Digital defenders: A look at the evolution and elevation of America’s Cyber National Mission Force
In December, Secretary of Defense Lloyd Austin elevated U.S. Cyber Command’s Cyber National Mission Force to a sub-unified command, which current and former officials say was an endorsement of the important role that cyber warriors play within the Department of Defense and their contribution to defending the nation from digital threats.
The CNMF — formerly one of Cybercom’s headquarters elements — is made up of 39 joint teams and thought to have the DOD’s most talented cyber operators at the cutting-edge of their profession. It is aligned in task forces organized against specific threat actors. They have been on the front lines of defending elections from foreign influence, protecting critical infrastructure and, most notably, for conducting so-called hunt forward operations which involve physically sending defensively-oriented cyber protection teams to foreign countries to hunt for threats on their networks at the invitation of host nations.
Former officials described a natural evolution in the elevation to a sub-unified command for CNMF, highlighting the importance in continued maturation for the still young U.S. Cyber Command.
“It’s a great indicator of the continued maturation. It’s a great testament to the hard work of those men and women and the strong leadership they have,” Michael Rogers, who served as commander of Cybercom from 2014 to 2018, told DefenseScoop. “It’s an endorsement by the Department of Defense, I think, of the importance of the mission and the need to generate structures that are optimized to execute the mission … It shows the department believes that that’s the right direction, too, as well. It isn’t just the cyber guys going, ‘We need to do this.’ It’s the whole department thinking, ‘Yeah, it’s the appropriate thing for us to do.’”
He added that sub-unified commands are normally joint organizations within a combatant commander’s area of responsibility and typically created because missions are believed to be both a higher level of priority and of a sustained nature.
Austin’s decision clarifies and codifies the unique missions and functions of the CNMF to defend the nation from cyber threats, George Franz, cybersecurity lead for Accenture Federal Services and the first CNMF commander, told DefenseScoop.
Several former officials who spoke with DefenseScoop explained that sub-unification was always the plan at some point down the road for CNMF when it, and the broader cyber mission force, was created around 2012. The broader cyber mission force consists of 133 total teams that conduct cyber ops for Cybercom, including the 39 CNMF teams.
“Early on, there was the idea that eventually CNMF was going to be a force with a unique mission,” Franz said.
However, that wasn’t something that officials put emphasis on initially because they had little capacity. They only had 12 people in the headquarters and shared an office with two desks at the beginning.
“The idea was you’ve got to build the force, deploy the force, start to demonstrate capacity and eventually … there’s a time when the decision ultimately needs to get made about alignment,” Franz said.
A former CNMF staff member who is now part of the Association of U.S. Cyber Forces (AUSCF) said the discussion regarding sub-unification really began to gain steam following the Russia Small Group, a joint CNMF-NSA task force established in 2018 to thwart election interface by Russia and other foreign actors after the perceived failures surrounding the 2016 election.
Then Brig. Gen. Timothy Haugh, who was the commander of CNMF and is now the three-star deputy commander of Cybercom, assigned personnel to begin working on a package to make CNMF a sub-unified organization in the 2019 timeframe, the former staff member said, adding it took a couple of years to negotiate it and get it right.
Sub-unification isn’t something the command could do on its own. It had to present a plan and get it approved by the secretary of defense.
Sub-unification also doesn’t come with a direct set of new authorities or resources or an increased budget. In fact, officials said they will not be getting an increase in personnel or funding as a result of the elevation. Sources indicated the command was careful to pitch elevation to department leadership as “resource neutral,” though, at some point in the future, they might come back with more requests.
The former staff member posited that it’s possible in the future that CNMF will get more control over procurement, allowing them to modify or change the toolkits they need.
Sub-unification demonstrates maturation and the potential to take more delegated authorities that rest at the four-star level, experts say.
“If you look at how authorities get delegated from SecDef to combat command as sub-unified, so that does allow, I would say, agility, freedom of movement, a little … autonomy. But it gives that commander more of the responsibility for mission command of things,” Franz said. “They haven’t been limited by the lack of sub-unification, but that designation just makes it a lot easier. They will be able to test and codify things over time to make that even more efficient now that because it’s formal. You’ve got all the processes that go around formal command are now available to the CNMF commander.”
The former staff member said section by section, things can be delegated down such as funding or procurement authority, especially since prior to sub-unification, CNMF was essentially living as a staff element on Cybercom’s budget.
Authority to conduct an operation could also be delegated, depending on the risk profile or mission, they said. However, certain actions might require additional permissions.
Defending the nation in cyberspace
Officials have noted that the CNMF elevation was not done in response to some crisis.
While it has always been charged with defending the nation from foreign cyberspace threats, the DOD has been on a long journey to figure out exactly how it performs that role and fits with other government entities.
For years, there were debates both inside and outside government as to how the DOD would protect the country in the digital realm. It was clear the U.S. military had responsibility to defend the United States from kinetic attacks such as missile salvos, but tackling cyber threats was a trickier problem.
Following a series of executive policy changes, congressional legal changes and clarifications and conceptual revamps, DOD and Cybercom developed the frameworks of “defend forward” and “persistent engagement.”
The 2018 DOD cyber strategy directed Cybercom to “defend forward,” which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks. It executes that directive under its operational concept of persistent engagement, which means challenging adversary activities daily and wherever they operate.
