The recent Russian “SolarWinds” cyberattacks on supply chains and the Chinese “Hafnium” cyberattacks on Microsoft servers underscore the high degree of vulnerability that inadequately protected information technology can generate. Establishing a resilient capability to deal with these and other types of cyberattacks, such as ransomware that freezes a user’s operations while holding its data at risk, will require a substantially increased number of talented cybersecurity operators. A focused effort that increases the cybersecurity capabilities of the National Guard would significantly improve the nation’s ability to deal with such cyberattacks.
Among the most important national sectors, yet the least effectively protected against cyber intrusions, are state, city and local governments — which the National Guard is statutorily positioned to protect. Similarly, in the context of natural disasters such as hurricanes or tornados, the National Guard regularly works with critical infrastructures such as the electric grid or water supplies and is equally well-positioned to support those infrastructures prior to or in response to a cyber incident. Moreover, in the event of a high-end cyber conflict, expanded National Guard cyber capabilities could support Department of Defense cyber missions.
In substance, enhancing the National Guard’s cyber capabilities should be a key part of a national cyber strategy to deal with future cyberattacks within the United States.
The National Guard generally works under the authorities of the governor of the state but can be federalized by the president when required. In the cyber arena, according to the National Guard Bureau, “There are more than 3,900 Army and Air National Guard personnel serving in 59 DOD cyber units in 40 states.” The Guard’s cyber missions are wide-ranging: at the federal level directly supporting U.S. Cyber Command, and at the state level:
“27 states used Guard members in a non-federal status to support state and local agencies in 2019. This support included response and remediation of cyber incidents; cyber defense analysis; cyber incident response planning; election security planning, threat assessment, and interagency planning. . . National Guard cyber teams responded to ransomware attacks in Texas, Louisiana, California, Colorado and Montana in 2019”
Congress has recognized the contributions that the National Guard brings to cybersecurity and has directed the Defense Department to evaluate expanding Guard cyber missions. Section 1725 of the FY21 National Defense Authorization Act provides for analysis of multi-state Guard activities, and specifically for a “pilot program” authorizing National Guard units in one state to support the cyber efforts of another state’s Guard units. Similarly, section 1729 of the NDAA requires a briefing to Congress by the Secretary of Defense and the Secretary of Homeland Security as to how the National Guard will work with DOD and DHS on significant cyber incidents. Combined, sections 1725 and 1729 underscore the opportunity for recommending an expanded National Guard cybersecurity role for the nation. Five steps should be taken:
First, the number of National Guard personnel directed toward the cyber mission should be significantly increased. Congress has asked DOD to do an assessment of National Guard cyber capabilities, but a reasonable initial step would be to increase Guard end strength in order to increase the number of cyber personnel to approximately double the current levels. That would allow the Guard to do many more assessments and other interactions with key critical infrastructure providers “left of boom” (i.e., before an incident), which would help increase the resilience of entities like the electric grid or water treatment plants that have become increasingly at risk. Similarly, an increase in Guard cyber personnel could be particularly helpful for states to establish effective resilience programs in support of local governments, which face continuing ransomware and other attacks and yet, for the most part, do not have the resources to establish effective cybersecurity for themselves.
Second, it will be important to determine how best to recruit highly capable people into the Guard’s cyber units. This might require different “nontraditional” arrangements, including perhaps monetary incentives or flexible working arrangements. As a starting point, however, federal and state government leaders could work together to approach chief executives of cybersecurity, cloud and telecommunications companies about recruitment of Guard personnel into the National Guard. Such an effort would help leverage the best of America’s private-sector talent to support federal and state cyber protection missions.
Third, the Guard’s capabilities need to be included in established response planning and procedures, which need to be regularly exercised. This is particularly true for the Guard’s support to states and localities. The Army Cyber Institute, as a result of a series of exercises that it undertook with state and local governments, has now developed digital tools and processes that state military departments can use to help communities assess and improve their cyber posture. The National Guard could become the maintainer and sustainer of this tool set as part of its expanded cybersecurity mission, ensuring that the capabilities are widely available for homeland defense. As a recent New York Cyber Task Force analysis found:
“[C]ities may not know how to properly use National Guard units deployed to help them in a crisis, due to a lack of knowledge of National Guard capabilities and organizational structure. For the capabilities and expertise of potential response forces, like the National Guard, to be deployed to the greatest advantage in a cyber crisis, these capabilities and integration process must be understood, mapped, and practiced well in advance.”
Fourth, as section 1725 of the FY21 NDAA suggests, it will be important to build regional capabilities between and among Guard units. High-end cyber defense capabilities fall into a category that the Defense Department characterizes as “high demand, low density,” which is to say a lot may be needed but not so many providers are available. Generating regional capabilities will help ensure that a critical mass of highly capable cybersecurity professionals will have had the opportunity to train and exercise together prior to a contingency in which their talents are needed. Moreover, like the Washington National Guard which has deep expertise in industrial control system security, certain Guard units — because of the nature of businesses in their state — may have particular expertise that could then be more broadly provided. As part of this effort and to meet the needs across state lines, federal and state government leadership should work to develop cross-state agreements for regional support.
Fifth, several National Guard units currently engage on an ongoing basis on cybersecurity with a number of United States allies as part of the Guard’s State Partnership Program. Lessons learned and information generated from such activities can usefully be applied to the Guard’s role in defending back in the United States and can be shared from one Guard unit to another.
In sum, an enhanced National Guard cybersecurity role is both achievable and critical to national security. Congress should undertake to approve and enable such activities in the upcoming National Defense Authorization Act.
Franklin D. Kramer is a distinguished fellow and on the board of the Atlantic Council and a former assistant secretary of defense. Robert J. Butler is the co-founder and managing director of Cyber Strategies LLC, and served as the first Deputy Assistant Secretary of Defense for Space and Cyber Policy. They are co-authors of “Cybersecurity: Changing the Model.”