None Too Soon

NATIONAL GUARD magazine
October 2016

By William Matthews

Only a portion of the Guard’s planned cyber units are in place, but they’re already responding to attacks on critical networks

A week of escalating protests in Baltimore erupted into riots April 25, 2015. As the violence spiraled, the governor called up 2,000 Maryland National Guardsmen for riot duty; among them were members of the 175th Cyber Operations Group.

Some of the cyber troops were sent downtown with their assigned weapons to help quell the violence. But others were sent to the group’s operations center to staff keyboards. There they battled an ad hoc army of “hacktivists” who had joined in the riot remotely, targeting police networks, trying to crash state computer systems and flooding social media with inflammatory, and often false, information intended to fuel the chaos in the streets.

While the armed Guardsmen worked to restore order in the streets, the Guard cyber experts dissected system-crashing malware and compiled information that would help state network operators recognize and neutralize the destructive computer code, says Col. Shawn Bratton, the group commander.

The 2015 Baltimore riot may have been the first time cyberattacks were a significant element in a domestic disturbance in the United States, but it wouldn’t be the last.

Early in 2016, as protestors took to the streets in Flint, Michigan, to demand remedies for the city’s lead-contaminated water, “hacktivists” from the shadowy group Anonymous launched a cyberattack against state websites. Anonymous warned Michigan officials, “We do not forget and we do not forgive.”

With Michigan under cyberattack, the 175th bundled up all that it had learned from the Baltimore experience and sent it off to Michigan, Bratton says.

It appears likely now that there may be an “online component” to any civil disturbance, Bratton says. The National Guard Bureau took the matter seriously enough to convene a meeting this summer to alert state Guard officials to this new cyber threat.

“At this point, we have captured and are applying the lessons learned” from Baltimore and Flint, says Col. Vic Macias, the chief of the Cyber Space Operations Division at NGB. Already, “we’ve seen it across several states.”

There are other cyber threats brewing, too, some as close as your state capital and your county seat. In June, the FBI’s cyber division warned election officials across the country to beef up computer security after discovering that hackers had broken into two state election systems.

In Illinois, election officials shut down the state’s voter registration system for 10 days in July after hackers downloaded personal information on up to 200,000 of the state’s voters. In Arizona, hackers inserted malicious software into the voter registration system, but apparently got no data.

Discovery of those two hacks came just after the disclosure that cyber intruders had broken into computers of the Democratic National Committee and downloaded embarrassing emails. They apparently had access to the DNC computer system for a year.

Some U.S. government officials have stated “with high confidence” that the election-related hacks were carried out for Russian intelligence agencies. So far, though, there is no official attribution.

In California’s Riverside County, some voters went to the polls June 7 for the presidential primary only to discover that their party affiliations had been changed. Others found that their race, addresses and dates of birth had been altered. Still others had been removed from the voter rolls entirely. Election officials blamed hackers.

Last month, hackers who sided with opponents of an oil pipeline in North Dakota released online videos threatening President Barack Obama, North Dakota Gov. Jack Dalrymple, National Guard troops and others. The threats came after about a dozen Guardsmen were called up to help law enforcement with traffic control during an anti-pipeline demonstration.

Meanwhile, hospitals in California, Kansas, Kentucky, Maryland and Washington, D.C., have been hit by “ransomware” attacks that lock down essential computers until the hospitals pay to have them unlocked. Banks are robbed remotely in the blink of an eye. And increasingly, U.S. critical infrastructure, such as the nation’s power grids, water systems, communications networks and transportation hubs, is considered a prime target for cyberattacks by adversary nations, cyber jihadis, “hacktivists” and others.

“We live in unprecedented times of cyber risk, threats, vulnerabilities, exploitation, and outright attacks on virtually everything and anything that is connected to computers and the internet,” said Brig. Gen. John Tuohy, the assistant adjutant general of Washington state and the chief of the Washington Air National Guard, during a cybersecurity conference in Washington, D.C., this summer.

Growing Cyber Capability

In the midst of this raging cyberbattle stands the National Guard.

The Guard is in the process of standing up 23 dedicated cyber units, 12 in the Air Guard and 11 in the Army Guard, to bolster U.S. cyberdefenses, Macias says. The Air Guard plans to keep two of its cyber units on active duty at all times, rotating them one after another through six-month tours. The Army Guard is developing a similar plan.

About 30 cyber troops from the Maryland Guard are already serving full-time active-duty tours at U.S. Cyber Command (CYBERCOM) where they “execute a variety of missions,” Bratton says. He declined to elaborate on what they do.

Today, every state and territory has a Defensive Cyberspace Operations Element that’s able to provide basic defensive cyber capabilities to the Guard and to the state. Some states have much more, Macias says. Maryland, for example, “is pretty robust” with multiple cyber units and a total of about 350 “cyber warriors.”

