The seals of the U.S. Cyber Command, the National Secrity Agency and the Central Security Service greet employees and visitors at the campus the three organizations share March 13, 2015 in Fort Meade, Maryland. (Photo by Chip Somodevilla/Getty Images)

WASHINGTON: US Cyber Command’s deputy commander said today that its “hunt-forward” operations have been “very effective” in blending offensive and defensive cyber operations, revealing that the command has conducted more than a couple dozen of the operations in 14 countries over the last few years.

Air Force Lt. Gen. Charles “Tuna” Moore said that since 2018 CYBERCOM has conducted “well over” 24 hunt-forward operations in 14 countries, during which it has discovered approximately 30 new pieces of malware, which the command has shared with US partners.

While CYBERCOM did not respond to Breaking Defense’s request for specifics beyond Moore’s comments, Moore said the new, aggressive stance has prompted increased demand for partnerships from foreign nations.

CYBERCOM Commander Gen. Paul Nakasone has previously characterized hunt forward as deploying CYBERCOM teams to allied nations to help proactively identify adversary operations and cyber vulnerabilities on their networks. That information is then shared with partners and used to bolster US defenses. Hunt forward can also entail elements of offensive and information operations, as Moore alluded today and Nakasone has hinted in the past.

Hunt forward is one of two “constructs” of persistent engagement, Nakasone has said. Persistent engagement is the CYBERCOM doctrine that total cyber deterrence is futile, and the best defense is, in part, a good offense. Or, as Moore said today, the US has to be in “constant contact” with adversaries in cyberspace.

“Without a doubt, our operations to get forward into [overseas] networks — where we’ve been able to uncover our adversaries’ intentions, infrastructure, tools, malware, weapons — we’ve been able to locate a lot of those kinds of things and expose a lot of those things. We’ve been able to stop attacks,” Moore said at the 2021 C4ISRNet CyberCon virtual event.

Moore also discussed how persistent engagement, which was formalized in the 2018 National Cyber Strategy, has influenced CYBERCOM’s thinking on offensive and defensive cyber.

Although CYBERCOM in the past has said, rather paradoxically, that hunt forward is strictly defensive, the fact is it can be difficult to draw a hard line between offense and defense in cyberspace. For instance, if CYBERCOM disrupts an adversary’s infrastructure ahead of a suspected attack against the US, is that an offensive or a defensive operation?

Moore likened CYBERCOM’s evolution from that of a football team where only the offense or defense is on the field at one time to more like a hockey team, where any given line change plays both an offensive and defensive role.

“Cyber is a domain best utilized when you’re operating in that manner,” Moore observed. “In execution of those offensive operations, it’s given us an opportunity to impose costs. Measurements in this space can be challenging, but when we know there was something we stopped, that’s something we can measure.”

Moore did not quantify exactly how many adversary operations CYBERCOM has stopped.

Moore also indicated the command’s wish for more resources. He said CYBERCOM will never raise its hand and say it doesn’t need more resources. If CYBERCOM had more, “we’d be doing even more of these hunt-forward operations,” he said.

As it stands now, Moore noted that CYBERCOM has requested more resources for hunt-forward operations and to staff more teams as part of its Cyber Mission Force.

Moore said half the new teams are slated to be involved in defending the Defense Department’s space assets, which has become an increasing focus of the Joint Chiefs of Staff. Moore predicted that the new teams could be integrated with Space Command by the end of 2024.

Moore also said CYBERCOM is also closely tracking China, which he said continues its operations focused on stealing intellectual property, including data from the US defense industrial base.

“China is the number one priority for DoD. Therefore, it’s Gen. Nakasone’s number one priority,” Moore said. “We’re working with INDOPACOM to see what types of cyber effects are needed.” But, he noted, it’s not just within Indo-Pacific region. “China has aspirations from a global perspective,” Moore said, adding, “They also have vulnerabilities from a global perspective.”