Published by The Lawfare Institute
in Cooperation With
On March 1, 2018, the governor of Colorado issued the first-ever state emergency declaration based on a ransomware attack. He did so to deploy cybersecurity specialists in the state’s National Guard.
A week earlier, a variant of the SamSam ransomware had infected 150 servers and more than 2,000 workstations owned by the Colorado Department of Transportation (CDOT). With private assistance, state employees successfully contained the attack, only to see the malware reappear. Following the governor’s verbal emergency declaration, Guard specialists mobilized within a day, providing “significant support to incident command, threat identification and analysis, and technical expertise.” Roughly three weeks later, CDOT had restored 80 percent of lost functionality.
In the aftermath of costly ransomware attacks on Baltimore, Atlanta, and two cities in Florida, the cybersecurity community would be wise to reexamine the March 2018 Colorado declaration. These incidents underscore persistent challenges posed by vulnerability management and incident response in a resource-constrained context—even with private-sector assistance. Yet public reporting does not indicate that city leaders in the affected municipalities have requested assistance from the National Guard. They should consider doing so—for the same reason that many states, including Colorado, are examining how the Guard might play a more prominent role in their cybersecurity strategies.
Election security is a case in point. In preparation for the 2018 elections, Washington National Guard personnel with day jobs at Amazon and Microsoft were on call to help with election security. In Wisconsin, the governor also placed the Guard on standby, as did the governor of Illinois. Ohio did the same before the 2016 elections. Moreover, the chief of the National Guard Bureau—the federal instrument responsible for the administration of the National Guard—recently testified that Guard units provided relevant network monitoring in 27 states. With FBI Director Chris Wray’s warning that Russian efforts to interfere in the 2018 elections were a “dress rehearsal” for 2020, more observers are holding up the Guard as a critical element of cyber defense.
Despite increased attention at the margins, existing policy and law limit the Guard’s potential to enhance cybersecurity in government and business. This post argues why the Guard should be taken more seriously as a national cybersecurity asset, reviews the authorities under which it operates, and makes recommendations for integrating it into national cybersecurity strategy and operations.
Limited Federal Capacity for Assistance
Establishing and sustaining a mature information security program is a difficult enterprise, even with adequate resources. State and local government agencies are sorely understaffed and underfunded, and the same goes for countless regional and local businesses. And a focus on staffing and funding tends to underrate real-world preparedness, which depends on many other factors. Recognizing this, the U.S. Department of Homeland Security (DHS) and the FBI have tried to build cybersecurity capacity for these types of entities. But despite their best efforts, demand outstrips the supply of resources that Congress is willing to provide.
Out of 102 advisers DHS employs to “provide technical assistance and perform security assessments for all 16 critical infrastructure sectors,” only 12 focus on cybersecurity. DHS also employs hunt and incident response teams (HIRTs) that provide “onsite incident response” to outside organizations. DHS leadership has repeatedly stated it lacks capacity to provide day-to-day technical assistance to the countless entities that need it—not surprisingly, given the scale of the problem. A recent report from the House Appropriations Committee cited a yearlong backlog in DHS requested vulnerability assessments, and, in 2017, DHS faced a nine-month backlog for state and local agencies.
Similarly, the FBI cannot fill this gap. As an investigative agency, its role in prevention and helping others defend themselves is limited to threat sharing and recommendations on cyber hygiene. In an incident response scenario, the FBI’s primary objectives are data collection and forensic analysis, not response and recovery. Even then, the FBI generally reserves its attention for the most serious cases only. More alarmingly, the FBI has been losing cybersecurity talent for some time.
A search for greater capacity inevitably leads to the U.S. Department of Defense (DOD). As a preliminary matter, the Pentagon is not a realistic option for scaling preventive assistance for resource-limited entities. Setting aside the significant legal hurdles involved, leveraging active-duty military assets in this way would ignite intense displeasure in multiple quarters. The department’s potential role during a significant cyber incident, however, is far less controversial and has been formalized via Defense Support of Civil Authorities (DSCA) and Defense Support to Cyber Incident Response (DSCIR).
Yet the Pentagon’s active-duty-force structure—centered in the Cyber Mission Force (CMF)—is fundamentally oriented toward defending federal assets and offensive operations. With more than 4,400 personnel spread across 133 teams—and a target of nearly 6,200 personnel—the CMF has four assignments centered on supporting offensive military operations, protecting DOD information networks (DOD-INs), and defending the nation. This latter mission falls to 38 teams: 13 national mission teams (NMTs) and 25 support teams. NMTs train and prepare for defensive cyberspace operation response actions, described as “deliberate, authorized defensive measures or activities taken external to the DOD-IN to defeat ongoing or imminent threats to defend DOD cyberspace capabilities or other designated systems.”
