Pandemic duties for National Guard include cyber help

On March 12, Maryland Governor Larry Hogan called in the National Guard to aid in the coronavirus pandemic response by executive order. Since then, the Guard has been helping the state increase with COVID-19 tests and screening and assisting but also pitching in with cybersecurity assessments.

For Maryland the need is acute: the state is just a year removed from a devastating ransomware attack that hobbled Baltimore city's networks, preventing government officials from doing basic tasks like sending emails.

Col. Reid Novotny, Maryland National Guard's Joint Staff (J6) lead for IT and cyber, told FCW that Baltimore was seeing similar cyber threats during the pandemic.

"During this crisis, we are in daily contact with them [in] an elevated status," he said. "There have been ransomware attacks that have affected hospitals that are treating COVID patients."

Novotny wouldn't name the hospital or county but said notices were disseminated to ensure "patients and the residents of that county that went to that hospital were assured that everyone was up and working."

When pressed about observing cyberattacks in Baltimore and Baltimore County, Novotny said "Yes, that stuff is attempting to be happening and has actually happened and the department of IT has responded back and the Guard has supported that response."

The Guard works in concert with other state entities including Maryland's chief information security officer and Department of Information Technology, the state's Defense Force, a volunteer military organization, all of which make up the Maryland National Guard's joint cyber task force.

Chip Stewart, Maryland's chief information security officer, confirmed to FCW via email that the state has seen an increase in malicious activity but didn't specifically address the hospital ransomware activity.

"Maryland has noticed an increased frequency of attempted cyber-attacks as have many other states throughout the country, ranging from phishing emails to sophisticated attempts to bypass security measures," he wrote.

Maryland has established a security operations center to monitor infrastructure threats and the guard, per Stewart, is performing "routine external assessments of the state's websites and networks to identify issues proactively."

DoIT continues to engage in proactive security that includes regular patching and vulnerability management, as well as ongoing penetration testing to identify weaknesses before our adversaries can exploit them.

But despite those efforts, attacks accumulate, Stewart said.

"From an attacker standpoint, things are worse, with the number and sophistication of attacks increasing every day," he said. "As with everything in security, defense-in-depth is the answer."

That includes technical controls, management and oversight for security awareness and training for state employees "to extend our firewall to the end-users, which is critical in preventing these attacks."

As the pandemic's impact spread, Maryland's CISO selected a number of data repositories, websites, such as those for the state health and labor departments. The Maryland Guard, as result, produced a report with suggestions to fix vulnerabilities found during the assessments.

The guard has also observed spear-phishing campaigns, tagging Cyber Command for input via a relationship with Joint Task Force Echo, and relayed back to Maryland, which then passed intel to the FBI, state, local, and federal partners.

As of May 15, the Maryland National Guard has provided over 3,000 man hours to four different state agencies across four counties, or about $1 million in commercial value of cyber support, according to Novotny.

The National Guard's cyber role isn't limited to the pandemic. The guard has been instrumental in providing election security support as the threat to voting infrastructure rises and other events, including ransomware support to municipalities such as Louisiana which suffered massive ransomware attacks last year.

But the guard's capabilities are mired in complex policy and culture norms that make calling in cyber units for network help less reflexive than having guards stack sandbags to prevent flooding after a hurricane.

"It should be no different that when there is a hurricane and you need to have a National Guard troop help you with sandbagging or something to the like of driving a Humvee down the streets of Baltimore," Novotny said. "It is often very difficult in the policy world that we live in to have a National Guard troop do the same in cyberspace."

However, that could change post-COVID, as the pandemic and governments' responses are scrutinized.

"There will be a lot of change and churn coming out of this specific incident to further clarify who is responsible for what and when in responding to a national emergency or state emergency under FEMA, in coordination with DHS, with the National Guard and all the other federal and local stakeholders," Novotny said.

"The actual law is there," he said, referring to the Stafford Act which has cyber listed as one of the critical infrastructure threats FEMA can respond to. "This is a cultural movement and an ability to get around some internal policies in the DOD. But we will continue to advocate but this doesn't inhibit us from helping the state of Maryland."