Jeffrey Alston is a member of the United States Army National Guard and a graduate of the United States Army War College.  He can be found on Twitter @jeffreymalston.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

National Security Situation:  The United States has not organized its battlespace to defend against cyberattacks.  Cyberattacks are growing in scale and scope and threaten surprise and loss of initiative at the strategic, operational and tactical levels.  Shortfalls in the nation’s cybersecurity workforce and lack of division of labor amongst defenders exacerbates these shortfalls.

Date Originally Written:  July 23, 2017.

Date Originally Published:  September 4, 2017.

Author and / or Article Point of View:  This paper is written from a perspective of a U.S. Army field grade officer with maneuver battalion command experience who is a senior service college graduate.  The officer has also been a practitioner of delivery of Information Technology (IT) services and cybersecurity for his organization for over 15 years and in the IT industry for nearly 20 years.

Background:  At the height of the Cold War, the United States, and the North American (NA) continent, organized for defense against nuclear attack.  A series of radar early warning lines and control stations were erected and arrayed across the northern reaches of the continent to warn of nuclear attack.  This system of electronic sentries were controlled and monitored through a series of air defense centers.  The actual air defense fell to a number of key air bases across the U.S. ready to intercept and defeat bombers from the Union of Soviet Socialist Republics entering the NA airspace.  The system was comprehensive, arrayed in-depth, and redundant[1].  Today, with threats posed by sophisticated cyber actors who directly challenge numerous United States interests, no equivalent warning structure exists.  Only high level, broad outlines of responsibility exist[2].  Existing national capabilities, while not trivial, are not enough to provide assurances to U.S. states as these national capabilities may require a cyber event of national significance to occur before they are committed to address a state’s cyber defense needs.  Worse, national entities may notify a state after a breach has occurred or a network is believed to be compromised.  The situation is not sustainable.

Significance:  Today, the vast Cold War NA airspace has its analog in undefended space and gray area networks where the cyber threats propagate, unfettered from active security measures[3].  While the capabilities of the myriad of companies and firms that make up the critical infrastructure and key resource sectors have considerable cybersecurity resources and skill, there are just as many that have next to nothing.  Many companies and firms cannot afford cyber capability or worse are simply unaware of the threats they face.  Between all of these entities the common terrain consists of the numerous networks, private and public, that interconnect or expose all of these actors.  With its Title 32 authorities in U.S. law, the National Guard is well positioned to take a key role in the unique spot interface between private industry – especially critical infrastructure – in that it can play a key role in this gray space.

There is a unique role for the National Guard cyber forces in gray space of the internet.  The National Guard could provide a key defensive capability in two different ways.

Option #1:  The National Guard’s Defensive Cyberspace Operations-Element (DCO-E), not part of the Department of Defense Cyber Mission Force, fulfills an active role providing depth in their states’ networks, both public and private.  These elements, structured as full-time assets, can cooperatively work to negotiate the placement of sensors and honeypots in key locations in the network and representative sectors in their states.  Data from these sensors and honey pots, optimized to only detect high-threat or active indicators of compromise, would be aggregated in security operations centers manned primarily by the DCO-Es but with state government and Critical Infrastructure and Key Resources (CIKR) participation.  These security operations centers provide valuable intelligence, analytics, cyber threat intelligence to all and act to provide depth in cybersecurity.  These units watch for only the most sophisticated threats and allow for the CIKR private industry entities to concentrate their resources on internal operations.  Surveilling gray space networks provides another layer of protection and builds a shared understanding of adversary threats, traffic, exploitation attempts returning initiative to CIKR and preventing surprise in cyberspace.

Risk:  The National Guard cannot be expected to intercept every threat that is potentially targeted at a state entity.  Negative perceptions of “mini-National Security Agencies (NSAs)” within each state could raise suspicions and privacy concerns jeopardizing the potential of these assets.  Duplicate efforts by all stakeholders threaten to spoil an available capability rather than integrating it into a whole of government approach.

Gain:  Externally, this option builds the network of cyber threat intelligence and unifies efforts within the particular DCO-E’s state.  Depth is created for all stakeholders.  Internally, allowing National Guard DCO-Es to focus in the manner in this option provides specific direction, equipping options, and training for their teams.

Option #2:  The National Guard’s DCO-Es offer general support functions within their respective states for their Adjutants General, Governors, Department of Homeland Security Advisors, etc.  These elements are tasked on an as-needed basis to perform cybersecurity vulnerability assessments of critical infrastructure when requested or when directed by state leadership.  Assessments and follow-on recommendations are delivered to the supported entity for the purpose of increasing their cybersecurity posture.  The DCO-Es fulfill a valuable role especially for those entities that lack a dedicated cybersecurity capability or remain unaware of the threats they face.  In this way, the DCO-Es may prevent a breach of a lessor defended entity as the entry point for larger scale attacks or much larger chain-reaction or cascading disruptions of a particular industry.

Risk:  Given the hundreds and potentially thousands of private industry CIKR entities within any particular state, this option risks futility in that there is no guarantee the assessments are performed on the entities at the greatest risk.  These assessments are a cybersecurity improvement for the state overall, however, given the vast numbers of industry actors this option is equivalent to trying to boil the ocean.

Gain:  These efforts help fill in the considerable gap that exists in the cybersecurity of CIKR entities in the state.  The value of the assessments may be multiplied through communication of the results of these assessments and vulnerabilities at state and national level industry specific associations and conferences etc.  DCO-Es can gradually collect information on trends in these industries and attempt to use that information for the benefit of all such as through developing knowledge bases and publishing state specific trends.

Other Comments:  None.

Recommendation:  None.



[2]  Federal Government Resources. (n.d.). Retrieved July 22, 2017, from

[3]  Brenner, J. (2014, October 24). Nations everywhere are exploiting the lack of cybersecurity. Retrieved July 21, 2017, from