When it comes to defending the country from cyber attacks, Defense officials have made abundantly clear that they plan to leverage the military’s National Guard and reserve components as much as possible, including, most recently, by tasking the Army Guard and Reserve to build 21 cyber teams on top of the 133 U.S. Cyber Command had planned as part of its Cyber Mission Force.
But those cyber protection teams make up only a slice of the cyber capabilities scattered across 54 states and territories that could theoretically be called upon as first responders in the event a major cyber incident happened somewhere on U.S. soil. The trouble is, DoD has no central database that tracks exactly what those capabilities are, and there are no immediate plans to build one.
That would change under legislation that’s just been introduced by four senators who argue the lack of such a database is a major gap in the department’s readiness to support civil authorities, especially considering the breadth and depth of cyber expertise already resident in the Guard and reserve, where many service members are IT and cyber professionals in their civilian careers.
“Aggressive Russian cyber activities, China’s 2015 hack into the Office of Personnel Management, and efforts by Iran and non-state groups all demonstrate that we must make greater efforts to strengthen our cyber defenses,” said Sen. Chris Coons (D-Del.), one of the bill’s sponsors. “The Pentagon does not have adequate understanding of all Guard unit cyber skills, which could inhibit our response to a major cyberattack.”
The new legislation was prompted in large part by a September 2016 Government Accountability Office audit, which found that the absence of such a database may put DoD on the wrong side of a 2007 law that already requires the department to identify and track all of the National Guard’s emergency response capabilities.
DoD answered the 2007 legislation with the Defense Readiness Reporting System, a database that catalogs Guard units’ abilities to respond to natural disasters or more traditional terrorist attacks, but doesn’t specifically track units with cyber expertise, particularly those whose primary missions are to help defend state and local government networks.
Despite calls by GAO and Congress to remedy the problem, DoD does not appear to have considered it a priority.
When Adm. Michael Rogers, the commander of U.S. Cyber Command, was queried on the issue by Sen. Joni Ernst (R-Iowa) at a hearing one week after the GAO report was published, he said he was unfamiliar with the concerns raised by the report, but promised to “take it for action.” When Ernst repeated the question at another of Rogers’ appearances before the committee in January, he said that he had conferred with military service officials and the Office of the Secretary of Defense about the matter, but could only reply that “I don’t think we have a good answer for you.”
In a written response to Ernst a week after the January hearing, Rogers said the National Guard is in the midst of “unprecedented growth” in its cyber capabilities, but the decision to build a software module that would track guard units’ cyber capabilities was the responsibility of the National Guard Bureau, not Cyber Command, and that she should contact that organization for further details.
He added that the National Guard reports the overall readiness of its some of its units — those with federal missions — in quarterly reports to Congress and that “readiness reporting on cyber capabilities should be no different in the cyber domain than in any other domain,” but as GAO noted, publishing reports is not the same thing as creating a database that can be quickly queried in an emergency when the government needs to find its best experts to respond to a crisis.
DoD’s lackluster response to those findings is part of what prompted the four senators to introduce legislation. In addition to Coons and Ernst, Sens. Deb Fischer (R-Neb.) and Kirsten Gillibrand (D-N.Y.) are also co-sponsors.
Specifically, the bill would require DoD to set up a database that tracks the cyber capabilities of all of its guard and reserve units within one year. Using an existing data system would be perfectly permissible, as long as the data is updated at least once every-other-year.