Cyber National Mission Force elevated in fight against foreign hackers
FORT MEADE, Md. — The Defense Department on Monday elevated the status of a key digital warfighting force, the latest sign of the maturation in U.S. cyber warfare as it grapples with hacks from foreign adversaries and other actors.
U.S. Cyber Command chief Gen. Paul Nakasone presided over a ceremony that established the Cyber National Mission Force (CNMF) as a “subordinate unified command” underneath CYBERCOM. Defense Secretary Lloyd Austin authorized the designation on October 25.
The change formalizes the CNMF — first activated in 2014 and now composed of 39 joint cyber teams with over 2,000 military and civilian personnel — as a permanent military organization, with the command serving as its parent.
The force has been central to the command’s election security efforts, its work to bolster Ukraine’s forces against Russian hackers and the ever-green battles against cyber espionage and ransomware. The new designation could allow it to move faster in the digital realm, with some strategic decision-making and authority pushed down from the four-star level closer to the cyber combat unit’s operators.
“My sense is the future holds a lot for the Cyber National Mission Force,” Nakasone, who once led the elite unit himself before eventually becoming head of CYBERCOM and the National Security Agency, said during the event.
Maj. Gen. William Hartman, the CNMF’s commander, said the unit could be analogous to the Joint Special Operations Force, which is a component of U.S. Special Operations Command.
“They have service members... that are trained to this extraordinary, elite standard [and] they have long dwell opportunities because the services have identified that ‘you have a unique skillset so it’s important that we can keep you in place;’" he told reporters during a roundtable discussion after the ceremony.
CYBERCOM itself began as a subordinate organization to U.S. Strategic Command when it was established in 2010. The Trump administration formally boosted its status and made it an independent “unified command” in 2018.
An area where the CNMF has been, and remains, active is in the deployment of “hunt forward” teams around the globe. Over the last four years, it has sent out personnel 38 times, to 21 countries, and scoured over 60 networks.
This year CYBERCOM has publicly acknowledged it sent teams to Ukraine, Lithuania and Croatia to help shore up their network defenses and obtain unfamiliar malware samples. The missions are often disclosed well after they have wrapped up, usually at the behest of the country that invited the U.S. to work on its systems.
Hartman, the CNMF’s fifth commander since its inception, said he recently observed two hunt forward teams in action. The first was “about a month ago” in an undisclosed country in the Middle East, the second time the two-star had visited the anonymous nation. He also observed a team working in a European country for the first time.
Hartman said he was “surprised” by the lack of foreign cyber activity around last month’s U.S. election, noting Russia was “pretty active” during the 2018 midterms.
“Collectively” there was “much less focus” from Moscow and Iran, which attempted to influence the 2020 presidential race, than in the three previous election cycles, he told reporters.
He speculated the Kremlin was “very, very busy” with its war on Ukraine and stifling internal dissent, while Tehran was focused on the protests that have roiled that country over the last several weeks.
Hartman said he was “not aware of any significant activity” from China around Election Day. He declined to comment on whether or not CYBERCOM conducted offensive action to defend the election.
CNMF personnel remain in “fairly significant, daily” contact with Ukraine’s cyber forces as Kyiv girds itself against Russia, he said. To date, the two nations have shared “thousands” of indicators of compromise and other vulnerabilities, he added.
“I believe the Russians will continue to be very opportunistic,” Hartman said, especially as the nearly year-old conflict remains close to a stalemate.
However, he has not observed a “deliberate change” in behavior that would indicate Moscow intends to attack the U.S. or NATO allies.
Hartman described the digital landscape around Ukraine as “a crazy space” as the Kremlin’s forces, hacktivists and ransomware actors jostle with each other.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.