The United States Government must rethink its domestic cyber defense strategy. Even though the Departments of Homeland Security (DHS) and Defense (DoD) have the nominal lead in defending America from cyber-attack, no federal agency has been tasked to protect key infrastructure during a significant cyber incident. Treating cyber disasters far differently from physical ones is a mistake because it deprives the country of a powerful resource, the National Guard. The upcoming National Defense Authorization Act (NDAA) is the perfect opportunity to remedy this situation.
The dangers of cyber attack are real, especially if directed toward critical or state infrastructure, such as electricity grids, water distribution systems, and data centers. Yet a cyber-attack on such systems would not trigger the same type of government response that a natural disaster or kinetic attack within the United States would. If a significant cyber-incursion hits American critical or state infrastructure tomorrow, the National Guard would be largely forced to sit on the sidelines as other government agencies attempted to respond.
This approach is illogical because the National Guard can respond to major domestic cyber incidents in ways that DoD and DHS cannot. DoD has significant cyber capabilities and throngs of cyber warriors, but its domestic legal authorities are rightly limited. It is therefore mainly charged with protecting its own networks and conducting offensive operations, absent a national catastrophe authorizing Title 10 authorities domestically.
And DHS’s mandate is at best weak, charged with “coordinating” the federal effort to “promote” the cybersecurity of critical and state infrastructure. In practice, this means sharing information (providing situational awareness) about cyber-attacks and methods to protect private organizations and individuals from them. DHS can provide technical support but its other response capabilities are limited.
Guardsmen perform myriad advanced operations to protect Americans from physical incidents, be it fire, flood, earthquake or hurricane. Their cyber capabilities and skills could be critical in the face of a large-scale cyber attack. However, the National Guard is not a substantial part of U.S. domestic cyber defense because DoD and DHS have not yet developed (or been directed to develop) a clear policy to utilize the National Guard in the cyber realm. Governors and adjutants general have not been provided clear guidance from Washington on what their highly trained cyber Guardsmen are authorized to do. This must change.
As Congress considers the FY15 NDAA, it should mandate that DHS and DoD develop clear policies to involve the Guard in the domestic cyber fight. Just as DHS’s FEMA is responsible for physical disasters, and can direct state National Guards (in coordination with governors) and federal agencies to mitigate those incidents, DHS’s National Cyber and Communications Integration Center (NCCIC) could be provided similar authorities and resources in the cyber realm.
Responding during cyber incidents is just one way the National Guard could be helpful. Guardsmen could also be requested to test networks, find weaknesses and train with local critical and state infrastructure operators, aiding in their familiarity with the networks they could be called on to protect.
To its credit, the National Guard Bureau (NGB) is trying to make inroads into the cyber domain. In a press conference last November, NGB Chief, General Frank Grass, asserted that state officials and homeland defense commanders are “clamoring for [National Guard involvement in domestic cyber defense],” and that the inherent qualities of the Guard make it a large, scalable pool of cyber talent. While DHS and DoD have problems with recruitment and retention of cyber personnel, the Guard does not. Most high-skill recruits join after they have found their career because they want to serve without the lifestyle sacrifices of the active military.
It is a mystery to many in Washington why scant policy effort has been made to include the National Guard in domestic cyber efforts. One explanation is lack of public knowledge about cyber threats, or that no loss of life has occurred from a domestic cyber incident. However, that does not excuse the reality that a large reservoir of highly talented men and women, who have proven themselves time and time again in difficult, life-threatening situations, remains glaringly untapped.
Over the next month, the annual Defense Authorization bills will be marked up in both chambers of Congress. The House and Senate have an opportunity to champion, with little effort, real cybersecurity protections for Americans that are tremendously cost-effective, moving past mere information sharing and providing serious cyber capabilities. The time to act is now.
Mueller is a partner at the Truman National Security Project. This article is based on his 2013 Georgetown University capstone thesis “The Federal Cyber Gap: Protecting U.S. State and Critical Infrastructure.”