National Guard October 2015 : Page 20
Building A Cyber Force
DoD and the Guard are surging the development of expert teams to protect networks from attacks growing in size and frequency
In July, Pentagon security officials discovered that sophisticated hackers—most likely Russians, they said—had infiltrated an unclassified email system used by the Joint Chiefs of Staff.
Rattled cyber defenders shut down the system for two weeks and scrubbed it for malicious software.
Weeks earlier, the U.S. Office of Personnel Management in Washington, D.C., discovered that Chinese hackers had stolen 21.5 million personnel records, including security-clearance files, Social Security numbers and even fingerprints. Cyber experts assessing the damage said the victims may include several million military personnel.
In April, the White House and the State Department discovered that their email systems, too, had been hacked by foreign adversaries.
The barrage of cyberattacks is relentless and growing.
The Syrian Electronic Army claims to have hacked the U.S. Army’s main website and the Islamic State’s Cyber Caliphate boasts of breaking into social-media sites of U.S. Central Command. Although these attacks were more nuisance than substance, in July Attorney General Loretta Lynch said the possibility of a serious cyberattack by the Islamic State is “the thing that keeps me and many of my colleagues in law enforcement up at night.”
And in a cyber-mission analysis sent to Congress in 2014, Pentagon cyber experts noted, “In 2014, the Director of National Intelligence identified cyber threats first among the strategic threat to the United States, surpassing terrorism.”
Targets for cyberattackers extend well beyond U.S. military and government websites and networks to include banks, retailers, hospitals and critical infrastructure such as power grids and communications lines.
So far it has been mostly “low-to-moderate-level cyberattacks,” James Clapper, the director of national intelligence, told the Senate Armed Services Committee in February. There has been no “cyber Armageddon,” he said, and the chances of that “are remote.”
Other officials, however, are concerned about just such an event.
“While there has not been a major cyber catastrophe that has brought a city or a major service to a sudden halt, the threat of that is very real,” says Maj. Gen. Bill Reddel, the New Hampshire adjutant general. He heads the Adjutants General Association of the United States’ committee on cyber issues, geographic information systems and information technology.
Even without a cyber-enabled catastrophe, the ongoing torrent of cyberattacks “will impose cumulative costs on U.S. economic competitiveness and national security,” Clapper said.
That’s already happening, Reddel says. He cites estimates from the Center for Strategic and International Studies, which puts global losses due to the digital theft of intellectual property at $400 billion or more.
Clearly, the United States needs stronger cyber defenses. And increasingly, that’s being seen as a job for the U.S. military, including the National Guard.
When U.S. Cyber Command (CYBERCOM) was created in 2009, the military mapped out a relatively narrow role for itself in cyberspace: to defend military information networks and conduct military cyber operations. The rest of the government and the private sector were on their own for cyberdefense.
But as the attacks have increased, thinking about the military’s role in cyberspace has evolved. The newest U.S. cyber strategy, released by the Pentagon in April, broadens the military’s role in the cyber domain substantially, adding responsibility to “defend the U.S. homeland and U.S. national interests against cyber attacks of significant consequence.”
Instead of expecting the separate sectors—defense, domestic agencies and private industry—to each tackle cyberdefense for itself, strategists now call for a “whole-of-nation” approach that combines military capabilities with those of the other sectors.
“The U.S. government, the states and the private sector can’t defend their information systems on their own against the most powerful cyber forces,” Adm. Michael Rogers, the CYBERCOM commander, told the House Armed Services Committee in March.
“We have to be prepared to respond to cyberattacks with concerted actions across the whole of government” and “in cooperation with the private sector,” Rogers said.
In accordance with the new strategy, cyber attacks are now on the list of potential disasters in which the U.S. military could step in to help overwhelmed state and local governments.
The Defense Support of Civil Authorities manual, updated just last month, spells out scenarios in which the military could be called in to assist overwhelmed state and local governments, such as during natural disasters. It adds a chapter on cyberattacks.
“Cyberspace technical assistance may be provided in response to a request from a lead federal agency,” the manual reads.
To bolster military cyber capabilities, the Defense Department is creating a 133-team cyber force of 6,200 troops, primarily active-component personnel. And those teams are to be augmented by 2,000 Guardsmen and Reservists. The active-component force reached the halfway point early this year and expects to have all teams and troops in place in 2018.
Meanwhile, the Army Guard has created one full-time Title 10 (federal status) cyber protection team and is setting up 10 part-time, Title-32 (state status) CPTs. The Air Guard is preparing Title-32 cyber squadrons to staff two of the 133 teams and part of a third team. In all, the Air Guard will create or redesignate 15 cyber operations squadrons, Air Guard officials say.
