Last month Rep Jackson-Lee introduced HR 119, the Cyber Defense National Guard Act. The bill would require the Director of National Intelligence to conduct a study on “the feasibility of establishing a Cyber Defense National Guard” {§2(a)}.
The Study
The DNI would consult with DOD and DHS to produce the required study within 240 days of the bill being enacted. A report to Congress on the study would be published in unclassified form, but a classified annex could be included. The items to be included in the study would include {§2(b)}:
• The cost of creating a Cyber
Defense National Guard,
• The number of persons who would
be needed to defend the critical infrastructure of the United States from a
cyber-attack or manmade intentional or unintentional catastrophic incident,
• The sources of potential members
of a Cyber Defense National Guard, including industry, academic institutions,
research facilities, and Federal contractors,
• Which elements of the Federal
Government would be best equipped to recruit, train, and manage a Cyber Defense
National Guard,
• The criteria required for persons
to serve in a Cyber Defense National Guard,
• The impact of the effectiveness
of a Cyber Defense National Guard of the possibility that the population of
potential recruits may be dominated by men and women without military,
intelligence, law enforcement, or government work experience,
• The recruitment and vetting costs
for a Cyber Defense National Guard,
• How well military discipline is
able to be adapted for use for creating command and control systems and
protocols for a Cyber Defense National Guard,
• The logistics of allowing
governors to use the Cyber Defense National Guard in States during times of
cyber emergency,
• The advantages and disadvantages
of creating a Cyber Defense National Guard on the cyber security of the United
States, and
• Whether a force trained to defend the networks of the United States in the event of a major attack or natural or manmade disaster will benefit overall efforts to defend the interests of the United States.
Moving Forward
Jackson-Lee is not a member of the House Intelligence Committee to which this bill was assigned for consideration. This means that it is unlikely that she has the influence necessary to see the bill considered in Committee. I see nothing in the bill that would cause organized opposition to its passage. I suspect that it would receive at least some bipartisan support if it were considered in Committee or on the floor of the House.
This bill is a potential candidate to be offered as an amendment to either the National Defense Authorization Act or the Intelligence Authorization Act.
Commentary
Ms Jackson-Lee made an interesting choice when she designated the DNI as the entity responsible for the conduct of this study. If the CDNG were to be considered as part of the traditional National Guard, the study should have been the responsibility of the Department of Defense. It is apparent from some of the study requirements that the CDNG is not envisioned to be primarily a military type of organization. That would make crafting legislation establishing such an organization challenging.
A CDNG as a third leg of the National Guard Bureau (the Army National Guard and Air National Guard are the two existing legs) would be able to draw on the authority and logistical support designed for the NGB. Existing National Guard statutory language for personnel issues, logistics, deployment, medical support, education and training, and retirement might have to be amended to address unique CDNG issues, but they would not have to be stood up from scratch. Standing up a CDNG outside of the National Guard Bureau would mean that an entirely new and duplicative administrative support structure would have to be included in the legislative authorization along with the necessary funding for that structure.
The other thing that bothers me about this bill is the underlying assumption that it is possible to ‘defend’ critical infrastructure from cyberattack. The cyber realm is much different from the classic defense situation. We cannot establish a navy or air force capable of interdicting enemy cyber forces off our shores. The internet provides an open highway for nation-state and less-than-state adversaries to enter our physical boundaries and probe for weaknesses in our cyber structure.
Defending critical infrastructure from a cyberattack would require taking control of the complete cyber and communications structure of the entity that the CDNG (or anyone else in the government, for that matter) was trying to protect. Private entities are not going to allow that to happen. Even where the guvmint has that control, they are not able to stop cyberattacks, see SolarWinds for example.
Where a CDNG would be more appropriate and effective would be
in providing cyber response support to entities that had already affected by a
cyberattack, particularly where a cyberattack has interfered with
communications or energy transmission. I would envision a Cyber Response
National Guard that was able to come in and help isolate and replace and/or
bypass affected equipment. The mission would be to help State and local
governments and important private sector operations get back into operation providing
critical services and products to the public.
No comments:
Post a Comment