Hunt-forward operations involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

In responses to lawmakers’ advance policy questions ahead of his confirmation hearing before the Senate Armed Services Committee Tuesday, retired Lt. Gen. Dan Caine stated that Cybercom hunt-forward missions in the U.S. Southern Command area of responsibility discovered Chinese Communist Party malware on multiple foreign partner networks.

Southcom’s area of responsibility includes the landmass of Central and South America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.

These hunt-forward operations are conducted at the invitation of host nations. Details about specific countries where Cybercom conducts these ops are highly sensitive, and permission of the host government must be gained before public disclosure.

It’s no secret that China has interests in South American nations and Beijing has deployed cyber capabilities for a variety of malicious activities.

Cybercom did not confirm or deny the assertion by Caine, noting in a statement it routinely assists partners that request support in securing their cyber posture against foreign malicious activity across all geographic areas of responsibility.

“This strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us. USCYBERCOM’s core mission is to defend the nation in cyberspace. By policy and for operational security, we do not discuss cyber operations, plans or intelligence. No operation will be publicly disclosed without the partner nation’s consent,” a Cybercom spokesperson said of hunt forward operations.

Cybercom conducted its first hunt-forward operations in Latin America a couple of years ago. Officials have stated in the past that the CNMF conducts about two dozen defend-forward operations per year with foreign partners on foreign government networks to hunt and find Chinese, Russian and Iranian threats, among others.

In written congressional testimony last year, Cybercom commander Gen. Timothy Haugh noted that CNMF deployed 22 times to 17 nations for hunt-forward ops, with active operations occurring simultaneously in all geographic commands for the first time. Those activities led to the public release of more than 90 malware samples for analysis by host nations’ cybersecurity community.

“Such disclosures can make billions of Internet users around the world safer on-line, and frustrate the military and intelligence operations of authoritarian regimes,” he wrote.

Hunt-forward operations were credited with mitigating the effects of Russian cyber ops against Ukraine during its 2022 invasion. Cybercom sent personnel to Ukraine ahead of the invasion and helped harden their networks.

Caine also addressed, in his policy question responses, the hotly contested debate about the dual-hat arrangement in which the commander of Cybercom is also the director of the National Security Agency. Proponents believe the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

Caine told lawmakers he believes the dual-hat should be maintained, agreeing with the findings of a 2022 study that found the role should be strengthened as well.

“The Dual-Hat arrangement provides the ability to look across both organizations and has empowered both USCYBERCOM and NSA to fulfill their missions better than each could do alone. It promotes agility and enables intelligence to be operationalized rapidly,” he wrote. “It also facilitates relationships with key foreign allies and partners in part because the corresponding foreign organizations with signals intelligence (SIGINT) and cyber operations missions are fully integrated, operating under a Dual-Hat leadership structure. The span of control, does however, place a burden on one leader.”

Ahead of his own confirmation hearing in January, Secretary of Defense Pete Hegseth wrote to senators that he would “bring these debates to conclusion, consult with Congress, and make final recommendation for the way ahead.”

At the end of the first Trump administration, officials made a last ditch effort to sever the dual-hat, but it ultimately was not brought to fruition. Press reports prior to Trump’s inauguration for his second term indicated the administration wants to end the dual-hat relationship.

The post Cybercom discovered Chinese malware in South American nations — Joint Chiefs chairman nominee appeared first on DefenseScoop.

Sealing Technologies — a Parsons company — World Wide Technology and Omni Federal were tapped to develop prototypes for the Joint Cyber Hunt Kit, self-contained “fly away” technology that provides a security operations center in a box, according to DIU and budget documentation.

DIU is running the acquisition on behalf of Cybercom.

The effort is significant because the new kits will, for the first time, create a baseline standard for the gear cyber protection teams use for both the traditional defensive missions of the network as well as hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with protecting the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented CPTs to foreign countries to hunt for threats on their networks at the invitation of host nations.

Since Cybercom’s inception, there has never been a standardized defensive cyber kit for cyber protection teams — groups that hunt for malicious activity on Pentagon networks and respond to incidents — despite efforts in the past to create them. Those systems, referred to as Deployable Mission Support Systems (DMSS), varied across all the services.

Cybercom’s forces are constructed such that each of the services are responsible for providing a set number of offensive and defensive teams to the command to conduct operations. In many cases, the kits across each service varied despite cyber protection teams being largely trained to the same missions and standards, albeit with some variation.

As currently planned, the JCHK kits will provide a baseline of standardization across all the types of defensive CPTs, but offer a level of customization and tailoring for specific purposes and missions.

