique is that despite years of effort and billions in investment, the current system simply isn’t producing the readiness levels needed. The “CYBERCOM 2.0” initiative, launched to address force generation challenges, has been criticized as “status quo-plus”-incremental improvements that don’t go far enough.

The Pentagon did receive Enhanced Budgetary Control (EBC) in fiscal 2024, giving CYBERCOM oversight of approximately $2 billion in acquisitions. But critics argue this is applying a SOCOM-like band-aid to a problem that requires more fundamental restructuring.

Meanwhile, every day that passes without resolution, adversaries aren’t waiting. Chinese and Russian cyber capabilities continue to mature. The infamous Volt Typhoon campaign, which embedded malware in U.S. critical infrastructure, demonstrated that threats have evolved beyond stealing data-they’re about pre-positioning for potential attacks that could cripple essential services.

Why the Pentagon Says No (And What That Reveals)

The Pentagon’s resistance to a separate Cyber Force isn’t just bureaucratic stubbornness. Their concerns reveal important insights about cybersecurity strategy that apply far beyond the military context.

The Coordination Concern

Defense officials worry that creating a separate service could “disrupt coordination, increase fragmentation, and ultimately weaken U.S. cyber readiness.” Michael Sulmeyer, who was DoD’s top cyber policy official, warned proponents to “be careful what you wish for,” noting that “having a cyber service that is divorced from those particular mission sets may pose some challenges in understanding the warfighting needs of the services.”

The argument is that cyber operations don’t exist in isolation-they’re intimately connected to air operations, naval operations, ground operations, and space operations. Pulling cyber into its own branch could actually make integration harder, not easier.

Rep. Richard McCormick (R-Georgia) raised a crucial point during hearings: Special Operations Forces work because each unit (SEALs, Green Berets, etc.) has distinct missions and training. But CYBERCOM has emphasized that cyber personnel should be “uniformly trained” and “interchangeable” between missions. “That’s what worries me,” McCormick said, “is that we’re bumping up against this.”

The Efficiency Argument

Critics of the Cyber Force proposal argue it would be expensive and inefficient. The Pentagon contends that the current structure, with proper reform, can address readiness issues without the massive disruption and cost of standing up an entirely new service branch.

Proponents counter that the Cyber Force would actually be more efficient by eliminating duplicative force generation efforts across services. They point out that the proposed $17 billion budget is substantially less than the Space Force’s $29.4 billion fiscal 2025 budget request-and Space Force started with just $15.4 billion in fiscal 2021.

The Implementation Challenge

Perhaps most tellingly, the Pentagon warned Congress that if an independent assessment goes forward without access to classified information, it will have to rely on “public, unclassified information”-implying that the full picture can’t be discussed openly. This is the ultimate “you don’t know what you don’t know” argument.

What Congress Sees That Demands Change

On the other side of this debate, lawmakers from both parties are looking at the same data and reaching a different conclusion: that the status quo is unacceptable and incremental change isn’t working.

The Window Is Closing

The FDD report warns that the nation “has a limited window of opportunity to reorganize, allocate resources, and develop sustainable cyber force readiness.” The study argues that “the military has failed to fix the problem on its own. Only Congress can create a new independent service, so it is time for lawmakers to act.”

This sense of urgency stems from the threat landscape. China’s cyber capabilities are advancing rapidly, with operations like Volt Typhoon demonstrating unprecedented sophistication. Russia continues to conduct disruptive cyber operations against Ukraine and has shown willingness to target Western infrastructure. Iran and North Korea are also becoming increasingly capable cyber actors.

Former Cyberspace Solarium Commission head Mark Montgomery told reporters, “We’re going to make a push for an outside, independent study of creating a Cyber Force. Faced with an increasing threat, we’re not growing our force in a meaningful manner.”

The RAND Study and Section 1533

Congress already mandated an evaluation of the cyber enterprise in the fiscal 2023 NDAA (Section 1533), which was assigned to the RAND Corporation. But the Pentagon won’t make decisions based on those findings until at least June 2025-and even then, there’s skepticism about whether the recommendations will be implemented.

This pattern of study-delay-study has frustrated lawmakers who believe action is needed now, not after another round of analysis. The fiscal 2025 NDAA’s direction for NASEM to conduct an independent assessment reflects this frustration-Congress wants voices outside the Pentagon’s chain of command weighing in.

