Homeland Security and Public Safety

Cybersecurity Gets a Boost from the National Guard

The National Guard has a critical role to play in coordinating cyber-resources across federal, state and local governments.

Brig. Gen. Michael Stone, of the Michigan National Guard, wants to create a multistate network of cyber-research facilities. Photo by Jim Carlson

A $46 billion annual business of protecting infrastructure from cyberattacks largely revolves around the federal government. But within the past year, efforts have ramped up to bring federal-level cybertools and resources to state and local governments — and the National Guard may be the vehicle for driving that collaboration.

The feds have been trying to go at cybersecurity alone for years, but they’re finally coming around and including states and localities, said Heather Hogsett, director of the National Governors Association’s (NGA) homeland security and public safety committee. Last year, the NGA backed a bill called the Cyber Warrior Act of 2013, which would have directed the Department of Defense to establish “Cyber and Computer Network Incident Response” teams composed of National Guard members in each state.

Although the measure failed to pass last year, it drew attention to the issue. And state-level efforts — like the National Guard’s cyberteam in Washington state — continue to expand the Guard’s cyberprotection role.

Congress is hearing from lower governments on the cyberissue. Last September, Michigan Gov. Rick Snyder briefed Congress on the NGA’s cybersecurity efforts, emphasizing the importance of state government’s growing role. During the event, Snyder released a paper called Act and Adjust: A Call to Action for Governors for Cybersecurity, a-six page document outlining recommendations for states that want to improve their cybersecurity. Snyder also released a piece of software, now being tested in Michigan and Maryland, that allows governors to see an overview of their state’s cybersecurity environment.

“Governors are very focused on cybersecurity, and we at NGA are trying to provide them with any tools and resources available to help them better protect critical fiber infrastructure and assets that reside in their state,” Hogsett said. Bringing the nation’s governors into the world of cybersecurity would be mutually beneficial for states and the federal government, and it makes sense for the guard to fill that role, she said.

“The National Guard is unique in the fact that it can serve both the governors and the president. It’s the only military service that can do that,” she said. “Both the federal government and states have pretty widely put out there that there’s a shortage of trained, qualified personnel to help perform cybersecurity functions.” And the National Guard is in a perfect position to recruit skilled private-sector professionals to assist the government with cybersecurity. Concerned IT professionals wouldn’t need to join the guard, Hogsett said — they could just help during their free time because the National Guard has the ability to do that.

The National Guard is trusted, well known and cost-efficient, she added. “For the cost of a single active-duty soldier, you can essentially provide two to three National Guard members,” she said. “It’s a really solid resource that we believe can and should be better leveraged.”

The timeline on this isn’t five or 10 years, she said — this is more likely something that could happen in the next 12 to 18 months.

Photo: Stone, top right, works with members of the National Guard’s 110th Communications Flight, 110th Airlift Wing in Battle Creek, Mich. Photo by Jim Carlson

South Carolina learned its cybersecurity lesson the hard way in 2012. The state’s Department of Revenue was the target of an attack that exposed millions of Social Security numbers, thousands of credit card numbers, along with lots of other personal information. The months-long ordeal cost South Carolina at least $14 million and damaged the government’s reputation with citizens, making the state just one victim in a string of large attacks to hit the public sector over the past few years.

At the very least, states need to have a cybersecurity emergency preparedness plan, recently retired South Carolina CIO Jimmy Earley said. “You do not want to go through the process of thinking through what needs to happen and who needs to do what, while you’re reacting to it,” he said. “You need to have that plan and that process nailed down before you actually have to react to something like this.”

South Carolina contracted with Deloitte to help resolve its security issues last March, Earley said. They’ve assessed three agencies, will assess 15 more agencies and are establishing a security framework and governance model for the whole organization.

“As a state, we have a very decentralized model for using IT,” Earley said. “We have 70-plus agencies in the state, and most agencies procure, manage and implement IT independent of each other and really outside of any central framework or structure. Each agency is doing the best they can, making decisions about security controls that need to be in place, and how to best manage security for their agency. That environment is ripe for problems. What we really felt we needed was a simpler approach to manage security in the state.”

Working together and sharing information is one of the best things organizations can do in the face of cyberthreats, Earley said.

South Carolina isn’t unique, said Doug Robinson, executive director of NASCIO. “From the CIO perspective, there is a definite gap in terms of a documented response and recovery plan,” he said, and many organizations are still figuring out what their roles are supposed to be in the world of cybersecurity. Clearly defined roles is one of the things the NGA is trying to establish as governments at all levels determine what their jobs are in the national effort to protect computer networks.

Roles in cybersecurity are changing and many of the changes are for the better, Robinson said. State CIOs have in recent years been allowed security clearance in order to access more information held by federal agencies like the Department of Homeland Security (DHS), but the National Guard could help further bridge the gap between local and federal government, giving states and localities more autonomy and knocking down some of the institutional barriers.

Photo: Stone: "Eighty-five percent of all people operating networks for critical infrastructure are civilians.” Photo by Jim Carlson

In states like Washington, the guard has a head start on demonstrating its ability to coordinate cybersecurity activities and response. The National Guard adjutant general, a position currently held by Bret Daugherty, also serves as state homeland security adviser and director of emergency management, three roles that allow one individual to bridge jurisdictions and simplify command of federal resources and the Washington State Fusion Center, while leading the state’s cybersecurity team, said Kelly Hughes, director of plans and programs at the Washington Air National Guard.

“If a utility gets hacked really badly, they reach out to the Department of Homeland Security, they can get teams or support to help them mitigate it and figure out what happened,” Hughes said. “Before, they would just go direct to those agencies by themselves. Now, they go through the state military department, so we coordinate those efforts.”

Colin Wood Colin Wood  |  former staff writer

Colin Wood wrote for Government Technology and Emergency Management from 2010 through most of 2016.