Last month, the Army, along with the rest of the military services, announced all of the active duty cyber teams they’re building for U.S. Cyber Command have reached their initial operating capability and are ready for offensive and defensive missions. Next in line: teams made up entirely of National Guard and Army Reserve personnel.
The Army contributed 41 teams to the 133 that make up the Cyber Mission Force, and it’s asked DoD for permission to designate an additional 21 Guard and Reserve teams as part of the CMF, in part because their personnel bring legal authorities and experience that can’t be found in the active duty Army.
Initial training for the active duty teams lasted from 2013 to 2016; similar training to build the newer teams — 11 in the National Guard and 10 in the Army Reserve — began in 2016 and is likely to take until 2019, said Ron Pontius, the number-two official at Army Cyber Command.
“It wasn’t that they were less of a priority or second fiddle, it’s more about what we could handle in the very extensive training pipeline. It’s also given the Guard and Reserve time to get organized around limited training days,” he said Thursday at a conference hosted by the Association of the U.S. Army in Arlington, Virginia. “But we need these folks. They have tremendous expertise in things like industrial control systems, for example, because that’s what they do every day in their civilian jobs, and these skill sets are critically important.”
In the case of the Guard, the teams can operate under various legal authorities, not just the federal Defense role prescribed in Title 10 of U.S. Code. A prime example occurred earlier this week, when John Husted, the Ohio Secretary of State, said that state’s cyber protection team — the first of the National Guard teams the Army activated — was being used to conduct penetration testing against election systems in a crucial swing state for the 2016 presidential election.
Those types of uses are a double-edged sword. The Ohio team, like all of the others in the reserve components, is being trained to the same standards as the active component teams, but it operates under a complicated mix of legal authorities and command structures that are well understood in the context of natural disasters, but not necessarily for cyber incidents.
The Ohio team’s legal status was unclear, based on published reports. It had not been called to federal active duty status, nor, according to those reports, had Ohio Gov. John Kasich (R) placed it in Title 32 status or on state active duty.
And although building the additional teams under the auspices of the National Guard helps to geographically disperse DoD cyber capabilities throughout the nation and also makes them available to governors, the Army is still working through the vagaries of how to use their legal authorities and to maintain effective coordination and unity of effort with Army Cyber Command and U.S. Cyber Command.
The military expects to tackle those types of issues in January via Cyber Shield, an annual National Guard tabletop exercise.
The picture is complicated by the fact that Guard units can be ordered to duty not only by governors and presidents; under a provision called Immediate Response Authority (IRA), Congress has also given them explicit permission to respond to emergencies on their own initiative if they determine there’s no time to seek permission from higher headquarters — a contingency that’s easy to imagine when inbound “weapons” are arriving via fiber optic cables.
“If I have teams all across the country that have affiliations with local governments and local industry, there’s a very high likelihood that a governor’s emergency management director will know one of my cyber protection team commanders who happens to work on his IT staff for his civilian job, and turns around and asks for IRA help before anybody at Army Cyber Command knows anything about it,” said Col. James Chatfield, the cyber director for the Army’s 335th Signal Command. “A lot of this stretches the bounds of what the Guard has done before. If my team shows up at a non-federal entity, they need to know their left and right boundaries and be able to solve the problem without getting themselves in hot water.”
Congress has also expressed concern about the Guard’s role in responding to cyber incidents. In the 2016 Defense authorization bill, lawmakers asked the Government Accountability Office to assess DoD’s current capabilities to cobble together various legal authorities and deliver effective support to civilian authorities in the event of a domestic cyber incident. GAO responded with a report that concluded it’s unclear who would be in charge in such a circumstance.
Chatfield said the Army must work through the authority and jurisdictional challenges because of the additional defensive capabilities its part-time cyber soldiers offer.
“I happen to have a member of one of our Army Reserve teams who has 25 years of experience in the logistical processes of the electric grid,” he said. “On his drill weekends, CYBERCOM has him helping with emergency contingency plans for power management. The Guard has a large number of examples like this, people who are working for a state emergency management agency during the week and in a National Guard cyber role on the weekends.”
One such soldier, an Army National Guard colonel who’s currently deployed overseas in service of a more traditional Army signals mission, is also the cybersecurity chief for Florida’s judicial system.
“That guy has put together more honeypot concepts than just about anybody, because people are constantly trying to hack into their courts and steal vital information. He’s probably a pretty good adviser to the Army that we might want to leverage, especially if we’re called upon to defend legal and financial information systems,” Chatfield said. “These folks bring a lot of breadth and depth to supplement what we’ve already done. They’re trained to the same standards as our active duty cyber teams, but they give us a wealth of breadth and depth to tap into.”