TMCnet News
Cyber Uncertainty [National Guard](National Guard Via Acquire Media NewsEdge) Governors want to tap the Guard's growing cyber capability. The Guard wants to help, but a lack of clear policy from Washington is an impediment SOUTH CAROLINA holds a dubious record: It's the state that's been hit hardest so far by hackers. Foreign cyber thieves broke into the state tax agency's computers in 2012 and stole 3.6 million Social Security numbers, 657,000 business tax records and 387,000 creditand debit-card numbers. It was a "crown jewel" of a computer heist, cybersecurity experts said. By stealing the Social Security numbers, personal information and credit-card numbers for hundreds of thousands of people, the thieves acquired all the ingredients needed for tax fraud, credit-card fraud and identity theft. The massive security breach forced South Carolina to spend at least $14 million to tighten computer security and provide the affected taxpayers and businesses with credit monitoring and identity-theft protection. It also triggered a wave of alarm among the nations governors who worry about their own states computer systems, and also about the vulnerability of systems, mostly privately owned, that control electric grids, water systems, pipelines, hospitals, banks, manufacturing plants and other critical infrastructure. Increasingly, governors are turning to the National Guard for help. In January, Colorado Gov. John Hickenlooper, the vice chair of the National Governors Association (NGA), warned his fellow governors that "the next battlefront is likely not a field or town, but a computer network that supports our critical infrastructure." He added that "the National Guard should be mobilized to support federal and state efforts to prost tect networks and respond to incidents." In some states, Guard cyber units are already at work. Maryland taps the Air Guards 175th Network Warfare Squadron to perform security assessments on state computer networks. The squadron teams with state agencies to launch simulated attacks against state networks. When they succeed, the squadron then helps develop countermeasures to block future attacks. Washington state uses its Joint Forces Defense Assessment Team, which includes Army and Air Guard personnel, to search for security gaps in state networks and to conduct cyber-emergency planning. In California, a joint Computer Network Defense Team performs vulnerability assessments, risk identification, incident response and other services for state agencies, and the team "never charges for the government-to-government services we provide," the Guard emphasizes. California also has an Air Guard cyber unit, the 261st Network Warfare Squadron, near Los Angeles that can be called on by the governor to test the security of state networks. Every state has capacity for an eight-person Computer Network Defense Team that is designed mainly to protect Guard networks, but is also available to respond to cyber incidents, according to the National Guard Bureau. Michigan's cyber-sawy Gov. Rick Snyder has emerged as a national leader in cybersecurity. In March, he included the Michigan Guard as part of a statewide cyber range that is used to train college students, technology workers and now Guardsmen to detect and prevent cyberattacks. Snyder, a former chairman of Gateway computer company, warns that cyberattacks are "the single greatest threat to our national security" and he urges other governors to prepare to defend against them. Michigan counted 568,724 attacks against its computers during an eight-month period in 2013, according to the state's chief information officer. "As governors, we are directly responsible for ensuring the security of a wide array of state-owned assets and personally identifiable information such as tax records, driver's licenses and birth records," Snyder said in a speech to the NGA last fall. "We also play a critical role in ensuring that private-sector assets within our states are secure." Facing Reality The proactive approach adopted by Snyder, Hickenlooper and some other governors is relatively new. "A lot of people see cyber as a federal problem and a national problem" to be dealt with by the Defense Department and the Department of Homeland Security, says Brig. Gen. Michael Stone, Michigan's assistant adjutant general-installations. In reality, it's a local problem. "You can talk about the National Security Agency and Cyber Command, but when an attack occurs," there will be no surge of federal experts arriving to help restore cyber-damaged critical infrastructure, he says. Electricity, water, communications and other vital services may be turned off, the local economy may be shut down and people may be hurt, just as in a flood, a fire or a hurricane, he says. "All disasters are local," including cyber disasters. "When you look at it that way, it changes how you perceive the problem." And it's a problem for which the federal government is ill-prepared to respond. The Defense Department has the largest force of cyber warriors with 30,000-plus at the National Security Agency and another 5,000 planned for U.S. Cyber Command. But those forces are dedicated to defending military computer networks and launching offensive cyberattacks against U.S. adversaries. The Pentagon is generally prohibited from operating domestically. On paper, the Department of Homeland Security is the lead agency for protecting critical U.S. infrastructure against cyberattacks. But DHS lacks a corps of cyber experts who could be deployed to help when states are besieged by such attacks. "DHSs mandate is, at best, weak," says Andreas Mueller of the Truman National Security Project, a Washington, D.C.,-based think tank. DHS can offer the states information about cyberattacks, suggest methods for defending against them, and help coordinate responses when an attack occurs. But other than that the agency's other cyber capabilities "are limited," Mueller says. That's not reassuring to governors who worry about the security of the cyber systems that control electricity grids, water distributions systems and data centers, Mueller says. Even though a cyberattack on such systems could be disastrous, it would not trigger the same type of federal response that a natural disaster or kinetic attack within the United States would, he says. Governors are starting to realize that, and some have begun preparing their own defenses. In a cybersecurity "call to action" paper published last fall, NGA pointed to the Guard as a resource governors should capitalize on. "The National Guard's unique role serving governors and the president, combined with its ability to attract and retain individuals who have full-time employment in information technology and related fields make it an ideal solution to help address the shortage of highly skilled personnel necessary to protect critical networks and systems," the governors association said. Missouri, which established a Computer Network Defense Team in 2012, discovered there are plenty of IT experts eager to help. "I've got security professionals who work in Fortune 500 companies, [and] I've got soldiers who travel from Texas, Oklahoma and Nebraska on their own dime" to serve on the Missouri cyber team, says Maj. Arthur Roark, the team's commander. Among the team's 26 part-time members are a programmer, a computer systems analyst, some network administrators, and an engineer, Roark says. They train at the historic Jefferson Barracks on a high bluff overlooking the Mississippi River south of St. Louis in a building originally built in 1898 to house cavalry soldiers. For now, the team's job is to defend Guard networks, but the team expects to do more. "We have started table-top exercises with the state government and the owners of critical infrastructure and were in the initial stages of working with them," Roark says. Formal memoranda of understanding still must be negotiated and cyber-emergency response procedures must be established, but the team hopes eventually to provide cyberdefense services to state agencies and the operators of critical infrastructure. Other Issues Remain "In a perfect world," cyberdefense for privately owned critical infrastructure "would be handled by the civilian sector," says Col. Tim Lunderman, NGB's director of cyber operations. After all, private entities own 85 percent of the nations critical infrastructure. But many of the private companies that operate the nation's power plants, electric grids, water systems, hospitals, pipelines and other critical infrastructure have not developed the capability to defend against cyberattacks, says Lunderman, who also serves as the Guard Bureau's advisor to U.S. Cyber Command. So governors say, call in the Guard. But calling in the Guard is not that simple, Lunderman says. Liability questions must be answered, privacy issues must be resolved, and there is great reluctance on the part of many private companies to give government officials, including Guardsmen, access to data in private computer systems. There are even questions about Guard cyber units helping other Guard cyber units, Lunderman says. While states have entered Emergency Management Assistance Compacts that enable Guard units to cross state lines to assist other states during hurricanes, floods and wildfires, does a cyberattack constitute an EMAC emergency, Lunderman wonders. Can Washington state, with its significant cyber capability, come to the aid of Florida during a cyberattack? That's still under discussion, he says. And while governors and adjutants general want to use the Guard for domestic cyberdefense, the wishes of the active component must also be taken into account, Lunderman said. "The services really want the Guard to do service-mission sets," he says. Just as the Army supplies the Guard with helicopters, transport planes and trucks primarily to be used in war, but also available for domestic missions, the Army and Air Force say Guard cyber units should be organized and trained for military purposes, but perhaps also be available for use in domestic emergencies, he says. However, precisely "how we respond to cyber incidents domestically is still being worked through," Lunderman says. For governors and other state officials, the slow pace of sorting all this out is frustrating, Mueller says. "The states want butts in seats in case there's a disaster," and that includes Guard butts, he says. But what the Guard can do or would do is still unclear. State officials "would say, 'Can you help?' and the Guard would say 'Yes, sir.' But there's no real plan. They'd have to figure it out on the fly," Mueller says. "The problem with cyber and the Guard is that no real policy has filtered down from the Defense Department." The active-component military is busy building its own cyber capabilities and has not yet focused on the Guard, he says. Congress has tried to help, but so far to little effect. The fiscal 2014 National Defense Authorization Act did include a provision ordering the Defense Department to assess the Guard's cyber capabilities, including how they can be used to meet state needs. The report is due this month. In 2013, lawmakers in both the House and Senate introduced the Cyber Warrior Act that would create a Guard Cyber and Network Incident Response Team for each state. The teams would leverage private-sector IT experts who serve part time in the Guard and could be called on by governors and the defense secretary to respond to cyber incidents. The bill would allow the Guard to respond to cyber disasters just as it does to natural disasters, says Sen. Christopher Coons, D-Del., one of eight co-sponsors in the Senate. "Delaware's 166th Network Warfare Squadron is a model for what can be achieved when the Guard leverages the unique private-sector skills and experiences of its members, and this bill will help other States build similar capacity," Coons says. The legistration was introduced with fanfare in March 2013, then was referred to House and Senate committees where it has languished since-no hearings, no votes, no progress. It did, however, spark some internal discussion. The bill's lack of apparent progress doesn't bother Lunderman. The Cyber Warrior Act of 2013, he says, "is probably not the perfect solution." It would create 54 new cyber-incident response teams. Half that many would be plenty, he says. "If we were able to get teams in 25 states, or two per FEMA region (there are 10 Federal Emergency Management Agency regions], that would be enough." Growing Capability The Army and the Guard have been in discussions for a year about setting up new 39-member cyber-protect ion teams. Originally, plans called for establishing 10 teams, but more recently the number was increased to 11, Lunderman says. That would provide one team for each FEMA region with an extra team to be on Title 10 status, ready to be called