While the budget proposal would allot just $5 million for the effort — a small portion of Cybercom’s $1.3 billion research and development spending plan — the stand-up of the program follows congressional direction to prod the command to develop an AI roadmap.

In the fiscal 2023 defense policy bill, Congress charged Cybercom and the Department of Defense chief information officer — in coordination with the chief digital and artificial intelligence officer, director of the Defense Advanced Research Projects Agency, director of the National Security Agency and the undersecretary of defense for research and engineering — to jointly develop a five-year guide and implementation plan for rapidly adopting and acquiring AI systems, applications, supporting data and data management processes for cyber operations forces.

Cybercom created its roadmap shortly thereafter along with an AI task force.

The new project within Cybercom’s R&D budget aims to develop core data standards in order to curate and tag collected data that meet those standards to effectively integrate data into AI and machine learning solutions while more efficiently developing artificial intelligence capabilities to meet operational needs.

The effort is directly related to the task of furthering the roadmap.

As a result of that roadmap, the command decided to house its task force within its elite Cyber National Mission Force.  

The command created the program by pulling funds from its operations and maintenance budget and moving them to the R&D budget from fiscal 2025 to fiscal 2026.

The command outlined five categories of various AI applications across its enterprise and other organizations, including vulnerabilities and exploits; network security, monitoring, and visualization; modeling and predictive analytics; persona and identity; and infrastructure and transport.

Specifically, the command’s AI project, Artificial Intelligence for Cyberspace Operations, will aim to develop and conduct pilots while investing in infrastructure to leverage commercial AI capabilities. The command’s Cyber Immersion Laboratory will develop, test and evaluate cyber capabilities and perform operational assessments performed by third parties, the budget documents state.

In fiscal 2026, the command plans to spend the $5 million to support the CNMF in piloting AI technologies through an agile 90-day pilot cycle, according to the documents, which will ensure quick success or failure. That fast-paced methodology allows the CNMF to quickly test and validate solutions against operational use cases with flexibility to adapt to evolving cyber threats.

The CNMF will also look to explore ways to improve threat detection, automate data analysis, and enhance decision-making processes in cyber operations, according to budget documents.

The post Cyber Command creates new AI program in fiscal 2026 budget appeared first on DefenseScoop.

Hunt-forward operations involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

In responses to lawmakers’ advance policy questions ahead of his confirmation hearing before the Senate Armed Services Committee Tuesday, retired Lt. Gen. Dan Caine stated that Cybercom hunt-forward missions in the U.S. Southern Command area of responsibility discovered Chinese Communist Party malware on multiple foreign partner networks.

Southcom’s area of responsibility includes the landmass of Central and South America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.

These hunt-forward operations are conducted at the invitation of host nations. Details about specific countries where Cybercom conducts these ops are highly sensitive, and permission of the host government must be gained before public disclosure.

It’s no secret that China has interests in South American nations and Beijing has deployed cyber capabilities for a variety of malicious activities.

Cybercom did not confirm or deny the assertion by Caine, noting in a statement it routinely assists partners that request support in securing their cyber posture against foreign malicious activity across all geographic areas of responsibility.

“This strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us. USCYBERCOM’s core mission is to defend the nation in cyberspace. By policy and for operational security, we do not discuss cyber operations, plans or intelligence. No operation will be publicly disclosed without the partner nation’s consent,” a Cybercom spokesperson said of hunt forward operations.

Cybercom conducted its first hunt-forward operations in Latin America a couple of years ago. Officials have stated in the past that the CNMF conducts about two dozen defend-forward operations per year with foreign partners on foreign government networks to hunt and find Chinese, Russian and Iranian threats, among others.

In written congressional testimony last year, Cybercom commander Gen. Timothy Haugh noted that CNMF deployed 22 times to 17 nations for hunt-forward ops, with active operations occurring simultaneously in all geographic commands for the first time. Those activities led to the public release of more than 90 malware samples for analysis by host nations’ cybersecurity community.

“Such disclosures can make billions of Internet users around the world safer on-line, and frustrate the military and intelligence operations of authoritarian regimes,” he wrote.

Hunt-forward operations were credited with mitigating the effects of Russian cyber ops against Ukraine during its 2022 invasion. Cybercom sent personnel to Ukraine ahead of the invasion and helped harden their networks.

