Six Principles for the National Guard’s Cybersecurity Role Protecting the Grid
Without public fanfare, the National Guard has been building up its cyber capabilities.
Recent hacks of the Democratic National Committee and Hillary Clinton’s campaign headquarters underscore just how widespread and constant are the threats to this nation’s cybersecurity. The nation’s critical infrastructure, too, is being subjected to increasing cyberattack. Much of this infrastructure is privately owned and its security, therefore, is also largely the responsibility of the private sector. There is an additional slice of critical infrastructure, notably electric power generation, water and sewage, and transportation, that is the responsibility of state and local governments.
In the event of an attack that threatens the functioning of critical infrastructure, the first lines of defense are the operators of the plants, systems and networks and the state and local governments. For this reason, the National Guard, deployed in all the states and territories, is a logical player if a governor sees the need to respond to an attack on infrastructure in that state. The Guard has always played a role when natural or manmade disasters cause a disruption in local critical infrastructure. With its recent but growing investments in cyber capabilities, the Guard is well positioned to play a larger role in protecting critical infrastructure from cyber as well as physical attacks. This is particularly true of the electric power grid, for which Guard units in a growing number of states have begun building sophisticated cyberdefense capabilities.
Americans have become dependent upon an uninterrupted supply of electricity for day-to-day functions of business and society. Meanwhile, the grid’s own vulnerabilities are exacerbated by factors which include its increased reliance on digital commands across the internet, industrial and distributed control systems, and in many cases unclear responsibilities for preventing attacks.
Without public fanfare, the National Guard has been building up its cyber capabilities. Some 13 states now have cyber units within their Guard complement. Soon, every state will have such a capability. In addition to meeting defined requirements to support the active duty military under Title 10 (the portion of the Federal Code that defines the roles and responsibilities of the National Guard during times of Federal Service), individual Guard units have shaped unique capabilities and concepts of operations that reflect the specific conditions and needs of their particular state. When there is a crisis with critical infrastructure in a state, who would the governor call out but the National Guard? This is as true of cyberattacks as of natural disasters or a physical threat.
The National Guard seems uniquely well-positioned for vital aspects of this undertaking, including communication between government entities, authority to act and understanding the operations of utility companies where Guardsmen and women work in their day jobs. Guard cyber units in California, Maryland, Wisconsin and Washington, for example, have established collaborative relationships with local utilities. In some instances, the Guard unit and the utility have conducted joint exercises. It is also an approach well-suited to the organization and operation of the National Guard. As a result, its increasing profile in this vital space appears to be welcomed and supported by all players involved in the grid’s operation and regulation.
With the Guard assuming an ever-broader role, observing certain principles of engagement is important to ensuring its success. While these will likely need to evolve as the role itself does, Guard functions and responsibilities presently underway in different states would seem to make principles such as these important sooner rather than later:
Ensure governor-activated State Active Duty activities observe required limitations. As Brigadier General John Tuohy, Assistant Adjutant General of the Washington Air National Guard, describes, their cybersecurity assessment for a public utility company came at the direction of the governor and request of the utility. This allowed the engagement to occur in State Active Duty, utilizing state equipment, “hence no conflict of fiscal law or purpose violations.”
Establish Parameters to Title 10 Active-Duty Engagement. Ensure that activities carried out as part of training under Title 10 authorities of the U.S. Code legitimately serve the defined missions assigned to said Guard unit. In other words, federal dollars require performing training related to a federal mission.
Define roles and responsibilities clearly so that the Guard does not assume work that should be the responsibility of utilities or other grid operators. Protecting grid assets from cyberattack is a new and, in all likelihood, quite expensive mission for which it is not at all clear who will be responsible financially.
Observe appropriate protocols for handling information that protect privacy and proprietary knowledge. Comprehensive nondisclosure agreements and terms safeguard grid operators, including when Guard personnel deployed for this work hold day jobs in related industries, possibly for competitors. While consumer privacy activists have not yet voiced concern, information regarding business and household customers’ use of the grid can be particularly sensitive when shared improperly.
Promote Public-Private Partnerships. The strength of the Guard is that it is embedded in American culture and communities. The Guard is uniquely positioned to leverage relationships with local governments, private companies and other institutions in the area of cybersecurity. A prime example of this might be to enhance military veterans’ job placement by offering companies individuals with enhanced cyber training if they agree to also take a position with the Guard.
Define the Cyber Role in Statute. The Guard’s full-time duty in their state is presently defined in law for homeland defense activity under Title 32 of the U.S. Code. Including definitions for cybersecurity missions for critical infrastructure, most particularly the power grid, under Title 32, could prove useful or even necessary, particularly if federal funding to support this work is to be appropriated.
The United States is entering a new era in homeland security, one in which direct attacks by other nation states remain rare but so-called gray area activities by our enemies, including cyberattacks, become commonplace. Inevitably, the National Guard will be drawn into the cyberdefense of critical infrastructure whether from a hostile nation, terrorist group or so-called lone wolf. Defining a common set of principles that will guide the National Guard in each state and territory in developing its capabilities and executing its missions is an important step towards making this country safer from cyberattacks.
Don Soifer is Executive Vice President of the Lexington Institute, a nonpartisan think tank headquartered in Arlington, VA that he helped found in 1998.
Dr. Dan Goure is a Vice President of the Lexington Institute. He is involved in a wide range of issues as part of the institute’s national security program.