“The big thing is that flexibility and that modularity and the scalability, just to have the ability to tailor what they’re taking to the mission at hand. Whether that mission is going out and doing a vulnerability assessment or whether it’s a onboard mission where you’re looking for bad guys on an active network, being able to dial your kit into exactly what you’re going to do just makes things much easier and the outcomes from the missions are much better,” Brad Hatcher, chief product officer for SealingTech, said in an interview. “Sometimes what they need might be constrained by their space and how many people they can take to a location. Sometimes it will be more driven by the size and the volume of a network. And we build a kit that lets them tailor it specifically to each mission and take what they need and get there quick and do their mission and report back.”

According to budget documents, the forthcoming JCHK kits will be used by CPTs to secure and protect DOD networks and data centers by hunting, clearing and assessing in friendly, neutral and adversary cyberspace.

“Definitely a step forward in that it’s the latest and greatest technologies that we can put into a kit to run their missions faster to give them the ability to pull in more data, do more analytics — bigger, better everything than previous versions,” Hatcher said. “One of the bigger requirements and what can often be a limitation is the storage space that you’ve got. You’re hooking these kits up to networks and you’re trying to pull in all the traffic that’s flowing across that network to do analysis, to see what should be there, what looks odd. And those bigger storage capacities really allow the teams to really get in there and analyze as much as possible to find any anomaly on a network.”

Omni Federal’s offering, dubbed REDHOUND, provides proactive threat detection, comprehensive network analysis, threat intelligence integration, scalable investigation tools, incident response support and behavioral monitoring. The technology also boasts fast speeds leveraging a modular ARM processor architecture augmented with NVIDIA GPUs for low power for high compute in edge environments to provide flexibility, the company said in a statement.

The companies that were awarded deals will develop their prototypes between now and this summer. They’ll be tested in a lab-based environment with actual users for a period of time, and the government will eventually select one vendor to move on to the next phase of the program.

The post DIU awards prototype deals for next-generation defensive kits for Cybercom appeared first on DefenseScoop.

That effort will now also combine the equipment cyber protection teams use with the kit for hunt-forward operations performed by the Cyber National Mission Force, Cybercom’s elite unit tasked with defending the nation against significant digital threats. Hunt-forward operations, conceptualized over five years ago, involve physically sending defensively oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.

Since Cybercom’s inception, there has never been a standardized defensive cyber kit for cyber protection teams — the teams that hunt for malicious activity on Pentagon networks and respond to incidents — despite efforts in the past to create them. Those systems, referred to as Deployable Mission Support Systems (DMSS), varied across all the services. The way Cybercom’s forces are constructed, each of the services are responsible for providing a set number of offensive and defensive teams to the command to conduct operations.

Those DMSS kits are self-contained systems consisting of hardware and software capable of surveying, securing and protecting military networks as well as performing vulnerability analysis and incident response. They are designed to be taken to an incident with little to no notice to connect to the network in order to locate, contain and defeat malicious cyber activity that is either attempting to or has breached Department of Defense systems, according to budget documents.

Despite being designed to be joint in nature with the same training and equipment to operate on the DOD Information Network for defensive teams and the same training for offensive teams, each service provided slightly different DMSS systems to their respective cyber protection teams — creating incongruencies with equipment and forces as well as interoperability issues.

The closest the DOD came was a few years ago, requiring a set of basic tools be included across all DMSS kits provided by the services.

Now, there is an effort to standardize those efforts.

A solicitation from DIU issued Monday aims to combine the DMSS kit with the hunt-forward equipment, to create a singular standardized defensive cyber hunt system across the entire force.

The new Joint Cyber Hunt Kit (JCHK), as it is known, will be a mobile “security operations center (SOC) in a box,” DIU said. It must be portable by a nine-person team anywhere in the world and fit in a suitcase for easy air travel.

“Like the DMSS and HFO kits, the JCHK will be a self-contained flyaway capability utilized by the Cyber Protection Team (CPT) Mission Elements to secure and protect military networks and data centers by conducting Hunt, Clear, Enable Hardening, and Assess missions in blue, gray, and red cyberspace,” fiscal 2025 budget documents state. “The dynamic nature of CPT defensive cyberspace operations driven by the adversary’s rapidly evolving offensive cyber tactics, techniques and procedures require the [Budget Activity-8] flexibility as JCHK evolves. The merging of capabilities will facilitate the standardization of training, maintenance logistics, and force protection and will promote efficient execution of resources based on economy of scale.”

For hunt-forward operations, national cyber protection teams travel to other nations and plug into their network. Most prominent were the ops that took place in Ukraine ahead of Russia’s 2022 invasion, which both governments credit for helping harden Ukraine from potential Russian cyber onslaught. These differ from the tasks that cyber protection teams perform on the DOD’s network.

The new system must be flexible in order to perform standalone operations, given it will most often operate in an environment where it’s not permissible to connect to the internet or send data offsite for analysis.

The solicitation said the kits must to be able to perform any and all activities related to discovering advanced persistent threat activities and analyzing their tactics, techniques and procedures.