Caine also addressed, in his policy question responses, the hotly contested debate about the dual-hat arrangement in which the commander of Cybercom is also the director of the National Security Agency. Proponents believe the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

Caine told lawmakers he believes the dual-hat should be maintained, agreeing with the findings of a 2022 study that found the role should be strengthened as well.

“The Dual-Hat arrangement provides the ability to look across both organizations and has empowered both USCYBERCOM and NSA to fulfill their missions better than each could do alone. It promotes agility and enables intelligence to be operationalized rapidly,” he wrote. “It also facilitates relationships with key foreign allies and partners in part because the corresponding foreign organizations with signals intelligence (SIGINT) and cyber operations missions are fully integrated, operating under a Dual-Hat leadership structure. The span of control, does however, place a burden on one leader.”

Ahead of his own confirmation hearing in January, Secretary of Defense Pete Hegseth wrote to senators that he would “bring these debates to conclusion, consult with Congress, and make final recommendation for the way ahead.”

At the end of the first Trump administration, officials made a last ditch effort to sever the dual-hat, but it ultimately was not brought to fruition. Press reports prior to Trump’s inauguration for his second term indicated the administration wants to end the dual-hat relationship.

The post Cybercom discovered Chinese malware in South American nations — Joint Chiefs chairman nominee appeared first on DefenseScoop.

The capability, known as Panoptic Junction, is part of an effort undertaken by Army Cyber Command, a service component command of Cybercom.

“ARCYBER is piloting an AI, machine learning platform that will enable scalable, continuous security monitoring of networks and platforms. It analyzes system compliance, threat intelligence and streaming cyber event data, which will enable advanced detection of adversary activity, malware and anomalies at speeds that human analysts would not come close to. But not only is it fast, it’s agile. It is rapidly taking the pulse of networks and assimilating threat information simultaneously, protecting networks in real time. And it is performing these security assessments in the lens of what is most applicable to the specific architecture” that it’s supporting, Morgan Adamski, executive director of Cybercom, said Wednesday at CyberTalks.

A series of assessments kicked off in April.

Adamski told DefenseScoop that officials have already seen “a lot of great successes” with the technology.

“It’s increased efficiencies in operations and maintenance. It’s improved our ability to identify risk and detect adversary activity. It’s … provided real -time hardening recommendations and improved the technical ability of our force,” she said on the sidelines of the conference.

“Part of the purpose of creating these pilots is to test out the efficiency of it and then determine whether or not it’s applicable to that enterprise-wide approach, which shows a lot of promise,” Adamski added. “Our hope is that we’ll continue to see good things come out of it and then we can make that determination, and then we can roll it into the larger enterprise funding aspect of it.”

Cybercom stood up its AI Task Force within the Cyber National Mission Force a few months ago. The CNMF is a sub-unified command under Cybercom made up of 39 joint teams and thought to have the DOD’s most talented cyber operators.

The task force intends to explore applications within the context of operational execution, in real time, and allow AI capabilities to be employed for immediate use in 90-day windows, according to Adamski.

“We came to find that we needed operational use cases, real-world practice of how we wanted to leverage AI so that we can learn and better inform our way forward,” she said during her keynote at the conference.

The Department of Defense Information Network (DODIN) is massive, with more than 3 million users globally on any given day. And it frequently comes under digital attack, Adamski noted.

AI technology is seen as a solution for quickly analyzing potential threats to the network and rapidly deploying defenses.

The task force is keeping an eye on a number of efforts across the enterprise, such as Panoptic Junction.

“The Cyber National Mission Force oversees the AI Task Force, and the AI Task Force is responsible for seeing all of these pilot activities across the cyber mission force. So it can be specific to the Cyber National Mission Force, but it also can be specific to the cyber components,” Adamski explained, adding that the task force is responsible for “herding and capturing all the great things happening across the [services’] cyber components,” including ARCYBER.

Members of the task force, which is still small right now, have high technical skills, she noted.

“We are building that team as quickly as possible, and we’re also partnering with [federally funded research-and-development centers], research labs, private sector. So we’re looking to augment that technical talent as quickly as possible,” Adamski told DefenseScoop.

The post Cybercom seeing successes with Panoptic Junction artificial intelligence capability appeared first on DefenseScoop.

Joint Force Headquarters-DOD Information Network was created in 2015 as a subordinate headquarters under U.S. Cyber Command to protect and defend the Pentagon’s network globally. JFHQ-DODIN is led by a three-star general who also serves in a “dual-hat” role as the director of the Defense Information Systems Agency, a much bigger combat support agency providing critical IT services to warfighters.

