The National Guard recently focused on defending the Department of Defense’s networks during its premier annual cyber exercise, a departure from the last several years where it tested skills on state networks.
The Guard is typically owned by the governors of their perspective states and mobilized by those governors in what’s known as state active duty to respond to various crises or assistance efforts. However, the force can also be federalized and mobilized, which means it also needs to be versed in how the Pentagon’s networks work.
“We went with the DODIN-focused exercise for the supply chain because it’s something that was maybe different and something that we saw some gaps when we went through it in real time, through the real attacks. This gave us a chance to practice that,” Lt. Col. Seth Barun, deputy officer in charge for Cyber Shield, told FedScoop in a recent interview, referring to the DOD information network.
This year’s exercise, which took place June 5-17 in Arkansas, involved service members and civilians from 20 states and Guam.
A lot of personnel in the Guard don’t get the access to work on the DODIN, so this exercise provided an opportunity to broaden their scope and work on different authorities, tools and scenarios.
The exercises simulated a supply chain compromise similar to the SolarWinds incident.
While most compromises and attack chains are the same regardless of the type of network, the DODIN requires unique tools and permissions, which provided an opportunity for Guardsman to hone those skills.
“I think the biggest differences is the tools,” Lt. Col. Jeff Fleming, the officer in charge of the exercise, said regarding the differences between working on the DODIN versus a state active duty scenario. “Obviously, the government allows certain tools on the network. And when we do some of our other responses, we have a lot more freedom to maneuver in terms [of] tool space and open source, some things like that.”
Barun added: “When you’re on a state active duty mission, you bring your own tools. Usually the organization’s like, ‘Sure, that works for you, put it on,'” he said. “DODIN says, ‘Nope, you can use these and this is what you got.’”
Moreover, Guardsman get to better understand the various authorities they may be working under in the future.
“When you’re in the state active duty, you’ve got one hat on. It’s the applicable laws of that state that govern their constraints, limitations, or restraints [on] what they’re allowed to do. That is 50 different flavors of laws that govern what each of these National Guards can or cannot do in each state,” Capt. Cumah Blake, staff judge advocate for the exercise, said. “But then when you step back into that Title 32 status, it’s a whole set of different rules that come into play.”
Title 32 allows Guardsman to be activated in their state by the governor — at the direction of the federal government — and the federal government will foot their bill.
She added that it’s important for Guardsman to be trained in both because if they’ve only ever done state active duty, they might not be prepared to do something in Title 32.
One of the big takeaways during the exercise, according to Blake, was the need to educate lawyers on technical cyber jargon.
“Every year it validates that gap not just in the military, but just across the board, even the private sector, of really needing to get attorneys trained on what is the language of the technology, what the tools do, because it’s not a common space language that they’re used to,” she said. “It can be a little bit intimidating or a little bit hard to effectively have those communications to advise them because you’re bridging that gap of learning what is that operator saying, what are they trying to ask permission for, because they’re using a different language than your normal client is.”