DIU has been working to equip Cybercom for many years. Additionally, the commmand awarded a contract worth almost $60 million in 2022 to provide equipment for hunt-forward operations.

Previewing the idea of standardizing the DMSS kits, Cybercom’s top acquisition executive noted that the services will have two years to maintain their separate service kits while the competition is underway.

“We’re going to go out with an RFP and a way of contracting for a common kit, at a minimum at the hardware level and then some layer of software, common software, that will be common across all the services. Then services’ unique needs can be added on top of that,” Khoi Nguyen, who is also the director of the cyber acquisition and technology directorate (J9) at Cybercom, said at a conference in January.

At the time, he said the command wants feedback from industry in a collaborative effort to deliver the best system possible.

“The goal is to get this industry day out there and then we’re looking to do aggressive prototyping. We’re probably going to award two or three more prototyping contracts, give the team [some] amount of time to do the prototyping and then deliver the hardware. Then three months for us [and] the force to play around with it. And then we’ll pick a winner,” he said. “My intent is to, like truly do a competition, allow competition, and that’s why we’re going to give … a decent amount of time for a new vendor or new team of vendors to build a new kit, versus having a prototype period very small, where the incumbent has a higher chance of winning. That’s the goal. We’re going to lay that out as an RFP or RFI. Please come back and tell us if I’m unrealistic or whatever else. We need to know that. But the goal is to get the best kits for the users that we can.”

According to fiscal 2025 budget documents, Cybercom and DIU will be relying on other transactional authority to award a prototype agreement to support the rapid development of a JCHK prototype, with the objective of transitioning cyber protection teams to the new system at the beginning of fiscal 2026.

The post Cybercom looking to combine and standardize defensive cyber kits; solicitation issued appeared first on DefenseScoop.

The deployment is part of so-called hunt-forward operations, which involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

“We had our first defend-forward mission, a hunt-forward mission in [U.S. Southern Command] just recently, which is amazing,” Brig. Gen. Reid Novotny, special assistant to the director Air National Guard for Cybercom, J5, said at the Potomac Officers Club annual Cyber Summit Thursday.

Southcom’s area of responsibility includes the landmass of Latin America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.

Novotny didn’t disclose which nation the operation was conducted in when asked by DefenseScoop following his remarks at the summit.

Given these hunt-forward operations are conducted at the invitation of host nations, public disclosure of which country Cybercom conducts them in are highly sensitive and permission of the host government must be gained.

Novotny didn’t provide specific dates for the recent deployment to the Southcom area of responsibility.

“By policy and for operational security, we do not discuss cyber operations, plans or intelligence. USCYBERCOM prioritizes partnerships. No defend forward operation is publicly disclosed without the partner nation’s consent,” a CNMF spokesperson told DefenseScoop on Friday in response to a request for more information.

With the operation in the Southcom region, Novotny told DefenseScoop that Cybercom has now conducted hunt-forward operations on every continent at this point, adding there are more invitations than the command has capacity for.

“We do these defend-forward missions, and the whole point of the defend-forward mission is to learn something on someone else’s network, a partner network, another nation’s network so we can bring back that information and make sure our networks are more secure,” he told conference attendees.

Hunt-forward operations have become a mainstay for Cybercom, as they were enshrined in recently updated Department of Defense doctrine and featured as a part of one of the four major lines of effort the updated DOD cyber strategy seeks to employ. They serve an important security role, but also a diplomatic role as the U.S. aims to increase its partnerships with other nations on the cyber front.

Gen. Paul Nakasone, commander of Cybercom, said as recently as late May, that the command has conducted 70 of these operations in 22 nations on 50 different networks.

One of the most prominent such deployments to date was to Ukraine in the run-up to Russia’s invasion in early 2022. U.S. cyber teams went there to gain insights on Russian cyber actors and threats while helping Ukraine bolster its network.

While these operators left prior to Russia’s invasion, this partnership continues today.

“Today, we have shared over 5,000 indicators of compromise either from Ukraine to us or from us back to Ukraine, in order to do everything we can to ensure that the United States, our partners and allies are protected against what the Russians are doing in Ukraine, but also to ensure that the Ukrainians networks are as difficult as possible for the Russians to continue to attack and exploit,” Maj. Gen. William Hartman, commander of the CNMF, said recently.

Other recent deployments include Albania after Iranian cyberattacks there and Latvia.

“Defend Forward is a unique authority that allows us to execute operations abroad as part of our ‘defend forward’ strategy, while also building strategic relationships with key Allies and Partners. Defend Forward operations have occurred in every geographic area of responsibility.  This sort of activity strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us,” the CNMF spokesperson said.

Updated on June 9, 2023, at 5:25 PM: This story has been updated to include comments from a Cyber National Mission Force spokesperson.

The post US Cyber Command conducts ‘hunt forward’ mission in Latin America for first time, official says appeared first on DefenseScoop.

