This speech was given by Brigadier General John Tuohy at the Lexington Institute’s Capitol Hill event on the National Guard’s Role in Cybersecurity for the U.S. Power Grid on June 21, 2016. BG Tuohy is the Assistant Adjutant General of the Washington Air National Guard.
Click here to watch a video of Brigadier General Tuohy’s speech.
Good afternoon. My name is Brigadier General John Tuohy and I have the great honor to be the Commander of the Washington Air National Guard and also the Assistant Adjutant General. My boss, Major General Bret Daugherty, is unfortunately unable to attend this forum and asked me to step in. Now I have to warn you that my background is as a knuckle dragging aviator in B-52 bombers, and not that of a cyber wizard. In truth, I depend on my kids to run the TV and program my VCR, so the good news is I won’t lose anyone in geek speak today.
But here’s what I do know: We live in unprecedented times of cyber risk, threats, vulnerabilities, exploitation, and outright attacks on virtually everything and anything that is connected to computers and the internet by bad actors and cyber criminals. And hence, I want to thank the Lexington Institute for bringing this subject to light today – The National Guard’s Role in Cybersecurity for the Power Grid. It is my intent to share a few very basic reasons why the National Guard offers one more layer of defense to this significant threat.
As you know, the National Guard, since its very inception in 1636, has been “at the ready” to defend and protect the citizens of this nation, whether by federal or state decree. This dual-role allows the Guard to uniquely leverage capabilities and capacity for both state and federal missions. My comments this morning do not necessarily reflect that of all 50 states and territories, nor the United States Air Force or National Guard Bureau, but only that of the state of Washington. In fact, I stand before you in my state employee status and not federal.
In our state we look at the response to cyber threats the same as any other natural or man-made disaster. When directed by the governor, we seek to respond, limit, mitigate, defend, deter and restore, regardless the crisis. And I must emphatically point out we are always tasked, directed and under the control of civil authorities; we are never just out there on our own.
So why the Guard in this equation of Cybersecurity and the Power Grid? The first reason and word that comes to mind is trust. Trust based on our competency, our experience, our expertise, our community relations, our long-standing stability, and our proven results in support of our civilian and federal partners, and most importantly that of the American people. In a few minutes you will hear from Mr. Beberness, CIO, from one of our public utility companies in Washington State and I’ll defer to his comments on the assessment that was conducted by the Guard.
Needless to say, you will hear that the process was well coordinated and executed by a comprehensive memorandum of agreement, inclusive non-disclosure agreements, and explicit rules of engagement with stringent controls in place. In addition, this process took nearly two years to bring from concept to achievement, along with months of legal review and refinement by a multitude of state and corporate attorneys to ensure all applicable rules, regulations, policies and laws were conformed to. And given it was directed by the governor to the National Guard, at the invitational request of the public utility company, it was conducted not in federal status but in State Active Duty, with state equipment and software; hence, no conflict of fiscal law or purpose violations. I also want to publicly acknowledge Mr. Beberness and his company for their insightful, progressive, and groundbreaking leadership, partnership and information sharing. They are true pioneers in this important effort!
I need to also note that this consultation only highlighted areas for review and in no way “fixed” any issues found. The Guard’s mandate was to assess, not correct. The “fixing” is left for the customer to do, whether by internal means or by commercial private enterprise; hence, we are not in competition with the private sector. In fact, one could easily argue that in our steps to ensure public safety and confidence through these kinds of engagements, we are actually creating potential opportunities for the private sector to capitalize on.
Again, why the Guard? At the very core of the Guard is its people. And in this domain of cyber the Washington National Guard is exceedingly blessed with tremendously talented members who bring to the fight a plethora of industry leadership, technical experience, business acumen, depth of capability and esprit de corps. And yes, because of our physical location to the giants of cyber industry in the local area, these members are at the center of excellence and on the cutting edge of technology, tactics, techniques, innovation and training. But I would argue that many states, as my colleagues here today from California and Maryland will attest, are also gifted in much the same way and hence they too are capitalizing on the talents of their Guard members for their respective state and federal missions.
Speaking of federal missions, the creation of Cyber Protection Teams (CPTs) is clearly a step in the right direction. As part of US Cyber Command’s Cyber Mission Force, these teams will ensure network security and defense for our Department of Defense (DoD) information networks worldwide. What makes Washington a bit unique is that part of their CPT unit tasking is to conduct Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) in their mission directives. Several of these special tasked members assisted with the assessment that you will hear about in a few minutes.
