A unique exercise held this summer demonstrated the evolution of the National Guard’s relationship with U.S. Cyber Command as the nation faces increased threats in cyberspace.
This year’s Cyber Yankee exercise, which took place June 5-18 in Connecticut, sought to mature the Guard’s partnership with Cybercom through a threat-sharing portal called Cyber 9-Line.
This tool allows participating Guard units from their respective states to quickly share incidents with the combatant command’s elite Cyber National Mission Force, which conducts operations aimed at disrupting specific nation-state actors. The force is able to provide analysis of discovered malware and offer feedback to the states to help redress the incident, while also potentially taking action against the threat outside U.S. borders. Cyber Command can also, in turn, share threat data discovered in its operations outside U.S. networks with these states as a warning against potential attacks.
Cyber Yankee is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side by side with the private sector, utilities and other federal agencies to protect critical infrastructure in a simulated attack.
Given many defensive cyber teams in the Guard are spread across several states — and the fact that in the event of an incident, Guardsmen will have to work in private utility networks — the exercise acts as a dress rehearsal, enabling the organizations involved to gain partner trust, work through technical chops, and learn how to better run incident responses and operations.
“We had this year probably the strongest partnership we’ve ever had with Cyber Command in using the Cyber 9-Line tool,” Lt. Col. Cameron Sprague, executive director for Cyber Yankee and a Connecticut Guardsman, said in an interview. “I think last year, we might have done one or two Cyber 9-Lines. This year, I believe we did over 30 Cyber 9-Lines into Cyber Command.”
Those 9-Lines went directly to Cybercom’s joint operations center floor where they were actioned as part of the exercise.
Improving this relationship and exercising the use of the 9-Line had a two-pronged effect, Sprague said: First, it educated Guardsmen in the six New England states on the tool and how to employ it.
“There are people that go home and realize, ‘Hey, this thing exists and I used it in an exercise. If something happens in my state, I can then use it during that incident,’” Sprague said.
He found the 9-Line beneficial in a real-world situation in 2020, when the city of Hartford, Connecticut, was hit with a major cyberattack.
Sprague said that response, one of the first real-world instances of using the 9-Line, was very successful, with Cybercom exploiting the intelligence the state provided and taking action with it.
“Our goal this year [at Cyber Yankee] was to push that experience out to the other states in New England and train all their people how to do that,” he said.
The second effect was Cyber Command continuing to mature the 9-Line and even beginning to develop policy guidance for it.
“They’re going to go out and develop more granular policy and what they’re looking for, which will benefit like everyone nationwide,” Sprague said.
Cyber Yankee “really advanced the 9-Line quite a bit,” he said. “It will be very critical if this ever happens in the real world.”
This year’s exercise also saw unique participation from active-duty cyber teams under a construct known as Defense Support to Civil Authorities. The U.S. military is barred from conducting operations on domestic soil unless explicitly asked to assist in disasters under this mechanism.
“If there was a large-scale cyber event, we want to do it with active components. That’s why we exercised it this year,” Sprague said of the active-duty participation from the Navy, Coast Guard and Air Force.
The goal is to work on these relationships before a crisis occurs.
One of the key successes at this year’s event, according to Sprague, was standardized communications and platforms to share information among the participants.
In the past, participants have been confused as to where information is posted, be it email, a Slack channel or elsewhere.
“We’re able to standardize a lot of that and print a playbook. That really, I think, lessened the confusion and enhanced training value of all the participants,” Sprague said. “This year we centralized on one communication platform, Hive-IQ. We also used that platform for assessments and it was this year much, much better than the previous patchwork of platforms we used in the past. We had a much, much smoother exercise. There weren’t as many hiccups.”
The playbook has been shared with other states so they can improve their cyber defenses.
“Any state that wants to do a regional exercise, we like to bootstrap them into doing it,” Sprague said. “We have people come visit us all the time. I think we have people from Illinois this year, with the intent of taking our material and running their own infrastructure, their own regional exercise with our infrastructure, our stuff … our playbook, things like our scenario.”
The simulated threat this year was also more advanced than in years past.
“The biggest difference from last year to this year is that we elevated our game because the threat has elevated,” Sprague said. “The very first day we kicked off the hands-on exercise, we had a real world FBI threat brief with all of our private sector partners in the room. That further drove home the point that this isn’t just a notional thing anymore. This is real world, this could really happen and you need to take it very seriously.”