The proposals — part of each chamber’s annual defense policy bill, which still must be reconciled before becoming law — follow the elevation and sub-unification of Cybercom’s elite Cyber National Mission Force in December 2022. Comprised of 39 joint teams, CNMF is thought to have the DOD’s most talented cyber operators aligned in task forces organized against specific threat actors, with the core mission of defending the nation against digital threats.

Sub-unified commands are designed to conduct a portion of a mission assigned to the parent combatant command. They’re established because that particular mission is thought to be a sustained, higher priority. Cybercom itself was initially a sub-unified command under U.S. Strategic Command until it became a unified combatant command in 2018.

In CNMF’s case, sub-unification did not come immediately with new resources or personnel. But in practical terms, the move signified the maturity of the group and provided a better resource pipeline for personnel from the services, according to officials.

Attempted cyber intrusions are only increasing in scale and sophistication — all during relative peacetime, which is to say that the U.S. is not engaged in a direct armed conflict, although there’s an ongoing tit-for-tat in cyberspace to steal secrets and undermine U.S. interests. While the Defense Department has stopped listing specific statistics publicly in recent years, in 2018, officials stated there were typically 1 billion cyber operations targeting the DODIN each month.

The DODIN would be under constant stress and attack if things were to ever escalate to a true “hot war.”

Thus the case for elevating JFHQ-DODIN currently making its way across Congress. According to comments in congressional hearings this year and statements by lawmakers, the proposals follow the sentiment that the offensive component of Cybercom tasked with defending the nation was elevated and, given the exponential threats in the cyber domain, the defensive component should be too.

“The reason why they need a unified command is because the current JFHQ-DODIN model is plagued by persistent problems of staffing shortages, lack of prioritization and a clear shortfall in institutional capacity. I don’t think it’s responsive enough, I don’t think it’s able to engender the right level of staffing the way it’s organized,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the congressionally mandated Cyberspace Solarium Commission, said in an interview. “The department has faced multiple, significant cyber incidents over the last several years, but its primary defensive organization remains starved of resources.”

The defensive cyber mission in the DOD involves many organizations and chains of command. For example, the DOD chief information officer and the commander of Cybercom both have DODIN defense responsibilities.

The DODIN is a federated network of networks with 46 DODIN areas of operation comprising each service, agency and field activity, as opposed to a singular monolithic enterprise network for the entire DOD.

Sources have indicated that the cyber terrain within the DOD is not organized to match the way the U.S. military fights — it’s aligned to service components as opposed to warfighting commands.

Unlike the CNMF’s mission, there is also a significantly larger workforce dedicated to protecting the DODIN, estimated at around 300,000 in the overall network operations force that not only includes defensive cyber protection teams — which are part of the cyber mission force, the forces and teams each service provides to Cybercom to conduct cyber operations — but also local defenders, system administrations and cybersecurity service providers.

But what the elevation might look like is unclear. The current legislative proposals simply direct the Pentagon to elevate JFHQ-DODIN without specifying exactly how to elevate it or if it should be separate from DISA.

Senate Armed Services Committee ranking member Roger Wicker, R-Miss., in a long-term spending plan unveiled in May, recommended elevating JFHQ-DODIN to help DOD and Cybercom be “better postured for future and emerging threats in the cyber domain.”

Rep. Don Bacon, R-Neb., who proposed the provision on the House side, previously noted that there was broad agreement on the House Armed Services Committee that DOD’s cyber defense mission should have an organizational structure and resource priority commensurate with its responsibilities.

“As we looked at options, we felt the obvious move was to mirror what the Department did for the offensive side which elevated the Cyber National Mission Force to a subordinate unified command in 2022. The leadership of the Department has been clear on the mission improvements they’ve seen since CNMF was elevated so it was just a matter of applying that same logic to the defensive side of the mission,” he said in a statement previously.

Cybercom chief Gen. Timothy Haugh acknowledged that under potential sweeping changes to the way the command is organized, JFHQ-DODIN could be tweaked.

And the No.2 official leading the JFHQ-DODIN is encouraged by lawmakers’ support. “I appreciate everything that Congress is doing to focus on defense,” Brig. Gen. Heather Blackwell, deputy commander of JFHQ-DODIN, said in an interview on the sidelines of the TechNet Cyber conference in June. 

