“We created an AI Task Force and what the decision that we made is we put it inside of our largest operational organization. It’s inside the Cyber National Mission Force. [Commander] Maj. Gen. Lorna Mahlock has that team of expertise as a tool that when she’s got a hard problem, she can use that task force as one of the solutions,” Gen. Timothy Haugh, commander of Cybercom and director of the National Security Agency, said at a dinner hosted by the Intelligence and National Security Alliance Tuesday.

The Cyber National Mission Force is a sub-unified command under Cybercom made up of 39 joint teams and thought to have the DOD’s most talented cyber operators aligned in task forces organized against specific threat actors, with the core mission of defending the nation against digital threats.

The AI Task Force was created as part of congressional direction in the fiscal 2023 annual defense policy bill, which required the command — along with the Department of Defense chief information officer in coordination with the chief digital and artificial intelligence officer, director of the Defense Advanced Research Projects Agency, director of the NSA and the undersecretary of defense for research and engineering — to jointly develop a five-year guide and implementation plan for rapidly adopting and acquiring AI systems, applications, supporting data and data management processes for cyber operations forces.

Haugh said they briefed their roadmap to Congress and the task force was created to accelerate that plan.

He has previously described three outcomes the task force will be focused on:

• Delivering AI capabilities for operations by the cyber mission force — the offensive and defensive teams each service provides to Cybercom to conduct cyber ops — and integrating the task force more closely with operations.
• Posturing the command to enable AI adoption by addressing materiel issues such as policy and standards that will be critical for responsible, ethical, assured and secure AI application.
• Countering AI threats.

The organization is part of an integrated approach to addressing artificial intelligence between Cybercom and the NSA.

The goal is for that task force and roadmap to help provide lessons for AI’s application across DOD.

“The collaboration that’s going on between NSA and Cyber Command really allows us to build a community to practice that we’re both learning together,” Haugh said. “We’ll also look to how we share compute resources and things like that, to really allow us to scale and then do so faster. I think those opportunities for us, we really can be unique in the department with our workforce and with the way that we apply both our experience in AI /ML — certainly NSA has done that for decades.”

The post Cybercom’s AI task force housed within its elite cyber unit appeared first on DefenseScoop.

Officials are dubbing the review Cybercom 2.0.

“As we’re trying to look at the future of U.S. Cyber Command, I want to have a bold move forward,” Gen. Paul Nakasone, commander of Cybercom and director of the NSA, told reporters during a media roundtable at Fort Meade. Nakasone is set to retire Friday following a change-of-command ceremony where he will pass the torch to Lt. Gen. Timothy Haugh, who will pin on his fourth star.

The command, now just north of 10 years old, was built on many principles of its time a decade ago. The domain it operates in is so dynamic that many of these tenets are now outdated.

For example, the cyber mission force — the teams each service provides to Cybercom to conduct offensive and defensive operations — was designed around 2012, built from 2013 to 2016, and reached full operational capability in 2018.

At the time, according to declassified task orders that were unearthed via the Freedom of Information Act by the National Security Archive at George Washington University, the priority was to get the teams formed, built quickly and rely as much as possible on NSA support.

“Given the increasing threats to our nation’s critical infrastructure and DoD networks, it is imperative that we establish, train, and employ equipped cyber mission forces as expeditiously as possible. We must get these forces in position now—these teams will be prepared to defend the nation, provide support to combatant commanders, and to provide active defense of key terrain on critical networks,” a task order from March 2013 read. “We will establish immediate operational capability during FY13 by effectively task organizing our available personnel into [REDACTED] effective, combat-ready teams, positioned in the best locations for mission success, and with a command and control structure in place to direct successful operations.”

The order goes on to state that while the initial focus was on establishing combat-ready teams quickly and efficiently, they would keep the end-state force posture in mind.

Those teams and their structures have not been holistically relooked or reexamined since then, with new teams being added to the initial 133 for the first time in the president’s fiscal 2022 budget request. For example, Nakasone said those teams were built with a different understanding of the world in 2012, with a counterterror focus and when Iranian financial system cyber disruptions were one of the main threats of the day — long before the shift back to great power competition with nations such as China.

Many of the manning numbers of personnel and teams were arbitrary given the quantity of forces the services had available at the time and to justify the need to Department of Defense leadership, according to former officials.

There were calls and expectations in the past to relook the team structure and reexamine how the force trains and acquires capabilities — particularly after the cyber mission force reached full operational capability in 2018 — however, the remedy for many years had been to task organize for particular missions or break teams into smaller elements.

