The problem with that is that practical cyber security is essentially about the "structural soundness" of a huge infrastructure that's mostly civilian and mostly private, about the resilience of private company internal systems and consumer products - a "cyber force" (no matter how strong or large) has neither authorisation nor practical ability to come in the servers and systems of every important private organization (some large, some quite small - e.g. municipal water infrastructure orgs whose "IT" is a contractor booked for a couple hours per week) and change them so that they'd be more defensible.