Chinese and Russian hackers have everybody running scared. So whatever else happens with the president’s budget request for fiscal year 2015, we know it will include more money for things cyber, from purely defensive network security to black-budget “offensive cyber weapons” such as the Stuxnet worm. But one big thing remains in doubt: the role of the National Guard.
Cyber Command wants the Guard to help. Guard leaders want to help CYBERCOM. And the Army has at least considered a proposal to fund 390 positions in 10 new “Cyber Protection Teams” to be created in the Army National Guard. Whether this idea will get funded is being wrestled over behind locked doors and in the context of increasingly bitter fights between active-duty and reserve forces.
The budgetary question marks loom so large that one senior official at the National Guard Bureau emailed a warning to the Adjutants General, the Guard commanders of every state, territory, and the District of Columbia: Don’t get out in front of what the federal budget will support.
“We have entered a new normal called sequestration,” read the senior official’s email. “To fund ‘excess’ or ill-defined requirements out of hide is impossible. I continue to be concerned with further investments in Cyber and ISR [intelligence, surveillance, and reconnaissance] without definitive requirements documentation from COCOM/MAJCOMs [Combatant Commands and Major Commands]. In my opinion this posture could put [Guard] force structure at risk depending on strategic choices being made by DoD leaders.” (We agreed not to identify the official.)
So what are they choosing? “The Department continues to conduct analysis to determine the appropriate force structure for cyber in the Guard and Reserve components,” was all a DoD official would tell me, after I’d been harassing people for an answer for weeks. “At this time, the Department’s senior leadership has not made any decisions,” he said – which is one of the reasons we’re writing this story.
The outside experts we spoke to agreed that the Guard had a unique role to play. “I think they are the linchpin for being able to effectively defend the nation,” said John Quigg, a retired Army officer and former senior CYBERCOM official, in an interview with my colleague Colin Clark. “The thing that is not obvious and is wonderful about the Guard is that it sits between the federal government and the states, and that makes it very useful.”
Both budgets and bureaucracy, however, are getting in the way.
Gen. Alexander: “The Guard Can Play A Huge Role”
Despite all the obstacles, there’s certainly four-star support for giving the Guard a share of the cyber mission.
“The Guard can play a huge role,” Gen. Keith Alexander, the (outgoing) chief of both CYBERCOM and the embattled National Security Agency, told Congress last year. “There’s two key things that they can do. First… it gives us additional capacity that we may need in a cyber conflict. The second part is, it also provides us an ability to work with the states.”
For their part, state governments “are clamoring” for Guard help on cybersecurity, Gen. Frank Grass, the chief of the National Guard Bureau, told reporters in November when he outlined the proposal for the 10 Cyber Protection Teams.
“Gen. Alexander and our chief Gen. Grass believe the Guard has a key role to play in cybersecurity,” said Col. David Collins, the National Guard Bureau’s chief cyber staffer (the “J-6″), in an interview. “So there is resounding agreement on that — [but] we’re waiting for missions and force structure from the Army and the Air [Force]. We are still in the embryonic stages.”
“It’s not so much money,” Collins told me. “The fundamental first step in all of this is, what is the Guard’s place in the federal and DoD cyber response?”
The original Department of Defense (DoD) directives setting up the current cyber strategy “essentially took the reserve components out of consideration,” Collins said. Why? “The presumption was all those forces needed to be on active duty 24-7, 365,” he said. “[But] why can’t you surge us as you do for other things?”
In fact, the Guard is arguably better suited for cyberwar than for physical war. It takes weeks to months to mobilize, train, and prepare Guard forces for deployment overseas, potentially up to 110 days for the largest and most complex units. A Guard cybersecurity expert could (almost) roll out of bed, log on and start defending networks around the planet before his coffee gets cold.
But this subjective assessment needs to get encoded into the formal military requirements process before anything can happen in the budget. “The National Guard has to have forces that are built primarily for a federal purpose,” Collins said. Whenever state governors call out the Guard to control wildfires, floods, or rioters, the troops, trucks, and helicopters that respond are almost entirely paid for by the federal government for military missions.
On paper, the Department of Homeland Security would be in charge of defending the nation’s non-military networks, but against high-tech or large-scale threats DHS would have to ask the Pentagon to help. The Guard could be part of that homeland defense response, but “the government doesn’t have a plan that clearly indicates how that would be done,” Collins said bluntly. “The National Cyber Incident Response Plan, in my opinion, is not very thorough….I don’t mind going on record as the J-6 of the National Guard Bureau saying that the nation has a lot of progress that it needs to make.”
He’s hardly alone in that opinion, Not only is cybersecurity legislation chronically stalled on Capitol Hill, said Quigg, the former CYBERCOM official, “Cyber Command is increasingly attack-focused and the defensive mission has stalled….We’re actually in worse shape now in some ways than we were five years ago.”
What The Guard Can’t Do
If the Guard were allowed to help out in homeland defense, Collins argues it would have three advantages over the active-duty force:
- First and most important, he said, Guard troops are physically present in armories, communities, and indeed civilian workplaces across the country, not concentrated in a few large bases. That puts them in constant contact with civilian networks and their operators.
- Second, the Guard can operate either on federal orders (so-called Title 10 status) or on the orders of the state governor (Title 32). Guard troops under the governor’s command aren’t bound by the Posse Comitatus Act or other restrictions on using federal troops for law enforcement.
- Third and last, as part-time troops, Guard cyber warriors would have full-time jobs in the civilian information technology world, giving them a different and often deeper expertise than the active-duty force, which tends to be younger.
Those are in order of importance: “A lot of people want to jump to No. 3 when they talk about the Guard,” Collins emphasized. “That’s out of sequence.”
The Guard already has limited cybersecurity capability, but it’s “very ad hoc,” Collins said. Every state is authorized to have an eight-soldier Army National Guard network security team, though some Adjutants General didn’t even know this option even existed until recently, and they have to find the funding themselves without federal help. The Air National Guard has a range of “network warfare” and “information warfare” squadrons of varying sizes, structures, and skill levels.
Some of these Air Guard units are impressive, said Atlantic Council cyber expert Jason Healey: “[There's] the 262nd Network Warfare Squadron in Seattle (which includes lots of people from Microsoft), [and] the 175th Network Warfare Squadron at Fort Meade is deeply embedded in NSA work.”
“But states are increasingly trying to grab cyber mission for more budget, especially as more traditional missions are pared back,” Healey went on. “This threatens to poison the whole effort as so many state piranha are trying to feed from the same mission.”