Hartman’s nomination for assignment to “a position of importance and responsibility” was posted to a congressional website May 30 with no fanfare and no description of his next job.

The news of the nomination was first reported by The Record.

If confirmed, Hartman would pin a third star and be the second in charge at the command, typically seen as the person running the day-to-day activities while the commander of Cybercom also serves as the director of the National Security Agency.

Hartman would take over for Lt. Gen. Timothy Haugh, who was nominated to succeed Gen. Paul Nakasone as commander of Cybercom.

In his role, one of Haugh’s main tasks was focused on developing and building out the Joint Cyber Warfighting Architecture (JCWA), Cybercom’s primary weapon system to conduct cyber operations that consists of an amalgam of platforms and capabilities.

Hartman currently commands the elite Cyber National Mission Force at Cybercom, which is made up of 39 joint teams and thought to have the Department of Defense’s most talented cyber operators at the cutting-edge of their profession. It is aligned in task forces organized against specific threat actors. They have been on the front lines of defending elections from foreign influence.

At the end of 2022, the CNMF was elevated to a sub-unified command under Cybercom, signifying its importance.

Given its prowess, commanding the CNMF has generally been thought to be a launching pad for promotion and higher commands. Prior commanders of the CNMF include Nakasone, Haugh and Vice Adm. Timothy White, who retired in 2020 as the commander of 10^th Fleet/Fleet Cyber Command.

Notably, Hartman has commanded the CNMF since August 2019. Predecessors dating back to Nakasone have only held this job for a maximum of two years.

In his time as the head of CNMF, Hartman has helped lead the so-called “hunt-forward” ops, which involve physically sending defensively oriented cyber protection teams from the CNMF to foreign countries to hunt for threats on their networks at the invitation of host nations. Officials say they are mutually beneficial because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

While they started prior to his command, they ballooned under his leadership as he increased the capacity.

They have become a mainstay for the command, as they were enshrined in recently updated DOD Doctrine for cyber operations and featured as a part of one of four complementary lines of effort the updated DoD cyber strategy seeks to employ.

To date, Cybercom has conducted 70 of these operations in 22 nations on 50 different networks.

These initiatives also have played a significant role in a broader U.S. diplomatic effort within Cybercom’s operating concept of persistent engagement, which envisions challenging adversary activities daily and wherever they operate.

“There’s no accident that Gen. Hartman is visible on the ground and [in] Europe, visible as the commander of the Cyber National Mission Force meeting with and engaging with our partners and allies. That’s a very deliberate, diplomatic and informational use of a military commander and his formation to send a message that bolstered collaboration and to strengthen partnerships,” a former official told DefenseScoop.

Various U.S. diplomatic stations have tweeted out several photos of Hartman — dressed in a business suit, not wearing the typical combat uniform of a military officer — on the ground with leaders of foreign nations.

Moreover, the CNMF under Hartman picked up pilot efforts started before him and bolstered support for the private sector through several initiatives aimed at sharing indicators of compromise discovered in operations to improve the collective cybersecurity of the nation.

Jon Harper contributed to this story.

The post Cyber National Mission Force Commander Maj. Gen. William Hartman nominated as deputy at Cybercom appeared first on DefenseScoop.

The highly anticipated strategy is the first since 2018 and follows the release of the National Cybersecurity Strategy in March.

The DOD also publicly released an unclassified “fact sheet” on Friday, and said an unclassified “summary” will be provided in the “coming months.”

Of note, the fact sheet explains that the updated strategy is based upon real-world operations. Prior to 2018, the Pentagon had only conducted a limited number of cyber ops due to a variety of factors such as stringent authorities and a high-risk calculous.

The 2018 National Defense Authorization Act combined with changes to executive policy streamlined authorities and made it easier for the DOD to approve and conduct operations.

As a result, the 2018 strategy first articulated the concept of “defend forward,” which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks. This concept sought to take advantage of these new streamlined authorities and get ahead of the barrage of activity facing the nation.

“Since 2018, the Department has conducted a number of significant cyberspace operations through its policy of defending forward, actively disrupting malicious cyber activity before it can affect the U.S. Homeland. This strategy is further informed by Russia’s 2022 invasion of Ukraine, which has demonstrated how cyber capabilities may be used in large-scale conventional conflict,” the fact sheet states.

Officials have previously discussed how the Russia-Ukraine conflict has taught the department to think differently about cyber.

The fact sheet notes four complementary lines of effort the strategy seeks to employ.

First, defending the nation by campaigning in cyberspace to generate insights about malicious activity as well as continuing to defend forward to disrupt adversaries’ capabilities.

Second, investing in cyber capabilities to fight and win in conflict by ensuring the Department of Defense Information Network is robust, and support cyber resilience among the joint force. The Pentagon also notes it will use cyber ops to gain asymmetric advantages for the joint force.

