National Guard could be America’s next cyber defenders

Computer experts at some of the most important companies in the U.S. are getting a lesson in humility, courtesy of an elite unit in the Washington Air National Guard.

“We basically hacked a utility company about three years ago, and we’re actually working on a plan right now to do another one,” Col. Gent Welsh, the top commander for the Guard wing that contains the crack cyber operatives, told the Washington Examiner.

These hacking jobs come at the invitation of the private entities so that both sides can sharpen their cyber skills. But those local operations raise broader fears: power companies and other critical infrastructure around the country have woefully inadequate cyber defenses. Worse yet, there are no credible plans for how to cooperate with the government in the aftermath of these attacks, Welsh has warned lawmakers.

Rep. Derek Kilmer, D-Wash., wants to change that. He has introduced legislation that would mandate the formation of “cyber security civil support teams” within the Guard, nationwide. The Maj. Gen. Tim Lowenberg National Guard Cyber Defenders Act is named in honor of the officer who led Washington’s Army and Air National Guard through most of the wars in Afghanistan and Iraq. And the program it would establish is designed to ward off the digital version of the Sept. 11 attacks.

“The primary goal here is to build capacity on the ground to address cyber attacks,” Kilmer told the Washington Examiner. “Right now, most states don’t have that capacity to deploy the cyber equivalent of firefighters to respond to cyber attacks that might compromise critical infrastructure.”

Modeled on Guard units trained to respond to the potential threat of “loose nukes” after the fall of the Soviet Union, the cyber teams would work with private companies and state governments to provide protection from hackers, making for a nimbler defense system than anything already in place.

“What you want to have is the capacity to have a specialized team of this nature so that if there is a significant cyber attack, that states have a tool in their toolbox to do something about it,” Kilmer said. “Most states currently do not have a robust budget for or capability to address cyber attacks. What that means is there is enormous vulnerability.”

Industry and national security experts have warned of the threat of cyber attacks for years, but the danger has dominated national debates only rarely. Russian-linked hacks of the Democratic Party and subsequent release of private emails during the 2016 election campaign represent a rare exception. In 2015, hackers stole sensitive personal information about millions of federal employees from the White House Office of Personnel Management. In December of that year, a cyber attack apparently launched by Russian operatives shut down a power grid in Ukraine for several hours.

Could such an attack take place in the U.S.? It took the Guardsmen just 17 minutes to hack Snohomish County Public Utility District, which provides power to 325,000 people in Washington state. Welsh’s team is training to fight attacks “where the foreign adversary gets in there and for the most part they’re not letting control go of the system until you get them out of there.”

An extended loss of power could be a humanitarian disaster, with potentially severe national security implications; an array of major U.S. military installations can depend on individual private energy companies. If such an attack were to happen tomorrow, Welsh predicts that government officials at all levels would struggle with each other and the affected company.

“[The Defense Department] has the mission of protecting the nation; what they don’t have, though, is information and sensors for the most part at every state level,” Welsh said. “Someone like Puget Sound Energy, they don’t know how to get information up to Cyber Command. Cyber Command has no idea how to push some of the stuff that they have back to the company that may be of benefit to them.”

And the afflicted utility company might not be able to find good help in the private sector if the hackers are backed by foreign government intelligence or cyber operatives. “Generally, civilian companies don’t specialize in that area because some of the stuff that we find or have is classified,” Welsh said.

Kilmer’s bill would allocate $50 million to the project, but it leaves the details of how such civil support teams might work to the discretion of the National Guard. As introduced, the bill calls for a report from the National Guard Bureau outlining such plans by Sept. 30, 2018, and then sets a five-year deadline to have cyber defenders operating in every state and territory.

That deadline will almost certainly get bumped, due to the pace of the legislative process. “Congress is not exactly a legislative juggernaut these days,” Kilmer said wryly.

He hopes that the proposal will make it into the defense authorization bill for fiscal year 2019, which will be drafted and debated throughout 2018; that legislative behemoth is one of the few packages to move through Congress every year, but last year’s version wasn’t signed into law until December. The bill has two Republican co-sponsors.

“I think Republicans and Democrats can support the notion that this is an avenue to provide immediate help to states in the wake of a cyber attack or a cyber emergency,” Kilmer said. “I think that’s why you see bipartisan support for the bill.”

Welsh, who first developed the idea for the cyber support teams while studying at the Air War College, worries that won’t be fast enough to prevent the next major attack, but he credits Kilmer with jumpstarting the debate.

“At least there is discussion on the topic,” he said. “Before, there was no discussion on it. Everybody had their head in the sand.”
