A $46 billion annual business of protecting infrastructure from cyberattacks largely revolves around the federal government. But within the past year, efforts have ramped up to bring federal-level cybertools and resources to state and local governments — and the National Guard may be the vehicle for driving that collaboration.
The feds have been trying to go at cybersecurity alone for years, but they’re finally coming around and including states and localities, said Heather Hogsett, director of the National Governors Association’s (NGA) homeland security and public safety committee. Last year, the NGA backed a bill called the Cyber Warrior Act of 2013, which would have directed the Department of Defense to establish “Cyber and Computer Network Incident Response” teams composed of National Guard members in each state.
Although the measure failed to pass last year, it drew attention to the issue. And state-level efforts — like the National Guard’s cyberteam in Washington state — continue to expand the Guard’s cyberprotection role.
Congress is hearing from lower governments on the cyberissue. Last September, Michigan Gov. Rick Snyder briefed Congress on the NGA’s cybersecurity efforts, emphasizing the importance of state government’s growing role. During the event, Snyder released a paper called Act and Adjust: A Call to Action for Governors for Cybersecurity, a six-page document outlining recommendations for states that want to improve their cybersecurity. Snyder also released a piece of software, now being tested in Michigan and Maryland, that allows governors to see an overview of their state’s cybersecurity environment.
“Governors are very focused on cybersecurity, and we at NGA are trying to provide them with any tools and resources available to help them better protect critical fiber infrastructure and assets that reside in their state,” Hogsett said. Bringing the nation’s governors into the world of cybersecurity would be mutually beneficial for states and the federal government, and it makes sense for the guard to fill that role, she said.
“The National Guard is unique in the fact that it can serve both the governors and the president. It’s the only military service that can do that,” she said. “Both the federal government and states have pretty widely put out there that there’s a shortage of trained, qualified personnel to help perform cybersecurity functions.” And the National Guard is in a perfect position to recruit skilled private-sector professionals to assist the government with cybersecurity. Concerned IT professionals wouldn’t need to join the guard, Hogsett said — they could just help during their free time because the National Guard has the ability to do that.
The National Guard is trusted, well known and cost-efficient, she added. “For the cost of a single active-duty soldier, you can essentially provide two to three National Guard members,” she said. “It’s a really solid resource that we believe can and should be better leveraged.”
The timeline on this isn’t five or 10 years, she said — this is more likely something that could happen in the next 12 to 18 months.
South Carolina learned its cybersecurity lesson the hard way in 2012. The state’s Department of Revenue was the target of an attack that exposed millions of Social Security numbers and thousands of credit card numbers, along with lots of other personal information. The months-long ordeal cost South Carolina at least $14 million and damaged the government’s reputation with citizens, making the state just one victim in a string of large attacks to hit the public sector over the past few years.
At the very least, states need to have a cybersecurity emergency preparedness plan, recently retired South Carolina CIO Jimmy Earley said. “You do not want to go through the process of thinking through what needs to happen and who needs to do what, while you’re reacting to it,” he said. “You need to have that plan and that process nailed down before you actually have to react to something like this.”
South Carolina contracted with Deloitte to help resolve its security issues last March, Earley said. They’ve assessed three agencies, will assess 15 more agencies and are establishing a security framework and governance model for the whole organization.
“As a state, we have a very decentralized model for using IT,” Earley said. “We have 70-plus agencies in the state, and most agencies procure, manage and implement IT independent of each other and really outside of any central framework or structure. Each agency is doing the best they can, making decisions about security controls that need to be in place, and how to best manage security for their agency. That environment is ripe for problems. What we really felt we needed was a simpler approach to manage security in the state.”
Working together and sharing information is one of the best things organizations can do in the face of cyberthreats, Earley said.
South Carolina isn’t unique, said Doug Robinson, executive director of NASCIO. “From the CIO perspective, there is a definite gap in terms of a documented response and recovery plan,” he said, and many organizations are still figuring out what their roles are supposed to be in the world of cybersecurity. Clearly defined roles are among the things the NGA is trying to establish as governments at all levels determine what their jobs are in the national effort to protect computer networks.
Roles in cybersecurity are changing and many of the changes are for the better, Robinson said. State CIOs have in recent years been allowed security clearance in order to access more information held by federal agencies like the Department of Homeland Security (DHS), but the National Guard could help further bridge the gap between local and federal government, giving states and localities more autonomy and knocking down some of the institutional barriers.
In states like Washington, the guard has a head start on demonstrating its ability to coordinate cybersecurity activities and response. The National Guard adjutant general, a position currently held by Bret Daugherty, also serves as state homeland security adviser and director of emergency management, three roles that allow one individual to bridge jurisdictions and simplify command of federal resources and the Washington State Fusion Center, while leading the state’s cybersecurity team, said Kelly Hughes, director of plans and programs at the Washington Air National Guard.