This collaborative venture with the utility company proved invaluable in shaping our processes and developing training, while forging a clear path on how best to conduct future consultations not only within the public utility sector, but also within state agencies that could prove vulnerable to cyber-attacks and exploitation at the potential cost of billions of dollars if compromised. In other words, the approach we have developed has a broad spectrum of application which will go a long way to developing and implementing better strategies, policies, and framework for cybersecurity solutions for our critical stakeholders and ultimately the American people we serve.
So what is needed now to ensure the National Guard’s success in this work continues at the national level? I would start by stating that the recent Policy Memorandum 16-002, from the Deputy Secretary of Defense, is a welcomed document which provides, and I quote, “guidance for the DoD to coordinate, train, advise, and assist (CTAA) cyber support and services provided incidental to military training to organizations and activities outside DoD and for National Guard personnel use of DoD information networks, software, and hardware for State cyberspace activities.” But please don’t misconstrue or conclude this memo allows a blank check to conduct cyber operations at will. On the contrary, it stipulates very strict guidance and definitions on who may receive cyber support and services within the United States and its territories, along with a strict approval process. But it is a great step in codifying the Guard’s role in cyber defense with respect to domestic missions, whether in federal or state status.
Continued dialogue at the national level in such forums as this one today is also important in educating industry, political leaders, and government officials as to what’s possible. If we all agree that domestic cyber is a mission area for the Guard, there does need to be a national level debate on whether the Guard is appropriately structured and resourced for this “dual mission.” We may find that the mission is too great and we may need to look at other innovative solutions.
One idea being bantered about is the development of a “cyber” version of our Civil Support Team concept, which does not necessarily have a direct federal tasking. It would be designed to respond to cyber threats or incidents on short notice or used in a preventive manner through exercises and assessments. But as we all know this depends on funding and resources, which ostensibly is in short supply. However, we cannot allow funding and restrictive thinking to limit the art of the possible. We have too much to lose.
Another area seemingly in short supply is effective and available training in the art of ICS/ SCADA. As part of our own internal efforts to develop our unique ICS/SCADA warriors, we have developed an in-house training program designed to train our practitioners up to speed more rapidly. We are in discussion with how to perhaps extend this “schoolhouse” training to other CPT states and federal partners so they too can be better prepared to defend critical infrastructure. Again, the long pole in the tent will continue to be the lack of resources, funding and approval authorities to conduct such training.
Let me now spend just a moment focusing on what activities and actions I believe should be taking place at the state and local level. One of the questions often posed is how can power utilities and their regulators most effectively work with the National Guard in this effort to protect critical infrastructure? Now I could be completely off track here but it could be perceived that utilities and regulators might possibly at times have a “strained” relationship rather than one that is open and collaborative. We need to create an environment whereby utilities and regulators can discuss vulnerabilities without the fear that the information divulged may lead to punitive or castigatory actions against the Utility. As mentioned in my opening remarks, the Guard is known because it is trusted. Washington State believes using the Guard as the “trusted agent” and “go between” is an innovative solution and helps with developing an atmosphere built upon collaboration, communication, cooperation and coordination.
Over the last several years Washington has conducted numerous open forums and workshops to explore the “what ifs” of a cybersecurity crisis. The last one we conducted included mission partners from DoD, Department of Homeland Security, Federal Emergency Management Agency, state, local, county, city, and Tribal officials, public and private utility companies, State agencies along with a large contingent of attendees from major businesses like Boeing, Verizon and Microsoft. In the end, what truly transpired was like-minded professionals coming together, exchanging ideas and business cards, and agreeing that this threat is a real and present danger. It really is about partnerships, partnerships, partnerships.
In closing, I believe the leveraging of the National Guard in this critical fight to protect and safeguard the power grids across this great nation only makes sense. Without question, we are ready, reliable, and responsive. And yes, we are great asset and dollar for dollar the best investment at the lowest cost.
Back in 2012, the President said, “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” It’s now 2016 and that statement has not changed and still rings 100% true today. But what has changed is the start of new and innovative efforts by the National Guard, empowered by outstanding partnerships such as that of Snohomish County Public Utility District, state and local agencies, federal partners, and other critical stakeholders, which will ultimately lead to a nation better prepared to defend and protect against dangerous, sophisticated, stealthy and relentless cyber threats and the dastardly bad actors behind them.
We no longer have the luxury to study and ponder the problem or to debate it until blue in the face. Now is the time for action. Failure to do so ultimately means to fail the American people, and that, Ladies and Gentlemen, is unacceptable. Or as Secretary of Defense, Ashton Carter said while visiting a few months back in Seattle, “These issues matter. It’s not a game. This is about our protection and our security, and creating a world in which our citizens can wake up in the morning, hug their kids, take them to school, go to work, dream their dreams, live their lives. That’s what it’s all about, and you can’t do that if you don’t have security.”
Find Archived Articles: