U.S. Cyber Command says it’s changing the way it thinks about cyber defense. The Cyber Mission Force still has the job of protecting Defense networks and domestic critical infrastructure. But to do that effectively, leaders say they need to continuously probe foreign networks for malicious activity, and they’re promising to be much more transparent about what they find.
The National Mission Force is one of the three major components of Cyber Command. In terms of the number of teams, it’s also the smallest, but it’s the one with the biggest role in interacting with other federal agencies and allied governments as part of its mission to protect not just DoD assets, but the nation as a whole.
The command has now adopted a stance of what it calls “persistent engagement,” according to Brig. Gen. Timothy Haugh, the commander of the Cyber National Mission Force. Partly at the urging of Congress, the force has decided it can’t adequately defend the homeland without venturing outside it – at least in a virtual sense.
“We have moved towards the ‘defend forward’ model, actually moving off of our Department of Defense networks and partnering with various nations to be able to hunt for adversary activity on their networks,” he said at a cyber conference hosted by the Atlantic Council this week. “The intent for that is to challenge our adversaries wherever they are and to be able to gain insights from how they are targeting the critical processes of our allies and our partners, to be able to bring that information back and be able to disclose that to DHS and FBI.”
And in that context, CYBERCOM sees its role as much more of a cyber defense enabler than a direct actor, Haugh said. He said the National Mission Force will measure its success not based just on the direct outcomes of military cyberspace operations, but the value of the information it provides to other government agencies.
“These are things that we, as a department, might not have looked as measures of our effectiveness, but today we can look at it and say if the Department of State issues a démarche based off of information that the Department of Defense has provided, that is an outcome that’s positive for our nation,” he said. “If DHS can issue an alert that goes to industry based off of information that is derived from our operations, that’s a success for the Department of Defense. Whether it’s treasury sanctions, whether it’s the Department of Energy being able to communicate directly through the Energy ISAC back to all of its member firms threats to that sector, that is an outcome for the Department of Defense that we are seeking to achieve, and we will use our resources to do that.”
Christopher Krebs, the director of DHS’s Cybersecurity and Infrastructure Security Agency, said his agency sees the challenge in much the same way: it can’t meet its own mission of securing critical infrastructure, including the election system, without accurate insights into what’s happening on global networks.
“We’re trying to understand what the adversary — in this case Russia — is doing elsewhere in eastern Europe and Ukraine and other parts of the world so that we can get inside their decision loop and understand what tools they’re trying to develop,” Krebs said. “Sometimes they might not think we’re watching or listening. Oh, but we are. So I want to be able to take that understanding of tool sets and capabilities that they’re road-testing somewhere else and I want to be able to bring that back here and help harden infrastructure to take those avenues off the table.”
But Haugh said the National Mission Force does not want to limit its information sharing just to other federal agencies and allies. He said his organization is also looking for ways to share what it learns in its ventures onto overseas networks directly with the private sector — or at least parts of it.
“We have begun an initiative that if we discover malware as part of our ongoing Cyber Command operations, we disclose that malware on global cybersecurity forums to allow industry to be able to generate countermeasures more quickly,” he said. “That’s an area we want to continue to explore what is the right role for the department in terms of our relationships with industry, how we pass information in the most agile manner to be able to put additional pressure on adversaries that are targeting our critical infrastructure.”
Still, Haugh said his organization sees about a third of its mission as taking direct action to stop cyber attacks on U.S. critical infrastructure. Even then, though, that part of the mission is largely in a support role to DHS and other agencies when they do not have enough manpower or resources to deal with a particular incident.
And he said recent legislation Congress passed as part of the 2019 Defense Authorization Act has made that easier. It gave the Defense secretary new authorities to immediately detail up to 50 CYBERCOM personnel to DHS’s Cybersecurity and Infrastructure Security Agency whenever circumstances warrant.
“This took away a critical challenge for us. In the past, if DHS needed our assistance, we had to go through a pretty complex process to be able to provide it, and it also required DHS to fund DoD’s activities. That’s no longer the case,” Haugh said. “We have the ability, up to 50 personnel, to be able to really rapidly respond if DHS has a call. We can bring more mass through the previous process, but now we can move much more quickly in partnership with CISA as needed.”