The Precedent of Space Force

Advocates also point to the successful establishment of Space Force in 2019 as proof that creating a new service branch can work. Space Force was controversial at first but is now widely seen as having been necessary to address a domain that existing services weren’t adequately covering.

Rep. Morgan Luttrell (R-Texas), who introduced the amendment calling for the Cyber Force study in the House NDAA, is among those who see parallels. The question is whether cyberspace requires the same kind of dedicated focus that space does.

The Lessons for Enterprise Cybersecurity

So what does this high-level debate mean for organizations that aren’t defending the nation but are trying to protect customer data, intellectual property, and business operations? Actually, quite a lot.

Lesson 1: Fragmentation Is the Enemy

Both sides of the Pentagon-Congress debate agree on one thing: fragmented systems don’t work. Whether the answer is a new Cyber Force or a reformed CYBERCOM, everyone acknowledges that having different organizations with different training standards, different tools, and different priorities creates gaps that adversaries exploit.

For enterprises, this translates directly. When your endpoint security doesn’t talk to your network firewall, when your data loss prevention system operates independently of your access controls, when your security teams use different dashboards and have different priorities-you’re creating the same fragmentation problem the Pentagon is trying to solve.

The TerraZone Approach: This is exactly why modern security architectures are moving toward unified platforms rather than best-of-breed point solutions. TerraZone’s approach integrates multiple security functions-identity-based firewall (IDFW), micro-segmentation, endpoint security, and device compliance checking-into a single cohesive platform. Instead of managing separate vendors and trying to make their solutions work together, organizations get unified visibility and control.

Think of it this way: if the Pentagon with virtually unlimited resources struggles to coordinate cyber defenses across separate organizations, how can a typical enterprise expect to do better with limited staff and budget?

Lesson 2: Zero Trust Isn’t Optional Anymore

A recurring theme in the Pentagon debate is that traditional perimeter-based security models don’t work in modern hybrid environments. The military is dealing with networks that span classified facilities, embassies, forward-deployed units, contractors, and cloud environments. The old model of “trusted inside, untrusted outside” doesn’t apply.

This is why Zero Trust principles keep coming up in discussions about cyber force structure. The assumption must be that threats exist both inside and outside the network, requiring continuous verification and strict access controls.

The TerraZone Solution: Zero Trust architecture is built into TerraZone’s DNA through truePass and other security components. The platform ensures that:

• Verify Explicitly: Every access request is continuously verified based on user identity, device health, location, and other contextual factors
• Least Privilege: Users get only the access necessary for their specific role, nothing more
• Assume Breach: The architecture is designed to contain and mitigate breaches, not just prevent them

TerraZone’s patented Reverse Access technology takes this further by ensuring applications aren’t exposed to the internet at all. Incoming requests are pulled into the network over outbound connections, eliminating the need for open inbound ports that attackers can target.

Lesson 3: Micro-Segmentation Limits Lateral Movement

One of the key concerns driving the Cyber Force debate is lateral movement-when attackers breach one system and then move horizontally across the network to reach high-value targets. The military’s discussion of creating “Joint Task Force-Cyber” elements is partly about better segmenting operations to contain potential breaches.

The TerraZone Implementation: Micro-segmentation is a core capability of TerraZone’s platform. Instead of broad network segments that allow lateral movement, each endpoint effectively becomes its own isolated segment. Even if an attacker compromises one workstation or application, they’re contained and can’t pivot to other resources.

This is particularly powerful because segmentation follows workload identity rather than network location. Whether resources are on-premises, in the cloud, or in hybrid environments, policies remain consistent and enforce isolation where needed.

Lesson 4: Talent Scarcity Demands Simplification

If the U.S. military-which can offer job security, patriotic mission, and comprehensive benefits-struggles to recruit and retain cyber talent, what hope do private sector organizations have?

The answer isn’t to compete on talent acquisition alone (though competitive compensation matters). It’s to make your security architecture simple enough that you don’t need a team of specialists to operate it effectively.

The TerraZone Advantage: By consolidating multiple security functions into a unified platform with consistent management interfaces, TerraZone dramatically reduces the operational complexity that burns out security teams. Instead of needing specialists for endpoint protection, network segmentation, access control, and data security, organizations can manage everything through integrated workflows.

