A joint military/civilian event examines roles in homeland cyberdefense.
A recent exercise in San Antonio revealed how homeland security cooperation among civil authorities and the military involves more than hardware and software interoperability. Issues such as military capabilities, obligations and restrictions weighed heavily as participants sought to establish procedures to counter a potential cyberattack.
The exercise emerged from a challenge from Rep. Ciro Rodriguez (D-TX) to the city of San Antonio, Bexar County and the surrounding region to test the ability of local, state and federal organizations to respond to a cyberattack. The exercise, named Dark Screen, involved representatives from government agencies at the local, state and federal levels; industry; local military bases; and academia. More than 220 individuals participated in phase I of Dark Screen, which consisted of a tabletop scenario conducted in September 2002. The event emphasized communication channels that need to be in place to share indications and warnings of possible cyberattacks effectively and to conduct timely reporting of actual attacks in progress.
For the purposes of the exercise, responsibility for addressing a cyberattack was largely that of city, county and state governments; however, a significant amount of time was devoted to examining the role the military might play in such an event. Participants in the exercise included representatives from all San Antonio-area military facilities, including the Air Intelligence Agency (AIA), headquartered at Lackland Air Force Base. Representatives from the Texas National Guard also were present, and members of Guard units from two other states participated as observers.
While the U.S. Air Force and other services have conducted exercises relating to computer network defense for their own benefit, Dark Screen may have been the first in which military organizations collaborated with local municipalities in this type of exercise. Key questions were how an Air Force intelligence agency could best use its knowledge and experience in computer network defense to assist the Dark Screen organizers during the exercise and, more importantly, what assistance the Air Force, specifically the AIA, could provide to local officials in the event of a cyberattack.
To determine the AIA’s specific role in responding to a cyberattack, members of the planning committee met with AIA principals responsible for security, legal matters, the Freedom of Information Act, operations security, homeland security and operations. All agreed that the AIA had much to offer in the way of solid experience in exercise preparation and operations, computer network defense and vulnerability assessments. However, the central issue remained: determining how to extend that expertise to civilian counterparts.
To explore this question, the planning committee established the ground rules and physical layout of the exercise. Tables were set up for the city of San Antonio, Bexar County, the state of Texas, critical infrastructure agencies, industry, the media, combined federal agencies and the military. Agency participants at each of the tables worked exclusively on specific scenarios drafted for their respective agencies with no exchange of information between tables. The reason for this format was to establish the manner in which these organizations would react immediately to such situations. Each agency needed to identify critical questions to be answered if a cyberattack occurred. Who would they call? From whom would they expect to receive information during a cybersecurity incident? Would city officials talk to federal authorities, and vice versa? If the AIA or another military organization had relevant information, could it lawfully share the information with local or state officials?
One of the main issues in answering these questions lies in the legal concept of posse comitatus, “the power of the county.” In the mid-19th century, as the United States developed to the west, posse comitatus enabled sheriffs to form a posse to help in a crisis. Initially a useful tool for law enforcement purposes, these powers eventually became misused by the U.S. Army during the South’s reconstruction after the Civil War. Army troops were used in a law enforcement capacity to thwart resurgence from Southern soldiers and their supporters.
The Posse Comitatus Act, which governs military participation in civilian law enforcement activities, first was passed in 1878 and modified over the years. It states that “whoever, except in cases and under circumstances expressly authorized by the Constitution or Act of Congress, willfully uses any part of the Army or the Air Force as a posse comitatus or otherwise to execute the laws shall be fined under this title or imprisoned not more than two years, or both.” The statute also has been expanded to apply to the U.S. Navy and the U.S. Marine Corps. While this law still applies today, its relevance to the war on terrorism is being reviewed by federal and military authorities as they determine how the military can support homeland security.
As the planning committee identified exercise participants and began formulating how they would “play,” the issue of military participation continuously presented more questions than answers. In addition to the Posse Comitatus Act, numerous U.S. Department of Defense regulations, as well as other federal statutes, address the type of support the U.S. military is authorized to provide to civilian authorities.
Maj. Gen. Paul Lebras, USAF, AIA commander, led the AIA table through the three-module exercise. Discussions included policies and procedures for the Air Force Computer Emergency Response Team (AFCERT). In addition, the AIA examined the reporting chain up through the Air Force and the Defense Department. In each module, AIA exercise participants brainstormed ideas on how the AIA could assist local authorities. Some of the information was collected and packaged by AIA personnel and will be presented to the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio for inclusion in the final report.