For some, the key question that needs to be answered is: What problem is Congress trying to solve?

“We [must] clearly identify what the problem or challenge is we’re trying to fix. I’m not for just making a unified command because we think it’s going to be better than it is now. What’s broken and how do we enable a fix is the most important thing,” said a former cyber defense official who requested anonymity to talk freely. “I would argue there’s probably many different ways you can solve this problem … The question is, can we better secure, operate and defend the DODIN with a unified command or the command that exists?”

According to Montgomery, elevation will bring JFHQ-DODIN more attention, authorities and manpower.

“Elevating JFHQ-DODIN to the sub-unified level will afford it the same benefits that CNMF received when it was elevated. It improves the chances [of], but does not guarantee, improved outcomes. However, it gives the organization a fighting chance in the bureaucracy resource fights. It’s illogical to put our offensive and defensive responses on different frameworks,” he said.

Montgomery added that the risk of not elevating JFHQ-DODIN would be a lack of agility to counter the threat, given he doesn’t believe the organization has been properly manned or operationally oriented. He added that there has been a lack of senior leader-focused effort necessary for the threat environment.

A second former defense official in the cyber missions space who also requested anonymity to talk freely indicated that JFHQ-DODIN would be more operationally effective with command and control properly aligned.

Incorrect command and control will always result in sub-optimal performance, the official said, noting that JFHQ-DODIN will be less effective in its mission to defend the DODIN due to its lack of resources in the way of manning, training and equipping, lack of information, and improper alignment.

One of the former officials noted that creating a sub-unified command would give the organization more of a voice to set training and readiness requirements, execute command and control, and coordinate orders across its area of responsibility and assigned mission. It could also provide new responsibilities to shape the operations area or battlespace — in this case, the DODIN — to give the DOD an operational advantage in the future. 

Most sources agreed that JFHQ-DODIN is a busy organization with a challenging mission. Part of that stems from the challenges of overseeing a federated system and directing mission owners to shore up their slices of the network. Others pointed to the dual-hat relationship with DISA, which has been complicated and oftentimes competing.

Sources indicated that DISA had many more staffing and resources while staffing at JFHQ-DODIN has been significantly lower.

“DISA reports to JFHQ-DODIN when it comes to DODIN operations. Being under DISA’s [administrative control] was only a disadvantage to JFHQ-DODIN in every single way,” according to one of the former officials, noting one of the biggest areas of contention was prioritization for manning.

Additionally, sources have indicated that there have been overlaps and redundancies between staff and functions of each organization given the similarities of JFHQ-DODIN’s role and mission and DISA’s role and legacy supporting the DODIN.

Resulting issues of manning, resourcing and greater attention given to DISA have led some officials to question JFHQ-DODIN’s maturity to even act as a sub-unified command.

If they were to split, several sources indicated that JFHQ-DODIN should be led by a two-star general officer, similar to CNMF, putting them on equal footing.

On the flip side, having the administrative connection to DISA could benefit JFHQ-DODIN in the short term after an elevation.

“In the short term, this command would benefit from both the tie to DISA and the tie to Cybercom because some of these are operational issues that have inherently administrative or technical solutions, and DISA will be the likely vehicle for that administrative or technical solution,” Montgomery said.

Ultimately, the risk of not doing something is that the DODIN will remain under attack without the resources it needs.

“You can continue to meddle around with incremental solutions that don’t get you to the right answer, or you can attempt something more significant, expansive change that gives this mission the kind of attention and focus it needs,” Montgomery said. “Am I certain there’s a way you could fiddle with the current JFHQ-DODIN and make it better? Yes. Do I think you will make it best? No. The way you’ll make it best is to establish this sub-unified command.”

The post What would it mean to elevate the Pentagon’s network defense command? appeared first on DefenseScoop.

That effort will now also combine the equipment cyber protection teams use with the kit for hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with defending the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

Since Cybercom’s inception, there has never been a standardized defensive cyber kit for cyber protection teams — the teams that hunt for malicious activity on Pentagon networks and respond to incidents — despite efforts in the past to create them. Those systems, referred to as Deployable Mission Support Systems (DMSS), varied across all the services. The way Cybercom’s forces are constructed, each of the services are responsible for providing a set number of offensive and defensive teams to the command to conduct operations.

Those DMSS kits are self-contained systems consisting of hardware and software capable of surveying, securing and protecting military networks as well as performing vulnerability analysis and incident response. They are designed to be taken to an incident with little to no notice to connect to the network in order to locate, contain and defeat malicious cyber activity that is either attempting to or has breached Department of Defense systems, according to budget documents.

