A new Senate bill proposes creating specific units for cyber defense within the National Guard.
The legislation would put “Cyber Guards” in every state that could “provide a scalable response,” according to a press release from its bipartisan Senate sponsors.
Depending on the severity of the emergency, the cyber units could be activated under Title 32 or Title 10. The bill hopes to leverage Guardsmen already working in IT in the private sector as well as retain more cyber professionals in the military.
“Unfortunately, we’ve been too slow to leverage the institutional IT talent in the Guard,” said Sen. Roy Blunt (R-Mo.), a co-sponsor of the bill, adding that it was “a good first step.”
The National Guard’s role in cyber security is not entirely new. Delaware and Missouri are among several states that already have special cyber Guard units. Both Delaware and Missouri Guardsmen have participated in training with the National Security Agency, the Department of Homeland Security, and the Federal Bureau of Investigation at Ft. Meade, Md. The bill hopes to replicate these capabilities nationwide.
The Cyber and Computer Network Incident Response Teams (CCNIRT), as the units would be formally called, could serve as first responders to an attack.
“The next cyber event is not going to look like Pearl Harbor–it’s going to look like 9/11,” said Ian Koski, spokesman for Sen. Chris Coons (D-Del.), also a co-sponsor.
If, for example, there were a wide-scale power outage, the Cyber Guards would already be deployed. They would be working with local police to determine whether it was a terrorist attack and how best to respond.
The “Cyber Warrior Act” comes after a slew of hearings on cyber security following the President’s February Executive Order on protecting critical infrastructure. In addition to Blunt and Coons, the bill is co-sponsored by Senators Kirsten Gillibrand (D-N.Y.), David Vitter (R-La.), Mary Landrieu (D-La.), Patrick Leahy (D-Vt.), Mark Warner (D-Va.) and Patty Murray (D-Wash.).
Koski said the bill has received support in meetings with the National Guard and U.S. Cyber Command. The National Guard Bureau declined to comment on pending legislation.
When asked about the legislation during a March 12 Senate hearing, Cyber Command’s chief Gen. Keith Alexander said he had been exploring ways to incorporate the Guard in its active duty cyber forces.
As for the bill itself, “the [Department of Defense] is currently examining a number of critical issues, including significant budgetary implications in a fiscally constrained environment, National Guard capacities and capabilities, training standards, and policy and legal issues associated with this legislation,” Cyber Command Public Affairs Officer Col. Rivers Johnson said.
Martin Libicki, a cyber security expert at RAND, said the bill only makes “a modest amount of sense.”
“The problem is that in order to defend the system it helps to have some familiarity with it,” he said. “Unless you’re lucky, the guys you’re going to be pulling in from the National Guard…aren’t going to have continuous knowledge of the systems.”
“It’s not a question of skills,” Libicki said, but that it isn’t an easy equivalent between the work the Guardsmen do in the private sector versus what they would be called in to do in an emergency.
Cyber security, he explained, is not like a forest fire–you can’t just throw more people at it to put out the problem.
“This is not an area in which quantity makes all that much of a difference,” Libicki said.
Although the details of implementing Cyber Guards have yet to be fleshed out, Koski said training would remedy the familiarity problem.
“The idea is that you’re not training them from zero,” he said. “You can’t rely on recruiting young 22-year-olds just out of college and training them. You want someone who’s been out there and seen a network before.”