During the build, for instance, Cybercom leadership locked in the structure and didn’t want to tweak the teams so as not to appear as if they were moving the bar on the services until they reached full operational capability.

There wasn’t another model to emulate when building these teams, and so experts have said it’s no surprise they didn’t get everything right.

Additionally, Cybercom relied very heavily on NSA personnel and equipment as it grew. As a military organization, it needs its own military-specific systems separate from intelligence systems. As a result, it wants the ability to acquire and manage those capabilities much like the rest of the military develops platforms to conduct operations.

The command, in partnership with other elements of the DOD, is working hard at a holistic reexamination to better posture the command and its forces.

“I think all options are on the table except status quo,” Nakasone said during an INSA event in December. “We built our force in 2012 and 2013. We’ve had tremendous experience, but scope, scale, sophistication and the threat has changed, the private sector has changed, our partners have changed. I think that we’ve got to be able to take a look at how we’re going to change as well.”

A cross-functional team consisting of a group of experts has been convened to discuss how the command can think about how its authorities, training, personnel and acquisitions can be done differently.

In fact, a problem statement regarding what they’re seeking to examine was approved this weekend, though Nakasone declined to provide details.

“We’ve got to think boldly about such things as how we do training and how we might do personnel processes that are different,” Nakasone said.

Why now?

Sources indicated it’s been over 10 years since the command was created and they want to update the vision, force structure and doctrine. There are also now personnel at the top levels of leadership that have been around the command for years — such as Haugh and incoming deputy commander Lt. Gen. William “Joe” Hartman — with a lot of knowledge of the domain, making this a good opportunity for a revamp.

Now is the right time to begin looking at what the next iteration of Cybercom is for several reasons, Nakasone said.

In the fiscal 2023 National Defense Authorization Act, Congress directed several studies and examinations of the department, which include a force generation study due in June examining the responsibilities of the services for organizing, training and presenting the total force to Cybercom, among seven other elements. Additionally, there are 14 new teams that are slated to be built over the course of the next five years. Moreover, since 2018, when the department gained new authorities to conduct cyber operations, a lot of lessons have been learned from those operations as well as election defense, ransomware, the Russia-Ukraine conflict and other issues.

“We haven’t done this, I think, really since we started up the force. And I think this is the right time,” Nakasone said of the confluence of these circumstances leading to 2024 being the best opportunity to reexamine the command.

Other officials have noted that the variety of studies Congress has asked for provides a good opportunity to package these key questions together and provide the secretary of defense with several options for the future evolution of the command.

“The Congress has laid on really multiple studies over the past few years to look at what things should the department do or could be doing to improve our ability to generate cyber forces, train cyber forces, retain cyber forces for maximum effect,” John Plumb, assistant secretary of defense for space policy, who also serves as the principal cyber advisor to the secretary of defense, told reporters in January. “We have been slowly working through various options. And the question is like, how much would need to change? What should you look at? … What are we after for readiness? How can we make readiness better?”

He noted as they look at all the things that are coming, the team knows they have to present the secretary a set of options related to this large, significant study and find the best recommendations to present a more comprehensive set of options as opposed to doing them one at a time.

Nakasone noted how 2018 was a watershed year for the command when it gained new authorities through executive policy changes, congressional legal changes and clarifications.

“That leads us to a whole heck of a lot of operations, so from 2018, forward to now, the number of operations is sky high, which means there’s a lot of data, in terms of what’s going on,” he said.  

Prior to that point there were only a handful of operations that had taken place because there was a bias for inaction, meaning there wasn’t a lot of data regarding how effective the team structure and personnel were.

This led to the paradigm shift toward persistent engagement, which encompasses challenging adversary activities daily and wherever they operate. Nakasone noted that is something the command got right and must continue to operate.

“You have to have persistent engagement. If you’re on the sidelines watching this, you’re going to get hit. That’s why I think it’s so important for our forces worldwide to be able to be engaged, and being able to act and understand what our adversaries are doing,” Nakasone said. “Being able to continue to operate day in and day out, this is how you get really good. You operate in the domain. This is what Special Operations Command has taught us, right?  Continued operations build proficiency and professionalism. We’re going to need that. I think a lot about that piece, in terms of where Cyber Command is going.”

Similarly, the command has fashioned itself off the Socom model even though it was initially under U.S. Strategic Command, which is in charge of the military’s nuclear weapons.

Another turning point in Cybercom’s history happened in 2020 when Nakasone asked for more service-like authorities from the secretary of defense similar to Socom. He also asked for more teams and a reposturing of teams from counterterrorism to be more aligned against China and Russia.

