U.S. Cyber Command and Military Cyber Operations
U.S. Cyber Command (CYBERCOM) is the unified combatant command responsible for military operations in cyberspace — defending Department of Defense networks, conducting offensive cyber operations against adversaries, and supporting geographic commanders worldwide. Established in 2009 as a sub-unified command under U.S. Strategic Command, CYBERCOM was elevated to a full Unified Combatant Command in 2018 by President Trump. It operates from Fort Meade, Maryland, co-located with the National Security Agency (NSA). Its statutory authority rests on 10 U.S.C. §§ 394–396, enacted through successive National Defense Authorization Acts (NDAAs), which give Congress visibility over significant military cyber operations and constrain purely executive cyber authorities.
Current Law (2026)
| Parameter | Value |
|---|---|
| Statutory authority (operations) | 10 U.S.C. § 394 |
| Congressional notification | 10 U.S.C. § 395 — significant military cyber operations reported within 48 hours |
| Executive order limits | 10 U.S.C. § 396 — military cyber operations may not violate standing EOs without presidential approval |
| NDAA § 1642 authority | Authorizes CYBERCOM operations against Russia, China, Iran, North Korea without separate presidential approval for certain activities |
| Combatant Command status | Full Unified Combatant Command since May 2018 |
| Headquarters | Fort Meade, Maryland |
| Commander | Four-star general/admiral (dual-hatted as NSA Director — status under review 2025) |
| Cyber Mission Force | 133 teams, ~6,200 military and civilian personnel |
| Annual budget | Approx. $3 billion (CYBERCOM direct) within broader DoD cyber budget of ~$14 billion |
| NSM-13 (Biden 2022) | Current governing policy for offensive cyber operations; replaced PPD-20 |
Legal Authority
- 10 U.S.C. § 394 — Authorizes the conduct of military operations and activities in cyberspace, including what DoD terms "Defend Forward" operations proactively engaging adversary networks
- 10 U.S.C. § 395 — Requires the Secretary of Defense to notify congressional defense committees within 48 hours of any significant military cyber operation; defines "significant" to include operations likely to result in significant loss of life, property, or national security implications
- 10 U.S.C. § 396 — Prohibits military cyber operations that would violate a standing executive order without explicit presidential authorization; preserves civilian command authority over sensitive operations
- NDAA FY2019 § 1642 — Provides standing authority (without requiring separate presidential approval for each instance) for CYBERCOM to conduct operations against designated adversary cyber actors of Russia, China, Iran, and North Korea when directed by the Secretary of Defense
- 50 U.S.C. § 3093 (covert action statute) — Requires a presidential finding and congressional notification for covert action, including cyber operations that cross into intelligence/covert action territory; the Title 10/Title 50 divide determines which framework applies
- National Security Memorandum 13 (NSM-13, Biden 2022) — Replaced Obama-era PPD-20; streamlined approval processes for certain offensive cyber operations, giving CYBERCOM and geographic combatant commanders more delegated authority than the original PPD-20 framework; current status under Trump second-term review
How It Works
Cyber Mission Force Structure
The Cyber Mission Force (CMF) comprises 133 teams, organized into the following categories:
Cyber National Mission Force (CNMF) — 13 teams: Hunt and defend against advanced persistent threats (APTs) targeting U.S. national interests; led by a three-star commander (CNMFHQ, Fort Meade). Conducts Hunt Forward Operations — deploying to partner nations at their invitation to identify adversary malware and infrastructure on partner networks before attacks reach the United States.
Cyber Combat Mission Teams (CCMT) — 27 teams: Support geographic combatant commands (INDOPACOM, EUCOM, CENTCOM, etc.) with offensive cyber capabilities; provide commanders a cyber effects option alongside kinetic options; may conduct destructive or disruptive cyberattacks under appropriate authorities.
Cyber Protection Teams (CPT) — 68 teams: Defend DoD Information Networks (DODIN) — the 15,000+ networks, 3 million endpoints, and 7,000 satellites and ground systems that constitute the DoD's global IT infrastructure; respond to intrusions on military networks; conduct forensic analysis.
National Mission Force Support Teams (NMST) — 25 teams: Provide analytics, planning, and intelligence support to the CMF.
The Title 10 / Title 50 Divide
The most consequential legal question in military cyber is whether a given operation constitutes a "traditional military activity" under Title 10 (DoD authority, reported to the armed services committees) or "covert action" under Title 50 (CIA/intelligence authority, reported to the intelligence committees, and requiring a presidential finding). The distinction matters because:
- Title 10 operations are publicly acknowledged as U.S. military activities
- Title 50 covert actions are deniable; their discovery could constitute an act of war
- Offensive cyber operations that access adversary networks before any attack may blur both categories
DoD's legal position, developed since 2009, is that proactive cyber operations to prepare the battlefield and gather intelligence in adversary networks constitute "traditional military activities" — not covert action — and thus fall under Title 10. Congress codified this view in NDAA § 1642. Critics argue some CYBERCOM operations functionally operate as covert action without the oversight requirements of Title 50 presidential findings.
Defend Forward and Persistent Engagement
CYBERCOM's 2018 Cyber Strategy introduced two interrelated doctrines:
Defend Forward: Rather than waiting for cyberattacks to reach U.S. networks, CYBERCOM operates in or near adversary infrastructure to observe attack preparations, disrupt tools, and impose costs before attacks launch. CYBERCOM deployed Hunt Forward teams to Ukraine beginning in 2022, identifying Russian offensive cyber tools used against Ukrainian networks and destroying them before they could be repurposed against U.S. targets.
Persistent Engagement: Adversaries continuously attempt to compromise U.S. networks; the correct response is continuous U.S. presence in the cyber domain, not episodic crisis response. This doctrine underpins CYBERCOM's request for standing authorities (NDAA § 1642) to operate without per-operation presidential approval.
NSA Dual-Hat Relationship
Since 2010, the CYBERCOM commander has simultaneously served as NSA director. This dual-hat arrangement lets CYBERCOM draw directly on NSA's intelligence collection and technical capabilities in support of military cyber operations. The Biden administration considered splitting the roles; the Trump administration maintained the dual-hat in 2025. The arrangement is controversial because NSA's primary mission is intelligence collection, while CYBERCOM's mission includes offensive operations that can "burn" intelligence sources by alerting adversaries when U.S. access is exploited offensively.
Civilian Authority Coordination
CYBERCOM's domain overlaps with two civilian authorities:
CISA (Cybersecurity and Infrastructure Security Agency, DHS): Under Title 6, CISA protects civilian federal .gov networks and coordinates with critical infrastructure sectors (energy, finance, water, healthcare). CISA has no offensive authority. CYBERCOM and CISA operate a 24/7 coordination mechanism and share threat intelligence, but CYBERCOM cannot take offensive action to protect a private utility company's network without raising significant questions about its legal authority to do so.
FBI Cyber Division: Investigates cyber intrusions as criminal matters, generates grand jury subpoenas and indictments, conducts court-authorized malware takedowns. The FBI/DOJ indictment process and CYBERCOM's offensive disruption operations sometimes run in parallel, creating coordination challenges.
Election Security Operations
CYBERCOM's most politically visible role has been protecting election infrastructure. In 2018, CYBERCOM disrupted the Internet Research Agency's ability to access the internet on Election Day (Operation Synthetic Theology). In 2020, 2022, and 2024, CYBERCOM deployed Hunt Forward teams to European partner nations, seizing infrastructure used by Russian, Chinese, and Iranian actors to conduct influence operations. CYBERCOM does not have authority over state election systems (CISA coordinates with state authorities); its role is disrupting foreign adversary infrastructure before it reaches U.S. elections.
Key Threat Actors (2025–2026)
- Volt Typhoon (PRC): Pre-positioned in U.S. critical infrastructure (energy, water, communications) for potential wartime disruption; FBI and CISA publicly attributed; CYBERCOM has conducted disruption operations
- Salt Typhoon (PRC): Compromised at least nine major U.S. telecommunications carriers including AT&T and Verizon; accessed call records and lawful intercept systems; largest known telecom breach in U.S. history
- Sandworm (Russia, GRU): Conducted destructive cyber operations in Ukraine (power grid attacks 2015, 2016; NotPetya 2017; Viasat 2022); CYBERCOM has operated against Sandworm infrastructure
- Lazarus Group (North Korea): Cryptocurrency theft to fund WMD programs; ransomware operations; ~$3 billion in crypto stolen since 2017
How It Affects You
If you work in critical infrastructure (energy, water, finance, healthcare, transportation): Volt Typhoon's pre-positioning in U.S. infrastructure networks means CYBERCOM threat intelligence directly affects your sector's security posture. CISA's Known Exploited Vulnerabilities (KEV) catalog (cisa.gov/known-exploited-vulnerabilities-catalog) lists vulnerabilities currently targeted by APTs — your organization's patching schedule should prioritize KEV entries within CISA's mandatory remediation windows (14 days for critical, 21 days for high). If your organization receives an FBI/CISA warning letter about a specific intrusion, you can contact CYBERCOM's Hunt Forward element indirectly through CISA's 24/7 hotline (888-282-0870) to request assistance or intelligence sharing.
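The KEV prioritization described above is easy to automate. The script below is an added example, not code from CISA, CYBERCOM, or this page: it parses a catalog document in the shape of CISA's public KEV JSON feed (the real feed's `vulnerabilities` array carries `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields), joins it against a local asset inventory, and orders the exposures so that entries already past their KEV due date come first, followed by entries tied to known ransomware campaigns, then by nearest due date. Every catalog record, CVE identifier (`CVE-0000-000x`), host name and the `INVENTORY` structure is constructed for the example; the remediation windows are read from each record's own `dueDate` rather than computed from severity.

```python
"""Rank unpatched KEV exposures against a hypothetical asset inventory.

Added example (not CISA's, CYBERCOM's, or this page's code). The catalog
text mirrors the field names of the public KEV JSON feed, but every record,
CVE number and host below is constructed sample data.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array.
KEV_JSON = """{
  "title": "constructed sample, not the real catalog",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeRouter",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "HMIStudio",
     "dateAdded": "2026-02-24", "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "HMIStudio",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "FileGateway",
     "dateAdded": "2026-03-14", "dueDate": "2026-03-28", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0005", "vendorProject": "OtherVendor", "product": "FileGateway",
     "dateAdded": "2026-03-04", "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Hypothetical inventory: what each host runs and which KEV CVEs are already remediated.
INVENTORY = [
    {"host": "scada-gw-01", "vendor": "ExampleVendor", "product": "EdgeRouter", "remediated": []},
    {"host": "hmi-ws-07", "vendor": "ExampleVendor", "product": "HMIStudio", "remediated": ["CVE-0000-0002"]},
    {"host": "files-02", "vendor": "OtherVendor", "product": "FileGateway", "remediated": []},
]


def load_kev(text):
    """Parse a KEV-style JSON document into a {cveID: record} mapping."""
    data = json.loads(text)
    return {rec["cveID"]: rec for rec in data["vulnerabilities"]}


def find_exposures(kev, inventory, today):
    """Return one finding per (host, unremediated KEV entry) matched on vendor and product.

    Matching on vendor/product only is deliberately coarse: the KEV feed does not
    carry affected-version ranges, so a production tool must also check versions.
    """
    findings = []
    for asset in inventory:
        for cve, rec in kev.items():
            if (rec["vendorProject"], rec["product"]) != (asset["vendor"], asset["product"]):
                continue
            if cve in asset["remediated"]:
                continue
            days_left = (date.fromisoformat(rec["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "due": rec["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": rec.get("knownRansomwareCampaignUse") == "Known",
            })
    return findings


def prioritize(findings):
    """Overdue items first, then known-ransomware items, then the nearest due date."""
    return sorted(findings, key=lambda f: (not f["overdue"], not f["ransomware"], f["days_left"]))


def report(inventory=INVENTORY, kev_text=KEV_JSON, today=date(2026, 3, 20)):
    """Build the prioritized exposure list for a fixed 'today' so results are reproducible."""
    return prioritize(find_exposures(load_kev(kev_text), inventory, today))


if __name__ == "__main__":
    for f in report():
        status = f"OVERDUE by {-f['days_left']}d" if f["overdue"] else f"due in {f['days_left']}d"
        flag = " [ransomware use]" if f["ransomware"] else ""
        print(f"{f['host']:<12} {f['cve']}  {status}{flag}")
```

Run against the real feed by replacing `KEV_JSON` with the downloaded catalog and `INVENTORY` with an export from your asset-management system; the `remediated` list is what turns this from a noisy match into an actionable queue, so feed it from patch-management records rather than maintaining it by hand.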
If you work in telecommunications or internet services (ISPs, carriers, hosting providers): The Salt Typhoon breach demonstrated that even large, security-mature organizations can be penetrated through lawful intercept systems (CALEA-mandated back-doors). Carriers can engage with NSA's Commercial Solutions for Classified (CSfC) program or CISA's Protective Domain Name System (PDNS) service. If you receive a National Security Letter or DOJ order to maintain confidentiality while granting access, you have limited but real legal options — consult outside counsel who specialize in national security law before assuming compliance is mandatory in any particular form.
If you are a defense contractor (holding a DoD contract or cleared facility): CYBERCOM's activities create specific obligations under the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012). You must: report cyber incidents to DoD Cyber Crime Center (DC3) within 72 hours; preserve forensic images for 90 days; allow DoD to review your systems. Failing to report a qualifying incident risks contract termination and False Claims Act liability. Enroll in the DoD Vulnerability Disclosure Program (hackerone.com/deptofdefense) and implement CMMC Level 2 (or Level 3 for CUI involving critical programs) before October 2026 enforcement deadlines.
If you are a cybersecurity professional or researcher: CYBERCOM's Vulnerability Disclosure Program (VDP) and joint advisories with NSA/CISA/FBI provide the most authoritative public threat intelligence available — read NSA Cybersecurity Advisories (nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/) before any major penetration test on defense-adjacent infrastructure. If you discover vulnerabilities in DoD systems, responsible disclosure through DC3's VDP program (dc3.mil) provides legal protection and recognition; unauthorized testing of DoD systems, even with good intent, can constitute a federal crime under 18 U.S.C. § 1030 (CFAA).
If you are a member of Congress, congressional staffer, or work in federal oversight: Under 10 U.S.C. § 395, DoD is required to notify the armed services committees within 48 hours of "significant military cyber operations." In practice, the notification is classified and goes to committee leadership and ranking members. The statute does not define "significant" with mathematical precision, giving DoD discretion that has been contested. Staff with appropriate clearances on SASC and HASC have oversight jurisdiction; SSCI and HPSCI also receive notifications on the Title 50 side. The dual-hat NSA/CYBERCOM arrangement means that the same commander's activities are overseen by four different committees, creating seams that adversaries exploit.
State Variations
Cyberspace operations are an exclusively federal domain. States have no legal authority to conduct offensive cyber operations or to regulate CYBERCOM's activities. However:
- State National Guard Cyber Units: All 54 states and territories have National Guard cyber units, funded partially through DoD's National Guard Bureau. When not federalized, Guard cyber units can defend state government networks, assist state election officials, and support law enforcement investigations — but cannot conduct offensive operations.
- State Data Breach Laws: 50 states have data breach notification laws that apply to private entities within their borders, independently of CYBERCOM's activities. California's CPRA, New York's SHIELD Act, and Colorado's CPA impose obligations that overlap with federal DFARS/CMMC requirements for defense contractors operating in those states.
- Critical Infrastructure Regulation: State public utility commissions regulate power grid cybersecurity standards within their borders, which interact with NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) federal standards. CYBERCOM's Volt Typhoon disclosures have prompted state commission proceedings in Texas, California, and New York.
Implementing Regulations
- DoD Directive 5144.02 — Establishes the DoD Chief Information Officer (CIO) as the functional principal for DoD cyberspace operations policy
- DoD Instruction 8500.01 — Cybersecurity risk management framework for DoD information technology; implements NIST SP 800-37 within the DoD
- CJCSI 6510.01 — Chairman of the Joint Chiefs of Staff Instruction on cybersecurity and cyberspace operations; the principal policy document for multi-service cyber operations
- DFARS 252.204-7012 — Safeguarding covered defense information and cyber incident reporting; applies to all defense contractors handling Controlled Unclassified Information (CUI)
- CMMC 2.0 — Cybersecurity Maturity Model Certification; required for all defense contracts once enforcement begins in October 2026; Level 1 (17 controls), Level 2 (110 NIST SP 800-171 controls, third-party assessment), Level 3 (NIST SP 800-172 enhanced controls, DCSA assessment)
Pending Legislation
- NDAA FY2026: Senate Armed Services Committee proposals include codifying NSM-13 authorities and expanding NDAA § 1642 to cover additional state-sponsored actors; House version proposes expanding Hunt Forward authority to domestic critical infrastructure networks (currently limited by Posse Comitatus and Title 10/Title 6 divide)
- Cyber Force Legislation: Several proposals in Congress would establish a U.S. Cyber Force as a sixth (or seventh, with Space Force) branch of the armed services, separating the cyber mission from Army, Navy, Air Force, and Marine Corps; CYBERCOM leadership has resisted separation
- Dual-Hat Review: Multiple legislative proposals would statutorily require or prohibit the dual-hat arrangement between CYBERCOM and NSA; as of April 2026, no bill has cleared committee
Recent Developments
- Salt Typhoon (2024–2025): PRC intelligence hackers maintained persistent access to at least nine U.S. telecommunications carriers for 12–18 months, accessing metadata and content of calls involving senior U.S. government officials and political campaign staff. CYBERCOM and FBI conducted joint disruption operations; full extent of access remains classified. Congress demanded briefings under § 395 authority.
- DOGE System Access (2025): Department of Government Efficiency personnel accessing federal payment systems, Social Security Administration databases, and Treasury records raised concerns within CYBERCOM about foreign exploitation of the newly granted access pathways. CYBERCOM cannot legally monitor domestic federal civilian systems, but NSA's dual-hat visibility created oversight questions that multiple inspectors general began investigating.
- Ukraine Hunt Forward (2022–2025): CYBERCOM deployed teams continuously to Ukraine, identifying Russian offensive tools and destroying them before use. Teams discovered pre-positioned malware targeting Ukrainian power grid prior to major Russian strikes in winter 2022–2023, allowing partial mitigation.
- Dual-Hat Debate (2025): Trump second-term DoD leadership ordered a review of the dual-hat CYBERCOM/NSA arrangement; SECDEF Pete Hegseth indicated openness to splitting the roles, which would require new legislative authority and structural changes to how CYBERCOM accesses NSA collection capabilities.