“Elevation [of the CNMF] to a sub-unified command means that it now takes on additional authorities and responsibilities for conducting that mission, that counter cyberattack mission, to support the defend-the-nation role that it has. Over time, I think what that became was continuous reconnaissance and positioning to understand priority cyber threat capabilities, which we all know openly now are China, Russia, Iran, North Korea” and violent extremist organizations, a former official involved in the creation of the cyber mission force told DefenseScoop.
“You’ve seen the strategy, the DOD strategy, move from a focus on just building the force structure and building the capabilities now, to moving from less of a reactive posture to more of a proactive posture and process — which you recognize in the strategy of defend forward and persistent presence,” the former official added.
While this was always the vision, it took the department and U.S. government a long time to get there, especially given the sensitivities involved in defending privately owned networks.
The vision of the first Cybercom commander, Gen. Keith Alexander, “was always that CNMF would defend the nation and it would do that outside of the [DOD Information Network] and frankly, outside of the borders of the United States,” Franz said. “In order to defend in cyberspace, you had to defend forward of the targeted areas.”
Despite all the debate over the years, Franz noted that sub-unification really codifies this mission within DOD and the U.S. government because the secretary of defense has approved it and the national command authority has signed off on its mission.
Becoming the ‘JSOC’ of the cyber realm
Upon elevation, officials stated that while not exactly perfect, the closest and most analogous arrangement within the Defense Department to CNMF sub-unified command was Joint Special Operations Command (JSOC) under the umbrella of U.S. Special Operations Command.
Many former officials said there had been caution not to exactly equate CNMF to JSOC, but that was essentially the model.
“I don’t think it’s changed very much from the original vision of what the Cyber National Mission Force was supposed to be. It was always envisioned, honestly, to be the JSOC of the cyber realm,” said the former official involved in the creation of the cyber mission force.
“The Cyber National Mission Force … this is where the JSOC analogy comes in pretty well. It’s comparable to the special ops national mission force for strategically significant national-level missions of consequence. In the case of SOCOM and JSOC, that’s counterterrorism, countering weapons of mass destruction, etc. In the case of U.S. Cyber Command, that’s counter cyberattack against the nation. There was a lot of argument initially over what exactly that meant and how that would be executed,” the former official added.
The JSOC analogy also rings true for CNMF given the unique mission set it holds, which requires a certain skillset that differs from the other types of cyber mission force teams. Additionally, the longer deployment cycles on the CNMF are similar to the longer tours members of JSOC often had relative to others in the special ops community.
When it comes to skillsets, the former staff member noted that on the defensive side, CNMF operators must possess extremely deep threat-specific knowledge. They’ll have a high level of expertise on a particular actor such as Russia’s foreign intelligence service or China’s ministry of state security — and thus be able to understand how those actors operate in a network and where they’re going to go once they gain access.
On the offensive side, the former staff member noted that CNMF operators have different characteristics of what they must gain access to relative to their counterparts conducting offensive ops for theater combatant commands. A combat mission team for a combatant command might be working the same target that won’t change for some years whereas a national mission team for CNMF will be looking at targets that are more dynamic and require a different mindset, understanding and approach to crack it.
However, a former senior DOD cyber official stated they didn’t like the JSOC analogy as it tended to created a tiered model for quality and readiness.
Maintaining momentum
Former officials noted that the sub-unification is just one part of the journey for both CNMF and Cybercom, cautioning that there is still more work to be done going forward.
Officials used to use the metaphor that Cybercom was building the proverbial airplane while they were flying it in trying to stand up a new organization — with forces, procedures, capabilities and policies — while also conducting operations. The command continues to mature its structures and there will likely be more change in the coming years.
When it comes to sustaining the CNMF post-sub-unification, experts said there probably will need to be a separate readiness model for the Cyber National Mission Force.
“I think you’ve got to design the readiness model to meet the circumstance and the requirements of missions. They are going to have a different looking readiness model just because their mission profile is different, organization is different, different set of skills,” Franz said. “That’s what the sub-unification designates — they do have a unique functional mission recognized by DOD and so readiness has got to meet the requirements for that.”
Given the need for longer deployment cycles and different skillsets on CNMF, they will need to work with the services — which providing the training and forces — to develop a slightly different model.
“At some point, CNMF does become that uniquely trained, resourced force, on the road to becoming what is the equivalent of a special mission unit in cyber,” Franz said. “They just literally have a different mission, they have a different mission profile, they operate differently.”
The CNMF commander, currently Maj. Gen. William Hartman, has more of a voice now to set training and readiness requirements that they can start to articulate to the services.
“What this lets him do is formally put him in a position where he can establish the training and readiness requirements, establish the force posture, the types of people. Frankly, there’s things like tour lengths, all the administrative readiness and training stuff that comes with running that command. He can start to tailor that to the unique mission requirements of CNMF,” Franz said. “The institutional processes now [are] more behind him, because as a sub-unified commander, he’s just in a position to articulate those more clearly, with more authority, trying to drive things in a more effective way.”
Others said they will likely also be able to select their own members somewhere down the line.
“Where it probably will head is, I think, that eventually CNMF gets just like JSOC [and] gets its own selection and assessment criteria for the force,” the former staff member said.
A former top official said that culture is extremely important, just as it is in the special ops community.
“The special operations culture and values are very unique, but they are what sustains the organization and its ability to accomplish what it’s chartered to do,” the former official said. “I think the same thing is really true of the entire cyber mission force, but especially the Cyber National Mission Force.”