This included enhanced budget authority, which provides direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force.

Many of these changes will also affect the services and how they present their forces to the command.

“I’m a pretty demanding customer with the services. I just want their best and I want it all the time. They have been very, very supportive, in terms of what’s gone on, but I will tell you that we operate in a domain that requires a longer dwell time for our soldiers, sailors, airmen and Marines, than the constant movement,” Nakasone said. “I think that this has been a concern that I’ve expressed that I think is one of the things that we’re going to have to deal with in the future.”

Nakasone recognized that the services have to provide a number of different forces to combatant commands, with Cybercom being one of them. They have to balance their readiness needs as well. However, he was aware that it’s his job as the commander of Cybercom to talk about why this domain is unique and why there is a need to consider recruiting, retention, or assignment policies differently than in the past.

This has also led to calls for an independent cyber service — akin to the Army, Navy, Marine Corps, Air Force and Space Force — which have intensified over the last year.

Proponents of an independent cyber service argue that cyber operators have no distinct identity — as they are still members of their respective services — there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different, and the command-and-control structures are confusing. Moreover, they allege only an independent cyber force or service can solve key problems.

Congress had initially proposed an independent study on the matter, but it was cut out of the annual policy bill for fiscal 2024. Proponents have vowed to get it into the fiscal 2025 bill.

Nakasone has, at least publicly, remained neutral to this notion, offering that it’s a policy determination for the secretary of defense.

What could be done for the future force?

According to experts and sources, there could be more formal restructuring of teams — rather than task organizing for each mission — to break them into smaller elements.

The Cyber National Mission Force — a sub-unified command under Cybercom made up of 39 joint teams and thought to have the DOD’s most talented cyber operators that defend the nation from significant cyber threats, which Nakasone, Haugh and Hartman have all commanded — has significantly more flexibility than the combat mission teams that conduct offensive operations on behalf of combatant commands, and cyber protection teams that conduct defensive cyber ops. This is due to the fact it’s a smaller force and organized around six task forces. This allows them to be able to more accurately task organize based upon skill sets and readiness of personnel needed for certain missions.

That could be a possible model going forward. Having greater oversight of readiness of forces and skills through new tools the command is developing will help commanders be able to have better fidelity of what they’ll need at any given time to pluck personnel with skill sets required for operations.

Initially, cyber protection teams were made up of 39-person teams with five squads. That has evolved to smaller elements after what forces learned through operations and not having to deploy 39 people to address every problem. In the future, they could be split up even more to make additional teams.

Experts noted that everything is on the table and the planners involved are not going in with any pre-determined solutions to figure out what the best way forward will be.

“As Gen. Haugh takes over that he’ll take this forward to a briefing with policymakers then, ultimately, the SECDEF and say, ‘Hey, this is how we think the Cyber Command of the future needs to be able rebuild today,’” Nakasone told reporters.

The post Holistic examination of the next iteration of US Cyber Command underway appeared first on DefenseScoop.

Mahlock, the first Marine Corps officer to lead the CNMF, takes over for Maj. Gen. William Hartman, who will assume the deputy commander role at Cybercom and pin on a third star.

The CNMF’s chief mission is to defend the nation from significant cyber threats. It is made up of 39 joint teams and thought to have the Department of Defense’s most talented cyber operators at the cutting-edge of their profession. It is aligned in task forces organized against specific threat actors. They have been on the front lines of defending elections from foreign influence, protecting critical infrastructure and, most notably, for conducting so-called hunt forward operations which involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

“CNMF has always been the ‘go-to’ force when our nation has a challenge in the cyber domain,” Gen. Paul Nakasone, commander of Cybercom and director of the National Security Agency, said while presiding over the ceremony, according to a release. “These joint cyber operators are a powerhouse that punch above their weight against some of the world’s most reckless and determined foreign malicious cyber actors.”

Hartman has led the CNMF since 2019, overseeing its elevation to a sub-unified command under Cybercom last December — an indicator of the organization’s importance. Predecessors dating back to Nakasone, who also helmed the group, have only held this job for a maximum of two years.

“It has been an honor to lead the CNMF and the talented young Americans who work tirelessly to defend our nation,” Hartman said. “I am incredibly proud of all you have accomplished over these last few years, and I know you will continue to be the elite cyber force our nation needs.”