The platform also enables automation of policy enforcement, reducing manual configuration that’s both time-consuming and error-prone. When the Pentagon talks about CYBERCOM 2.0’s goals including automation, they’re recognizing the same reality: humans can’t scale to match the threat volume, so systems must become more self-managing.

Lesson 5: Secure Data Exchange Can’t Be an Afterthought

Another thread running through the Pentagon debate is the challenge of secure collaboration-both between different military branches and with coalition partners, contractors, and other stakeholders. Cyber operations require sharing threat intelligence, coordinating responses, and collaborating on defensive measures, all while ensuring sensitive information doesn’t leak.

The TerraZone Portfolio: This is where TerraZone’s Secure Data Exchange (SDE) solutions become critical:

• Managed File Transfer (MFT): Automates secure file transfers between applications, systems, and partners with full encryption, authentication, and audit trails
• Secure Email: Enables sending sensitive data via email without requiring recipients to install software or exchange keys
• Digital Vault: Provides secure storage and controlled access to sensitive documents
• Rights Management Services (RMS): Allows sharing files with granular control over who can view, edit, print, or forward

These capabilities ensure that collaboration doesn’t come at the expense of security. Files are encrypted at rest and in transit, access is strictly controlled, and every interaction is logged for compliance and forensic purposes.

The Bigger Picture: Why Traditional Security Models Are Failing

The Pentagon-Congress debate isn’t happening in isolation. It’s part of a broader recognition that cybersecurity approaches developed for an earlier era don’t work in today’s threat environment.

The Perimeter Has Dissolved

The traditional model assumed a clear network perimeter: trusted resources inside, untrusted world outside. Firewalls at the perimeter, VPNs for remote access, and network segmentation internally. But that model breaks down when:

• Applications migrate to multiple clouds
• Employees work from anywhere on personal devices
• Business partners need access to internal resources
• IoT devices proliferate without traditional security controls
• Attackers increasingly breach through legitimate credentials rather than exploiting vulnerabilities

This is why both sides of the Cyber Force debate emphasize the need for new approaches. The old perimeter model simply doesn’t reflect how modern networks actually work.

Adversaries Are Patient and Sophisticated

The Volt Typhoon campaign demonstrated a new level of sophistication: Chinese actors embedded malware in U.S. critical infrastructure not to steal data, but to pre-position for potential destructive attacks. They were patient, careful to avoid detection, and focused on achieving long-term strategic positioning.

This “living off the land” approach, using legitimate credentials and tools rather than obvious malware, defeats traditional signature-based defenses. It requires security architectures that assume compromise, monitor for anomalous behavior, and limit what any single compromised credential can access.

Speed of Change Outpaces Security Updates

Perhaps most fundamentally, the rate of technological change has accelerated beyond what traditional security models can accommodate. New applications are deployed continuously through CI/CD pipelines. Infrastructure is provisioned and de-provisioned dynamically. Users’ work patterns shift constantly.

Security that requires manual policy updates, change review boards, and coordinated deployments simply can’t keep pace. This is why automation, identity-based policies, and context-aware access controls have become essential-they allow security to adapt at the speed of business.

What Your Organization Should Do Now

You don’t need to wait for Congress and the Pentagon to resolve their debate to take action. The challenges they’re wrestling with have clear implications for enterprise security strategy.

1. Conduct a Fragmentation Assessment

Take an honest look at your security architecture:

• How many different security vendors do you work with?
• Do your security tools share information and coordinate responses?
• Can you see your entire security posture from a single dashboard?
• How much time does your team spend integrating different systems?

If you’re dealing with significant fragmentation, you’re likely experiencing the same gaps and blind spots that concern Pentagon critics. Consider consolidating onto platforms that integrate multiple functions rather than continuing to add point solutions.

2. Implement Zero Trust Principles

You don’t need to rip and replace everything at once, but start moving toward Zero Trust architecture:

• Verify explicitly: Implement multi-factor authentication everywhere, not just for VPN access
• Least privilege: Review and limit user permissions; ensure people can only access what they need for their actual job functions
• Assume breach: Implement segmentation and monitoring that can detect and contain attacks even after initial compromise

TerraZone’s truePass platform provides a comprehensive Zero Trust implementation that includes remote access, conditional access based on device compliance, posture checking, and continuous verification-without requiring you to replace your entire infrastructure.

