U.S. Cyber Command focuses on deterring cyberthreats from impacting the homeland, but could hold less direct authority if an internal threat targets the critical infrastructure of a state. That’s why 40 states have representatives in an annual large-scale cyber exercise that kicked off late last week.
Cyber Shield 19, which runs until April 20, brings together members of the National Guard, who answer to the governors of their respective states, and has them work with industry to improve incident response to cyber events.
“The purpose is to develop and train internal defensive measures, incident response, coordinate train and assist activities,” Brig. Gen. Jeffrey Burkett, vice director of domestic operations for the National Guard Bureau, told reporters April 9 during a briefing at the Pentagon.
“It’s a collective training event for us. It will enhance our war-fighting skills and that’s very important to us.”
Overarching themes, Burkett said, are to protect the Department of Defense Information Network and coordinate, train and assist critical infrastructure partners in how they do their mission sets.
For the National Guard, however, working on building partnerships with private industry is essential.
“Cyber Shield is unique in the fact that we bring in partners that we work with … This is really key for us because our critical infrastructure, our networks are primarily private,” Brig. Gen. Richard Neely, Adjutant General with the Illinois National Guard, said.
“When bad guys go after things ... it’s probably going to be outside the DoDIN.”
While primarily a training event, Cyber Shield really is also about building relationships so if an event does happen, the right entities know who to call and how to work with one another.
“Part of the goodness with the Guard is that dual-status technician, that dual-use soldier who may work at the department of public works in his everyday job and then he drills on the weekend,” George Battistelli, chief of defense cyber operations at the National Guard, said.
“He has the inside knowledge of how that system works and he gets that training through the Guard and now he’s a very valuable asset because he can help protect that infrastructure if on a defensive cyber operation element or a different cyber team.”
Battistelli noted that Cyber Shield is a “detection” event, with participants practicing their ability to identify malicious activity on the network and then remediate it. While declining to offer specifics, he said that activity emulates behavior seen in the news and the exercise has evolved each year to keep up with adversarial methods.
“We used to have attacks that were very noisy and now we have attacks that are going over encrypted channels,” he said.
“As the adversary changes their [tactics, techniques and procedures], we change our TTPs, so it would be very naïve to do the same scenario every single year because cybersecurity changes.”
For example, as recently as two years ago, offensive intrusions were just dropped into the exercise because they lacked the ability to properly simulate a real breach.
“Blue teams couldn’t see how we got there and they weren’t able to trace back,” said Col. Teri Williams, deputy commander of the 91st Cyber Brigade in the Virginia National Guard, noting this is problematic for real-world training.
Now, the offensive teams have to work their way into the networks and show the trail of how they got in and what they are doing so that our defensive forces can do the forensics, she added.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.