Mahlock comes into the role after most recently serving as the deputy director for combat support at the Cybersecurity Directorate within the NSA. Her appointment to CNMF, along with Hartman’s, was part of the months-long backlog due to the blanket hold on senior military officer confirmations that was imposed by Alabama Republican Sen. Tommy Tuberville in protest of the DOD’s abortion policies.

“It is an honor to be selected as the next commander of the Cyber National Mission Force,” Mahlock said. “I have had the opportunity to observe you from afar and I am humbled by the opportunity to serve alongside you. You are our nation’s elite cyber warriors, competing daily against a threat that is very real, but which few can comprehend, quantify or see.”

Given its prowess, commanding the CNMF has generally been thought to be a launching pad for promotion and appointment to higher commands. Prior commanders of the CNMF include Nakasone, Lt. Gen. Timothy Haugh — who has been confirmed to replace Nakasone — and Vice Adm. Timothy White, who retired in 2020 as the commander of 10^th Fleet/Fleet Cyber Command.

The post Cyber Command’s premier force gets new commander appeared first on DefenseScoop.

These types of ops involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign countries to hunt for threats on their networks at the invitation of host nations. The CNMF was recently designated a sub-unified command in December.

Since 2018, the CNMF has deployed 44 times to 22 different nations conducting such operations on nearly 70 networks, according to Cybercom. Officials say these operations are mutually beneficial because they help bolster the security of partner nations and provide Cyber Command — and by extension, the United States — advanced notice of adversary tactics allowing the U.S. to harden systems at home against these observed threats.

The Iranian cyberattacks occurred in July and September 2022. The July attacks, in response to an Iranian government opposition group conference in Albania, shut down numerous Albanian government services. The September attacks targeted a government system used to track border crossings following Albania cutting diplomatic ties with Iran.

The U.S. government issued sanctions against Iran and sought to help Albania bolster its overall security posture.

 “We will continue to support our NATO ally Albania’s remediation efforts, and invite partners to join us alongside our NATO allies in holding Iran accountable for its destructive cyberattacks against Albania in July and September 2022,” U.S. Ambassador at Large for Cyberspace and Digital Policy Nathaniel Fick said in a statement.

The CNMF team was deployed for three months and provided technical findings to the Albanian government allowing them to bolster their networks. These insights are also critical to defending the U.S. against malicious cyber activity.

“These hunts bring us closer to adversary activity to better understand and then defend ourselves, but they also bring the U.S. closer to our partners and allies. These relationships are key to protecting our networks and critical infrastructure against shared threats,” Maj. Gen. William Hartman, commander of the CNMF, said.

“When we are invited to hunt on a partner nations’ networks, we are able to find an adversary’s insidious activity in cyberspace, and share with our partner to take action on. We can then impose costs on our adversaries by exposing their tools, tactics and procedures, and improve the cybersecurity posture of our partners and allies. When we share information, we are all more defended from those who seek to do us harm,” he added.

These types of ops are an opportunity for the U.S. to build stronger partnerships with other nations on the cyber front, a key priority for enhancing global digital security.

“The cooperation with U.S. Cyber Command was very effective and made us feel safe by assuring that we have followed all the right steps in responding to these sophisticated attacks,” Mirlinda Karçanaj, general director of the National Agency of Information Society, an Albanian government institution that coordinates information systems, said. “We hope that this cooperation will continue in the future so that we can further exchange experiences and increase our capacities to another level.”

The post US cyber forces wrap up deployment to Albania in response to Iranian cyberattacks appeared first on DefenseScoop.

The CNMF — formerly one of Cybercom’s headquarters elements — is made up of 39 joint teams and thought to have the DOD’s most talented cyber operators at the cutting-edge of their profession. It is aligned in task forces organized against specific threat actors. They have been on the front lines of defending elections from foreign influence, protecting critical infrastructure and, most notably, for conducting so-called hunt forward operations which involve physically sending defensively-oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

Former officials described a natural evolution in the elevation to a sub-unified command for CNMF, highlighting the importance in continued maturation for the still young U.S. Cyber Command.

“It’s a great indicator of the continued maturation. It’s a great testament to the hard work of those men and women and the strong leadership they have,” Michael Rogers, who served as commander of Cybercom from 2014 to 2018, told DefenseScoop. “It’s an endorsement by the Department of Defense, I think, of the importance of the mission and the need to generate structures that are optimized to execute the mission … It shows the department believes that that’s the right direction, too, as well. It isn’t just the cyber guys going, ‘We need to do this.’ It’s the whole department thinking, ‘Yeah, it’s the appropriate thing for us to do.’”