if cyber forces are needed to bolster the active-component military's cyber capabilities. On June 5, the Army and the Army Guard signed a memorandum of understanding to create the first Army Guard cyber-protection team. The 1636th CPT based in Laurel, Md., is to serve in "active-duty, Title 10 status" to support Army Cyber Command and Second Army. The memorandum also calls for establishing 10 additional CPTs between 2016 and 2018. They are to be Title 32 state-controlled units, according to NGB. A number of states are already preparing proposals in hopes of receiving a team, says Roark, the Missouri Computer Network Defense Team chief. "We want to get one," says Stone of Michigan. But here again, progress is slow. The teams may not be established until 2015 or later "because of Army hesitance to set clear requirements," Mueller says. "The states want the capability," but "you don't get federal money for a unit unless there is a requirement." Some states are spending their own money to develop cyber defenses. You won't find Alphaville on any Michigan map. It's a hard luck kind of town. The city bank gets robbed on a regular basis, the water company and electric utility are under constant attack, the library's computer system has been hijacked to attack city hall and the elementary school's system is infected with malware. But Alphaville has a plethora of protectors, too. It's a virtual city that sprang to life in 2012 in the Michigan Cyber Range. Michigan set up the range to train civilian and military cyber defenders to detect and prevent cyberattacks on the state's critical infrastructure. Inspired by the mock towns used to train soldiers, Alphaville exists only as software, and is populated by utilities, local-government networks, schools and businesses that can be attacked and defended without causing any real harm. There are cyber-range "hubs" scattered across the state, three at Michigan universities and the newest one at the Air Guard's 110th Airlift Wing in Battle Creek. Two more are planned for the Michigan Army Guard's Fort Custer and Camp Grayling. Simply by plugging a laptop into a port at one of the hubs, Guardsmen, students and state and local cybersecurity personnel can journey to Alphaville to engage in cybercombat. When the Battle Creek hub opened in March, the Michigan Guard arranged for students at West Point to attack Alphaville while Guardsmen in Michigan and California acted as the city's defenders. Snyder, the computer executive turned governor, says placing cyber-range hubs at Guard bases will enable Guardsmen "to train at the highest level with the most sophisticated equipment to best prepare for any real-world threats that they may face." Such training is important because there is a nationwide shortage of as many as 30,000 cybersecurity professionals. And with budgets tight or even shrinking, states, localities and federal agencies have a hard time competing with the private sector for scarce cyber talent. The Guard, however, is an exception. It is able to tap the skills of top cyber professionals in the civilian sector. NGA notes that Guard cyber units across the country "include personnel from a significant number of the nation's top cybersecurity and information technology companies such as Microsoft, Cisco, Siemens, Intel, GE, Boeing, IBM and Google." That gives the Guard access to "leading-edge, civilian-acquired, cyber skill sets not readily available or easily built from within the federal government," the governors association said. Attracting top-tier cyber specialists to the Guard "has not been a problem," says Lunderman, the Guard Bureau cyber chief. One reason is that the Guard offers opportunities to serve without having to sacrifice civilian careers and civilian lifestyles. Another reason is that the Guard offers civilian cyber experts opportunities to conduct cyber operations, like the attacks on Alphaville, that they can't do legally in civilian life. What lags, cyber experts say, is direction from Washington on how to fully leverage those assets in the event of a significant cyber attack on critical nondefense infrastructure. f Cyberattacks are the single greatest threat to our national security. -Michigan Gov. Rick Snyder "How we respond to cyber incidents domestically is still being worked through. -Col. Tim Lunderman Director of cyber operations, National Guard Bureau The NGAUS Take EIGHTEEN MONTHS AGO, the National Guard was largely left out of Pentagon discussions about cybersecurity. So NGAUS and Guard leaders took Information about state vulnerabilities and the Guard's unique cyber capabilities to Congress. Lawmakers responded with the Cyber Warrior Act of 2013, which would create a Guard cyber team in each state, territory and the District of Columbia. Though residing still In the ever-growing repository of bills awaiting action, the Cyber Warrior Act forced the Pentagon to Include the Guard In the discussion. Since then, the Guard's cyber potential has been substantiated by reports from the National Commission on the Structure of the Air Force, the Center for Strategic and International Studies and others, each noting the role the Guard can play at the local level.They all suggest the Pentagon give the Guard a significant role In cybersecurity. Governors have turned up the heat, too, to include the Guard in this growing mission.The National Governors Association is now working with the Pentagon on cybersecurlty plans that leverage the skills that reside In the Guard. All of this Is progress.That's the good news.The bad news Is the threat Is growing faster than the pace of progress.The governors are acutely aware of state and local vulnerabilities and their potential impact on public safety and the economy, but Washington continues to focus on federal networks. More reliance on the Guard Is only part of the solution. Plans, policies and authorizations must be vetted and put in place to enable the governors to employ Guard assets In a cyber disaster the same way they would during a natural disaster, such as a tornado or hurricane. "The problem with cyber and the Guard is that no real policy has filtered down from the Defense Department." -Andreas Mueller Truman National Security Project Washington, D.C. WILLIAM MATTHEWS is a Springfield, Va.,-basedfreelance writer who specializes in military matters. He can be contacted via [email protected]. (c) 2014 National Guard Association of the United States |