Soldiers Guard Their States from Cyber Vulnerabilities
With an ever-rising threat on the cyber battlefield, there exists a growing need for the Nation to fortify its cyber defenses. The Army National Guard is responding to that need by dedicating its expertise to strengthening the cybersecurity posture of both government and civilian organizations in the United States.
The Guard is conducting cyber vulnerability assessments in States across the country. Cyber vulnerability assessments are evaluations used to look for cyber shortcomings in an organization’s network and then determine how those shortcomings can best be remedied.
Multiple States have assigned dedicated teams of National Guard Soldiers to conduct vulnerability assessments. Ohio National Guard Soldiers used cyber vulnerability assessments to defend their State’s election system from hackers in 2016, while California wrote into law that funding be augmented to support a team of California National Guard Soldiers performing assessments.
Each State that conducts assessments does so in its own manner with different means of funding, depending on State guidelines. That said – despite varying protocols and funding sources – the mission remains the same for each State. With each assessment, Soldiers are tasked with strengthening the Nation’s shield against cyberattacks.
“The National Guard is mostly known for protection from civil disturbances and natural disasters, so I think it’s a win-win situation for the States and governors utilizing those [cyber] skillsets of National Guard Soldiers,” said CPT Michael Kane of the 91st Cyber Brigade. “It adds a different dynamic and dimension to the capabilities of the Guard.”
CPT Kane spearheaded the process of standing up a unique cyber vulnerability assessments program in Virginia. He reached out to the heads of other States’ programs to see how they handled their cyber assessments, then began to build Virginia’s program from the ground up.
“With Virginia being within ‘arm’s reach’ of the federal government and it being the hub for many federal municipalities, protecting the cybersecurity posture of the State [is vital not only to the State, but also to the Nation],” CPT Kane explained.
Thanks to a 2015 funding initiative spearheaded by then-Governor Terry McAuliffe, Virginia National Guard Soldiers were indefinitely placed on State active duty to conduct vulnerability assessments throughout the State. The assessments are provided at no charge to the Virginia organizations that request them.
“There are smaller localities and municipalities out there that cannot afford full-blown cyber assessments conducted by well-known companies,” said OIC for Virginia Vulnerability Assessments 2LT Warren Thompson of the 134th Cyber Security Company. “We provide a service essentially free of charge [because it is] covered by a sum of money that the State has set aside.”
Organizations request an assessment through the Virginia Information Technologies Agency (VITA). VITA then coordinates with the Virginia Department of Military Affairs, which then tasks the 91st Cyber Brigade with the vulnerability assessments. The requests eventually filter down to the 134th Cyber Security Company.
The weeklong assessments typically include a team of four to six service members who are a mix of Virginia Army National Guard, Virginia Air Guard and the Virginia Defense Force. Assessments are conducted on localities throughout Virginia, including counties and school systems. Since 2016, the team has conducted 14 cyber vulnerability assessment missions.
“Our main goal is to strengthen and modernize organizations,” said MAJ David Bustamante of the 134th Cyber Security Company. “The majority of [the organizations] have been county governments or district government networks that support two or three counties within Virginia.”
The assessments begin with a briefing from the leaders of the organization to discuss where they feel they are lacking and what they are looking to gain from the assessment. The team then conducts industry penetration testing – an authorized simulated attack on the organization’s network.
“The assessments take a look at the localities and municipalities’ network infrastructure – whether it be hardware or software – and determine if there are any holes in the network that a malicious attacker can take advantage of to exploit and extract information,” said 2LT Thompson.
SSG Thomas Peterson, NCOIC for the Virginia vulnerability assessments and member of the 144th Cyber Warfare Company, brings a unique perspective to the assessments he conducts.
“I come from an infantry background and ended up getting a degree in computer science from the GI Bill,” said SSG Peterson. “My background allows me to see these environments and networks as more of terrain, like you would on a map. I see a network diagram, but look at it in terms of ‘What are the key pieces of terrain on this diagram? Where do you need to start protecting these key pieces of terrain?’ You can bring that type of mentality to it, and it makes it a little more effective.”