He added that sub-unified commands are normally joint organizations within a combatant commander’s area of responsibility and typically created because missions are believed to be both a higher level of priority and of a sustained nature.

Austin’s decision clarifies and codifies the unique missions and functions of the CNMF to defend the nation from cyber threats, George Franz, cybersecurity lead for Accenture Federal Services and the first CNMF commander, told DefenseScoop.

Several former officials who spoke with DefenseScoop explained that sub-unification was always the plan at some point down the road for CNMF when it, and the broader cyber mission force, was created around 2012. The broader cyber mission force consists of 133 total teams that conduct cyber ops for Cybercom, including the 39 CNMF teams.

“Early on, there was the idea that eventually CNMF was going to be a force with a unique mission,” Franz said.

However, that wasn’t something that officials put emphasis on initially because they had little capacity. They only had 12 people in the headquarters and shared an office with two desks at the beginning.

“The idea was you’ve got to build the force, deploy the force, start to demonstrate capacity and eventually … there’s a time when the decision ultimately needs to get made about alignment,” Franz said.

A former CNMF staff member who is now part of the Association of U.S. Cyber Forces (AUSCF) said the discussion regarding sub-unification really began to gain steam following the Russia Small Group, a joint CNMF-NSA task force established in 2018 to thwart election interface by Russia and other foreign actors after the perceived failures surrounding the 2016 election.

Then Brig. Gen. Timothy Haugh, who was the commander of CNMF and is now the three-star deputy commander of Cybercom, assigned personnel to begin working on a package to make CNMF a sub-unified organization in the 2019 timeframe, the former staff member said, adding it took a couple of years to negotiate it and get it right.

Sub-unification isn’t something the command could do on its own. It had to present a plan and get it approved by the secretary of defense.

Sub-unification also doesn’t come with a direct set of new authorities or resources or an increased budget. In fact, officials said they will not be getting an increase in personnel or funding as a result of the elevation. Sources indicated the command was careful to pitch elevation to department leadership as “resource neutral,” though, at some point in the future, they might come back with more requests.

The former staff member posited that it’s possible in the future that CNMF will get more control over procurement, allowing them to modify or change the toolkits they need.

Sub-unification demonstrates maturation and the potential to take more delegated authorities that rest at the four-star level, experts say.

“If you look at how authorities get delegated from SecDef to combat command as sub-unified, so that does allow, I would say, agility, freedom of movement, a little … autonomy. But it gives that commander more of the responsibility for mission command of things,” Franz said. “They haven’t been limited by the lack of sub-unification, but that designation just makes it a lot easier. They will be able to test and codify things over time to make that even more efficient now that because it’s formal. You’ve got all the processes that go around formal command are now available to the CNMF commander.”

The former staff member said section by section, things can be delegated down such as funding or procurement authority, especially since prior to sub-unification, CNMF was essentially living as a staff element on Cybercom’s budget.

Authority to conduct an operation could also be delegated, depending on the risk profile or mission, they said. However, certain actions might require additional permissions.

Defending the nation in cyberspace

Officials have noted that the CNMF elevation was not done in response to some crisis.

While it has always been charged with defending the nation from foreign cyberspace threats, the DOD has been on a long journey to figure out exactly how it performs that role and fits with other government entities.

For years, there were debates both inside and outside government as to how the DOD would protect the country in the digital realm. It was clear the U.S. military had responsibility to defend the United States from kinetic attacks such as missile salvos, but tackling cyber threats was a trickier problem.

Following a series of executive policy changes, congressional legal changes and clarifications and conceptual revamps, DOD and Cybercom developed the frameworks of “defend forward” and “persistent engagement.”

The 2018 DOD cyber strategy directed Cybercom to “defend forward,” which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks. It executes that directive under its operational concept of persistent engagement, which means challenging adversary activities daily and wherever they operate.

“Elevation [of the CNMF] to a sub-unified command means that it now takes on additional authorities and responsibilities for conducting that mission, that counter cyberattack mission, to support the defend-the-nation role that it has. Over time, I think what that became was continuous reconnaissance and positioning to understand priority cyber threat capabilities, which we all know openly now are China, Russia, Iran, North Korea” and violent extremist organizations, a former official involved in the creation of the cyber mission force told DefenseScoop.

“You’ve seen the strategy, the DOD strategy, move from a focus on just building the force structure and building the capabilities now, to moving from less of a reactive posture to more of a proactive posture and process — which you recognize in the strategy of defend forward and persistent presence,” the former official added.

