When Dorchester County reported a ransomware attack on a majority of its servers this past January, Maryland turned to a program recently established by U.S. Cyber Command and the National Guard.
Less than 48 hours after the late-January 2020 attack, the Maryland Air National Guard was onsite at the county offices along with their state partners, ready to assist.
The “Cyber 9-Line” is a template of questions that participating National Guard units use to quickly communicate a cyber incident to USCYBERCOM. The data provided enables USCYBERCOM's Cyber National Mission Force (CNMF) to further diagnose a foreign attack and return timely, unclassified feedback to the unit, which shares it with state and county governments to address the incident. This process is a key aspect of how USCYBERCOM helps strengthen America’s cybersecurity and enable election integrity.
Securing the 2020 presidential elections is NSA and USCYBERCOM’s No. 1 priority.
“This level of cooperation and feedback provides local, state and Department of Defense partners with a holistic view of threats occurring in the United States and abroad,” said U.S. Army Brig. Gen. William Hartman, USCYBERCOM’s Election Security Group lead and CNMF Commander. “Dealing with a significant cyber incident requires a whole-of-government defense; bidirectional lines of communication and data sharing enable the collective effort to defend elections.”
Establishing the Cyber 9-Line
The Cyber 9-Line operates similarly to the nine-line medical evacuation (MEDEVAC) request that battlefield medics use to quickly and accurately report combat injuries from the field. It represents the first step in the information exchange program (IEP) created in late 2019 under the direction of U.S. Air Force Col. Samuel Kinch, the National Guard Advisor to USCYBERCOM, in partnership with the Joint Cyber Command and Control program office.
Currently most states and territories have Cyber 9-Line training planned or are establishing accounts. To date, 12 states have completed the registration process and are now able to leverage DOD resources against foreign adversaries and strengthen U.S. networks.
By better informing USCYBERCOM about the range of foreign cyber activity in the U.S., the Cyber 9-Line enables the defense of elections, the number-one priority of both the command and the National Security Agency.
“These relationships have been cultivated for many years via personal connections made by our Citizen-Airmen, which allows us to respond quickly,” said U.S. Air Force Col. Reid Novotny, Maryland National Guard J6. “Knowing that the Maryland Department of IT was handling restoration and the FBI was doing investigation, the 175th Cyber Operations Group provided the connectivity to the national resources located in our backyard at USCYBERCOM through a Cyber 9-Line.”
Maryland’s quick response to the incident generated an immediate investigation by the FBI, building upon the FBI’s strong relationship with the state’s National Guard Cyber Protection Team. The FBI successfully identified the vector of attack and shared the critical information with the affected state and National Guard partners.
Working together, the FBI and National Guard collected evidence and developed a mitigation strategy, and the Guard submitted a Cyber 9-Line report to USCYBERCOM.
Leveraging Big Data Against Adversaries
Thanks to the open lines of communication across government agencies, USCYBERCOM can now draw key insights from stateside cyber incidents reported through the National Guard. Capturing this data on cyber incidents in state and federal government is the second part of what the IEP provides: making use of USCYBERCOM’s existing unclassified cyber Big Data Platform (BDP).
The BDP specifically focuses on malign cyber activity, providing critical defense capabilities for participating state and national cyber forces. By having the ability to inform incident response at the state and local levels, the BDP allows USCYBERCOM to better combat foreign activity.
“The CNMF, via the National Guard, may enable states to quickly identify additional indicators of threats, which states can then implement and defend themselves quicker than ever before,” Kinch said. “That’s going to be a huge collective win for us all.”
Additionally, the BDP provides all participants access to previous malware reports and states’ submissions in order to proactively employ and improve their cyber defenses.
“The Cyber 9-Line is still in its infancy, but after standing up this program a few months ago, we have already [seen an impact],” said U.S. Air Force Lt. Col. Jeff Pacini, CNMF Future Operations Deputy Chief. “Ultimately, the goal is to provide mutual support to each other.”
Impact on Election Security and Beyond
The implications of the Cyber 9-Line go beyond diagnosing ransomware: it plays a key role in the whole-of-nation effort to defend elections from foreign interference.
“A consistent message we hear in our engagements with the election security community is a desire for more robust and timely exchanges of information – we need their insights and they need insights from the intelligence community and U.S. Government,” said David Imbordino, NSA’s Election Security Group lead. “The Cyber 9-Line has been an excellent step to improve that issue.”
Cyber information provided through the National Guard units contributes to NSA and Intelligence Community insight-driven operations, allowing CNMF teams to pursue bad actors on foreign partner networks. The data ingested into the BDP through the Cyber 9-Line informs USCYBERCOM’s “Hunt Forward” operations. This is one way the agency and the command are imposing time, money, and access costs to disrupt and disable the adversary’s capabilities to impact U.S. elections.
“The whole-of-government must capitalize on information exchange to successfully reinforce defenses against potential cyber threats at home and abroad,” said Hartman. “U.S. Cyber Command will continue to strengthen our alliances with our partners, persistently engage our adversaries, and when authorized, impose costs on those foreign actors who threaten to interfere with the U.S. democratic process.”