Tens of thousands of National Guardsmen support overseas operations on any given day. Thousands more are on the border. Others are on alert to defend U.S. airspace.
And, increasingly, more Guardsmen are getting the call to respond to a relatively new threat to the nation — a cyberattack that can cripple a computer network and cost millions of dollars.
These attacks can originate from nearly every corner of the globe, but often have ties to individuals in Iran, North Korea or Russia. Their targets aren’t military bases or networks, but instead are local government agencies, utilities and hospitals.
And their latest weapon of choice is malicious software known as ransomware, which is designed to block access to computer systems until money is paid in cryptocurrency.
In Colorado last year, ransomware placed in the network of the state’s Department of Transportation (CDOT) required weeks of work from a team that included state, federal and private sector officials. Those efforts ultimately cost the state more than $1.5 million.
That attack underscored the vulnerabilities of government agencies and other entities that have become ransomware targets, according to Lt. Col. Brad Rhodes, the commander of the Colorado Army Guard’s Cyber Protection Team 174. But the response highlighted best practices for fending off such an attack and another way the Guard can assist state and local authorities in need, he says.
Guardsmen, Rhodes says, are uniquely suited to bridge the divide between government and civilian entities. And state agencies around the country agree, leaning on the growing cyber force more and more not only to respond to cyberattacks, but also to help thwart them in the future.
“We’re built to be the [cyber] first responders,” he says. “We’re trained to move out, draw fire and help them solve their problems.”
The Guard has some cyber-protection capability in every state, territory and the District of Columbia through a collection of units that include Cyber Protection Teams, Cyberspace Operations Squadrons and Defensive Cyber Operations Elements.
Many are part of the Defense Department’s cyber force of 133 teams, which have a primary mission of protecting military networks. Guard teams are able to assist state and local authorities when not on federal orders.
But the force, which will soon include more than 3,800 Guard soldiers and airmen, is grossly outnumbered by the growing number of bad actors worldwide that can potentially wreak havoc on critical networks.
Brig. Gen. Jeffrey Burkett, the vice director of domestic operations for the National Guard Bureau, says the Guard’s cyber force will continue to grow and evolve in response to the threat.
“There is nothing that cannot be hacked."
—Brig. Gen. Jeffrey Burkett, the vice director of domestic operations at the National Guard Bureau
“There is nothing that cannot be hacked,” he says. “We are dependent upon our cyber infrastructure for critical systems to support our way of life. As long as we are dependent upon those systems, we are going to have to defend them.
”One driver of the evolution of the Guard cyber force is the annual two-week Cyber Shield Exercise at Camp Atterbury, Indiana. This year’s exercise, in April, gathered 800 Army and Air Guard network defenders from 40 states, world-class cybersecurity professionals, and representatives from federal and state agencies.
“The purpose is to develop and train internal defensive measures, incident response, coordinate train and assist activities,” Burkett says. “It’s a collective training event for us. It enhances our warfighting skills and that’s very important to us.”
No two Cyber Shields are alike, officials say. They liken the action to what ground troops experience at the National Training Center in the California desert. A skilled opposing force uses the latest techniques to exploit any vulnerabilities in networks defended by a blue team. Little is scripted.
The involvement of industry is key, says Brig. Gen. Richard Neely, the Illinois adjutant general, whose previous assignment was as deputy director of the Air Guard for cyber and space operations.
"Our critical infrastructure, our networks are primarily private,” Neely says. “When bad guys go after things ... it’s probably going to be outside the [Defense Department network].”
RHODES SAYS the relationships built in exercises were critical to the success in fending off the CDOT ransomware attack in February 2018.
Officials with CDOT had been working around the clock for days before then-Gov. John Hickenlooper began treating the situation like he would if it was a natural disaster, declaring a state emergency and calling in the Guard.
“We had literally done this training with the people who were in the room with us,” Rhodes says. “When we walked in the door, we knew everybody. We had built those relationships and there was a comfort level with us coming in to help.”
The CDOT attack began when a hacker discovered a remote desktop tied to the network and used a so-called brute-force attack to access an administrator account by using some 40,000 machine-generated password guesses. Once inside, the attacker installed and activated a strain of malware known as “SamSam,” which has also been used against municipalities in Georgia, New Mexico and North Carolina.
The ransomware quickly overtook CDOT computers. Officials were able to disconnect the network from other state systems before it could spread, but significant damage was already done. The ransomware infected roughly half of CDOT’s computing environment, around 400 servers, all databases and applications and around 1,300 workstations.
While it did not affect the state’s traffic operations, the incident knocked the agency’s internal business systems offline, forcing officials to find workarounds to pay vendors and employees.
Rhodes and his team provided the state with relief and helped them to organize for the prolonged fight. They split the effort into teams and began to focus on rebuilding and redrawing the network diagram, containing the ransomware and wiping it clear from the network.