While this was always the vision, it took the department and U.S. government a long time to get there, especially given the sensitivities involved in defending privately owned networks.

The vision of the first Cybercom commander, Gen. Keith Alexander, “was always that CNMF would defend the nation and it would do that outside of the [DOD Information Network] and frankly, outside of the borders of the United States,” Franz said. “In order to defend in cyberspace, you had to defend forward of the targeted areas.”

Despite all the debate over the years, Franz noted that sub-unification really codifies this mission within DOD and the U.S. government because the secretary of defense has approved it and the national command authority has signed off on its mission.

Becoming the ‘JSOC’ of the cyber realm

Upon elevation, officials stated that while not exactly perfect, the closest and most analogous arrangement within the Defense Department to CNMF sub-unified command was Joint Special Operations Command (JSOC) under the umbrella of U.S. Special Operations Command.

Many former officials said there had been caution not to exactly equate CNMF to JSOC, but that was essentially the model.

“I don’t think it’s changed very much from the original vision of what the Cyber National Mission Force was supposed to be. It was always envisioned, honestly, to be the JSOC of the cyber realm,” said the former official involved in the creation of the cyber mission force.

“The Cyber National Mission Force … this is where the JSOC analogy comes in pretty well. It’s comparable to the special ops national mission force for strategically significant national-level missions of consequence. In the case of SOCOM and JSOC, that’s counterterrorism, countering weapons of mass destruction, etc. In the case of U.S. Cyber Command, that’s counter cyberattack against the nation. There was a lot of argument initially over what exactly that meant and how that would be executed,” the former official added.

The JSOC analogy also rings true for CNMF given the unique mission set it holds, which requires a certain skillset that differs from the other types of cyber mission force teams. Additionally, the longer deployment cycles on the CNMF are similar to the longer tours members of JSOC often had relative to others in the special ops community.

When it comes to skillsets, the former staff member noted that on the defensive side, CNMF operators must possess extremely deep threat-specific knowledge. They’ll have a high level of expertise on a particular actor such as Russia’s foreign intelligence service or China’s ministry of state security — and thus be able to understand how those actors operate in a network and where they’re going to go once they gain access.

On the offensive side, the former staff member noted that CNMF operators have different characteristics of what they must gain access to relative to their counterparts conducting offensive ops for theater combatant commands. A combat mission team for a combatant command might be working the same target that won’t change for some years whereas a national mission team for CNMF will be looking at targets that are more dynamic and require a different mindset, understanding and approach to crack it.

However, a former senior DOD cyber official stated they didn’t like the JSOC analogy as it tended to created a tiered model for quality and readiness.

Maintaining momentum

Former officials noted that the sub-unification is just one part of the journey for both CNMF and Cybercom, cautioning that there is still more work to be done going forward.

Officials used to use the metaphor that Cybercom was building the proverbial airplane while they were flying it in trying to stand up a new organization — with forces, procedures, capabilities and policies — while also conducting operations. The command continues to mature its structures and there will likely be more change in the coming years.

When it comes to sustaining the CNMF post-sub-unification, experts said there probably will need to be a separate readiness model for the Cyber National Mission Force.

“I think you’ve got to design the readiness model to meet the circumstance and the requirements of missions. They are going to have a different looking readiness model just because their mission profile is different, organization is different, different set of skills,” Franz said. “That’s what the sub-unification designates — they do have a unique functional mission recognized by DOD and so readiness has got to meet the requirements for that.”

Given the need for longer deployment cycles and different skillsets on CNMF, they will need to work with the services — which providing the training and forces — to develop a slightly different model.

“At some point, CNMF does become that uniquely trained, resourced force, on the road to becoming what is the equivalent of a special mission unit in cyber,” Franz said. “They just literally have a different mission, they have a different mission profile, they operate differently.”

The CNMF commander, currently Maj. Gen. William Hartman, has more of a voice now to set training and readiness requirements that they can start to articulate to the services.

“What this lets him do is formally put him in a position where he can establish the training and readiness requirements, establish the force posture, the types of people. Frankly, there’s things like tour lengths, all the administrative readiness and training stuff that comes with running that command. He can start to tailor that to the unique mission requirements of CNMF,” Franz said. “The institutional processes now [are] more behind him, because as a sub-unified commander, he’s just in a position to articulate those more clearly, with more authority, trying to drive things in a more effective way.”

Others said they will likely also be able to select their own members somewhere down the line.

“Where it probably will head is, I think, that eventually CNMF gets just like JSOC [and] gets its own selection and assessment criteria for the force,” the former staff member said.