Despite being designed to be joint in nature with the same training and equipment to operate on the DOD Information Network for defensive teams and the same training for offensive teams, each service provided slightly different DMSS systems to their respective cyber protection teams — creating incongruencies with equipment and forces as well as interoperability issues.

The closest the DOD came was a few years ago, requiring a set of basic tools be included across all DMSS kits provided by the services.

Now, there is an effort to standardize those efforts.

A solicitation from DIU issued Monday aims to combine the DMSS kit with the hunt-forward equipment, to create a singular standardized defensive cyber hunt system across the entire force.

The new Joint Cyber Hunt Kit (JCHK), as it is known, will be a mobile “security operations center (SOC) in a box,” DIU said. It must be portable by a nine-person team anywhere in the world and fit in a suitcase for easy air travel.

“Like the DMSS and HFO kits, the JCHK will be a self-contained flyaway capability utilized by the Cyber Protection Team (CPT) Mission Elements to secure and protect military networks and data centers by conducting Hunt, Clear, Enable Hardening, and Assess missions in blue, gray, and red cyberspace,” fiscal 2025 budget documents state. “The dynamic nature of CPT defensive cyberspace operations driven by the adversary’s rapidly evolving offensive cyber tactics, techniques and procedures require the [Budget Activity-8] flexibility as JCHK evolves. The merging of capabilities will facilitate the standardization of training, maintenance logistics, and force protection and will promote efficient execution of resources based on economy of scale.”

For hunt-forward operations, national cyber protection teams travel to other nations and plug into their network. Most prominent were the ops that took place in Ukraine ahead of Russia’s 2022 invasion, which both governments credit for helping harden Ukraine from potential Russian cyber onslaught. These differ from the tasks that cyber protection teams perform on the DOD’s network.

The new system must be flexible in order to perform standalone operations, given it will most often operate in an environment where it’s not permissible to connect to the internet or send data offsite for analysis.

The solicitation said the kits must to be able to perform any and all activities related to discovering advanced persistent threat activities and analyzing their tactics, techniques and procedures.

DIU has been working to equip Cybercom for many years. Additionally, the commmand awarded a contract worth almost $60 million in 2022 to provide equipment for hunt-forward operations.

Previewing the idea of standardizing the DMSS kits, Cybercom’s top acquisition executive noted that the services will have two years to maintain their separate service kits while the competition is underway.

“We’re going to go out with an RFP and a way of contracting for a common kit, at a minimum at the hardware level and then some layer of software, common software, that will be common across all the services. Then services’ unique needs can be added on top of that,” Khoi Nguyen, who is also the director of the cyber acquisition and technology directorate (J9) at Cybercom, said at a conference in January.

At the time, he said the command wants feedback from industry in a collaborative effort to deliver the best system possible.

“The goal is to get this industry day out there and then we’re looking to do aggressive prototyping. We’re probably going to award two or three more prototyping contracts, give the team [some] amount of time to do the prototyping and then deliver the hardware. Then three months for us [and] the force to play around with it. And then we’ll pick a winner,” he said. “My intent is to, like truly do a competition, allow competition, and that’s why we’re going to give … a decent amount of time for a new vendor or new team of vendors to build a new kit, versus having a prototype period very small, where the incumbent has a higher chance of winning. That’s the goal. We’re going to lay that out as an RFP or RFI. Please come back and tell us if I’m unrealistic or whatever else. We need to know that. But the goal is to get the best kits for the users that we can.”

According to fiscal 2025 budget documents, Cybercom and DIU will be relying on other transactional authority to award a prototype agreement to support the rapid development of a JCHK prototype, with the objective of transitioning cyber protection teams to the new system at the beginning of fiscal 2026.

The post Cybercom looking to combine and standardize defensive cyber kits; solicitation issued appeared first on DefenseScoop.

Last year, the command elevated the Cyber National Mission Force — its elite cadre of teams responsible for defending the nation from cyberattacks — to a sub-unified command. Lawmakers in both houses this week were concerned with why the CNMF was elevated and not Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN), a subordinate headquarters under Cybercom responsible for protecting and defending the Pentagon’s network globally.

