Threats

Nakasone says Cyber Command did nine ‘hunt forward’ ops last year, including in Ukraine

U.S. Cyber Command's Gen. Paul Nakasone says Russian cyberattacks against Ukraine have been destructive and he is still bracing for potentially serious cyberattacks domestically.

By Suzanne Smalley

May 4, 2022

An aerial view shows a destroyed apartment building on May 4, 2022 in Borodianka, Ukraine. (Photo by Alexey Furman/Getty Images)

National Security Agency Director and U.S. Cyber Command Gen. Paul Nakasone said Tuesday that Cyber Command conducted nine “hunt forward” operations in different countries last year, a data point he shared to illustrate why the command’s use of persistent engagement is critical to its success.

“These are countries that have asked for our assistance, deploying our defensive teams for being able to identify malware and tradecraft our adversaries were using and then sharing that broadly with a commercial provider,” Nakasone said in prepared remarks delivered at Vanderbilt University.

U.S. Cyber Command’s use of persistent engagement — defined as the need to constantly interact with adversaries in cyberspace and the importance of speed and agility to success — and what Nakasone calls a “defend forward” strategy has been a topic of discussion recently amid reports that the Biden administration had planned to pare back cyber authorities given to the Department of Defense under National Security Presidential Memorandum-13 (NSPM-13).

Nakasone told the Vanderbilt audience the American approach to the conflict in Ukraine has been informed by a philosophy of “continual action,” which was articulated in the 2018 Department of Defense strategy that NSPM-13 enabled.

The nine hunt-forward operations conducted last year are an example of the persistent engagement model of cyber operations which grew out of the 2018 DOD strategy, Nakasone said.

Cyber National Mission Force Commander Maj. Gen. William Hartman said in a March speech that the command had deployed defense-oriented, hunt-forward cyber protection forces to foreign nations seeking support in strengthening their cyber defenses 27 times in the last four years.

Russia and Ukraine

Nakasone also spoke about the Russian invasion of Ukraine, saying those who are scoffing at the relative lack of Russian cyber aggression outside of Ukraine are speaking too soon.

“We don’t necessarily believe that by any means this is done and so we have, obviously, a completely vigilant approach to what’s going on,” Nakasone said in an on-stage interview after his speech.

Nakasone said that in the past couple of weeks he has gleaned more intelligence on what’s happened in Ukraine, and that the cyberattacks there have been severe.

“This idea that nothing has happened is not right,” Nakasone said. “There have been destructive attacks, a series of infrastructure attacks [where] satellite communications have been targeted.”

He said a Cyber National Mission Force hunt-forward team traveled to Ukraine in December to help build resilience against cyberattacks.

“There was a decision made somewhere in Russia to not escalate outside of the immediate theater of Ukraine with cyber. And because of that, nobody knows what will trigger an escalation, or what the escalation will be.”
Kevin Mandia, CEO OF Mandiant

National Security Agency Director of Cybersecurity Rob Joyce, speaking at the same Vanderbilt event, agreed with Nakasone, saying “there was some really, extra-unethical cyber pressure brought to Ukrainian internet networks by Russia. You know, don’t be dismissive that just because that didn’t come directly at the U.S. as much as it did Ukraine that we didn’t have a major event.”

Mandiant CEO Kevin Mandia appeared at the Vanderbilt conference as well, and said in an interview with CyberScoop that he believes “there was a decision made somewhere in Russia to not escalate outside of the immediate theater of Ukraine with cyber. And because of that, nobody knows what will trigger an escalation, or what the escalation will be.”

Mandia said he worries about a “pretty broad zone of potential outcomes to that.”

He dismissed the possibility that Russian cyberattacks against the West have been muted because the Russians aren’t as skilled as their reputation suggests.

“Speaking as a victim of a SolarWinds breach the one domain I know they’re good at is the cyber domain — maybe their tanks aren’t doing really well,” Mandia said. “We’re not seeing their most skilled intruders doing anything out of the ordinary right now. I hate saying that, because somewhere, those guys will be like, ‘Oh, they’re not seeing us right now. We are seeing them.’”

Vanderbilt University provided CyberScoop’s travel to the event.