U.S. Cyber Command has deployed personnel to foreign nations 27 times in the last four years to help partner nations shore up their cyber defenses against threats, a top general said.
These so-called hunt forward operations involve physically sending defensively oriented cyber protection teams from the Cyber National Mission Force to foreign nations to hunt for threats on their networks at the invitation of host nations.
“We deploy teams globally, over 27 times in the middle of a global pandemic, to ensure that we can actively engage with our adversaries in foreign space, one, to reinforce our relationships with our partners and allies, but also to ensure that whatever our adversaries are doing in their near abroad, they can’t do that back here in the United States,” Maj. Gen. William Hartman, commander of the Cyber National Mission Force, said Friday during a presentation as part of the Air Force Association’s Air Warfare Symposium.
The Cyber National Mission Force is responsible for tracking and disrupting specific nation-state actors in foreign cyberspace in defense of the nation. These teams are separate from those that support specific combatant commands. It is the only cyber force within Cyber Command that essentially conducts offensive and defensive operations, though Cyber Command describes both as defensive operations — one focused on internal networks and the other on preemptive activity in foreign cyberspace against a potential threat.
Cyber Command has been conducting these types of operations for several years now. Officials say they are mutually beneficial because they help bolster the security of partner nations and provide Cyber Command, and by extension the U.S., advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.
A Cyber National Mission Force spokesperson clarified to FedScoop that there have been 27 total hunt forward operations since 2018, though most of them have occurred since the onset of the COVID-19 pandemic in March 2020. The spokesperson added that these were 27 separate deployments to 15 nations, including Montenegro, Estonia and North Macedonia, with some nations receiving multiple deployments.
Officials have noted that these types of operations were pivotal in helping defend domestic U.S. elections against foreign threats, with 11 hunt forward operations conducted in nine different nations as part of the 2020 elections.
“What started as three countries in focus on defending the 2018 elections, has increased significantly,” Lt. Gen. Charles Moore, deputy commander of Cyber Command, said in November 2021 during an event hosted by C4ISRNET. “Our primary goal is obviously to get out and see what we can learn about adversaries and what their intentions and what their tools and what their infrastructure and what their [tactics, techniques and procedures] might look like. Bringing that back to help inoculate or defend the United States, but not just us, to share it with the global cybersecurity enterprise, which is exactly what we’ve done.”
Officials have noted that these operations are a key component of Cyber Command’s operating concept of persistent engagement, which seeks to challenge adversary activities wherever they operate.
Cyber Command has publicly disclosed malware found during these operations, both to inform the general public so it can beware and patch and to burn these tools for adversaries, causing them friction.
At the time, Moore said they had disclosed close to 30 pieces of malware.
“It really makes the adversary have to pay attention to everywhere that we’re operating,” he said. “Just the virtue of knowing that we’re going to be in many different places around the world trying to perform these operations, gain insights in what they’re doing and how they’re doing it and what tools they have, they have to take additional precautions, which imposes costs on them or they have to elect not to perform those operations to begin with.”
In the prior year’s request, DOD sought $431.6 million for cooperation with allies and partners to conduct hunt forward operations, as opposed to a $147.2 million request in fiscal year 2022.