Next, the strategy seeks to protect the cyber domain with allies and partners by building their capacity. This involves “hunt forward operations,” the fact sheet says, which involve physically sending defensively oriented cyber protection teams from U.S. Cyber Command’s Cyber National Mission Force (CNMF) to foreign countries to hunt for threats on their networks at the invitation of host nations. Officials say they are mutually beneficial because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

Last, the fact sheet explains that DOD will build enduring advantages by optimizing the organizing, training and equipping of cyber forces. The department is currently facing issues of readiness shortfalls among its cyber mission force, while building an acquisition capability for Cybercom thanks to enhanced authorities from Congress — all while there are outside voices pushing more loudly for an independent cyber service.

The post DOD sends new cyber strategy to Congress, releases unclassified fact sheet appeared first on DefenseScoop.

Nakasone came in to lead Cybercom during a significant shift in the cyber community.

He took the helm as Cybercom was elevated to a unified combatant command spearheading a new era for the organization and military cyber. Prior to that, it was sub-unified under U.S. Strategic Command.

Additionally, following a barrage of cyber incidents inside the U.S. involving nation-state actors and criminal groups, there were questions about Cybercom’s role in defending America from significant cyber harm.

For years, there were debates both inside and outside government as to how the Department of Defense would protect the country in the digital realm. It was clear the U.S. military had responsibility to defend the United States from kinetic attacks such as missile salvos, but tackling cyber threats was a trickier problem.

Nakasone helped spearhead the paradigm shift of “defend forward” and “persistent engagement.” While he first teased both at the Aspen Security Conference in July 2018, the terms weren’t officially formalized until the September 2018 DOD cyber strategy was released. They are now part of the military’s doctrine for joint cyberspace operations.

The strategy directed Cybercom to defend forward, which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks. Cybercom achieves that through persistent engagement, which means challenging adversary activities daily and wherever they operate.

The open question since articulated has been how successful the command has it been in beating back threats and how it’s measuring success. Some officials in the past have noted they’re not looking at metrics, but rather outcomes. Nakasone, in written congressional testimony in March, said success depends on stopping foes from achieving their goals.

“Success for USCYBERCOM will be measured by how effectively foreign adversarial actors are prevented from achieving their strategic objectives,” he wrote. “USCYBERCOM will counter adversaries in competition to defuse crises, deter conflict and prevail against aggression. Aligning efforts of both USCYBERCOM and [the National Security Agency] is essential to achieving these goals and is in the best interest of the nation.”

Sources that spoke to DefenseScoop noted that over the past five years, there has been a misconception regarding what “persistent engagement” is — and isn’t — as well as how the broader public should think about it.

According to one former official, the concept stems from Nakasone’s time commanding the Cyber National Mission Force from 2014 to 2016. While they were somewhat more active than other cyber teams, Nakasone soon realized upon taking command next at Army Cyber Command, that there was a higher risk calculus within the national security establishment for conducting cyber missions. This meant that there weren’t a lot of operations taking place.

“It was a counter remedy to inaction. There was too much bias for inaction at that time,” the former official said. “One of the implied goals or unstated goals of persistent engagement was to demystify a lot of cyber operations through doing it consistently and make it so that it wasn’t such an esoteric mystery.”

Another former official related persistent engagement to just one tool in the broader set of instruments of national power.

“It’s a long-term vision, a campaign that has elements of diplomacy and information and obviously, military operations, and even to a very small extent, it’s across [diplomatic, information, military and economic, or] DIME. I think that framing is important and I think it’s deliberate,” they said.

They highlighted the visibility and public nature of the commander of the Cyber National Mission Force.

Others have noted that the force sought to add friction to adversary activity as prior to the concept, many suspected malicious actors were operating too freely with very little consequences.

“It’s like a full-court press. You’re not waiting for them to get past you. You’re going to defend as soon as they get the ball in bounds,” Kurt Sanger, who was formerly Cybercom’s deputy general counsel, told DefenseScoop.

What is less clear to outsiders is how successful persistent engagement has been in terms of preventing malicious activity.

“We don’t know how bad it might have been had it not been for persistent engagement, but what we do know are certain things that we might have expected to happen didn’t happen, such as we did not see similar interference in the election in 2020 compared to what we believe may have happened in 2016,” Sanger said. “Did Cyber Command and persistent engagement have something to do with that? I believe it did. But I guess you never really know what punches the enemy pulled because of the way we were doing business.”

Others have noted that it’s impossible to fully stop adversary activity and there must be realistic measures of success.

“So long as we have a realistic definition of ‘success,’ then yes [it has been successful]. There’s no universe in which USCYBERCOM somehow could wholly prevent adversarial foreign-government cyber activity,” Bobby Chesney, dean of the University of Texas School of Law and someone who follows cyber law and issues very closely, told DefenseScoop in an email. “But there’s a ton of benefit when we defend forward both in the sense of operating by permission in other states’ systems (to help them identify and fend off adversaries), and when we operate in adversary systems themselves (to see threats as they are emerging and, on occasion, to issue warnings or even take harm-preventing actions).”

