US Cyber Command conducts ‘hunt forward’ mission in Latin America for first time, official says

The command has deployed a team of defensive operators to a Central or South American nation for the first time, according to a Cybercom official.
Participants in the Army's Cyber Flag exercise in Suffolk, Virginia, in June 2019. (U.S. Cyber Command photo)

U.S. Cyber Command has deployed a team of defensive operators to a Central or South American nation for the first time, according to a Cybercom official.

The deployment is part of so-called hunt-forward operations, which involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

“We had our first defend-forward mission, a hunt-forward mission in [U.S. Southern Command] just recently, which is amazing,” Brig. Gen. Reid Novotny, special assistant to the director Air National Guard for Cybercom, J5, said at the Potomac Officers Club annual Cyber Summit Thursday.

Southcom’s area of responsibility includes the landmass of Latin America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.


Novotny didn’t disclose which nation the operation was conducted in when asked by DefenseScoop following his remarks at the summit.

Given that these hunt-forward operations are conducted at the invitation of host nations, public disclosure of which country Cybercom conducts them in is highly sensitive, and permission of the host government must be obtained.

Novotny didn’t provide specific dates for the recent deployment to the Southcom area of responsibility.

“By policy and for operational security, we do not discuss cyber operations, plans or intelligence. USCYBERCOM prioritizes partnerships. No defend forward operation is publicly disclosed without the partner nation’s consent,” a CNMF spokesperson told DefenseScoop on Friday in response to a request for more information.

With the operation in the Southcom region, Novotny told DefenseScoop, Cybercom has now conducted hunt-forward operations on every continent, adding that there are more invitations than the command has capacity for.


“We do these defend-forward missions, and the whole point of the defend-forward mission is to learn something on someone else’s network, a partner network, another nation’s network so we can bring back that information and make sure our networks are more secure,” he told conference attendees.

Hunt-forward operations have become a mainstay for Cybercom, as they were enshrined in recently updated Department of Defense doctrine and featured as a part of one of the four major lines of effort the updated DOD cyber strategy seeks to employ. They serve an important security role, but also a diplomatic role as the U.S. aims to increase its partnerships with other nations on the cyber front.

Gen. Paul Nakasone, commander of Cybercom, said as recently as late May that the command has conducted 70 of these operations in 22 nations on 50 different networks.

One of the most prominent such deployments to date was to Ukraine in the run-up to Russia’s invasion in early 2022. U.S. cyber teams went there to gain insights on Russian cyber actors and threats while helping Ukraine bolster its network.

While these operators left prior to Russia’s invasion, this partnership continues today.


“Today, we have shared over 5,000 indicators of compromise either from Ukraine to us or from us back to Ukraine, in order to do everything we can to ensure that the United States, our partners and allies are protected against what the Russians are doing in Ukraine, but also to ensure that the Ukrainians’ networks are as difficult as possible for the Russians to continue to attack and exploit,” Maj. Gen. William Hartman, commander of the CNMF, said recently.

Other recent deployments include Latvia and Albania, the latter after Iranian cyberattacks there.

“Defend Forward is a unique authority that allows us to execute operations abroad as part of our ‘defend forward’ strategy, while also building strategic relationships with key Allies and Partners. Defend Forward operations have occurred in every geographic area of responsibility. This sort of activity strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us,” the CNMF spokesperson said.

Updated on June 9, 2023, at 5:25 PM: This story has been updated to include comments from a Cyber National Mission Force spokesperson.