“As we look at Joint Force Headquarters-DODIN, our element that allows us to set the globe from a defensive perspective across the entire department, that’s an area that we’re evaluating,” Gen. Timothy Haugh, commander of Cybercom, explained during a Senate Armed Services Committee hearing Wednesday.

This evaluation is part of an effort dubbed Cybercom 2.0, a holistic top-to-bottom review underway at the command to examine how to reshape its organization and forces and ensure it’s best postured for the future and emerging threats. Haugh noted that as part of the Cybercom 2.0 endeavor, the DOD is responding to a series of studies Congress required that all ask for evaluations on how it is structured.

“In December 2022 [the secretary of defense] officially elevated Cybercom’s defensive arm, Cyber National Mission Force to a sub-unified command. The logic was that it would provide greater enabling resources for this critical mission set. With how much adversary activity we have witnessed against DOD networks, it would appear that your defensive arm Joint Force Headquarters could similarly benefit,” Rep. Morgan Luttrell, R-Texas, said Wednesday at a House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems hearing.

Sen. Jacky Rosen, D-Nev., also questioned Haugh on if elevating JFHQ-DODIN to a sub-unified command similar to the CNMF would allow Cybercom to be more resilient against future cyberattacks.

DOD will be examining if JFHQ-DODIN is structured appropriately and if it has the right resources to perform its mission.

“What’s the right way to position the Joint Force Headquarters-DODIN in terms of the right resources and authorities to make sure that it has the capacity to really set the globe? That’s the mission we’ve given them,” Haugh told the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems. “When we have a crisis, we want them to set the globe. I think it’s an area that we’re certainly going to evaluate. And it does look different as a headquarters also in terms of assigned forces, but it’s something that we will definitely be looking at.”

JFHQ-DODIN has recently created a new model for assessing network readiness that is more threat informed and will better posture itself to respond to incidents.

The post DOD evaluating its main network defense arm for the future appeared first on DefenseScoop.

Mahlock, the first Marine Corps officer to lead the CNMF, takes over for Maj. Gen. William Hartman, who will assume the deputy commander role at Cybercom and pin on a third star.

The CNMF’s chief mission is to defend the nation from significant cyber threats. It is made up of 39 joint teams and thought to have the Department of Defense’s most talented cyber operators at the cutting-edge of their profession. It is aligned in task forces organized against specific threat actors. They have been on the front lines of defending elections from foreign influence, protecting critical infrastructure and, most notably, for conducting so-called hunt forward operations which involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

“CNMF has always been the ‘go-to’ force when our nation has a challenge in the cyber domain,” Gen. Paul Nakasone, commander of Cybercom and director of the National Security Agency, said while presiding over the ceremony, according to a release. “These joint cyber operators are a powerhouse that punch above their weight against some of the world’s most reckless and determined foreign malicious cyber actors.”

Hartman has led the CNMF since 2019, overseeing its elevation to a sub-unified command under Cybercom last December — an indicator of the organization’s importance. Predecessors dating back to Nakasone, who also helmed the group, have only held this job for a maximum of two years.

“It has been an honor to lead the CNMF and the talented young Americans who work tirelessly to defend our nation,” Hartman said. “I am incredibly proud of all you have accomplished over these last few years, and I know you will continue to be the elite cyber force our nation needs.”

Mahlock comes into the role after most recently serving as the deputy director for combat support at the Cybersecurity Directorate within the NSA. Her appointment to CNMF, along with Hartman’s, was part of the months-long backlog due to the blanket hold on senior military officer confirmations that was imposed by Alabama Republican Sen. Tommy Tuberville in protest of the DOD’s abortion policies.

“It is an honor to be selected as the next commander of the Cyber National Mission Force,” Mahlock said. “I have had the opportunity to observe you from afar and I am humbled by the opportunity to serve alongside you. You are our nation’s elite cyber warriors, competing daily against a threat that is very real, but which few can comprehend, quantify or see.”

Given its prowess, commanding the CNMF has generally been thought to be a launching pad for promotion and appointment to higher commands. Prior commanders of the CNMF include Nakasone, Lt. Gen. Timothy Haugh — who has been confirmed to replace Nakasone — and Vice Adm. Timothy White, who retired in 2020 as the commander of 10^th Fleet/Fleet Cyber Command.

The post Cyber Command’s premier force gets new commander appeared first on DefenseScoop.