While some believed this seemingly more aggressive posture would lead to escalation in the cyber domain, others have noted it has not — which in and of itself is a success.

“One of the primary concerns that people had about the strategy and the vision was that it would lead to escalation. I think there we can say it’s a resounding success,” Jacquelyn Schneider, a fellow at the Hoover Institution, told DefenseScoop.

Schneider noted that in follow-on strategies, she’d like to see less ambiguity, making it more clear about what Cybercom is more willing and not willing to do.

However, one former official believes that the concept has not fully been executed to its potential.

“I think it’s been successful every time it’s been tried. I would fight the notion that has been truly tried,” they said. “I don’t see [persistent engagement] going away, but I think to say that we’ve done persistent engagement with a straight face does not do the concept justice, because it would require a whole lot more in the way of offensive operations.”

Steering the ship

Nakasone has gained high praise consistently from members of Congress while testifying, along with the broader cyber community, and was asked to stay on for an extra year.

“Against all odds, he has kept USCYBERCOM out of headlines and out of our nation’s increasingly unhappy politics,” Chesney said. “That’s amazing when you consider how things have been for just about every other government entity touching on the grey zone conflicts/Cold War II in recent years,” he added, referring to the great power competition between the United States and its advanced adversaries.

Nakasone’s tenure also saw the initial development of so-called hunt-forward operations, which have now ballooned into a mainstay and are part of the U.S. military’s doctrine for joint cyberspace operations.

These ops involve physically sending defensively oriented cyber protection teams from Cybercom’s Cyber National Mission Force (CNMF) to foreign countries to hunt for threats on their networks at the invitation of host nations. Officials say they are mutually beneficial because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

Nakasone’s tenure will likely best be remembered for the enhanced authorities Cybercom received and its maturation into a fully fledged organization. In the years prior, the command was always compared to the analogy of flying a plane while building it.

In the years since becoming a standalone combatant command, it has received significant authorities for executing cyber ops abroad, an important development since those authorities previously had been held at the highest levels of government, effectively dissuading cyber operations from taking place.

A series of executive policy changes, congressional legal changes and clarifications, and conceptual revamps paved the way for Cybercom to operate on networks outside the U.S.

The command has also been given what’s known as enhanced budget authority from Congress, which provides direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force. This is important as Cybercom aims to leverage service-like authorities to build out key platforms for military cyber ops, and it’s the only other combatant command besides Special Operations Command to have budget authority.

When Cybercom was initially created, it relied heavily on personnel, infrastructure platforms and tradecraft from the National Security Agency to build its enterprise. But cyber troops need their own platforms and infrastructure separate from the NSA, whose primary mission is to conduct foreign intelligence missions.

The two organizations are still co-located and share a leader. Nakasone’s tenure has seen more favorable discussion surround the longevity of what is known as the dual-hat relationship, one of the most hotly debated issues in the military cyber world.

Proponents maintain that the military can benefit from the unique intelligence insights and access of NSA, leading to faster decision-making and operational outcomes. Opponents argue the two roles are too powerful for one person to hold, and relying on intelligence infrastructure and tools —which are meant to stay undetected — for military efforts poses risks to such espionage activity.

It was always expected that the dual-hat arrangement would not be permanent given the inherently different missions of each organization: foreign intelligence and warfighting. However, Nakasone, as well as members of Congress, have continued to laud this relationship. In fact a study led by retired Gen. Joseph Dunford, who was formerly the chairman of the Joint Chiefs of Staff, determined that maintaining the dual-hat arrangement would be beneficial for national security.

“Whatever criticism there might be about USCYBERCOM’s operational quality, it’s light years from where it used to be. People forget what a fledgling entity this really was,” Chesney said.

The post With a replacement named, a look back at US Cyber Command’s transformational years under Gen. Nakasone appeared first on DefenseScoop.

Through a pair of initiatives, the Pentagon’s digital warriors have worked to share significant indicators of compromise to improve the defensive posture of the private sector.

The first, a program dubbed “under advisement,” involves members of the CNMF sitting in unclassified spaces and chat rooms and disclosing threats with the cybersecurity sector. The CNMF, now a sub-unified command under Cybercom, is tasked with defending the nation from malicious activity.

 Just in the past year, that program has shared well over 100 indicators of malware.

Using its unique authorities to act outside U.S. borders, Cybercom is able to discover malware through overseas operations and provide advance warning to others.

