Op-Ed: “The Old Line” state, serving on the front line, needs authority to respond online
By Colonel Reid J. Novotny, Maryland National Guard J6
In today’s battle against COVID-19, Maryland has great latitude to employ its National Guard in the physical domain, but is hamstrung by policy and perception from fully engaging its cyber force. And while COVID-19 is a biological malady rather than an electronic one, the hobbling of our cyber capabilities will, indeed, cost lives. In fact, in all likelihood it already has.
To understand the situation, imagine for a moment a natural disaster—say a flood—has struck. Waters are rising, and the National Guard had been called out. Fortunately, the Guard has a plentiful supply of sandbags and shovels with which to fill them, and there are hundreds of Guardsmen present and ready to get to work, called up under the auspices of state law to respond to a natural disaster. With a quick reaction and some hard work, the worst impacts of the flood can be mitigated, perhaps even prevented altogether.
Now imagine that the federal government steps in and says, “no, no, National Guardsmen in a state active duty status cannot use sandbags and shovels procured with federal money.” Or perhaps the Guardsmen are on federal active duty under Title 32 of the U.S. Code. Now they can use the supplies and equipment provided by the feds—except, wait, their FEMA mission assignment prohibits flood-defense operations. It’s inconceivable, and yet that’s just the situation we face in the online realm.
At this very moment, Marylanders are under attack in cyberspace. According to the Department of Homeland Security, the global cybersecurity threat has increased as bad actors seek to exploit fear and confusion caused by the COVID-19 pandemic whether for criminal purposes or to sow mistrust and disinformation.
Health Department systems in St. Mary’s County, Maryland, were crippled during an April 2020 ransomware attack that impacted reporting and access to national infectious disease databases. Fortunately, the county was prepared, and with help from the state it recovered quickly. But even in this best of possible outcomes, the hours and days that were lost had a direct impact on their ability to serve the community during an urgent public health crisis—just as their attackers intended.
The disparity in authorities between the physical and cyber domains is thrown into sharp relief by the fact that while Maryland Guard medical teams had coordinated COVID-19 support with the same county employees only a week prior, our cyber professionals were not permitted to respond to the cyber attack.
It’s important to be clear here: we’re not talking about unleashing military cyber warriors on an unsuspecting public, or even unleashing them upon online criminals. While the Maryland National Guard is trained and equipped to fight our adversaries in cyberspace, that is a federal wartime mission and is fundamentally different from the capability we could bring to bear in a domestic operation.
What we’re talking about is network defense—probing for vulnerabilities so they can be fixed and looking for indications that an intruder has already made his way onto the system so that access can be removed. That, in essence, is it.
And yet, as of today, we are not allowed to use the federally procured cyber tools we have on hand, even though we know cyber criminals and their ilk are seeking to exploit the pandemic for their own ends and their activities in the cyber realm pose a direct threat to the lives and property the Guard has been called up to protect. It’s the electronic equivalent of the Guardsmen blocked from filling a federal sandbag to prevent a state flood I described at the outset. In Maryland, this has resulted in the expenditure of more than $100,000 in state funds to purchase the tools we needed to help our partners in state and local agencies—when we already had the tools we needed on hand, but were prevented from using them.
With that said, I think the problem lies in the perception of cyber rather than the law itself.
The National Guard’s authorities to operate and most of the funding to respond to COVID-19 came from the Mission Assignment (MA) from the Federal Emergency Management Agency (FEMA) governed by 42 U.S.C. 5121, commonly referred to as the Stafford Act. This MA authority allows for reimbursement of our medical professionals to assess nursing homes and our transportation professionals to deliver ventilators and personal protective equipment. But when asked if cyber professionals could use their talents under this authority it was denied, multiple times, for multiple bureaucratic reasons.
The bottom line was that despite the profusion of people, organizations, and bureaucracies that claim legal responsibility in the cyber realm, no one wanted to authorize our use of FEMA authorities to respond to the cyber threat. Although a cyber response could reasonably be authorized under the Stafford Act—you can clearly see it in the plain language of the law—it just has never been done because of bureaucratic inertia and, quite frankly, fear of the unknown. But our anemic response in the online world has consequences, and cyber criminals aren’t thinking about the finer points of the Stafford Act while they work to compromise our systems.
The Maryland National Guard possesses the capability to provide state and local emergency cyber assistance to save lives, protect property and preserve public health and safety. In the pandemic we now face, cyber capabilities have the potential to lessen or even avert a catastrophe, such as a successful ransomware attack on a hospital.
There is no doubt we can perform these missions if authorized. The only question is whether that authorization will be forthcoming before it’s too late.