Brig. Gen. Michael Stone of the Michigan National Guard said that the federal government has wanted a nationwide network of unclassified cyberexercise facilities for years, but he’s bringing the idea to state and local government -- starting with his home state of Michigan. If the state receives funding for this purpose, he says the first hub of the network should be ready by Oct. 1.
The network of facilities would allow IT professionals without security clearance to practice for cyberattacks in multi-state and multi-stakeholder efforts. Such facilities are uncommon today, he said, and unclassified interstate efforts don’t exist.
Congress succeeded with this goal to an extent, but it missed a crucial part of the idea, Stone said. The National Science Foundation, which teamed with the Defense Advanced Research Projects Agency on the project, was allocated $110 million to create cyber-ranges. While it did create cyber-ranges, those ranges are not accessible to those without security clearance.
“They did some wonderful work for the country, but they did it all in the top secret domain,” Stone said, adding that this was unfortunate for a few reasons.
The second reason unclassified cyber-ranges are needed, he said, is a practical one: When a cyberattack hits state or local government, officials don’t want to sit around waiting for the federal government to come rescue them, he said.
“There are folks who work at the federal level -- policy makers -- who believe the domain of cyber falls entirely on the federal government,” Stone said. “The problem with that, though, is that requires perfect resources and perfect execution of the federal government. And being a person who works for the state and local level, just ask yourself, ‘How long is it going to take before the response is there? And how perfect is federal government execution all the time?’”
Stone’s vision is a nationwide network of cyber-range facilities that's anchored in the advisory of the National Guard, which is in the unique position of spanning the federal, state and local levels, he said. Most people are familiar with the National Guard acting as a second responder during such events as hurricanes or floods, but the Guard also is in a perfect position to bridge the gap between federal involvement and state and local participation.
And ultimately, Stone said, it doesn’t make sense to put federal agencies in charge of critical infrastructure such as power grids and dams, because that’s not who’s operating them.
“Eighty percent of all critical infrastructure is privately owned,” he said. “And 85 percent of all people operating networks for critical infrastructure are civilians, non-federal government.”
Almost without exception, Stone said, IT organizations will agree that the most valuable resource they have and the thing highest in demand is talented human capital. So why would government ignore 85 percent of its capital, particularly during a time of crisis?
To take advantage of this capital, the Michigan National Guard partnered with the California National Guard; California Polytechnic State University, San Luis Obispo (Cal Poly); Michigan’s Merit Network; EADS North America; and nonprofit Electricore, the organization that applied for the Department of Energy grant on behalf of the team’s members to get unclassified cyber-ranges going.
The costs for establishing each facility in the network, Stone said, is in the hundreds of thousands of dollars -- as opposed to the millions spent by the federal government.
“The dollar figure to stand up hubs is really the cost of running fiber optic to the buildings we want, which is about $50,000 a mile to run this fiber,” he said. “Once you’re there, it’s really the human capital cost.”
In addition to Cal Poly, the network would include many major universities in Michigan, starting with the state’s Merit Network, the longest-running fiber optic network in the country. And the first hubs will be military bases and academies in Michigan. Stone said he is also in talks with the National Guard Bureau in Little Rock, Ark., and organizations in Kansas. The idea, he says, is to cast a wide net while also creating a culture of cybersecurity awareness.
“We’re going to need special guardsmen with civilian skill sets,” he said. “We’re going to need recent college graduates, we’re going to need an abundance of IT experts to really be able to surge, to overcome those problems.”
This network, he said, is part of a larger effort to set the right conditions for a workforce that can handle these issues.
“We have to do this,” Stone said, adding that it’s one thing to teach individuals to troubleshoot a network or solve a computer problem, but they need teams of people who can work together. They need collective training tools, he said. “I think that this is going to happen one way or another, whether or not there are federal dollars,” he continued. “This is a clear trend. There’s a demand. Every time we ask a corporation if they want to participate, if they have any information assurance requirement, they get to yes really fast.”
It’s going to happen, Stone said, the only question is who the players will be.
And the bulk of this effort consist of Stone’s strategy and the work that organizations like Cal Poly will do, said Electricore Executive Director Deborah Jelen.
“A lot of the value is in the ability to test different products,” she said. “The nature of a cyberthreat is changing all of the time, and there are going to be many different solutions to address those threats. Ao I think having that ability, that bandwidth to be able to conduct the testing, really is going to be a critical success factor.”
She has no way of knowing today whether they will receive the funding they requested, she said, but a project like this could lead to very important work in the area of research and development, and emergency management.