The Guard’s cyber force is growing fast. “By 2019, we will have 34 states with extensive Cyber Protection Team capability,” Macias says. “All told, this force will provide over 3,000 additional cyber warriors to our nation’s capability.”

For Guard cyber units, “our first and foremost obligation is to carry out missions as assigned” by the Army and Air Force in coordination with the CYBERCOM and combatant commanders, Macias says. Today, Guard cyber troops already “are executing a broad set” of “real-world, day-to-day missions,” he says.

But the mission is certain to grow. Last March, Defense Secretary Ashton Carter said Guard units such as Washington state’s 262nd Network Warfare Squadron might be called to do cyberbattle against the Islamic State.

“Units like this can also participate in offensive cyber operations of the kind that I have stressed we are conducting, and actually accelerating, in Iraq and Syria, to secure the prompt defeat of ISIL,” Carter said during a visit to the 262nd at Joint Base Lewis-McChord in Tacoma.

So far it appears that hasn’t happened, but Guard officials won’t say much about what their cyber troops on active duty are actually doing, citing operational security.

On the domestic side, Guard cyber personnel are in increasing demand. Aside from calling them in during emergencies such as those in Baltimore and Flint, states are tapping the Guard to assess the security of state networks, help state and local government agencies toughen cyberdefenses and conduct vulnerability testing on power grids, water systems, natural-gas pipelines, communication networks and other parts of the critical infrastructure.

The 262nd has been a leader in that arena.

In 2015, members of the 262nd broke into the computer system of the Snohomish County Public Utility District. “I wanted them to break in,” Benjamin Beberness, the utility district’s chief information officer, told the web publication EnergyWire. It was a test to see where there might be weaknesses in the utility’s security system.

The Guard unit, which included a security expert from Microsoft, the founder of a cybersecurity firm and other cyber experts, opted not to mount a frontal assault. Breaking through the utility’s firewall might have taken days. Instead, they borrowed a tried and true hacker tactic known as “spear phishing.”

They composed what appeared to be a genuine work-related email and sent it to the utility’s employees. When one opened it and clicked on a hyperlink inside, the email downloaded malicious software that opened a back door, providing the 262nd a beachhead into the utility’s computer system. It took all of 22 minutes.

“We do this for a living,” Maj. Billy Rios, the cybersecurity-firm founder, explained to the chagrined utility employees. Once inside the system, the Guard hackers “demonstrated that we could do a lot of crazy things,” Rios says. He declined to provide details. “At the end of the day, we got to tell [the utility cyber team] about all the things we discovered,” and to recommend steps for improving security.

For the utility, it was an eye-opener, Beberness admitted during a cybersecurity conference in Washington, D.C., last summer. The 262nd “demonstrated to my team that things they thought were impossible were in fact possible.”

The Guard is building the capacity to do that and more across the nation, says Macias of the Guard Bureau. A core mission spelled out in the Defense Department’s 2015 Cyber Strategy is for the military to be prepared to defend the U.S. homeland against “cyberattacks of significant consequence.”

That means the Guard “can assist state, local, and private-sector partners” when cyber threats pose a significant danger “to our national security and the health and well-being of our citizens,” Macias says. That would include cyberattacks against critical infrastructure, he says.

Ordinarily, though, the Guard won’t tackle such cyber missions alone. “If we are experiencing an attack of significant consequence at the national level, the Department of Homeland Security will have the lead in coordinating with the private sector, but it will be an all-hands effort with the FBI, the Guard, the broader Defense Department and state and local law enforcement all working together,” Macias says.

“At the individual state level, the National Guard would likely play a more pivotal role,” he says.

And it’s a critical role, he says. The Guard adds a degree of familiarity and trust to incident response. As a community-based organization, the Guard maintains close relationships with state and local governments, with private companies and with local emergency management agencies as well as with federal agencies such as the FBI and the Department of Homeland Security, Macias says.

But one key intra-agency relationship may not be as developed as it needs to be. The Government Accountability Office reported to Congress last month that the Defense Department “does not have visibility of all National Guard units’ cyber capabilities” because the Pentagon has failed to maintain a database of Guard cyber units, “as required by law.”

“Without such a database to fully and quickly identify National Guard cyber capabilities,” the GAO reported, “DoD may not have timely access to these capabilities when requested by civil authorities during a cyber incident.”

The GAO also said the Defense Department should conduct more expansive cyber exercises that include the Guard, other federal agencies and the private-sector owners of critical infrastructure. Past exercises have limited participants “because of a classified exercise environment.”

Looking for Many Good Men & Women

As the Guard builds toward a cyber force of 3,000 personnel, the active-component services are assembling a 133-team Cyber Mission Force. Their goal is to have 6,200 cyber experts operational by the end of 2018.