During the committee’s markup of the fiscal 2024 National Defense Authorization Act, an amendment offered by Rep. Mike Gallagher, R-Wisc. — who chairs the HASC subcommittee on cyber, innovative technologies and information systems — would require the DOD’s principal cyber advisor, the undersecretary of defense for personnel and readiness along with the principal cyber advisors of the services and the commander of U.S. Cyber Command to conduct a study on the personnel and resources required to enhance and support the occupational resiliency of the cyber mission force (CMF).

The CMF conducts cyber operations on behalf of U.S. Cyber Command. Each of the services are responsible for providing a set amount of teams to Cybercom to perform offensive and defensive ops. At the outset, there were 133 teams but the DOD has authorized growth to 147 in the next five years.  

There are three primary buckets the teams fall into: offensive teams that conduct cyber ops on behalf of combatant commands, defensive teams that defend and hunt on DOD networks for adversary activity, and support teams that provide intelligence, mission planning and other necessary assistance for combat mission teams.

Additionally, the Cyber National Mission Force — the command’s elite cyber warriors tasked with defending the nation from cyber threats — has teams that perform offensive functions under the guise of active defense, or acting outside of DOD networks to thwart a potential threat.

The provision in the House NDAA markup defines ‘‘occupational resiliency’’ as the ability of CMF personnel to mitigate unique psychological factors that contribute to the degradation of mental health and job performance under such assignment.

These personnel often work long hours and are always conducting operations. Officials frequently remind the public that cyber operators are in constant contact with adversaries in cyberspace — either defending DOD networks from daily enemy probes or carrying out offensive ops.

With the exception of so-called hunt-forward operations — which involves physically sending defensively oriented cyber teams to foreign countries to search for threats on their networks at the invitation of host nations — cyber warriors aren’t forward-deployed in the traditional sense, but report to their jobs and return to their homes following operations.

The study mandated by the House panel must include an inventory of the resources and programs available to personnel assigned to the CMF and their locations; an assessment of the risk to the occupational resiliency of personnel relative to their work role within the CMF and the number of such personnel available to perform operations in each type of team; an evaluation of the extent to which personnel assigned to the CMF have been made aware of resources and programs and the measures required to improve such awareness; and a determination by the commander of Cybercom regarding the adequacy and accessibility of such resources and programs for CMF personnel.

The House Armed Services Committee passed its version of the defense policy bill just after midnight on Thursday. The legislation must still be passed by the full House, reconciled with the Senate’s version of the NDAA and be signed by the president before becoming law.

The post House panel wants study on ‘occupational resiliency’ of Cybercom’s operators appeared first on DefenseScoop.

The deployment is part of so-called hunt-forward operations, which involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

“We had our first defend-forward mission, a hunt-forward mission in [U.S. Southern Command] just recently, which is amazing,” Brig. Gen. Reid Novotny, special assistant to the director Air National Guard for Cybercom, J5, said at the Potomac Officers Club annual Cyber Summit Thursday.

Southcom’s area of responsibility includes the landmass of Latin America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.

Novotny didn’t disclose which nation the operation was conducted in when asked by DefenseScoop following his remarks at the summit.

Given these hunt-forward operations are conducted at the invitation of host nations, public disclosure of which country Cybercom conducts them in are highly sensitive and permission of the host government must be gained.

Novotny didn’t provide specific dates for the recent deployment to the Southcom area of responsibility.

“By policy and for operational security, we do not discuss cyber operations, plans or intelligence. USCYBERCOM prioritizes partnerships. No defend forward operation is publicly disclosed without the partner nation’s consent,” a CNMF spokesperson told DefenseScoop on Friday in response to a request for more information.

With the operation in the Southcom region, Novotny told DefenseScoop that Cybercom has now conducted hunt-forward operations on every continent at this point, adding there are more invitations than the command has capacity for.

“We do these defend-forward missions, and the whole point of the defend-forward mission is to learn something on someone else’s network, a partner network, another nation’s network so we can bring back that information and make sure our networks are more secure,” he told conference attendees.

Hunt-forward operations have become a mainstay for Cybercom, as they were enshrined in recently updated Department of Defense doctrine and featured as a part of one of the four major lines of effort the updated DOD cyber strategy seeks to employ. They serve an important security role, but also a diplomatic role as the U.S. aims to increase its partnerships with other nations on the cyber front.

Gen. Paul Nakasone, commander of Cybercom, said as recently as late May, that the command has conducted 70 of these operations in 22 nations on 50 different networks.