A former top official said that culture is extremely important, just as it is in the special ops community.

“The special operations culture and values are very unique, but they are what sustains the organization and its ability to accomplish what it’s chartered to do,” the former official said. “I think the same thing is really true of the entire cyber mission force, but especially the Cyber National Mission Force.”

The post Digital defenders: A look at the evolution and elevation of America’s Cyber National Mission Force appeared first on DefenseScoop.

This designation signifies the codification of the enduring mission of the CNMF to defend the nation in cyberspace, officials said during a ceremony at Fort Meade, Maryland, on Monday.

The mission of the organization is to protect the nation against cyber threats. Its personnel — largely considered to be the best of the best in the cyber ops arena — form task forces organized against specific threat actors. They are most well known for conducting so-called hunt forward operations which involve physically sending defensively-oriented cyber protection teams to foreign nations to hunt for threats on their networks at the invitation of host nations. They have also worked to defend elections and combat ransomware, among other tasks.

The Cyber National Mission Force was one of several headquarters elements under Cybercom, in addition to Joint Force Headquarters-Department of Defense Information Networks — responsible for operating and maintaining the DOD’s networks globally — and the various Joint Force Headquarters-Cyber, which are each run by the heads of the service cyber components and are responsible for planning and conducting cyber operations on behalf of the combatant commands they are assigned to.

While the sub-unified designation doesn’t mean the CNMF will receive new resources or personnel anytime soon, in practical terms, it signifies maturity of the group and will provide a better resource pipeline for personnel from the services, according to officials.

Currently, when the services — which are responsible for providing the manpower to Cybercom — resource the CNMF, it only shows up as a Cybercom headquarters billet, just like any other combatant command. Now, they’ll be able to see that CNMF identifier, which will allow the services to have greater context for that billet and provide increased training.

Maj. Gen. William Hartman, commander of the CNMF, noted that this won’t create an excess burden on the services to provide that higher fidelity of training given the services must train all cyber operators — offensive and defensive — to the same joint standard set forth by Cybercom. Rather, he told reporters following the ceremony, it will engender an environment where everyone is brought up to a higher level.

Moreover, Hartman equated the Cyber National Mission Force to Special Operations Command’s elite Joint Special Operations Command, which is also a sub-unified organization under Socom. He said JSOC is the most analogous organization to CNMF in that it has a specific and enduring mission, more lengthy duty assignments, unique skill sets and its personnel are trained to an elite standard.

The CNMF was created in 2014 to help meet the U.S. military’s need for an agile force in cyberspace. Now that it has matured, officials said it was time to codify it as a subordinate unified command, noting that its mission is enduring and highlighting the importance of cyberspace as a national security issue.  

With that maturity also comes increased trust and agility. Hartman told reporters that when Cybercom was first created, many of the policies resided at the four-star commander level. However, with the maturation of the CNMF, it could be time to push some of those policies and authorities down to allow the CNMF to respond faster and be even more agile, he said.

The post Cyber National Mission Force declared sub-unified command appeared first on DefenseScoop.

The program, dubbed “Under Advisement,” involves members of the command’s elite cyber national mission force (CNMF) — which is responsible for tracking and disrupting specific nation-state adversaries — sitting in chat rooms and disclosing threats with the cybersecurity sector, officials have said.

These military personnel use their real names for the sake of transparency and actually talk to members of the private sector.

“They are technical experts that can actually talk to people. They sit in private chats, elite invite-only industry forums, all in full name and with full transparent attribution,” Maj. Gen. William Hartman, commander of the cyber national mission force, said Wednesday during a speech at the Vanderbilt University Summit on Modern Conflict and Emerging Threats. “If you see something in the news about a cyber incident, you can bet one of them got a call about 1am the night before and have been exchanging unclassified information with cybersecurity experts as rapidly as possible.”

These chats occur on Signal and other trusted cybersecurity forums, Holly Baroody, deputy to the commander of the cyber national mission force, said in an event hosted by AFCEA April 20.

“When I first arrived to CNMF, I said what can we share with them? A lot of what we do is classified. But it turns out, we can share a lot. We’re fighting the same bad actors that industry is fighting,” she said. “When we identify a foreign threat and we’re able to share that with industry, then they share information back, our cyber experts are able to enrich that data and feed it back into industry. This bi-directional sharing of threat information both enables our operations to go after those foreign cyber actors in foreign space and enables homeland network defense.”

Much of cyberspace and cybersecurity is a symbiotic relationship. Threats that affect one affect all, and many have referred to cyber as the ultimate team sport.