Based on assessment findings and cross-references with DoD standards, the cyber team develops recommendations for an organization to improve its system’s safeguards.
“In the in-brief, we ask [the organization’s leaders] if there are particular areas that they have been struggling with or that they are trying to improve,” said MAJ Bustamante. “Or maybe they need an additional team member that they are looking to hire. [The assessment] can validate those requests when they submit them to their superiors. They can take that information forward and show an analysis to help back up their request.”
All findings from vulnerability assessments are confidential. Only results that are seen to be trending across the State or in a region are tracked and reported on a larger level.
“We sign a nondisclosure agreement stating that whatever we discover and whatever happens stays within that group,” MAJ Bustamante explained. “We do not report that this specific county or locality [is] negligent in these particular areas. [The State] only sees overall trends and can use that information for future cybersecurity policy.”
Common trends seen by the assessors include a lack of password complexity and a lack of knowledge about possible cyber threats.
“Cyber is a continually moving target. It’s not something that is stagnant. It’s not something where you can go to a range and fire your weapon once a year and [keep current]. It’s evolving and you have to evolve with it or else you are going to fail,” said MAJ Bustamante.
SPC Abhimanyu Trikha of the 134th Cyber Security Company emphasized the importance of understanding the complexities of cybersecurity and staying abreast of common tactics.
“We often see that people just don’t know how much is out there and how many different people can make an attack on a community,” said SPC Trikha. “What I focus on is where cyber and street smarts meet. My job is to teach that you can’t just rely on the technology alone to save you. Cyber is just a set of tools. Security is a culture and a way of life. The tactics used to exploit are timeless. Every community is vulnerable.”
SPC Trikha continued, “We see unique situations where one community may be totally on top of their network accessibility. But they might be susceptible to someone getting on the phone and pretending to be one of their IT members, because maybe it is a large network with a lot of people who don’t necessarily know one another. You have to be street smart.”
The underlying lesson for the organizations being assessed is understanding that the cyber war is not conducted through individual, silo-type battles. Rather, each attack is interwoven and connected to a larger backdrop.
“In the current age where we are an interconnected society, I think no matter what level you participate on – whether it’s city, State, local or federal government – we are all interconnected by some amount of routers or switches,” said CPT Kane. “Whatever security assurance you can provide at your level will always work well in the grand scheme of things. If everybody does their part, then we’ll have the most secure network we can.”
SPC Trikha went on to explain that the 134th’s advisory role does not end with the vulnerability assessments.
“Part of the former governor’s initiative was to help bring Virginians closer together and help Virginians defend one another,” SPC Trikha said. “With every community we go to, we establish a relationship. Not only do we conduct these assessments for the period of time [we are there], but we also [continue to] serve as a trusted face and a trusted phone call in the event a cyber incident does happen.”
From the Soldiers’ perspective, conducting cyber vulnerability assessments allows National Guard Soldiers to gain valuable, hands-on experience while actively defending the Nation from cyber assailants.
“This program helped me take what was a lot of theoretical classroom knowledge from my military training and standard drills and put it into real life. It’s helped me [become] a more capable Soldier for other operations we will do in the future. It is an avenue of practical experience I was not otherwise able to get a hold of. Being involved with this program and enlisting in the Virginia Army National Guard is one of the few ways to get experience at a far faster rate than a civilian job would be able to offer,” noted SPC Trikha.
“It’s fantastic,” said SSG Peterson. “You get to feel like you are having an effect on things. You are actually helping to make America’s infrastructure stronger and more secure. It’s a very fulfilling and rewarding experience.”
Growing the cyber force is a top priority for the Army National Guard. Soldiers with a background in IT systems or a strong interest in being trained to join this crucial leg of our Nation’s fight should reach out to their unit’s Readiness or Training NCO.
By staff writer Tatyana White-Jenkins