Through the effort, the Guardsmen provided technical expertise and built bridges between all government workers and vendors in the fight.
“We weren’t in charge, but we were helping guide them,” Rhodes explains. “We helped them to put together a battle rhythm.”
The malware moved so fast that it far outstripped the state’s plan for such an attack, he says. At one point, Rhodes and others watched as the ransomware tried to take hold a second time, after officials thought their systems were clean.
“We watched it detonate on us and delete everything,” Rhodes says. “I saw stuff that just made my skin crawl.”
He says most ransomware attacks are crimes of opportunity. “Threat actors are either lazy or efficient,” he says. “Give them a door and all they have to do is pick the lock.”
Rhodes says the people behind the attack are still unknown. But the SamSam malware itself has been traced to two Iranian men.
“We're built to be the [cyber] first responders."
—Lt. Col. Brad Rhodes, commander, Cyber Protection Team 174, Colorado Army National Guard
Those men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were indicted in federal court late last year and accused of hacking into American hospitals, universities and government agencies while causing millions of dollars in damage.
According to the indictment, SamSam has claimed more than 200 victims, exceeded $30 million in damages and helped collect more than $6 million in ransom.
There have been more than 170 reported ransomware attacks affecting state and local governments since 2013, according to Recorded Future, a threat intelligence company. In 2017, Recorded Future tallied 38 such attacks. In 2018, that number jumped to 53. And in the first four months of 2019, at least 21 additional attacks had been reported.
ONE OF THE MOST high-profile attacks came last year, when a major attack on Atlanta using SamSam crippled networks connected to the municipal court system, Hartfield-Jackson Atlanta International Airport and the city’s planning and human resources departments.
The largest attack this year has been on Baltimore, which has been unable to issue water bills since attackers breached city servers in early May, demanding the equivalent of about $100,000.
Not every government fights the attackers. An unknown number of officials have simply paid the ransom, which critics believe encourages future attacks.
“This is a new norm,” Rhodes says. “It’s affecting more and more people. Until we figure out a way to stop the ransomware in its tracks or we keep people from paying it — as long as it continues to be profitable, we’ll see it out there.”
In the aftermath of the CDOT attack, Rhodes says the Colorado Guard is heavily involved in preparing the state to prevent and defend against future attacks. “We’re providing an outside look at critical networks, making sure we’re all doing the right thing,” he says.
Colorado was also one of 27 states that called on their Guard cyber forces to help secure vulnerable election networks and databases before last year’s midterms elections.
Many of the Colorado Guardsmen bring expertise from their civilian jobs in cybersecurity companies. Guard leaders say the ability to bring civilian-acquired skills into the cyber force enables the Guard to make unique contributions, both at the federal and state level.
“These strengths, combined with existing close relationships and partnerships at the local, state and federal levels, are incredibly powerful when it comes to securing and defending our critical networks and cyber infrastructure,” Burkett says.
But delays in the cyber training pipeline have meant the majority of the Guard’s cyber force comes from an existing cyber background. At the same time, the Guard is casting a wide net in its search for future cyber warriors to keep up with demand.
Officials in Maryland and West Virginia have had success building new cyber forces from airmen who previously served as aircraft mechanics.
“That person over in maintenance who has been turning wrenches on a jet for the past 15 years, has the capacity and innate ability to understand networks and get a better idea,” says Col. Jori Robinson, the vice commander of the Maryland Air Guard’s 175th Wing.” And they are turning out to make some of the most prolific and fantastic operators we have.”
Her unit’s cyber personnel mobilize frequently to help protect .mil networks. They have also performed network vulnerability assessments for state agencies, such as the Maryland State Police.
Burkett says the Guard expects to be fully mission capable across all of its cyber units and skill sets by 2022.
“We are building out all of our units, all of the training,” he says. “We see the future as bright for the National Guard ... and we definitely embrace the talent that’s out there to join our ranks and be part of a very cutting-edge mission that is absolutely necessary for the survival of our country.”
The Defense Department continues to underutilize the National Guard’s vast pool of civilian-acquired cyber skills and its capability to retain in the military those active-component cyber warriors who leave full-time service. A good step would be for Congress to establish Guard Cyber Security Incident Response Teams in each state, territory and the District of Columbia to troubleshoot critical network infrastructure and respond to emergencies. The teams would operate in the cyber realm similar to the way the Guard Civil Support Teams help prevent and respond to attacks involving weapons of mass destruction. Meanwhile, lawmakers need to ensure the Army and Air Force fully fund the required training for members of Guard cyber units. Responding to a NGAUS request, Congress added $1.8 million to the president’s fiscal 2019 budget request for Army National Guard Cyber Protection Teams. In addition, the Defense Cyber Operations Element in every state, territory and the District of Columbia Joint Force Headquarters need more full-time staff authorizations to better defend internal networks.