This emphasis accurately reflects the Defense Department’s core objectives to counter foreign adversaries and preserve its own freedom of action, but it likely leaves the NMTs ill-equipped to supplement capacity for civilian or industry partners. From a technical perspective, many of the sensitive techniques that NMT personnel cultivate, and the tools they use, would be off-limits when providing technical assistance to civilian agencies. From an organizational perspective, training for defensive cyberspace operation response actions does not establish the trusted relationships with state and local stakeholders that would prove critical in a crisis. One of the first rules of emergency management is to exchange business cards before an incident, not after.
Even assuming that NMTs are organized and trained to assist civilian entities during a high-consequence attack on the homeland, the entire DSCA/DSCIR process is geared toward catastrophic scenarios. That leaves many serious cybersecurity incidents, such as Colorado, Baltimore, or Atlanta, outside the Defense Department’s ambit.
Cybersecurity Capacity in the National Guard
In an environment characterized by limited federal capacity for preventive assistance and response and recovery operations, the Guard offers clear opportunities. Although capabilities vary across states and individual units, the Guard’s full complement of cyber-related talent totals approximately 3,880 personnel nationwide.
The first line of defense for the Guard’s information systems are defense cyber operations elements (DCOEs, previously known as computer network defense teams). Each DCOE generally has 10 billets, and today the Army Guard has 54 DCOEs in each of the 50 states, three territories and the District of Columbia. DCOEs are not integrated with the federal CMF or mobilized for federal missions.
The Guard’s other primary repository for cybersecurity specialists is a contingent of cyber protection teams (CPTs). These larger units (between 35 and 39 members each) can span multiple states and are assigned according to the 10 Federal Emergency Management Agency regions. One-third of the 68 CPTs in the Defense CMF are Army or Air Guard CPTs, but most of those 23 Guard teams serve part time; only one Army Guard CPT and two Air Guard CPTs (called cyber operations squadrons) serve full time in Title 10 status. The other 20 Army or Air Guard CPTs are mostly staffed by volunteers and can be activated under state active duty (SAD), Title 32, or Title 10 authorities. Based on state statute and policy as well as supported by state funds, SAD is activated by the state governor in response to natural or human-made disasters or homeland defense missions; Title 32 allows the governor, with the approval of the president or the secretary of defense and federal funds, to order a member to duty for operational homeland defense activities; and Title 10 allows the president to “federalize” Guard forces by ordering them to active duty.
The Army and Air Guard maintain an additional 36 cyber units that do not fit neatly into the DCOE or CPT categories. Excluding the DCOEs, this brings the total number of teams to 59 spread across 38 states. The Guard is also running a pilot program to establish three so-called cyber mission assurance teams (CMATs) meant to protect private infrastructure deemed critical to military installations. Both Ohio and Washington are piloting CMATs, which presumably draw on existing force structure in the DCOEs or CPTs.
The Hybrid Benefits of the Guard
Numbers aside, Army and Air Guard cyber units enjoy unique characteristics that provide important advantages over cyber-related assets in DHS, the FBI, or U.S. Cyber Command (USCYBERCOM). Capable of operating under SAD, Title 32 (state), or Title 10 (federal) status, Guard units offer a highly flexible “hybrid” platform that can build trusted relationships among government, private industry and civil society.
When activated in SAD status, a Guard unit falls under the command of the state’s governor, who exercises control via the adjutant general—a state-level position that serves as the commander of the state’s military forces, including the Guard. Under Title 32 of the U.S. Code, governors can, working through the adjutant general and with Defense Department approval, deploy Guard members to support federal or state-federal activities—with federal funds. Once “federalized” under Title 10, Guard units answer only to the president for the duration of their federal service. This flexibility forms the foundation of the Guard’s value. As a case in point, the 2017 hurricane season saw more than 50,000 Guard personnel across 43 states assist state and local recovery efforts, while from 2001 to 2015, 428,000 members of the Army National Guard and Air National Guard deployed overseas to support federal missions.
Guard units operating under SAD or Title 32 status are not bound by the Posse Comitatus Act, which restricts the ability of Title 10 forces to operate on U.S. territory. The application of posse comitatus to cyberspace—and precisely how that application limits Title 10 activities in cyberspace—is beyond the scope of this post. It is clear, however, that posse comitatus does not constrain Guard activities undertaken while in SAD or Title 32 status. Thus, as a matter of statutory law, Guard units have more flexibility than CMF components to provide assistance to resource-limited entities inside U.S. borders, whether before, during or after a cyber incident.
