
NSA Cyber and CYBERCOM Developments

Written by Bola Ogbara | Jun 5, 2026 1:29:07 PM

The NSA announced three cyber leadership appointments just as the DoD debates the needs of CYBERCOM 2.0 and the Cyber Force Commission publishes a report. 

While the Cybersecurity and Infrastructure Security Agency (CISA) continues to struggle without permanent leadership and with persistent budget cuts, other areas of the government are building out their cybersecurity roles. On June 1st, 2026, the National Security Agency (NSA) announced that David Imbordino and Holly Baroody would assume permanent leadership positions in the Cybersecurity Directorate. The NSA’s Cybersecurity Directorate was established in late 2019 and originally led by Anne Neuberger, who went on to serve in President Biden’s National Security Council. The Directorate’s mission is centered on operationalizing intelligence: “NSA’s Cybersecurity Directorate is a major organization that unifies NSA’s foreign intelligence and cyber defense missions and is charged with preventing and eradicating threats to National Security Systems and the Defense Industrial Base.”


Even though the Directorate is relatively new, Imbordino and Baroody already have critical experience in the agency. Both started in acting leadership positions in January 2026, with Imbordino as deputy chief and Baroody leading directly below him. The two have now graduated (just a year after the retirement of the previous NSA cybersecurity directorate leader, Dave Luber) to chief and deputy chief of the directorate, respectively. Unsurprisingly, the last six months were not the first time either officer has worked in cybersecurity. Imbordino has almost 25 years of experience across intelligence, operational missions, and cybersecurity, and even helped secure US elections from 2019 to 2021. Holly Baroody has served as a cyber defense operator in the US Navy, a cyber operations analyst in the Department of Defense, and an executive director for the US Cyber Command (CYBERCOM).


Alongside Imbordino and Baroody, Bruce Jones is also set to join the NSA’s cybersecurity ranks as the head of the Cybersecurity Collaboration Center (CCC). The CCC, which “is how NSA scales intel-driven cybersecurity through open, collaborative partnerships”, connects with partners across the globe, the industry, and even within the agency, “to harden the U.S. Defense Industrial Base, operationalize NSA’s unique insights on nation-state cyber threats, jointly create mitigations guidance for emerging activity and chronic cybersecurity challenges, and securing emerging technologies.” Jones' career in the NSA as a technical and operational leader will likely be valuable in his new role.


Around the Department of Defense (DoD), conversations are starting about hiring more people into its cybersecurity arm, CYBERCOM. The Republican Representative of Nebraska, Don Bacon, told Breaking Defense that “China has 10:1 people doing offensive cyber to us. I think we should be expanding our capabilities…I think we’re underfunded and undermanned.” Current leadership in CYBERCOM is pushing for a different approach to leveling the playing field, however. Katie Sutton, the Assistant Secretary of Defense for cyber policy, explained that ‘strength in numbers’ would not be guiding the organization’s strategy: “The Department of War will not match adversary cyber forces in sheer number, rather, we will maintain our advantage in the cyber domain through true domain mastery, essentially creating a ‘quality over quantity’ approach”.


Increasing cyber mastery appears to be an uncontroversial goal, but several experts in national cybersecurity defense have questioned what the rollout would look like. Mark Montgomery, from the Foundation for Defense of Democracies, shared his hesitation: “I have been arguing for a long time that the cyber force generation model is broken in each of the military services. Nowhere is this more clear in the failure to develop and retain sufficient ‘master’ level operators.” Assistant professor of International and Public Affairs at Columbia University agreed with Sutton, with some caveats: “Broadly, I agree that it is important to focus on the quality of cyber personnel, not just engage in a bean-counting exercise. Setting aside CYBERCOM’s limited ability to enforce generating personnel with domain mastery, there is the question of the timeline for implementation.”


Even with conversations around increasing funding for CYBERCOM, some government officials are pushing for even more specification around national cybersecurity defense. On June 3rd, 2026, the Center for Strategic and International Studies (CSIS) commission published a report based on 10 months of work around recommendations for the proposed organization’s structure, recruitment, integration, and retention. The report explains that a Cyber Force with “an end strength of 20,000 active-duty uniformed personnel, an additional 3,500-5,000 National Guard personnel, and a civilian complement of 6,000 personnel” would require an estimated $10-11 billion initial budget. Even with this price point, the commission argues the need for a cyber force, describing “a dangerous gap between the centrality of cyberspace for modern warfighting and the U.S. military’s persistent inability to generate the capabilities necessary to deter, compete, fight, and win in the cyber domain.”


Cyber capabilities are indeed becoming an unavoidable part of warfighting. The first attacks in the US-Israel war on Iran were cyber-enabled, and the war continues to unfold in the cyber domain. The hackers behind a March breach of the Los Angeles transit system, originally portrayed as an act of hacktivism, were recently discovered to be working with Iran’s Ministry of Intelligence and State Security (MOIS), according to an investigation by Israeli startup Gambit. The breach led to weeks of work to restore important systems, although metro and bus services managed to operate uninterrupted. Attacks like these might be why Joshua Steifel, the co-chair of the CSIS commission, called the Cyber Force “an inevitability”. While the Cyber Force is yet to be developed, the updates to NSA cyber leadership and DoD strategy are signs that preparation for the ‘inevitable’ is already underway.