This story first appeared on CyberScoop
Prior to the 2018 midterm elections, multiple states activated their National Guard forces to protect the vote from cyberthreats. It was a big step for the Guard’s role in national cyberdefense, and an annual drill held by the Guard made it more effective.
In Illinois, for example, the National Guard’s participation in the cybersecurity drill meant that “when the midterm 2018 elections came around and it was time for us to work together, those relationships were already there,” said Brig. Gen. Richard Neely, the Illinois National Guard’s adjutant general.
That exercise, known as Cyber Shield, is now in its eighth year and taking place through April 20 at Camp Atterbury in Indiana. What started as a simple red-and-blue-team affair has grown into an 800-person event that reflects the greater role the Guard is playing in national cyberdefense.
In an earlier iteration of the exercise, “our offensive piece wasn’t very strong,” Col. Terry Williams, deputy commander of the Virginia Army National Guard’s 91st Cyber Brigade, said at a press briefing last week. “We would actually just drop the injects into the [cyber] range – the blue teams couldn’t see how we got there.”
Now, the red-team participants have to “actually show the trail of how they got in [to a network] and what they are doing so that our defensive forces can do the forensics piece,” she said.
National Guard units from 40 states are participating this year, along with people from the private sector and federal agencies like the FBI and National Security Agency, according to Williams. Participants are tested on their ability to detect suspicious activity on a network, such as a rogue device beaconing out information, and lock down unauthorized access to that system.
“It’s a collective training event for us, so it will enhance our warfighting skills. And that’s very important to us,” said Brig. Gen. Jeffrey Burkett, vice director of domestic operations of the National Guard Bureau, told reporters.
The National Guard’s role in the digital domain has grown in the last few years as federal and state officials have thought more about maximizing available resources for cyberdefense. A 2016 report from a White House cybersecurity commission singled out the Guard for having “a talent pool that can be regularly trained, equipped, and called on” to defend against hacking.
The 2018 midterm elections proved to be an inflection point. In Washington State, for example, National Guard members who worked for Amazon or Microsoft by day were on call to help with election security.
The Guard is trying to build on that momentum with Cyber Shield. When not on federal orders, Guard units are at the disposal of states. That makes them well positioned to respond to breaches in their backyards, which is motivating them to hone their incident-response capabilities.
George Battistelli Jr., a cybersecurity program manager at the Army National Guard who also helped planned the drill, said the exercise scenario has tried to keep up with real-world events.
“The attacks tend to change,” he said. “We used to have attacks that were very noisy. Now we have attacks that are going over encrypted channels. So as the adversary changes their TTPs [tactics, techniques, and procedures], we change our TTPs.”
Asked for more information on the exercise scenario, Battistelli, Jr. declined to go into detail in an unclassified setting. “It is safe to stay that it emulates adversary behavior that you’ve probably seen in the news from other nation-states,” he said.
Military officials see Cyber Shield as a key piece of the digital maturation of the Guard, which expects to have more than 3,800 cybersecurity personnel by 2022.
“The National Guard is getting into the cyber business with the Department of Defense, and we’re trying to determine where it makes sense to place units and how we can partner with defense on the Air Force side and the Army side in growing cyber capability,” Burkett said.