Amid the Covid-19 pandemic, ransomware attacks have increased 148 percent over baseline levels from February 2020. This follows an already devastating surge in ransomware attacks against state and local governments. Hackers made headlines on August 16, 2019, after they remotely blocked access to critical data in 22 localities in Texas. That same year, Baltimore’s city government computers, three school districts in Louisiana, computer systems in Garfield County, Utah, and the city governments of Riviera Beach and Lake City in Florida were attacked. Going against official U.S. government guidance, some cities even paid the ransom in desperation to regain access to critical files or because it was simply cheaper than restoring systems and recovering data from backups. That response likely incentivizes future attacks and emboldens perpetrators, who are a combination of individuals looking for monetary gain and nation-states, as seen in a security alert released by the FBI.
For years, school districts, hospitals, and businesses have been targets of ransomware attacks. More recently, hackers have shifted their focus to state and local governments. A U.S.-based threat intelligence firm found at least 169 examples of hackers breaking into government computer systems since 2013. These incidents reveal alarming gaps in resilience and vulnerabilities that could be exploited to interfere in the 2020 elections. State and local agencies simply do not have the resources to close these gaps on their own. With Congress unlikely to disburse sorely needed federal dollars to upgrade systems and hire experts, the nation’s chief cybersecurity risk coordinators—governors in every state capital and the Cybersecurity and Infrastructure Security Agency (CISA)—need to get creative.
The National Guard offers a potential solution, with a bottom-up structure capable of reaching in-state societal talent and the ability to transition between state and federal authorities to protect U.S. democracy as the situation demands. But maximizing the value of the National Guard in cyberspace—an organization more commonly perceived as the frontline for physical disasters—will require leadership and proactive assistance from CISA.
First, CISA should help develop a doctrine that captures best practices in the deployment of state Guard units and statewide coordinated response. As governors increasingly make state emergency declarations to deploy cybersecurity specialists in their state’s Guard, siloed efforts could lead to unnecessary duplication and fail to apply hard-won lessons. This doctrine should examine existing protocols for how a Guard unit works with the federal government (e.g., FEMA) in responding to a natural disaster and draw parallels for cyberspace; identify a standardization of cyber roles and baseline levels of necessary capabilities for prevention, response and recovery; and capture how the Guard best works with law enforcement during cyber incidents to define its mission set.
Standardization is also key. CISA should work with the National Guard Bureau (NGB) to develop a training regime that builds consistency and limits variability across states. Unequal levels of preparedness and resources—especially as ransomware attacks against state and local government increase—are indicative of why it is necessary to have baseline requirements, which could then be integrated into the doctrine. In support of this measure, General Joseph Lengyel, chief of the NGB, said that “standardization between state emergency response operations is needed to properly address and prevent cyber-attacks.”
Finally, as the 2020 U.S. presidential election approaches, CISA should capture and disseminate information on how different states are effectively using their Guard units for election security. In 2018, for example, Washington Secretary of State Kim Wyman entered an agreement with the state’s Guard to survey networks, secure and improve voting systems, and protect elections through deep dives in advance of the state’s general election. That same year, Wisconsin and Illinois placed their Guard cyber response teams on standby to assist local and state election officials in the event of a cybersecurity incident during the elections, improving overall preparedness across the states. This year, North Carolina and Colorado had their Guard cyber specialists defend the integrity of the states’ electoral systems before and during “Super Tuesday” elections on March 3 by assessing possible threats. In a 2019 congressional hearing, Lengyel testified that Guard units provided relevant network monitoring in 27 states. Different states and territories seem to be operationalizing their Guard units in different ways, which is “kind of a strength” that surfaces “different opportunities for how to employ the Guard,” said Colonel George Haynes, the Guard’s chief of cyberspace operations. It’s clear the Guard is already taking proactive measures, particularly in election security, which need to be captured and disseminated.