“If you have information about a threat to your network, it’s a threat to everyone’s network … If we share information with each other, we can reduce vulnerabilities and we can stop many attacks before they ever occur,” Hartman said. “Not only does it help [the Department of Defense] defend our networks, but enables industry partners where we’re able to enrich their data with our expertise and share information back with those partners who can see and do things on their platforms and in their networks that we can’t.”

As of press time, Cyber Command hadn’t responded to FedScoop about when the program began and why it was needed.

For many years following the creation of Cybercom, the DOD faced problems with how to use its new cyber force to protect the nation from the barrage of cyber intrusions and breaches that it faced.

Historically it was clear the Pentagon would defend against a missile strike on a U.S. entity, for example. However, given the pervasiveness of cyber activities throughout society and given that most networks are not owned by the government, the DoD’s role in protecting the nation from foreign cyberthreats was less clear.

Through streamlined authorities and new operating concepts, Cyber Command articulated an ability to operate outside the country to defeat adversary cyber advances before they reached U.S. soil.

“From an offensive standpoint, we take everything we learn about our adversaries and turn that into offensive action to actively pursue our adversaries in foreign cyberspace,” Baroody said. “We go after their infrastructure, we go after their capabilities. Frankly, we go after anything in their ecosystem that makes them effective at attacking the United States. We take actions to disrupt, degrade and deny their operations. This combined defensive and offensive approach imposes costs on our adversaries by taking time, money and resources away from them [and] making it harder for them to do their job.”

The cyber national mission force has disclosed over 90 malware samples of adversaries on public forums through so-called hunt-forward operations, which involve physically sending defensively-oriented cyber protection teams from the CNMF to foreign nations to hunt for threats on their networks at the invitation of host nations. Disclosing malware not only allows companies to patch against threats, but takes those tools away from adversaries.

The Under Advisement program is another example of Cyber Command using its unique abilities and expertise to lend a hand to efforts to bolster national security.

The post Cyber Command creates forum with industry to share threat information appeared first on DefenseScoop.

Specifically, the award is for so-called hunt-forward operations, which involve physically sending defensively-oriented cyber protection teams from the Cyber National Mission Force to foreign nations to hunt for threats on their networks at the invitation of host nations.

Sealing Technologies’ prototyped solution was awarded funding through an other transaction authority agreement (OTA) through the Defense Innovation Unit, the company said.

The equipment will support automated deployments, configurations and data flows for cyber ops. It is modular in self-contained units that can be carried on commercial aircraft, according to the company.

“SealingTech’s kit is designed to be modular so it can be configured for mission requirements and optimized for enhanced performance characteristics,” said Angie Landress, program manager at Sealing Technologies.

Recently, working with industry and academia, Cyber Command was able to develop new kits for hunt-forward operations that allow them to observe malicious cyber activity on more networks faster, Holly Baroody, deputy to the commander of the Cyber National Mission Force, said during an event hosted by AFCEA’s D.C. chapter Wednesday. It wasn’t immediately clear if she was referring to Sealing Technologies’ capability.

Hunt-forward operations are a key pillar of Cyber Command’s persistent engagement operating concept, which posits constant contact with adversaries to cause them friction in their attempts at malicious behavior aimed at the U.S. homeland and partner nations.

“Through our hunt-forward operations, we’re able to detect and identify adversary malware and techniques, often before it’s used against the United States … We go where the intelligence tells us there’s a shared threat to our homeland,” Baroody said. “We then share that with the partner nation so that they can take the necessary steps to secure their networks. We also share our findings with other government partners like FBI, DHS CISA, as well as private industry, arming them with the information to bolster the defense of our homeland.”

These operations also require important relationship and trust building with partners in order to place sensors on their networks to observe traffic.

Since 2018, Cyber Command has deployed teams more than 28 times to 15 nations on over 50 networks, Baroody said, including to Ukraine and NATO countries to bolster defense against Russian cyberattacks.

As part of its efforts to cause friction for adversaries, the Cyber National Mission Force will release information about malware discovered during these hunt-forward operations to expose enemy tools and warn the broader cybersecurity community.

To date, the force has released over 90 malware samples, Baroody said.

“We leverage the industry standard of VirusTotal to ensure the industry partners can strengthen their networks and that the tools our adversaries employ can be inoculated against — essentially removing it from their arsenal,” she said.

The post Cyber Command awards nearly $60M contract for ‘hunt forward’ operations appeared first on DefenseScoop.