“If a utility gets hacked really badly, they reach out to the Department of Homeland Security, they can get teams or support to help them mitigate it and figure out what happened,” Hughes said. “Before, they would just go direct to those agencies by themselves. Now, they go through the state military department, so we coordinate those efforts.”
Coordinating the state’s efforts through a central authority has the advantage of increased awareness and shared resources, Hughes said. It also gives them the opportunity to work with the FBI and the state fusion center so they can reach out to other organizations that may have been affected by an attack but didn’t know it.
For the last few years, the Washington National Guard has been running cyberexercises with technical help from the DHS, Hughes said, but last fall the state was scheduled to test its cyberincident response plan without input from the federal agency. “We’re going to test that plan with a group of policy folks from state, local and hopefully some local private industry as well to say, ‘If we did have [an incident], how would we respond? Bring your Rolodex. How many smart guys can we call off our own phones before we have to ask somebody else to come in and help us?’”
The National Guard is a great partner, said Washington state CIO Michael Cockrill. “Security is my No. 1 focus overall,” he said. “Generally when someone asks me what my top three foci are, I say security, security and security. And then we talk about No. 4 and 5. ... The security landscape on a global basis is changing so fast that it takes a constant effort to keep up with it, and it has to be the highest priority of the state to keep citizens’ data safe.”
Using the National Guard for testing cybersecurity is great not just because it has access to federal resources and offers a more centralized command structure, Cockrill said, but also because it is a cost savings to the state. Using an outside organization for such testing would be costly and less secure. “We can keep it all in-house, and it’s going to be much more streamlined in doing this super-critical penetration testing.”
In Michigan, the National Guard applied for funding to begin an interstate network of cyber-range facilities that would allow for public and private industry to participate in joint exercises without needing security clearance. Existing federal projects, like the Defense Advanced Research Projects Agency’s (DARPA) $110 million National Cyber Range, are helpful, said Brig. Gen. Michael Stone of the Michigan National Guard, but only to those with top security clearance. An interstate network of cyber-range facilities would provide valuable research and analysis of cybervulnerabilities for state and local operators of critical infrastructure.
“There are folks who work at the federal level, policy makers, who believe the domain of cyber falls entirely on the federal government,” Stone said. “The problem is that requires perfect resources and perfect execution by the federal government. And how perfect is federal government execution all the time?”
It doesn’t make sense to put federal agencies in charge of critical infrastructure such as power grids and dams, Stone said, because that’s not who’s operating them. “Eighty percent of all critical infrastructure is privately owned,” he said. “And 85 percent of all people operating networks for critical infrastructure are civilians, nonfederal government.”
Not everyone favors more local control, though. Gartner Analyst Lawrence Pingree said the fed-centric model has some strengths. “I am unconvinced that the state and muni level is the right approach since the amount of spend should be more centralized and administered in a similar fashion to support efficient deployment of capital,” he said. “Also, one major problem government has is that it is often unwilling to pay the appropriate salary levels that security practitioners can demand in the private sector, significantly limiting their ability to execute or retain talent once it is developed.”
But Stone contends that a network of state cyber-ranges would be both valuable and economical. He said the cost for establishing each facility in the network is in the hundreds of thousands of dollars, as opposed to the millions spent by the federal government. “The dollar figure to stand up hubs is really the cost of running fiber optic to the buildings we want, which is about $50,000 a mile,” he said. “Once you’re there, it’s really the human capital cost.”
The Michigan National Guard partnered on the initiative with a handful of other organizations, including the California National Guard; California Polytechnic State University, San Luis Obispo (Cal Poly); and Michigan’s Merit Network, a high-performance network linking universities, K-12 schools, government agencies and nonprofits in the state. Electricore, a nonprofit group of public and private organizations established by DARPA to develop advanced technology, applied for a U.S. Department of Energy grant on behalf of the team’s members.
Michigan opened a public-private cyber-range in 2012. Other participants will include Cal Poly and major universities in Michigan. Some of the first hubs will be military bases and academies in Michigan. Stone said he is also in talks with the National Guard Bureau in Little Rock, Ark., and organizations in Kansas. The idea, he said, is to cast a wide net while also creating a culture of cybersecurity awareness. “We’re going to need special guardsmen with civilian skill sets. We’re going to need recent college graduates; we’re going to need an abundance of IT experts to really be able to surge, to overcome those problems.”
Michigan CIO David Behen views the cyber-range initiative as a way to strengthen his state’s cyber-readiness and spur economic development.
“I believe that the Michigan cyber-range, through a public-private partnership, is the exact model we need to build a cybersecurity industry here in Michigan,” he said. “That’s what we’re really excited about. How can we draw entrepreneurs? How can we use cybersecurity in a positive way around economic development?”