Cyber Warrior Act Introduced in Senate and House

Identical versions of the Cyber Warrior Act (S 658 and HR 1640) have now been introduced in both the Senate and the House. Originally introduced by Sen. Gillibrand (D,NY) the bills would require DOD to establish National Guard Cyber and Computer Network Incident Response Teams (CCNIRT) in each State. These teams would be roughly patterned on the current weapons of mass destruction response units.

CCNIRT Requirements

The CCNIRT would “perform duties relating to analysis and protection in support of programs to prepare for and respond to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network” {§3(a)(1)}. This would be accomplished by amending 10 USC §12310 by adding a new paragraph (d) that is roughly patterned on paragraph (c) dealing with Operations Relating to Defense Against Weapons of Mass Destruction and Terrorist Attacks. There are some significant differences:

• Authorizations for pay and allowances for team members would come from active duty force authorizations not from National Guard budget authorizations {10 USC §12310(d)(4)};

• CCNIRT would specifically be authorized to “to assist the combatant commands in developing and expanding their capacity relating to analysis and protection in support of programs to prepare for and respond to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network” {10 USC §12310(d)(2)}; and

• The Secretary of Defense must certify to Congress that the individual CCNIRT “members possess the requisite skills, training, and equipment to be proficient in all mission requirements” {10 USC §12310(d)(2)}.

The bill would also amend 32 USC Chapter 9 by adding §902a addressing the State homeland defense activities of these units. The unit responsibilities would include:

• Training for State and local law enforcement and governmental personnel on analysis and protection to prepare for and respond to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network {§902a(a)(1)}; and

• Assist State and local government agencies in preparing for and responding to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network {§902a(a)(2)}

The §902a(d) would exempt the CCNIRT from certain existing limitations on National Guard units found in 32 USC 904. Those exemptions include:

• The 180 day deployment limitation in §904(b);

• The weekend and two week annual drill requirements of §502(a); and

• The requirement to maintain the military skills of the unit or member in §904(d).

Section 3(e) of the bills would require the Secretary of Defense to ensure that the training that the CCNIRT receive would “be equivalent to the training provided members of the regular component of the Army and the Air Force on such matters” {§3(e)(1)}. To that end the bills would require a report to Congress on the current status of such training and what changes would need to be made to meet that requirement.

The same section requires a separate report to Congress on the recruiting and retentions requirements to support these National Guard units and similar units in active Army and Air Force. There are two interesting and vague requirements of that report:

• Address potential deployment options (specifically including ‘virtual deployment’) “under which members of the reserve components with computer network defense duties can be managed without the geographic relocation of such members” {§3(e)(2)}; and

• Describing the “training requirements and physical demands” {§3(e)(3)} of the military occupational specialties involved in these units.

Analysis

There are a couple of closely related items that are not addressed in these two bills that would have a significant impact on the establishment and operations of the CCNIRT units. While these units are roughly patterned on the current WMD response teams, there is a significant difference. The WMD units were formed from a large number of existing chemical warfare units in the National Guard and Reserves. The military already had the personnel, equipment and basic skill training in place for these units. That is not the case with the CCNIRT.

Second, the active duty components of the military are already having problems attracting and retaining personnel to form cyberwarfare units. The CCNIRT units will be an additional impediment to the staffing of those units.

Finally, I think that there needs to be a discussion of the posse comitatus status of these units. An argument could be made that a legitimate response by these units to a cyberattack could include a counter-attack on the computer systems of the entity conducting the attack. If that attacking system were located in the United States this could be considered the use of military force against American citizens if the attacker were some domestic terrorist.

Moving Forward

This is such a novel concept that I really don’t have any basis for estimating the potential political response to these bills. I don’t really see any big push to bring these bills to floor consideration, but the bills do have bipartisan sponsorship so they might be able to move forward if the leadership can be convinced to bring them to the floor. We’ll have to see how they fair in the respective Armed Services committees. I would not be surprised, however, to see them rolled into the DOD authorization bills if they receive the support of committee leadership.