One of the most prominent such deployments to date was to Ukraine in the run-up to Russia’s invasion in early 2022. U.S. cyber teams went there to gain insights on Russian cyber actors and threats while helping Ukraine bolster its network.

While these operators left prior to Russia’s invasion, this partnership continues today.

“Today, we have shared over 5,000 indicators of compromise either from Ukraine to us or from us back to Ukraine, in order to do everything we can to ensure that the United States, our partners and allies are protected against what the Russians are doing in Ukraine, but also to ensure that the Ukrainians networks are as difficult as possible for the Russians to continue to attack and exploit,” Maj. Gen. William Hartman, commander of the CNMF, said recently.

Other recent deployments include Albania after Iranian cyberattacks there and Latvia.

“Defend Forward is a unique authority that allows us to execute operations abroad as part of our ‘defend forward’ strategy, while also building strategic relationships with key Allies and Partners. Defend Forward operations have occurred in every geographic area of responsibility.  This sort of activity strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us,” the CNMF spokesperson said.

Updated on June 9, 2023, at 5:25 PM: This story has been updated to include comments from a Cyber National Mission Force spokesperson.

The post US Cyber Command conducts ‘hunt forward’ mission in Latin America for first time, official says appeared first on DefenseScoop.

Hartman’s nomination for assignment to “a position of importance and responsibility” was posted to a congressional website May 30 with no fanfare and no description of his next job.

The news of the nomination was first reported by The Record.

If confirmed, Hartman would pin a third star and be the second in charge at the command, typically seen as the person running the day-to-day activities while the commander of Cybercom also serves as the director of the National Security Agency.

Hartman would take over for Lt. Gen. Timothy Haugh, who was nominated to succeed Gen. Paul Nakasone as commander of Cybercom.

In his role, one of Haugh’s main tasks was focused on developing and building out the Joint Cyber Warfighting Architecture (JCWA), Cybercom’s primary weapon system to conduct cyber operations that consists of an amalgam of platforms and capabilities.

Hartman currently commands the elite Cyber National Mission Force at Cybercom, which is made up of 39 joint teams and thought to have the Department of Defense’s most talented cyber operators at the cutting-edge of their profession. It is aligned in task forces organized against specific threat actors. They have been on the front lines of defending elections from foreign influence.

At the end of 2022, the CNMF was elevated to a sub-unified command under Cybercom, signifying its importance.

Given its prowess, commanding the CNMF has generally been thought to be a launching pad for promotion and higher commands. Prior commanders of the CNMF include Nakasone, Haugh and Vice Adm. Timothy White, who retired in 2020 as the commander of 10^th Fleet/Fleet Cyber Command.

Notably, Hartman has commanded the CNMF since August 2019. Predecessors dating back to Nakasone have only held this job for a maximum of two years.

In his time as the head of CNMF, Hartman has helped lead the so-called “hunt-forward” ops, which involve physically sending defensively oriented cyber protection teams from the CNMF to foreign countries to hunt for threats on their networks at the invitation of host nations. Officials say they are mutually beneficial because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

While they started prior to his command, they ballooned under his leadership as he increased the capacity.

They have become a mainstay for the command, as they were enshrined in recently updated DOD Doctrine for cyber operations and featured as a part of one of four complementary lines of effort the updated DoD cyber strategy seeks to employ.

To date, Cybercom has conducted 70 of these operations in 22 nations on 50 different networks.

These initiatives also have played a significant role in a broader U.S. diplomatic effort within Cybercom’s operating concept of persistent engagement, which envisions challenging adversary activities daily and wherever they operate.

“There’s no accident that Gen. Hartman is visible on the ground and [in] Europe, visible as the commander of the Cyber National Mission Force meeting with and engaging with our partners and allies. That’s a very deliberate, diplomatic and informational use of a military commander and his formation to send a message that bolstered collaboration and to strengthen partnerships,” a former official told DefenseScoop.

Various U.S. diplomatic stations have tweeted out several photos of Hartman — dressed in a business suit, not wearing the typical combat uniform of a military officer — on the ground with leaders of foreign nations.

Moreover, the CNMF under Hartman picked up pilot efforts started before him and bolstered support for the private sector through several initiatives aimed at sharing indicators of compromise discovered in operations to improve the collective cybersecurity of the nation.

Jon Harper contributed to this story.

The post Cyber National Mission Force Commander Maj. Gen. William Hartman nominated as deputy at Cybercom appeared first on DefenseScoop.