The Guard’s part-time status also provides long-term access to otherwise elusive talent found mostly in the private sector. It is no secret that the federal workforce faces a shortage of cybersecurity knowledge, skills and abilities. The economy more broadly has its own skills gap. As White House cybersecurity coordinator Rob Joyce warned back in 2017, the United States lacks somewhere around 300,000 cybersecurity experts needed to defend the country. Serving part time in Guard cyber units strikes an attractive balance for many part-time Guard volunteers who work full time in the private sector, where many experts enjoy high-paying jobs but are nevertheless drawn to public service. By a conservative 2017 estimate, in 2015, the Army National Guard and the U.S. Army Reserve had more than 100,000 members with “some degree of cyber competence, including thousands with deep or mid-level cyber expertise”—many of whom perform information security functions in their civilian careers.
Day-to-day experience in the private sector cultivates key skill sets, access to outside professional networks and general exposure to cutting-edge innovation. At the same time, volunteer service in the Guard provides unique training opportunities not found in the private sector. The interest is such that, in some cases, commanders do not have to mobilize Guard members to conduct training; members simply show up because they want to be there. Ultimately, the Guard tends to retain private-sector talent, offering many benefits of government service “with little career and lifestyle sacrifice.”
With one foot in the private sector, Guard units are also closely integrated with federal, state and local governance processes. At the federal level, the National Guard Bureau coordinates between the Guard and the Defense Department to support unified action and ensure that Defense Department planning supports the needs of civilian agencies that might request assistance from USCYBERCOM. The Guard joint force headquarters-state (JFHQ-State) provides command and control of all Guard forces for the governor and can act as a joint headquarters for national-level response efforts during operations. The Guard JFHQ-State is also staffed with liaison officers from the active-duty services. This shared command and control and funding give it immense capability, adaptability and ability to support both state and federal efforts.
The Guard’s reach into state and local communities stands out as well. The Guard is an essential partner for state emergency management agencies, building familiarity with processes and procedures. In some cases, such as in Washington or Wisconsin, the adjutant general dual-hats as the state emergency manager. This facilitates the process of integrating the Guard with state cyber disruption response plans and sharing cyber-related resources across state lines through the Emergency Management Assistance Compact (EMAC).
On a more personal dimension, many Guard personnel live in their communities and can more easily establish face-to-face relationships with potential victims who might need assistance down the line. In the words of a lieutenant colonel in the Colorado National Guard: “[Information technology] is all about trust; you have to trust someone before you are going to allow them to do anything on your network.”
Finally, the Guard’s State Partnership Program allows it to engage internationally, widening the scope of participation and creating another avenue for relationship building, training and skills refinement. Started in 1991, the Defense Department’s State Partnership Program pairs Guard elements with partner nations worldwide. For example, the Maryland-Estonia National Guard Partnership established in 1993, and respective Sister Cities partnerships, includes several bilateral projects relating to training and cyber defense. This includes the Estonia Defence League Cyber Defence Unit international cooperation effort with the 175th Network Warfare Squadron of the Maryland Air Guard, which allows joint scenario training, where members leverage their knowledge and skills from both civilian and military backgrounds.
Moving Forward: Empowering the Guard as a Cybersecurity Asset
The Guard’s deep force structure and hybrid characteristics leave it well positioned to scale vulnerability management and incident response for resource-limited entities. But long-standing barriers limit the full potential of many Guard elements. Treating the Guard more seriously as a national cybersecurity asset will require commitment from state and federal leaders.
First, policymakers must prioritize understanding Guard capabilities. Two separate Government Accountability Office reports have admonished the Defense Department for its poor understanding of Guard cyber elements. Any researcher who has tried to map the Guard’s complex structure of state-by-state cyber units could forgive the Pentagon for failing on this count. But planning a whole-of-government approach cannot occur without something akin to an order of battle establishing a coherent picture.
Second, key stakeholders must recognize and strengthen the Guard’s role in preventive cybersecurity assistance. At the state level, state constitutions or statutes often limit deployment of Guard personnel in SAD status outside of governor-declared emergencies. This blocks or complicates the use of appropriate Guard capabilities to improve preventive cybersecurity measures in government and businesses. Given the growing list of incidents that resulted from basic lapses in security practices, the Guard’s potential to make a dent here should not be underrated. A higher tempo of activities drives up costs, and the federal government should not be expected to bear the burden alone. Cybersecurity is a shared responsibility, and states should increase funding for Guard operations in cyberspace to pay for preventive assistance that could save millions in incident response costs.
One standout example is the Washington Guard’s security assessments for an in-state utility. Directed by the governor at the invitation of the public utility company, the assessment was conducted by the Guard not in federal status but in SAD, with state funds, equipment and software. This collaborative venture with the utility company helped shape processes and developed training. It also helped to forge a path on how best to conduct future consultations—not only within the public utility sector but also within state agencies that could prove vulnerable to cyberattacks and exploitation at the potential cost of billions of dollars if compromised.
