Responding to ransomware across states is a new mission for the National Guard and it doesn’t show signs of going away anytime soon.
The National Guard Bureau has worked to establish cyber teams that serve the governors of their respective states to respond to cyber incidents.
With a wave of ransomware attacks in the last year, the National Guard’s believes this is a critical role and a unique domestic military mission.
"Look at the ransomware attacks in places like Louisiana and Texas and Montana and the governors calling up the Guard to be able to do this,” Gen. Paul Nakasone, the head of U.S. Cyber Command said in September. “This is a new venue, this is a new capability, this is a new possibility for what we’re doing to build this capacity.”
Ransomware is “obviously new and emerging enterprise for us. It’s just when they first developed cyber, I’ll just share with you, people thought well there’s really no domestic mission for a governor to use his cyber force in a state capacity. Now we’re seeing how wrong that could be,” Gen. Joseph Lengyel, chief of the National Guard Bureau, told reporters at the Pentagon Nov. 5. “Now as this ransomware case comes up, we’re able to access people with superb civilian skill sets that have jobs working for Dell or working for other cyber companies … they can bring actually capabilities to bear that sometimes the military forces don’t have.”
This attack vector is viewed to be the “new norm,” said Kenneth Donnelly, who works on special projects at the Louisiana National Guard. He said that at the state level, officials are not expecting many federal resources, so the Guard has to be able to take these tasks on themselves.
Adversaries are “preying on soft targets. Those targets are like the school board ... system[s] that don’t have the IT resources or the budgets to be able to defend themselves with the infrastructure that they need and the training that they need,” he said. “Most of these individuals that are IT directors at the school level are teachers who have the additional role of being the IT person as well.”
Texas and Louisiana response actions
Texas fell victim to two ransomware attacks within the last year. The first was relatively small and slowed services in just one county, Jackson County, disrupting property transfer and police background checks. The Texas Guard was called in to conduct an initial assessment and then worked to get the county’s IT systems back up to 25 percent recovered, a standard practice for Texas Guard teams. Once at that threshold, the local IT administrators work to get the networks back to full health.
In June, however, ransomware hit 22 counties said, Maj. Gen. Tracy Norris, Adjutant General of Texas, said.
Overall, it took about two weeks to get networks back – without paying the ransom – but after the practice from the Jackson County incident, the teams were able to pick the most critical counties to work on first.
In Louisiana a July ransomware incident hit the school system two weeks prior to school, Donnelly said. This mainly affected the entire school board system K-12.
Given the work that the Louisiana did over the last two years working with state and federal agencies, officials there were able to act fast and recover the entire school system prior to school starting. Because of this partnership, they were able to go after a target list of indicators of compromise to prevent further damage, he added.
Officials also noted that across the states, ransomware information is shared with U.S. Cyber Command and other federal entities as well as the National Guard Bureau to provide greater situational awareness.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.