Cyber Command to expand 'canary in the coal mine' unit working with private sector
U.S. Cyber Command is doubling the size of a little-known program that serves as one of the military's chief links to private industry in order to bolster the country’s defenses against cyberthreats.
The team of tech-savvy military and civilian experts, dubbed “Under Advisement,” will grow from one dozen to two dozen people by this time next year, according to Army Lt. Col. Jason Seales, the command’s chief of private sector partnerships.
Cyber Command and companies use tools like Slack and Microsoft Teams to communicate daily about digital threats. The “results” for both the digital warfighting command and participating private organizations are “clear,” he said during a recent interview at the NSA’s Cybersecurity Collaboration Center (CCC).
“We need to make sure that we have additional resources and capabilities available … and not put the burden so much on the small handful of folks that we have now — kind of spread that wealth out.”
The effort got its start around the 2020 presidential election, when industry was eager to share indicators of compromise and other potentially malicious cyber activity with the federal government to help defend against foreign interference.
At the time, Cyber Command’s elite Cyber National Mission Force (CNMF) was having trouble meeting the enormous demand for information.
“When you look at all the big companies, they get hit by all the same cyber actors as anyone else does,” Seales told Recorded Future News.
“So the thought was, ‘Well, why don't we start partnering with them? Why don't we start sharing some of this information back and forth — obviously at the unclassified level — that they have on malicious cyber actors so the command can then go out into foreign space and go hunt for them?’”
Ultimately, a former Marine Corps major and two others began making the connections with businesses in the hopes of improving defense planning and information sharing between the two sides as an extension of the CNMF.
It’s a collaboration that has been refined through landmark incidents like the Colonial Pipeline ransomware strike and the China-linked Hafnium cyber espionage campaign. The program has now matured to the point where it can keep up with the faster speed of industry and share information that produces operational results for both sectors on a regular basis, according to Seales.
Speaking at HammerCon last month, Cyber Command Executive Director Holly Baroody said that in the past year operators had “collaborated with 22 private sector partners to pass 149 unique indicators of malicious cyber activity.”
Those figures are “steadily growing, daily,” according to Seales, who took over the team in November 2022.
‘They’ll come to us’
Commonly, companies come to Under Advisement — located within the collaboration center’s 36,000-square-foot office unclassified space across the highway from Fort Meade in Maryland — with a suspicious IP address or piece of malware.
Once its origins are confirmed to be foreign, the team can then act as a conduit, sharing the data with companies and other federal agencies — especially the CNMF. That force has become pivotal to Cyber Command, particularly through its “hunt forward” missions around the world to see firsthand the digital tactics of foreign adversaries and obtain new malware samples.
For instance, if a deployed military team discovers never-before-seen malicious software, “they'll come to us because we have those connections with the private sector to get this megaphone blasted out to everybody so they can patch their networks long before that malware migrates from Country X,” Seales said.
It is Cyber Command’s authority to “impose costs” on adversaries globally that separates Under Advisement from the Cybersecurity and Infrastructure Security Agency’s much more high-profile Joint Cyber Defense Collaborative (JCDC), with its focus on shielding the country’s critical infrastructure and domestic networks from attack.
It also differentiates the team from the work of the Justice Department and the FBI, which aim to prosecute hackers in court, as well as the NSA’s CCC with its cybersecurity missions.
That said, Under Advisement is a JCDC member and can tap that roster of partners — as well as the collaboration center’s list of almost 500 participants from across the defense industrial base and private cybersecurity firms — to alert entities about potential threats.
Seales said it’s “pretty remarkable” to watch data shared with multiple federal agencies and businesses on JCDC channels prompt the various players to “swarm in to try to help,” as with the vulnerabilities in the MOVEit file transfer tool that have impacted both the public and private sectors.
“It's pretty awesome to be able to go see that. It's something we haven't had before.”
‘Our canary in the coal mine’
Even before its expansion got underway, Under Advisement had been routinely cited by Cyber Command leaders as a success story.
The team is “our canary in the coal mine,” outgoing Cyber Command and NSA chief Gen. Paul Nakasone said last month during a speech at Vanderbilt University, adding it is “seen as value added to industry partners, given both Under Advisement gives and it gets.”
Maj. Gen. William Hartman speaks at an event in 2021. Image: U.S. Cyber Command / Josef Cole
“If it’s late Friday night or Monday night or over a weekend and there’s some vulnerability that’s released out there on the internet, you can bet” the Under Advisement team is working, CNMF chief Maj. Gen. William Hartman said in December during a ceremony when the force was made a permanent subordinate organization of Cyber Command.
Hartman, who has been nominated to be Cyber Command’s next deputy, previously described the team as a “CNMF group of nerds and they wear that label as a badge of honor.”
JD Work, a professor at the National Defense University’s College of Information and Cyberspace, said it “makes sense” for the military to have a “direct level of connectivity” to industry given the volume of digital threats that exist in foreign cyberspace.
“We are dealing with things that move very quickly in this environment, and where we're dealing with things that properly exist in foreign threat spaces,” according to Work, who contributed analysis and research on information sharing relationships as the CNMF team matured.
He noted that there are private sector representatives who would prefer a “single point of contact, single pane of glass” when working with the government but “there's really a very different focus between the different players and I see this has generally been productive.”
“I am acutely cognizant of the challenges of potential duplication of effort, particularly in a crisis. I'm absolutely certain the team is very well aware of this and their decisions are very measured as a result,” he said. “These are very busy folks. It's not like they are routinely out there just trying to drum up business for their shop.”
Talk is not cheap
Seales, who originally began his military career as a helicopter pilot before joining the Army’s then-nascent cyber mission in 2011, said those looking to join the crew need to possess two specific attributes: first, be an analyst who can speak “cyber lingo” as the command ferrets out and hunts down foreign adversaries; and second, “you have to be a good people person.”
“You got to be able to sit down and have a good conversation with a company and a provider and be an outgoing person,” he said, noting civilians can stay on permanently while service members generally cycle out after three years.
“It's very hard to be an introvert and be super successful in [Under Advisement] because your job is to go out there and partner with organizations, talk to strangers to be able to build out or inform a relationship.”
To prepare for the future expanded lineup, Seales and his team have spent the last six months crafting standard operating procedures so that the growth is codified and analysts aren’t sitting around for months during their tour of duty waiting to be trained.
There is one hitch, though: Seales himself won’t be around to see it.
After 26 years in the service, Seales will leave Under Advisement at the end of the calendar year before his official retirement in September 2024.
“That's the nature of the beast of any kind of military organization: you set the conditions for your successor to basically take it to the next level,” he said.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.