One concern raised during the exercise relates to the need to balance public access to government information against the obligation to protect that same information from potential adversaries. Both state and federal laws govern this issue. Dark Screen identified a necessity to examine existing laws to ensure they provide adequate protection of information shared between agencies while simultaneously allowing limited public access to government data. During phase I, a representative of the Texas Attorney General’s Office provided information on the most recent change to the Texas Public Information Act, Section 552.136, which seeks to protect government records derived from computer network security operations and tests from public access.
The tabletop portion of the exercise examined the communication channels necessary for attack warnings and alerts. The exercise has now entered phase II, in which lessons learned from phase I can be addressed and network security for critical infrastructures can be enhanced in preparation for phase III, which is designed to be a live cybersecurity exercise. During phases II and III, the AIA will advise organizations such as the Texas Guard, which will be conducting evaluations of the security posture for state and local government networks.
The role of the military in cyberspace security is a key issue facing not only the local Dark Screen participants but also national authorities. National policy makers are continuously analyzing how the military can assist civilian officials lawfully. At the same time, officials throughout the Defense Department are examining the best ways for the military to address cyberspace security issues. Of particular importance is the decision on which military command should own the cyberspace security mission.
Central to this discussion is the formation of the new Northern Command (NORTHCOM), established in October 2002. The mission of this new organization is to protect the nation from outside attack as well as to assist civilian agencies should a natural disaster or attack occur. Other government agencies such as the Federal Bureau of Investigation and the Federal Aviation Administration have assigned personnel to NORTHCOM to assist it in its mission.
In addition to the personnel stationed in Colorado Springs, Colorado, NORTHCOM includes the Joint Task Force, Civil Support, in Hampton Roads, Virginia. Following the attacks of September 11, 2001, this organization spearheaded military efforts to assist civilian firefighters, rescue workers and police in New York and Northern Virginia. It will be responsible for supporting civil forces should any similar event occur in the future.
While NORTHCOM’s charter includes defending against chemical, biological, nuclear and radiological attacks on the United States, it also includes the responsibility to support recovery efforts should a domestic terrorist attack occur. Currently, however, defense of the nation’s cyberspace infrastructure is not the mission of NORTHCOM. That mission belongs to several agencies spearheaded by the National Infrastructure Protection Center, Washington, D.C. Within the military, responsibility for cybersecurity belongs to the Defense Department’s Joint Task Force, Computer Network Operations, formerly part of the U.S. Space Command and now part of the U.S. Strategic Command (STRATCOM). This newly reorganized command now has responsibility for command and control, protected satellite communications, computer network attack and defense, and space-based surveillance and early warning. How either command will work with civilian agencies is an issue under constant scrutiny by national policy makers.
One possible link between local and state government agencies, industry and the military was examined during the Dark Screen tabletop exercise. The National Guard increasingly has been considered as a possible key player in dealing with both active-duty military forces and civilian authorities. The Guard is unique in having both a state and a federal mission. Additionally, the Guard has investigated providing personnel for each state to form a state computer emergency response team, or CERT. How these individual state CERTs will function and what their exact responsibility will be for protecting state and local resources still needs to be solidified. How these CERTs can work with either STRATCOM or NORTHCOM in helping to defend the nation’s critical cyberresources also has to be formally determined.
Even with the state CERTs, additional resources are needed to perform other tasks associated with securing critical computer networks. One of these tasks is performing vulnerability assessments, which will examine a computer network for known insecurities. The assessment often will have both internal and external components to simulate the access a knowledgeable insider may have as well as access by the more numerous potential external attackers. For the Air Force, the 92nd Information Warfare Aggressor Squadron (IWAS), which is part of the AIA, performs this task.
The IWAS presents a full-spectrum assessment that simulates the abilities that a potential adversary may bring to a cyberconflict. Frequently referred to as a red team, this organization assesses vulnerabilities on computer networks to help an organization protect itself better from attack. Several states have expressed an interest in forming units with either the Army or Air National Guard to perform the red team mission.
While full-spectrum red teams probably are not necessary in each state, the formation of a “red team–light” is possible. These smaller units, located in each state, could be used to perform vulnerability assessments on critical state infrastructures and components of critical federal infrastructures that reside in their state. Responsibility for training these units could be borne by both the active-duty military and the Guard. In the event of an attack, these units could be called on to assist active-duty forces in maintaining the cybersecurity of both garrisoned and deployed forces.
Dr. Gregory B. White is the technical director of the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio (UTSA). Joe H. Sanchez Jr. is the technical director of the 690th Information Operations Group at the Air Intelligence Agency (AIA) and serves as the AIA liaison to UTSA and the Center for Infrastructure Assurance and Security.