President Biden recently nominated Air Force Lt. General Timothy Haugh to replace General Nakasone as the Director of the National Security Agency (NSA)/Commander of U.S. Cyber Command (CYBERCOM). The change is due to take place when Nakasone steps down from the position, in which he has served over the past five years. Biden has also nominated Maj. General William Hartman to be the new deputy.
Haugh served as Nakasone’s number 2 at CYBERCOM and has substantial experience in the Pentagon’s cyber efforts, having led Air Force Cyber and served as the director of CYBERCOM’s Cyber National Mission Force, the group charged with hunt-forward operations.
On paper, Haugh possesses the background and experience to continue the work that NSA and CYBERCOM have already started with respect to implementing the Department of Defense’s “defend-forward” strategy, as well as the doctrines outlined in the President’s more aggressive National Cybersecurity Strategy. Though there may be some Senate political pushback on Haugh’s appointment, all signs point to his eventual confirmation.
Before departing, Nakasone refined CYBERCOM’s priorities to reflect the changing dynamic of global strategic challenges that have emerged since he assumed the Commander’s position in 2018.
Specifically, CYBERCOM will seek to improve its global operational readiness via quality personnel recruitment and mission enhancement; strengthen the command’s cyber warfighting advantage through enhanced collaboration with internal and external partners; and effectively execute the full extent of the command’s Title 10 authorities to support its missions and develop a Joint Cyber Mission Force.
Success in fulfilling these priorities will undoubtedly require a seamless partnership with the NSA, one of the prime reasons supporters have pointed to when debate over ending the dual-hatted nature of the director/commander role surfaces.
Merging of the NSA and CYBERCOM
Since merging the leadership role of the NSA and CYBERCOM, the United States has become more proactive in cyberspace.
Though the U.S. government still prefers to define this “defend-forward” mission and deployment of “hunt-forward” teams as a form of proactive defense designed for persistent engagement, they are nonetheless still offensive activities whose purpose is to “disrupt cyber threats, degrade the capabilities and networks of adversaries, and continuously harden the Department of Defense Information Network (DODIN).” These teams are located under CYBERCOM’s Cyber National Mission Force (CNMF), an entity whose mission is to ensure that commanders can operate freely in the cyber domain.
The Force is broken down into 133 separate teams whose roles are to support Cyber Protection of the DODIN, Cyber Combat Missions that support combatant commands, Combat Support Teams that bolster National Mission and Combat Mission teams, and CNMF Teams that defend the nation via neutralizing adversary activity.
CYBERCOM’s International Impact
After 2018, the United States committed to moving away from a purely defense-only mindset when it comes to hostile cyber activity. Instead, it has moved to leveraging its formidable offensive cyber capabilities to upend or neutralize hostile cyber activity at its source, even if it falls below the level of armed conflict.
Since operationalizing these hunt-forward teams, CYBERCOM has conducted at least 47 of these operations in 20 countries, including Croatia, Estonia, Lithuania, Montenegro, and Ukraine, among others. Even if mission details have been scarce when it comes to these operations, they have largely been viewed favorably.
Nakasone has defined success as how effective the operations were in preventing adversaries from achieving their strategic objectives. Because the CNMF capability has proven instrumental to CYBERCOM’s success, the Secretary of Defense elevated its status to become a permanent subordinate organization.
While many of CYBERCOM’s CNMF deployments have targeted state cyber actors, these teams have also been engaged in assisting foreign partners in going after high-profile cybercrime gangs. Such cooperation is instrumental when addressing cross-border criminal actors that operate in different countries with different laws, requiring a streamlined information exchange that meets the legal requirements of all state stakeholders.
Considering the prolific nature of these criminal endeavors, disrupting gang activities before they have the chance to operationalize makes sense. Case in point: if they had been deployed in a timely manner, hunt-forward teams could have played an important role in mitigating the threat of the 2021 ransomware attacks that impacted Colonial Pipeline and the JBS meat processing company, disrupting supply to the U.S. civilian population.
Ransomware gangs have been particularly brazen and willing to exploit critical infrastructures, emergency services and, in the case of Costa Rica, entire government institutions. As a result of such attacks, the Costa Rican government declared a national state of emergency. Neutralizing their operations would certainly send a message to these gangs.
Navigating Perception and Intent
Dovetailing with these key personnel moves, the Department of Defense updated its Cyber Strategy, reinforcing the principles of defend-forward as outlined in its previous 2018 strategy and complementing the United States’ recent publication of its National Cybersecurity Strategy.
The common theme between the two is that the United States will be a more proactive actor in cyberspace, a fact not lost on cyber adversaries like China and North Korea. There is no doubt that they have been closely monitoring how CNMF teams have been deployed against Iran after its alleged role in the Albania cyber attack, and in support of Ukraine against Russian state assets and cyber proxies.
While hunt-forward teams will not deter adversary cyber behavior altogether, the fact that the United States has asserted that it will “campaign in and through cyberspace below the level of armed conflict to reinforce deterrence” is a warning of which they must be aware.
Adversaries now know that any hostile act they commit against a foreign government may invite U.S. intervention. A mere request for the assistance of these CNMF teams is enough for the United States to come to that government’s aid.
The United States will further capitalize by sending cyber teams to support allies and friendly nations to “frustrate” adversary activities. In this way, Washington can leverage strong partnerships and cooperation to build enduring advantages in cyberspace by expanding its already considerable global reach with the hope of constraining the space in which adversaries operate.
However, such initiatives come with a risk: providing adversaries like China fuel to feed propaganda campaigns that paint the United States as a dangerous cyber aggressor and hegemon, threatening global cybersecurity rather than fortifying it.
So, while CNMF teams may help to mitigate hostile cyber actors, states may perceive their activities and the U.S. government intent behind them in a different light. This is a tightrope Washington needs to navigate carefully.
Haugh, or whoever ascends to the position, will oversee both NSA and CYBERCOM, which should continue to bolster information sharing among allied nations with similar organizational structure. Despite any pushback to continuing the dual-hatted role, the future leader will be able to execute timely cyber operations without any bureaucratic obstacles between organizations with competing Title 50 and Title 10 authorities.
If the message was not clear enough in 2018, it is now: the United States will use its cyber capacity and capability as an instrument of national power that protects its own and allied interests against shared threats. And that is important for the further refinement of the United States’ aggressive cyber strategy, which is likely to be its policy for the foreseeable future.