The National Governors Association endorsed measures in an upcoming defense spending package that would grow the National Guard’s role in responding to cyberattacks, including making it easier for individual units to respond to incidents across state lines.
In a letter published last Friday, NGA Executive Director Bill McBride told the leaders of the House and Senate Armed Services committees that governors would like to see the final form of the National Defense Authorization Act — the annual spending bill that lays out the Pentagon’s year budget — include measures that relate to the National Guard’s cyber capabilities.
National Guards in all 50 states have at least one unit dedicated to cybersecurity, with members of those units assisting their states with duties including responding to ransomware attacks and protecting election infrastructure.
Some states, like Maryland, have also used their Guards’ cyber groups to help protect government websites — like unemployment benefit portals — that could be targeted for fraud or other online crimes during the coronavirus pandemic. And once again this fall, Guard units are being called up to help election administrators protect voter registration databases, websites and other assets.
But draft forms of this year’s NDAA contain two sections that could formalize and expand the National Guard’s cyber activities even further. One proposal, which exists in both the House and Senate versions of the bill, would direct the Defense Department to develop guidance on how National Guard units should collaborate with civilian agencies, such as the Cybersecurity and Infrastructure Security Agency, the FBI, information-sharing groups and state-run fusion centers.
The second proposal, which currently only exists in the Senate’s NDAA draft, could greatly broaden the scope of individual Guard cyber units by authorizing the Army and Air Force to develop pilot programs in which Guard units from one state could offer remote assistance to the government or National Guard of another state. The assistance could involve “training, preparation, and response to cyber incidents,” the bill reads.
Any pilot projects would be required to be conducted in coordination with the FBI, Department of Homeland Security and any relevant state agencies, and would not be allowed to go outside the confines of any existing mutual-aid agreements between states, like the Emergency Management Assistance Compact.
The interstate assistance proposal was proposed by Sen. Gary Peters, D-Mich., a frequent sponsor of legislation promoting cybersecurity assistance to state and local governments. Peters introduced it as a standalone bill in June, though it was later incorporated as an amendment to the broader defense bill in July.
The NDAA is considered “must-pass” legislation, and is often approved by Congress in the waning days of its December lame-duck sessions.