Cyber Command conducted offensive operations to protect midterm elections
Martin Matishak December 19, 2022

FORT MEADE, Md. — U.S. Cyber Command conducted both defensive and offensive operations to thwart foreign actors from interfering in the 2022 midterms, according to the digital combat unit’s chief.

Cyber Command executed so-called “full spectrum” operations to safeguard the latest U.S. election, Army Gen. Paul Nakasone, who leads both the National Security Agency and CYBERCOM, said earlier this month during a rare briefing for reporters. 

He previously defined that to mean defensive and offensive actions, as well as information operations.

“We did conduct operations persistently to make sure that our foreign adversaries couldn’t utilize infrastructure to impact us,” Nakasone said. “We understood how foreign adversaries utilize infrastructure throughout the world, we had that mapped pretty well, and we wanted to make sure that we took it down at key times.” 

“There was a campaign plan that we followed and it wasn’t just November 8: it covered before, during, and until the elections were certified,” he added.

The actions, which Nakasone repeatedly declined to elaborate on, mark the third consecutive cycle where CYBERCOM has undertaken steps to defend a national election, or every one since Russia’s multifaceted digital onslaught on the 2016 presidential race.

The command made election security one of its enduring missions after it was given new powers by the White House and Congress. 

The Trump administration issued National Security Presidential Memorandum 13, which streamlined Pentagon authorities to conduct time-sensitive military operations in cyberspace. And language in the fiscal 2018 National Defense Authorization Act cleared the way for clandestine digital operations, categorizing them as “traditional military activity.”

The command, armed with intelligence from the NSA, launched the first offensive cyber campaign against Russia to secure the 2018 midterm elections.

It deployed “hunt forward” teams to Eastern Europe, sent direct messages to Russian disinformation operators to inform them that they had been identified, and launched a digital strike that temporarily knocked the notorious Internet Research Agency offline in the days before and after the election.

The command also took action against Iranian hackers backed by the Islamic Revolutionary Guard Corps in the run-up to the 2020 presidential election. The hackers posed as a far-right group, sending threatening emails to American voters and posting a video to shake confidence in the U.S. voting process.

Nakasone said the overall degree to which foreign powers targeted last month’s election had dropped compared to years past.

“There were plenty of foreign influence operations that were ongoing and continue to be ongoing up to Election Day. But compared to previous elections, I estimate that unlike 2018 and 2020, there was a lessened degree of activity,” he said.

That dovetails with remarks made Monday by Army Maj. Gen. William Hartman, the head of the Cyber National Mission Force (CNMF), which serves as CYBERCOM’s lead organization on election security.

Hartman said he was “surprised” by the lack of activity, speculating Moscow and Iran were too busy dealing with security matters.

Like Nakasone, Hartman declined to specify what defensive or offensive actions the command took to protect the latest U.S. election.

Nakasone stood by remarks he made in October that malign actors had not utilized any new tricks to launch interference or influence operations on the election.

“I didn’t [see new tactics or tools] — and I saw the same foreign adversaries that I’ve seen before, a lot of the same ones, the proxies and the elements of the Russian and Iranian governments that do this type of work,” he said.

Nakasone downplayed the importance of the command’s latest steps to protect an election.

“Rest assured, we were doing operations well before the midterms began, and we were doing operations likely on the day of the midterms. This is what persistent engagement is. This is the idea of understanding your foreign adversaries and operating outside the United States,” he said, referring to the command’s now years-old strategy.

That approach involves continually confronting the adversary and sharing information with partners. This year the command sent troops to Ukraine, Lithuania and Croatia to help strengthen their digital defenses and acquire previously undiscovered malware.

The final version of the annual defense policy, which is awaiting President Joe Biden’s signature, would authorize an additional $44 million for hunt forward operations.

Martin Matishak is a senior cybersecurity reporter for Recorded Future News. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.