“In this past year alone, Cyber Command has collaborated with 22 private sector partners to pass 149 unique indicators of malicious cyber activity,” Holly Baroody, executive director of Cybercom, said Thursday during a presentation at the HammerCon conference, hosted by the Military Cyber Professionals Association. “We’ll continue to grow our partnerships with the private sector building off of our authorities granted to us by Congress and in recognition that cyber is a team sport and [a] threat to one is a threat to all.”

She added that in the past, the under-advisement program was able to share suspicious IPs with Microsoft, uncovering thousands of potential victims.

The second initiative is the so-called hunt-forward concept, which involves physically sending defensively oriented cyber protection teams from the CNMF to foreign countries to search for threats on their networks at the invitation of host nations. These operations not only improve the defense for that partner nation, but also the U.S. and broader cybersecurity community as malicious activities are detected and addressed.

They also feed into the under-advisement efforts.

“A threat to the Ukrainians from Russia is a threat to all of us. A threat anywhere in this [Indo-Pacific] theater from China is generally a threat to all of us. The ability to share is fundamentally important,” Maj. Gen. William Hartman, commander of the CNMF, said Wednesday during a presentation at the LANPAC conference hosted by the Association of the United States Army.

“As the [Russian] invasion kicked off [last year], we started to see a number of U.S. private companies reach out and want to provide assistance to Ukraine. What we were able to do is essentially provide an ability to triage data that was provided by U.S. private industry and then help facilitate the passage to the Ukrainians — because they were simply overloaded from an ability to communicate with the various partners that wanted to help them, whether it was the Cyber National Mission Force, whether it was other U.S. government agencies, whether it was NATO partners, whether it was the European Union — and our ability to take that information, triage it, analyze it and say, ‘Hey, these are the vulnerabilities that that you need to be most concerned about,’” Hartman said.

While the American hunt-forward team left Ukraine days before Russia invaded, Hartman said they continue to share information about threats.

“Today, we have shared over 5,000 indicators of compromise either from Ukraine to us or from us back to Ukraine, in order to do everything we can to ensure that the United States, our partners and allies are protected against what the Russians are doing in Ukraine, but also to ensure that the Ukrainians networks are as difficult as possible for the Russians to continue to attack and exploit,” he said.

The post Cybercom working more collaboratively with private industry to improve broader digital defenses appeared first on DefenseScoop.

These types of ops involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign countries to hunt for threats on their networks at the invitation of host nations. The CNMF was recently designated a sub-unified command in December.

Since 2018, the CNMF has deployed 44 times to 22 different nations conducting such operations on nearly 70 networks, according to Cybercom. Officials say these operations are mutually beneficial because they help bolster the security of partner nations and provide Cyber Command — and by extension, the United States — advanced notice of adversary tactics allowing the U.S. to harden systems at home against these observed threats.

The Iranian cyberattacks occurred in July and September 2022. The July attacks, in response to an Iranian government opposition group conference in Albania, shut down numerous Albanian government services. The September attacks targeted a government system used to track border crossings following Albania cutting diplomatic ties with Iran.

The U.S. government issued sanctions against Iran and sought to help Albania bolster its overall security posture.

 “We will continue to support our NATO ally Albania’s remediation efforts, and invite partners to join us alongside our NATO allies in holding Iran accountable for its destructive cyberattacks against Albania in July and September 2022,” U.S. Ambassador at Large for Cyberspace and Digital Policy Nathaniel Fick said in a statement.

The CNMF team was deployed for three months and provided technical findings to the Albanian government allowing them to bolster their networks. These insights are also critical to defending the U.S. against malicious cyber activity.

“These hunts bring us closer to adversary activity to better understand and then defend ourselves, but they also bring the U.S. closer to our partners and allies. These relationships are key to protecting our networks and critical infrastructure against shared threats,” Maj. Gen. William Hartman, commander of the CNMF, said.

“When we are invited to hunt on a partner nations’ networks, we are able to find an adversary’s insidious activity in cyberspace, and share with our partner to take action on. We can then impose costs on our adversaries by exposing their tools, tactics and procedures, and improve the cybersecurity posture of our partners and allies. When we share information, we are all more defended from those who seek to do us harm,” he added.

These types of ops are an opportunity for the U.S. to build stronger partnerships with other nations on the cyber front, a key priority for enhancing global digital security.

“The cooperation with U.S. Cyber Command was very effective and made us feel safe by assuring that we have followed all the right steps in responding to these sophisticated attacks,” Mirlinda Karçanaj, general director of the National Agency of Information Society, an Albanian government institution that coordinates information systems, said. “We hope that this cooperation will continue in the future so that we can further exchange experiences and increase our capacities to another level.”

The post US cyber forces wrap up deployment to Albania in response to Iranian cyberattacks appeared first on DefenseScoop.

“There’s so much more progress to be made here, particularly when it comes to training and maintaining our cyber workforce. And within the cyber enterprise specifically, we’re working with [U.S. Cyber Command] and the military services to ensure that the men and women when they show up for duty are going to be able to defend our nation against cyber threats on day one,” Rep. Jim Langevin D-R.I., said in an interview with DefenseScoop.

