Story by Sgt. 1st Class Jon Soucy, National Guard Bureau
ARLINGTON, Va. - National Guard members continue to be an integral element in cyber defense, the Guard's top general said during a recent roundtable discussion at the Pentagon on the cyber mission set.
"When I first joined the National Guard cyber was not part of our vocabulary," said Air Force Gen. Joseph Lengyel, chief of the National Guard Bureau. "Now, it's one of our daily battlegrounds."
More than 3,900 troops make up the Guard's cyber element, said Lengyel, adding that includes traditional part-time units as well as full-time units that work directly for U.S. Cyber Command.
"The Air National Guard always provides two [cyber protection teams], and on the Army side, the Army [National Guard] always provides one, that are continuously mobilized and doing duty for U.S. Cyber Command and the cyber mission force," said Lengyel.
Guard cyber teams have also responded in support of local and state authorities, including earlier this year in Texas and Louisiana.
"In May, one county -- Jackson County -- got hit with ransomware," said Army Maj. Gen. Tracy Norris, the adjutant general of the Texas National Guard. "It disrupted county services. People weren't able to transfer property, the police doing a background check weren't able to pull up that information."
County officials realized that a response to the attack was beyond the scope of their information technology staff and looked to the Guard for assistance, said Norris.
"We had people out there within 12 hours to do an assessment on what had happened and to get that county back online," said Norris. "We helped them get to a recovery point where their IT professionals could come in and get the county back to where it could deliver services."
That, it turned out, was just a dress rehearsal. A month later 22 Texas counties were hit with ransomware attacks, and again the Texas Guard was called out.
"Immediately the [Texas] Department of Emergency Management called over to us and we got people on the phone to assess and figure out where to go to start [responding to the attack]," said Norris.
From there, a team of 50 or so Soldiers and Airmen responded to get the networks back online, said Norris, adding it took about two weeks to get everything back to normal.
Jackson County, the county hit in the May attack, was also one of the 22 counties hit in June, but the attackers were quickly stopped.
"They did not get past [the network] firewall," said Norris, adding that was in large part because of measures Guard members had put in place after the earlier attack.
Similar attacks occurred in Louisiana in July. Those attacks affected five parishes -- the Louisiana equivalent to a county -- and 54 schools.
"It was two weeks prior to school [starting for the year]," said Kenneth Donnelly, executive director of the Louisiana Cyber Security Commission. "Mainly it affected the parish school board systems for [grades] K through 12."
Louisiana National Guard cyber teams were called in.
"The governor declared a state of emergency, which allowed us to expand our [response] capability," said Donnelly. "We were able to use those [Guard] assets and were able to build the capability and capacity in Louisiana to get on the ground quickly and recover the parishes' school systems before school started."
The response also mitigated attacks in other parts of Louisiana.
"We were able to prevent seven other parishes from being severely impacted by the ransomware attack," said Donnelly.
That was, in part, because of assistance from the Louisiana Guard.
"This is the new norm," he said. "We currently have ongoing two additional cyberattacks that took place recently and we have the same resources on the ground right now."
Because of that "new norm," cyberattacks are often treated no differently than a hurricane or other large-scale disaster and the Guard is brought in to assist, said Lengyel.
"When they first developed cyber, people thought there really is no domestic mission for a governor to use a cyber force in state capacity," he said. "Now, we're seeing how wrong that could be."
But unlike a natural disaster, Guard cyber teams can be brought in ahead of time to mitigate possible attacks and were key to doing just that during recent elections.
"In 2018 the Guard was on duty in 27 states either monitoring the state.gov networks or on standby in case something happened," said Lengyel.
Plans are already underway for similar support during the 2020 elections.
As part of that, Guard teams would begin by assessing the network for any vulnerabilities, said Army Maj. Gen. Bret D. Daugherty, the adjutant general of the Washington National Guard, which has a large cyber element.
After that, said Daugherty, any vulnerabilities would be addressed.
"This is all side by side with Department of State IT people who do the keyboard entry," he said.
Finally, if needed, a team would then monitor the network.
"We [would] have that team on hand leading up to and during the election to monitor the network for any bad actors who may be trying to hack in, doing whatever we can to keep that from happening," said Daugherty.
If any hacking activity were to occur, it would then be turned over to law enforcement officials, said Lengyel.
"Once we find a crime scene in the cyber domain, we turn it over to law enforcement or call in the FBI," he said.
The Guard's ability to operate in the cyber domain is just another skill set Guard members bring to the fight, whether overseas or at home, Lengyel said.
"It's the role of the men and women of the National Guard to be able to offer these kinds of services to our governors to respond to a domestic event," he said. "Whether it's a hurricane, a fire or a cyber event, it's just another military skill set we can transfer into use."