I don't think that defending a country against malware is a job for the military. This doesn't change when the aggressors (supposedly) wear uniform.
Military bureaucracies do not attract the right people for the job, it's that plain and simple. They're not exactly competent at contracting software-related services, so there's no reason to trust them with "cyberdefense".
Sadly, the very same applies to the police forces as well. They're routinely lagging behind ad hoc efforts of clubs and even individual users when it comes to dealing with crime in the internet, i.e. child porn.
The first stop for "cyberdefense" should be the commercial PC security suite developers with their anti-virus fight experience. Such companies exist in most larger Western countries. The Russia-based Kaspersky has ruined the CIA's day more than once when it began to deliver protection against its attacks while Western competitors appeared to collaborate.
|I'm still trying to figure out what "U.S.Cyber Command" wanted to tell us by|
publishing this photo op of a clueless-looking soldier with lots of nonsense on computer screens.
Let's assume we would be sensible enough to foster at least one such company in our country instead of allocating millions at incredibly inefficient efforts to the same ends in our uniformed bureaucracies.
Would that suffice?
Well, there's a huge motivation problem at work. Sellers of protection software are not interested in keeping the malware from reaching computers in the first place. They're interested in it reaching the computer, so their product gains importance.
Safety precautions such as deactivating USB ports, limiting connectivity of company or agency computer networks to the internet to necessary connections and so on would be outside the interests of such a software provider.
Civilian IT security advisors can do this, but the small companies (even self-employed individuals) have varied standards of quality and big companies in the business suffer from the typical efficiency and service quality deficiencies of large consulting companies (which focus on attracting customers with much show, and pay less attention to substance).
The government might thus find that certain safety precautions should be sponsored through publication of security standards, enforcing minimum security standards and through controlled efforts at government-influenced companies (including the monopoly electricity network providers).
Whatever efforts of its own it's going to have in regard to IT security; it should be modest. The government is not going to attract many really good employees even if it tried to recruit them to a civilian, non-uniformed agency is a city with great quality of life and better pay than usual for public employees. The few it's going to get should be put to best use.
Finally; kick every bureaucrat in the ass who purports that IT defence specialists could be created by sending someone normal to a course!