The main job for the Army Guard’s part-time CPTs is to provide surge capacity for the Army Cyber Command. The full-time unit, the 1636th CPT, is located in Laurel, Md., a short drive from CYBERCOM headquarters and the National Security Agency at Fort Meade. Its job is to support the Army Cyber Command and Second Army, which oversees Army networks and cyberspace operations.
As all Guardsmen do, the Guard’s Title-32 cyber troops will have a dual mission. In addition to providing surge capabilities for active-component cyber units, they will be available to respond when the nation’s governors need cyber experts to carry out state missions.
The first three Army Guard CPTs are being assembled in California, Georgia and by a three-state partnership of Indiana, Michigan and Ohio. Those three teams should be operational in 2017. Four more will begin standing up in 2017 and three others in 2018.
In the Air Guard, California’s 261st Network Warfare Squadron has already been redesignated as the 261st Cyberspace Operations Squadron. It will be one of 10 Air Guard squadrons that will take turns manning two Air Force CPTs as part of the full-time Cyber Mission Force.
“We’re pretty well stood up,” says Lt. Col. Douglas Hire, the commander of the 261st. A second squadron in Washington state is also preparing for the mission, he says.
In Georgia, work on the Army Guard’s new CPT is already “fairly far along,” says Chief Warrant Officer 3 Samuel Blaney, the team’s commanding officer.
The team will have 39 members, including seven officers, 16 warrant officers and 16 enlisted personnel, all with advanced cyber training.
They’re demanding jobs. Preferred candidates are warrant officers who have six or more years’ experience in communications. They should have at least an associate’s degree and be working on a bachelor’s degree in computer science, and already have several cybersecurity certifications, Blaney says.
Once selected for the team, training “is very intense,” he says. Depending on how expert applicants already are, training may take a year and “is very technical.” After that comes periodic training to maintain certifications.
Rigorous as the CPT requirements are, Blaney says he’s not lacking for qualified applicants. “We didn’t really have to go looking very hard for very long,” he says.
Most of those joining his unit already have a bachelor’s degree and three to five cyber certifications, he says. And there’s “one soldier with two undergraduate degrees and a master’s,” Blaney says.
In addition to meeting the education requirements, many CPT members maintain up-to-the-minute cyber skills through their jobs with private-sector technology companies, he says.
In recent years, Georgia has become a hub for cyber jobs and cyber talent, Blaney says. That’s one of the reasons the state was selected by the National Guard Bureau to receive a CPT.
Top-tier cyber companies in Georgia include Dell SecureWorks, telecommunications giant AT&T, and cable behemoth Turner Broadcasting. Kaiser Permanente is building a new health IT campus in Atlanta, and Home Depot, which is headquartered in Atlanta, is expanding its cybersecurity operations following a massive credit-card data breach in 2014.
California boasts similar high-tech credentials. From Silicon Valley outside San Francisco to Silicon Beach in Los Angeles, the state is awash in technology companies, high-tech defense companies, tech-oriented universities and cyber-savvy employees.
For the third team—the Indiana, Michigan and Ohio group—“the amount of physical infrastructure and secure training areas the three states brought to the table helped us” win a CPT, says Capt. Jon Rupel, a cyber-operations officer for the Indiana Guard.
Both Indiana and Michigan have cyber ranges where soldiers practice detecting and defeating cyberattacks and learn how to harden networks to fend off future attacks. In addition, Indiana has a “fully accredited 10,000 square-foot Sensitive Compartmentalized Information Facility” for secure handling of classified information.
Michigan has been a leader in preparing state agencies and private companies to respond in the event of cyberattacks. In 2014, the state created the Michigan Cyber Civilian Corps, which is made up of cyber experts from state agencies, the state police, private companies and the Michigan National Guard. The cyber corps was created to respond to cyber emergencies.
In all, 45 states and territories submitted proposals to NGB—some singly, some in groups—to win one of the 10 cyber-protection teams. With defense budgets shrinking and force structure being cut, cyber is one of the few military missions that’s still expanding. And with anxiety over cybersecurity on the rise, states are anxious to bolster their defenses.
Cyber is “a natural fit” for the Guard, says Reddel, the New Hampshire adjutant general. The Guard “already has the brain power—IT specialists—in-house.” The CPTs offer “an opportunity for the National Guard to expand its mission and add critical force structure to support the governors and the nation.”
And “in a budget period where every dollar counts,” Guard CPTs will prove “very cost effective,” he says.
Of the three CPTs named so far, one is on the East Coast, one is on the West Coast and one is in the Midwest. For the remaining seven, “a big concern is where to put those units,” Gen. Frank J. Grass, the NGB chief, told a Senate appropriations subcommittee in April. “We don’t want them all piled in one region of the country.”
For now, the goal is to have one CPT in each of the 10 Federal Emergency Management Agency regions. In the longer term, Grass said he wants to have “a cyber capability in every state. That’s my commitment to the governors.”
