Cybercom discovered Chinese malware in South American nations — Joint Chiefs chairman nominee

So-called hunt forward operations by U.S. Cyber Command have uncovered Chinese malware implanted in Latin American nations, according to retired Lt. Gen. Dan "Razin" Caine.
WASHINGTON, DC - APRIL 01: Retired Lt. Gen. Dan Caine, President Trump’s nominee to be Chairman of the Joint Chiefs of Staff, testifies during his Senate Armed Services Committee confirmation hearing on April 01, 2025 in Washington, DC. (Photo by Win McNamee/Getty Images)

So-called hunt forward operations by U.S. Cyber Command have uncovered Chinese malware implanted in Latin American nations, according to President Donald Trump’s nominee to be the next chairman of the Joint Chiefs of Staff.

Hunt-forward operations involve physically sending defensively oriented cyber protection teams from the U.S. military’s Cyber National Mission Force (CNMF) to foreign nations at their invitation to look for malicious activity on their networks. These operations are mutually beneficial, officials have said, because they help bolster the security of partner nations and provide Cybercom — and by extension, the United States — advance notice of adversary tactics, allowing the U.S. to harden systems at home against these observed threats.

In responses to lawmakers’ advance policy questions ahead of his confirmation hearing before the Senate Armed Services Committee Tuesday, retired Lt. Gen. Dan Caine stated that Cybercom hunt-forward missions in the U.S. Southern Command area of responsibility discovered Chinese Communist Party malware on multiple foreign partner networks.

Southcom’s area of responsibility includes the landmass of Central and South America and adjacent waters and the Caribbean Sea. It encompasses 31 countries, 12 dependencies and “areas of special sovereignty,” according to the command.

These hunt-forward operations are conducted at the invitation of host nations. Details about specific countries where Cybercom conducts these ops are highly sensitive, and permission of the host government must be gained before public disclosure.

It’s no secret that China has interests in South American nations and Beijing has deployed cyber capabilities for a variety of malicious activities.

Cybercom did not confirm or deny the assertion by Caine, noting in a statement it routinely assists partners that request support in securing their cyber posture against foreign malicious activity across all geographic areas of responsibility.

“This strengthens our Allies’ and Partners’ cybersecurity posture, and makes it more difficult for foreign adversaries to threaten all of us. USCYBERCOM’s core mission is to defend the nation in cyberspace. By policy and for operational security, we do not discuss cyber operations, plans or intelligence. No operation will be publicly disclosed without the partner nation’s consent,” a Cybercom spokesperson said of hunt forward operations.

Cybercom conducted its first hunt-forward operations in Latin America a couple of years ago. Officials have stated in the past that the CNMF conducts about two dozen defend-forward operations per year with foreign partners on foreign government networks to hunt and find Chinese, Russian and Iranian threats, among others.

In written congressional testimony last year, Cybercom commander Gen. Timothy Haugh noted that CNMF deployed 22 times to 17 nations for hunt-forward ops, with active operations occurring simultaneously in all geographic commands for the first time. Those activities led to the public release of more than 90 malware samples for analysis by host nations’ cybersecurity community.

“Such disclosures can make billions of Internet users around the world safer on-line, and frustrate the military and intelligence operations of authoritarian regimes,” he wrote.

Hunt-forward operations were credited with mitigating the effects of Russian cyber ops against Ukraine during its 2022 invasion. Cybercom sent personnel to Ukraine ahead of the invasion and helped harden their networks.

Caine also addressed, in his policy question responses, the hotly contested debate about the dual-hat arrangement in which the commander of Cybercom is also the director of the National Security Agency. Proponents believe the military can benefit from the unique intelligence insights and resources of NSA, leading to faster decision-making and operational outcomes. Opponents argue the roles are too powerful for one person to hold and relying on the intelligence community’s tools — which are meant to stay undetected — for military activities poses risks to such espionage activity.

Caine told lawmakers he believes the dual-hat should be maintained, agreeing with the findings of a 2022 study that found the role should be strengthened as well.

“The Dual-Hat arrangement provides the ability to look across both organizations and has empowered both USCYBERCOM and NSA to fulfill their missions better than each could do alone. It promotes agility and enables intelligence to be operationalized rapidly,” he wrote. “It also facilitates relationships with key foreign allies and partners in part because the corresponding foreign organizations with signals intelligence (SIGINT) and cyber operations missions are fully integrated, operating under a Dual-Hat leadership structure. The span of control, does however, place a burden on one leader.”

Ahead of his own confirmation hearing in January, Secretary of Defense Pete Hegseth wrote to senators that he would “bring these debates to conclusion, consult with Congress, and make final recommendation for the way ahead.”

At the end of the first Trump administration, officials made a last-ditch effort to sever the dual-hat, but it ultimately was not brought to fruition. Press reports prior to Trump’s inauguration for his second term indicated the administration wants to end the dual-hat relationship.