So the competition for people with cyber skills is intense. There are more than 200,000 cyber jobs in the United States that are unfilled, according to Stanford University. And with salaries in the $100,000 and up range, the military has a hard time competing with private industry.

For the Guard, it seems a bit easier.

“There’s no shortage of people trying to join” Maryland’s 175th Cyber Operations Group, says Bratton, the group commander. In part it’s because the group is located near Washington, D.C. and Baltimore, a region filled with federal agencies and high-tech companies that employ lots of cyber specialists.

The 175th has another draw: Its troops work for the CYBERCOM and the National Security Agency, two organizations at the pinnacle of cyber operations. And there’s a third incentive: “The training we offer is just fantastic. It’s a great opportunity” for cyber specialists to improve their cyber skills and become even more valuable to civilian employers, Bratton says.

Cyber training for Guard troops can take from 18 months to three years, depending on how much training the student already has and what cyber skills he or she is trying to learn, Bratton says. Guard soldiers go to Fort Gordon, Georgia, while airmen start out at Keesler Air Force Base in Mississippi and move on to Hurlburt Field on the Florida panhandle.

“There are multiple schools, it takes a long time,” but when they’re done, Guard cyber troops “come out as some of the best operators the country has,” Bratton says.

Cyber talent isn’t always obvious. When the North Dakota Guard began assembling a seven-person cyber squad this year, Chief Warrant Officer 4 Keil Skager was skeptical. “In North Dakota, we don’t have a university turning out a lot of cyber experts,” nor are there many high-tech companies to draw from, he says.

So to find seven soldiers who would be part of a 39-member Cyber Protection Team drawn from four states, Skager, the North Dakota Guard’s information-technology branch chief, decided he had to search for cyber-inclined soldiers already in the Guard. “We thought we would have a great deal of difficulty finding people,” he says, “but we got a lot more interest than we expected.” And some who responded had already been through formal cyber training. “We ended up with a pretty extensive list,” he says.

The North Dakota team has until 2019 to complete Army cyber schooling, training and certification. Skager is no longer skeptical.

In southern Virginia, the Air National Guard’s 185th Cyber Operations Squadron is more demographically blessed. Based at Langley Air Force Base in Hampton, the new cyber unit attracted members from the Hampton Roads area, but also from as far south as North Carolina’s Research Triangle and as far north as the Washington, D.C., area, says Maj. Nathan Brown, the 185th’s operations director.

After the Guard Bureau announced last December that it was creating the new squadron, “we had a huge amount of interest,” Brown says.

Today “we have a good mix of people.” Some “are really good in civilian cyber jobs and want to serve” and the Guard makes that practical. Others see “an opportunity to get some highly specialized training” from the military. And still others see the Guard as a place where they can get access to cyber tools that they won’t have a chance to use in the civilian world, he says.

As the Guard increases the size of its cyber force, it also wants to broaden its reach. One way to do that, Guard officials have concluded, is to encourage civilian companies to seek out cyber-trained Guardsmen and hire them as full-time employees.

“We have begun partnering with industry for dual-employment of part-time members of the National Guard [to serve] as cyber defenders of critical infrastructure in their full-time civilian role,” Macias says.

The arrangement would benefit both employers and the Guard. The companies would get well-trained cyber experts, and the Guard would get members who work inside the very organizations the Guard might have to defend in the event of a cyberattack.

That’s actually happening today, but mostly by chance, Guard officials say. They want it to start happening by design.

WILLIAM MATTHEWS is a Springfield, Va.-based freelance writer specializing in military matters. He can be contacted via magazine@ngaus.org.


OUR TAKE

It should come as no surprise that National Guard units are helping defend vulnerable state and local government networks and computer systems from increasing cyberattacks.

State authorities have long turned to the force in times of disaster, whether natural or manmade. The Guard has people with advanced, civilian-acquired cyber expertise. And they have the latitude to share those skills in a state status.

There is a lesson here. Not only is the Guard already a repository of cyber talent, it can help retain in the U.S. military the brightest cyber minds in the active-component services when they exit for the lucrative salaries of the private sector.

Sometimes the Pentagon gets it. The Defense Department’s new cyber strategy pledges to “draw on the National Guard and reserve components as a resource for expertise and to foster creative solutions to cybersecurity problems.”

Unfortunately, budgets don’t always match strategy. Despite an Army plan to activate 11 Army Guard Cyber Protection Teams by the end of 2019, there was no money in the president’s fiscal 2017 budget request for the service to establish the teams.

But thanks to NGAUS, there now will be money in the fiscal 2017 Army budget next year for Army Guard CPTs. The association worked with Capitol Hill and there is nearly $8 million in the defense appropriations bill Congress will attempt to finalize and send to the president after the November election.