Langevin — who is the chairman of the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems and the co-chair of the Congressional Cybersecurity Caucus — is retiring after 21 years in Congress at the end of this session. He is regarded as a highly influential lawmaker concerning cyber policy across the government including the DOD.

Though Langevin has high praise for the work done by Cybercom and its cyber mission force — the roughly 6,200-person, 133-team cadre of cyber warriors that conduct offensive, defensive and support missions for the DOD — he is worried they don’t have the adequate training to ensure they’re fully ready upon entering service.

Unlike in traditional warfighting functions, cyber forces don’t have workup cycles and training events before deploying abroad for a fixed period of time. Typically, military forces will conduct a rotation at a training center to prepare them for deployment. Cyber operators, on the other hand, are in constant contact every day with adversaries in cyberspace.

Congress is exploring ways to “make sure that our men and women are properly trained from day one when they hit the ground running, and we can’t accept a situation in which service members who are responsible for performing critical operations, tasks are not equipped with the foundational or advanced skills that they require,” Langevin said. “More training and better training before they actually are operational with Cyber Command, I think is important.”

He noted that there is typically a limited amount of time for cyber operators on a particular assignment. If half that time is taken to get trained before those forces are operationally capable, then that’s a “poor construct” for training and preparing cyber warriors on day one.

“We need to change the current construct and we’re working on that,” Langevin said.

Additionally, Langevin said he’d like to see continued emphasis on partnerships with partners and allies in cyberspace. Most if not all of the challenges the U.S. faces are the same as others around the globe, he explained.

“I think we also need to look at international partnerships with our partners and allies and how we collectively work most closely together to defend our cyber networks to defend our respective nations,” he said. “Collectively, this is not just a U.S. challenge or problem, protecting countries in cyberspace, it’s really an international one. Working closely with partners and allies is really important going forward.”

The so-called hunt forward operations conducted by Cybercom, in which forces physically deploy to other nations at their request to hunt for cyber threats on their networks, improve the trust between the U.S. and foreign partners, the congressman noted.

“The hunt forward operations that Cyber Command is conducting with our allies and our partners helps us to better understand and disrupt malicious actors. I think they also increase trust at an operations level between the U.S. and its partners and its great capacity building exercises when we’re collaborating like this,” Langevin said.

These operations not only improve the trust and security of partners and their networks but also bolster security at home as malware strains and adversary tactics can be shared domestically with system owners.

Langevin has spoken glowingly about them in the past.

“Working with our partners and allies ahead of time in hunt-forward operations that we’re involved with, I believe that that has helped us significantly to be prepared for pushback against Russia in the war in Ukraine,” Langevin said at DefenseScoop’s DefenseTalks conference in September. “I think [that’s] a significant reason why we haven’t seen more effective cyber operations on the part of Russia both in Ukraine and maybe any blowback we might have experienced here in the United States.”

Congressional improvement

Langevin noted that in addition to DOD, Congress has made significant strides in its understanding of and focus on cybersecurity issues.

“I think we’ve made significant progress over the years that I’ve been in Congress on cyber. We no longer have to debate whether we will fight wars in cyberspace. Cyberspace is clearly now a recognized domain of warfare where our service members and civilians are engaged with our adversaries on a daily basis,” he said. “When I was first elected, there certainly wasn’t a combatant command dedicated to cyberspace operations or a subcommittee for cyber or even the mention of the word cyber in the entire [National Defense Authorization Act] — I was first elected in 2000, going back that far.”

Langevin said his subcommittee didn’t even exist five years ago and in the four years he’s served as chairman of the panel, it has put more than 220 provisions of cyber legislation into law. After this year’s NDAA, that number will be close to 300.

One thing Langevin would like to see in the future is a select committee on cybersecurity. Currently, there are many committees that touch cyber, creating jurisdictional issues and turf battles. So he believes a single committee focused solely on cyber issues would help alleviate that and create greater synergy across the government.

Appropriations committees would still be in charge of funds, but just like the Church Committee led to the creation of the select committees on intelligence that now oversee policies and oversight of the intelligence community, Langevin sees a select cyber committee serving the same purpose.  

While he doesn’t see it happening in the immediate term, he hopes it won’t take a catastrophic event to create it.

“Unfortunately, it might take a catastrophic event in cyber to galvanize and really force the issue of creating a full cyber select committee. I hope it doesn’t come to that, but as we saw with 9/11, I don’t think you’d ever see the reorganization of the government and the creation of the Department of Homeland Security and the Homeland Security Committee were it not for that catastrophic event of 9/11,” Langevin said.

The post Rep. Langevin calls on DOD to improve cyber training for operators appeared first on DefenseScoop.