Uncertain State Role
But precisely how much the CPTs actually may be able to do to protect state networks, state critical infrastructure and private companies remains unclear.
The units were designed “to defend DoD networks. That was the intent,” says Rupel of Indiana. But under the command of governors, “they have the ability to do other things.”
Officially, the CPTs’ job is to “coordinate, train, advise and assist” in cyber operations, says Col. Tim Thombleson, the Indiana National Guard’s Army chief of staff. How much that enables them to do in a state or national cyber emergency “is still being defined,” he says.
Consider “assist.” What can Guard cyber teams actually do to “assist” stricken nondefense networks? The Guard, the governors, the Department of Homeland Security and others are working to determine that, Thombleson says.
“I do not want to portray that we’re going to go out in the global cyber world and operate there,” he says.
“It may take some time to figure out the exact role in accordance with current authorities,” Reddel agrees. For example, when it comes to critical infrastructure that the military depends on, how aggressive can the military, including the National Guard, go in response to a cyberattack? What about for critical infrastructure the military doesn’t depend upon, but civilians do?
“These are difficult questions that are currently being discussed within the DoD,” Reddel says. “In the meantime, individual states are developing cyber-incident response plans” for responding to cyberattacks against their critical infrastructure, and in some cases those plans involve specific Guard units, he says.
The role of Guard cyber units is a lot clearer when they are under federal control. In that case, what Guard CPTs do “is no different than what active-duty CPTs do,” says Blaney of Georgia. The teams analyze compromised networks, find and fix vulnerabilities, then pursue the attackers to discover “how far and how deep the adversary has gotten into the network,” Blaney says. They follow a “protect and pursue” strategy, he says.
Another role for the CPTs will be attack prevention. Before a commander launches an operation, he will call in a team to analyze and harden his critical networks so they can’t be successfully attacked, Blaney says.
Air Guard cyber-operations squadrons will do pretty much the same, says Hire, the California commander. “We scan networks, map key terrain, look for adversaries, harden the network and pull large amounts of information and analyze it.”
And the networks don’t have to be military networks, he says. “If the governor calls, we will do what he asks. That’s not a change for the Guard. We do wildfires and floods. Cyber fits right in.”
In the past, many private companies were skittish about giving government personnel access to their computer networks. For some, there is valuable proprietary information they don’t want to reveal. For others, it’s personal information of their customers that could lead to legal liability if it’s disclosed.
Here, too, Guard officials say the Guard can help.
“You need good relationships with your industry partners” and the Guard has that, Hire says. In some cases, members of Guard cyber units may work for the very companies that are targeted by cyber attackers, so they’re already trusted insiders.
The Guard Bureau has been delivering that message, too. “Our knowledge of local critical infrastructure vulnerable to cyber attack, combined with longstanding relationships with those owners and operators, enables us to respond quickly,” NGB says in its 2015 Posture Statement.
Pentagon officials seem to have taken notice. The new cyber strategy pledges to “draw on the National Guard and reserve components as a resource for expertise and to foster creative solutions to cybersecurity problems. The reserve component offers a unique capability for supporting each of DoD’s missions, including for engaging the defense industrial base and the commercial sector.”
WILLIAM MATTHEWS is a Springfield, Va.-based freelance writer specializing in military matters. He can be contacted at email@example.com.
The NGAUS Take
It wasn’t long ago that the National Guard was largely left out of cybersecurity planning in the Pentagon.
So NGAUS and Guard leaders took information on the Guard’s civilian-acquired cyber skills to Congress. Lawmakers responded with the Cyber Warrior Act of 2013, which would have created a Guard cyber-response team in each state, territory and the District of Columbia.
Though the measure didn’t pass, it drew attention to state capabilities and forced the Pentagon to include the Guard in the discussion.
Since then, the Guard’s cyber potential has been substantiated by reports from think tanks and congressionally created commissions. They all suggest the Pentagon give the Guard a significant role in cybersecurity.
And the Defense Department’s new cyber strategy pledges to “draw on the National Guard and reserve components as a resource for expertise and to foster creative solutions to cybersecurity problems.”
NGAUS continues to push awareness of Guard and other state cyber capabilities. The association is working with Rep. Steve Palazzo, R-Miss., and Rep. Tim Walz, D-Minn., co-chairmen of the House National Guard and Reserve Components Caucus, on the first State Cyber Day on Capitol Hill.
Representatives from 14 states are scheduled to share advances in cybersecurity coordination and partnership-building at the state level, many of them involving the Guard, during the event at the Rayburn House Office Building on Oct. 22.
Meanwhile, NGAUS continues to support the establishment of a Guard cyber-response team in every state and the District of Columbia.
Read the full article at http://nationalguardmagazine.com/article/Building+A+Cyber+Force/2295172/276433/article.html.