Cyber Command: insights from hunt forward teams in Ukraine flow to US private sector

U.S. Cyber Command Director Paul Nakasone laid out a range of activities that his agency has undertaken in support of Ukraine as it continues to fight off a Russian military with significant offensive cyber capabilities – from deploying hunt forward teams to harden network defenses for key assets, to sharing indicators and intelligence from the latest Russian malware.

In testimony to Congress Tuesday, the head of U.S. Cyber Command said the team initially deployed in December of 2021 and involved U.S. and Ukrainian cybersecurity personnel sitting “side by side” to gain insights on the latest operations. Nakasone argued that these deployments not only provide crucial assistance in the digital realm to allies or friendly nations like Ukraine, they also redound to the larger benefit of U.S. domestic critical infrastructure and the private sector who can ingest the latest information from the front lines and use it secure their own systems.

“The big piece about hunt forward is not only the fact that we understand the networks of our allies as they invite us in there but also understanding what our adversaries are doing and then…sharing that broadly, not only with our partners and NATO but the private sector,” he said. “Critical infrastructure is within the private sector, so as we expose these things we’re able to shine a broader light on this activity.”

On the domestic front, a number of senators asked what his agency was doing to support US businesses and domestic entities from the prospects of a Russian directed cyber attack. While noting that NSA and Cyber Command’s legal mandates are focused on overseas, Nakasone argued that there is a symbiotic effect between the U.S. government’s offensive and defensive cyber operations.

Over the past year, NSA and Cyber Command have moved to turn many intelligence gains in cyberspace into unclassified but actionable alerts or warnings that have trickled down to the broader public, particularly around ongoing or historic Russian hacking campaigns that could be deployed in the future against U.S. targets.

“It begins outside the United States where my authorities rest, and that’s through a series of persistent engagement campaigns against malicious cyber actors that intend to do our nation harm,” said Nakasone. “With the NSA, being able to release that information so that when we do a hunt forward operation in a specific country, being able to understand the tradecraft and the malware, and then releasing it publicly provides an antidote to what they might do.”

Questions about offensive cyber operations by the military were top of mind for many Senators after CyberScoop reported last week that the Biden administration is mulling changes to National Security Presidential Memorandum 13, which since 2018 has allowed the Pentagon and U.S. Cyber Command more leeway to authorize cyber operations overseas. The changes under consideration would reportedly remove that authority or place it within a larger interagency process where other stakeholders can weigh in.

Senators Mike Rounds, R-SD, and Angus King, I-MN, both expressed concerns about the potential impact that such changes would have on ability of the U.S. to move swiftly and decisively in cyberspace.

"Substantial changes I believe would be a grave mistake. It would undermine deterrence at the worst possible moment and I’ve communicated that to the White House," King said.

Cyber talent management envy

DHS has recently began making use of its congressionally authorized powers to sidestep normally hiring and pay requirements for cybersecurity job candidates, offering higher salaries and a quicker path to employment. That has resulted in some envious comments in recent weeks from the leaders of the FBI and NSA/Cyber Command, who see great potential in the concept for their own agencies.

Last week in stumping for similar powers, FBI assistant director for cyber Bryan Vorndran told Congress that “we have found our struggles to pay [top cyber talent] market value — even federal government market value — is often a dealbreaker” in hiring.

Nakasone took a similar tack when asked about early lessons from the DHS program and how it could apply to Cyber Command, saying it demonstrates the need to think creatively about both short term authorities that can address immediate needs and longer-term initiatives to bring more minorities and women into fields of study like data science, artificial intelligence and coding.

Currently, women represent about 35% of Cyber Command’s civilian workforce and 20% of their military personnel, numbers that are on par or better with the 20-25% national average but that “our talent initiatives right now are focused on developing the next generation [because] while we have enough for today, we need more for tomorrow.”

“We need as large a pool [of talent] as possible. This is a critical piece of what our nation is going to do in the future,” said Nakasone. “Cyberspace is where our nation stores its wealth and treasure…being able to attract from broad range of our society that traditionally perhaps have not touched [STEM] is an important first step.”

Nakasone was asked how a social media data threat analysis center (authorized through the 2020 National Defense Authorization Act but yet to be established) might help agencies like Cyber Command root out or disrupt foreign influence operations online. Nakasone said a center could be useful but only under certain conditions, namely that it would be more effective it weren’t perceived as a government mouthpiece. Other departments like the Department of Homeland Security that have set up task forces around disinformation have come to similar conclusions.

“Here’s what the center really need to do…it needs to be able to look at all of the full spectrum operations of what our adversaries are doing. What are the tactics, what are the tradecraft, what are they procedures they’re doing?” said Nakasone. “I think the second piece is what would probably be most helpful is this center being outside the government, a federally funded research center or perhaps another center that is obviously in support that is able to attract the talent and is able to remain very dynamic in its approach.”