Third, Defense Department officials should encourage innovation by expanding the flexibility of Title 32 funding and procedures. A nonpublic (but unclassified) memorandum restricts how the Guard may “coordinate, train, advise, and assist (CTAA) cyber support and service provided incidental to military training.” According to one assistant adjutant general, the CTAA memo “stipulates very strict guidance and definitions on who may receive cyber support and services within the United States and its territories, along with a strict approval process,” although he calls it “a great step in codifying the Guard’s role in cyber defense with respect to domestic missions.” The CTAA memo reflects a compromise between those wary of draining funding that they view as intended for training focused on federal missions, and those who see Title 32 funding as potential financing for desperately needed, and chronically underfunded, cybersecurity assistance.
The statutory authority to unlock the Guard’s full potential—both for preventive assistance and response and recovery operations—already exists, and the CTAA memo and other restrictive guidance can change. Section 502(f) of Title 32 generally authorizes federal funding for state-controlled Guard activities “to perform training or other duty.” Experts have argued that the phrase “other duty” opens the door to “operational missions,” in addition to training. The terms of DSCA/DSCIR guidance accept this interpretation, citing 502(f) as authority for Guard operations to assist civilian agencies during a significant cyber incident. A separate section in Title 32 authorizes the Defense Department to provide funding assistance to states for “homeland defense activities of the National Guard” that the secretary of defense deems “necessary and appropriate” for the “military protection” of the people, territory or critical national security assets of the United States. Implementing Defense Department guidance specifies that governors may request funding for “deliberate, planned activities” or “exceptional circumstances.” It does not take a great deal of imagination to see how existing authorities could support a more permissive approach to Title 32 activities that could be formalized through updated guidance. It is just a matter of changing preferences at the Pentagon.
Fourth, exercises allow the Guard to deepen ties with a range of stakeholders. U.S. Cyber Command has been instrumental in providing resources and planning for key exercises such as Cyber Guard, a classified drill that began in 2012 with 75 participants and mushroomed to more than 800 in 2017. Defense Department leaders deserve credit for supporting these and other related initiatives. However, several challenges remain, including limited participant access because of a classified exercise environment, limited inclusion of other federal agencies and critical infrastructure owners, and inadequate incorporation of joint physical-cyber scenarios. Moreover, the Defense Department should expand unclassified exercises such as Cyber Shield, which tests the readiness and capabilities of the Guard’s DCOEs. This should be coupled with ensuring that assets in the Guard are available in every state, not only those that are home to major technology firms, such as California, Washington, Maryland and Massachusetts. To that end, exercises that test the EMAC procedures in the context of a cyber incident are essential.
Finally, Congress has an important role to play. In 2013, a bipartisan group of senators introduced the unsuccessful Cyber Warrior Act, which would have placed a Guard cyber and computer network incident response team in every state. The following year, the 2014 National Defense Authorization Act (NDAA) mandated an assessment of, and strategy for, the role that Guard and reserve components could play in federal cyber missions. The result was the CMF (see above). By 2017, another bipartisan group of senators introduced legislation that amended the 2007 NDAA and required the Defense Department to establish and maintain (within one year) a database of Defense Department emergency response capabilities that included the cyber capabilities of the reserves and the Guard. Other legislation that same year would have established “reserve component cyber civil support teams.” Known as the Major General Tim Lowenberg National Guard Cyber Defenders Act, this legislation calls for the prompt implementation of these teams, allowing for a five-year deadline that runs no later than September 30, 2022. These bills have not advanced, however.
In an April 2018 hearing, Eric Rosenbach, a former Defense Department official and political appointee with oversight of the Guard, stressed the need for state governments to strengthen the role that the Guard and state-run fusion centers play in election-related threat information sharing. At the time, Rosenbach’s comments were in the context of election security, but the same principle applies to critical infrastructure protection more generally. The Guard is a bottom-up resource with strong lateral reach and a unique ability to transition between state and federal missions. As such, it is a natural fit to help strengthen operational collaboration among federal authorities, state and local government, and private industry when it comes to protecting critical infrastructure.
More recently Rosenbach stressed that “the National Guard’s dual constitutional authorities make it exceptionally suited for cyber defense. Its geographically dispersed forces coupled with existing trust networks give way for hybrid benefits that should be utilized more broadly.” Cybersecurity policymakers in Washington, D.C., and every state should start treating the Guard as an indispensable component of a national cyber strategy. They can start by clarifying its express authority to engage in cyber defense and providing adequate resources to perform this critical mission.