Ransomware now part of the regular drill for National Guard, generals say

A pair of ransomware attacks in Texas earlier this year weren’t just early tests of the state’s recent decision to include cybersecurity incidents in its emergency response protocols, they also left the state National Guard with a playbook to use the next time it responds to a similar event.

Maj. Gen. Tracy Norris, the adjutant general of the Texas National Guard, recounted for reporters at the Pentagon on Tuesday how cybersecurity experts among the 24,000-person force she leads were dispatched within half a day of receiving reports that local government networks were under attack.

The first event came in late May when the top official in Jackson County — a community of about 15,000 residents 100 miles southwest of Houston — reported to Gov. Greg Abbott’s office that several of her government’s systems had been compromised by malware demanding a ransom.

“People weren’t able to transfer property,” Norris said. “Police doing background checks couldn’t bring up that information. We sent a team out. We had people out there within 12 hours and helped that county start to get back online.”

Norris said her people assessed the county’s systems and were able to bring them back to about “25 percent recovery” before passing it off to other responding agencies, such as the Texas Department of Information Resources, a process she said took about two weeks.

[ransomeware_map ]

Norris said that Jackson County Judge Jill Sklar, who had just been inaugurated in January, was able to get National Guard members — as well as personnel from civilian state agencies — to respond so quickly because of a 2017 law that tweaked the governor’s ability to issue disaster declaration to include cyberattacks, opening up resources like the National Guard’s expanding number of cybersecurity units.

But helping state and local governments respond to cyberthreats like ransomware or attempts to hack election systems is a new normal for the National Guard, Air Force Gen. Joseph Lengyel, the chief of the National Guard Bureau, said at the Pentagon briefing.

“When they first developed cyber, people thought there was no domestic mission for a governor to use a cyber force in a state capacity,” Lengyel said in response to a question from the cybersecurity site Fifth Domain. “And now we’re seeing how wrong that could be.”

National Guard units have also been deployed to assist with responses to ransomware attacks in Colorado, Louisiana and Georgia, Lengyel said. In total, there are now 59 cybersecurity-dedicated units spread across the National Guards of 38 states, according to the Defense Department.

In Texas’ case, though, the May incident in Jackson County was just a dress rehearsal for a bigger August incident in which 22 local government organizations scatted across the state were hit with ransomware. Texas’ top IT officials, including Chief Information Officer Todd Kimbriel and Chief Information Security Officer Nancy Rainosek, recalled last month how the 2017 revisions to Texas’ emergency plan facilitated the response to the August attack. For the National Guard, Norris said part of the task was prioritizing where to deploy the roughly 50 Army and Air National Guard members in her cyber unit.

“We got people on the phone, figuring out assessments. We picked the places to go to help out on the recovery process,” she said, noting that Guard members spent about 15 days on the ground. “Now we have a battle drill.”