3. Embrace Micro-Segmentation

Move beyond simple network segmentation to identity-based micro-segmentation that:

• Controls east-west traffic within your network, not just north-south at the perimeter
• Follows workloads wherever they go, including cloud and hybrid environments
• Enforces policies based on what the workload does, not where it sits on the network

This approach dramatically limits what attackers can do even if they get initial access, containing breaches before they spread.

4. Simplify Management

Given talent scarcity, optimize for operational efficiency:

• Consolidate security functions where possible to reduce complexity
• Automate policy enforcement and routine tasks
• Implement solutions that don’t require constant tuning and adjustment
• Invest in training for your existing team rather than hoping to hire unicorns

5. Secure Your Data Exchanges

Review how sensitive information moves:

• Are emails with sensitive attachments being sent unprotected?
• Do file transfers to partners use secure, audited channels?
• Can you quickly identify who accessed what and when?
• Are you compliant with regulations like GDPR, HIPAA, or PCI-DSS?

Implementing solutions like TerraZone’s Secure MFT, Secure Email, and Digital Vault capabilities ensures that data protection doesn’t end at your network perimeter-it travels with the data wherever it goes.

The Path Forward: Learning from the Debate

While Congress and the Pentagon continue their discussion about the optimal structure for cyber defense, the underlying challenges they’re addressing aren’t going away. Whether the solution is a new Cyber Force, a reformed CYBERCOM, or some hybrid approach, several principles have emerged from the debate that apply universally:

Integration matters more than independence: While there’s debate about organizational structure, everyone agrees that siloed operations with poor communication create vulnerabilities. This applies equally to enterprise security architectures.

Identity is the new perimeter: Access decisions must be based on verified identity and contextual factors, not network location. This Zero Trust principle is becoming non-negotiable.

Automation is essential: Human teams, no matter how skilled, can’t scale to match the threat volume and speed. Effective security requires automated enforcement of policies, anomaly detection, and response capabilities.

Talent scarcity is real: Organizations must design security architectures that can be operated effectively by available staff, not architectures that require teams of specialists.

Speed of change matters: Security that can’t adapt quickly becomes a business bottleneck. Modern architectures must accommodate rapid change while maintaining protection.

Conclusion: The Security Transformation Is Here

The debate between the Pentagon and Congress over establishing a US Cyber Force is about more than military organization charts. It’s a high-stakes conversation about how to defend critical assets in an environment where traditional approaches have proven insufficient.

Every organization-whether defending the nation’s security or protecting customer data-faces the same fundamental challenges: sophisticated adversaries, dissolved perimeters, talent scarcity, fragmented systems, and the need for speed.

The good news is that while the military grapples with the political and organizational complexity of restructuring its cyber forces, enterprise organizations can act now. The technology and architectural approaches that address these challenges-Zero Trust, micro-segmentation, unified security platforms, and secure data exchange-are available and proven.

TerraZone’s comprehensive security platform brings together the capabilities that modern organizations need: identity-based access controls, network segmentation that follows workloads, endpoint security that doesn’t require constant management, and secure collaboration tools that enable business without compromising protection.

You don’t need a $17 billion budget or an act of Congress to transform your security posture. You need a clear understanding of the challenges you face, architectural principles that address modern threats, and solutions that make advanced security practically implementable.

While Washington debates the future of cyber defense, your organization’s security can’t wait. The adversaries certainly aren’t waiting. They’re adapting, improving, and searching for vulnerabilities right now.

The question isn’t whether to transform your security architecture-it’s whether you’ll do it proactively or in response to a breach that forces your hand. The Pentagon-Congress debate makes clear that everyone, at every level, is wrestling with the same fundamental challenge: how to defend in cyberspace when traditional models no longer work.

The organizations that thrive will be those that recognize this reality and act on it-with unified platforms, Zero Trust principles, intelligent automation, and security that adapts at the speed of business.

Take the Next Step

Want to learn how TerraZone’s unified security platform can address the challenges highlighted in the Pentagon-Congress cyber force debate? Our team can provide:

• Security Assessment: Evaluate your current architecture for fragmentation and gaps
• Zero Trust Roadmap: Develop a practical path to Zero Trust implementation
• Platform Demo: See how TerraZone integrates multiple security functions
• Compliance Review: Ensure your data exchange practices meet regulatory requirements

Contact us today to schedule a consultation and discover how enterprise organizations are solving the same challenges that have Washington debating the future of cyber defense.