During a time of civil unrest in April 2015, fires and violent outbursts filled the streets of Baltimore causing Maryland’s governor, Larry Hogan, to declare a state of emergency and activate the Maryland National Guard. About 1,700 local Airmen and Soldiers entered the city to support the law enforcement officials in charge.
While daily challenges on the streets remained visible to those watching the national news, another, lesser-known battle was taking place online. A group of “hacktivists” shared malicious software to impede Maryland’s government networks from functioning at full capacity. Ready to respond, Airmen from the Maryland Air National Guard acquired the malware, isolated it, and reverse engineered it to determine how to defend the state’s critical information systems against it.
The Airmen deterred additional cyber threats and provided key knowledge to combat similar attacks faced by those government agencies. In just a few days, the city streets calmed and so did the negative online cyber activity. Likewise, the state of emergency ended, the Maryland National Guard returned to their home units, and the cyber personnel moved on to other missions.
The 175th Cyberspace Operations Group would not officially stand up for another year, but they were already fulfilling their integral mission to support national cyber operations and maintain state cybersecurity.
Today, the 175th COG encompasses a collaboration of distinct skillsets. They stand out not only based on the talent of their personnel, but also because they are the only COG in the Air Force that operates as both an offensive and defensive force.
“The 175th COG is a full-spectrum cyber operations unit; the only one in the nation that does that,” said U.S. Air Force Lt. Col. Joed Carbonell, deputy commander of the 175th COG, Maryland Air National Guard. “We possess a very unique and awesome skillset here in the Maryland Air National Guard’s cyber ops group.”
Prior to their official stand-up in May 2016, the COG had already mobilized their first team of cyber operators. They are currently in their seventh mobilization, translating into 144 Airmen activated for over 26,000 total man-days. The group continues to improve their skillset and knowledge through education, training and mission qualification of all their Airmen.
The COG is composed of three operations squadrons and one operations support squadron. Their offensive cyber operations mission, an exclusively federal mission, is the responsibility of the 175th and 276th Cyberspace Operations Squadrons. These two squadrons, along with their sister squadron from the Delaware Air National Guard, the 166th COS, are responsible for providing forces to a National Mission Team belonging to the Cyber National Mission Force at U.S. Cyber Command. Between them, the three squadrons present the only National Guard NMT; all other reserve component cyber mission teams conduct defensive cyber operations.
The COG’s defensive cyber operations mission is the responsibility of the 275th COS, which provides forces to the 856th Cyber Protection Team. Last month, the 856th CPT executed an operational certification event, GREEN DRAGON. This was the first time a CPT organically hosted this type of event at a home station.
“This exercise showed how a mission is expected to run from beginning to end,” said U.S. Air Force Master Sgt. J. Anthony Dell, a cyberspace operator assigned to the 275th COS, Maryland Air National Guard. “It allowed us to showcase all the preparation that occurred leading up to the event, including training, development, and documentation. We were able to prove … that we are prepped and ready to go, but also showed where our weaknesses are and what we can work on during mobilization to become even better.”
During the training, the COG presented a single unit of 13 members that supported multiple aspects and teams including the Mission Element, Intelligence and Infrastructure Analysts, and the Leadership Element. The CPT members executed operations against three Joint Mission Essential Tasks comprised of 78 subtasks to determine certification. The event was conducted in just seven days, rather than the usual 10-day requirement.
Cyber Airmen receive intense military training to complete their missions but many of these professionals also bring expertise from their civilian jobs. However, it is more than just additional cyber skills they are bringing to the National Guard. They are bringing their relationships with key civilian companies and government agencies, according to U.S. Air Force Col. Victor Macias, commander of the 175th COG.
“With decades of diverse experiences, they are a national treasure,” said Macias. “It is their steadfast selfless-service combined with first-class military and civilian cyber skills that allows others to trust our airmen during times of crises. As others have said, you just can’t surge trust. It has to be earned.”
With that trust, the MDANG has also developed a highly scalable cyber response element aligned with private sector capabilities for transportation, elections, energy, water, communications and finance. Cyber Airmen with personal connections in each sector, through direct employment or working in the same industry, serve as the leads for their response element.
Members of the 175th COG are committed to ensuring that Maryland’s infrastructure and citizens are as safe as possible from cyber threats; they are therefore able to advise and assist civilian counterparts before a situation becomes a state emergency. If called upon in an emergency, they are ready to support state and local governments, as well as private sector partners working through the Maryland Emergency Management Agency, according to Macias.
Along with the many accomplishments of the 175th COG, the National Guard Bureau’s State Partnership Program relationship with Estonia has provided an opportunity to discuss open source software, hardware, network mapping and forensics techniques that will help the joint Maryland National Guard and Estonia team succeed as international partners.
One example was Spring Storm, an annual Estonian Defense Force exercise. U.S. Air Force Staff Sgt. Edgar Castellano, a cyber-warfare operator assigned to the 275th COS, Maryland Air National Guard, described the training as “invaluable.”
“We gained real-world experience on how to identify possible threats and how to specifically respond to each incident,” said Castellano. “During the exercise, the Estonian forces demonstrated their capabilities in identifying and deconstructing malware behavior. Along with the expertise that our Airmen brought, in terms of forensics and reverse engineering malware, both Estonian and MDANG forces benefited from the cyber exercise… in order to reach our ultimate goal, to defend our critical assets.”
The communication and work structure of the robust partnership is recognized by the United States European Command as a blueprint for other National Guard state partnerships to follow. The relationship is critical as nation states are conducting campaigns of malicious activity daily.
The need for a proactive cyber approach remains, and the 175th COG continues to grow and develop its capabilities and talent. Two new buildings, one at Fort George G. Meade and one at Warfield Air National Guard Base, are set to open in early 2020. These buildings will help unify the COG in central locations and provide them with much-needed space to train and operate from.
The collective talent serving in multiple missions understands that real-world threats never stop; they have to stay ready to take on any challenge placed in front of them.
“I could not be any more proud of how dedicated the women and men of our organization are to the security of our state and nation,” said Macias. “Every day they push themselves and each other to deliver more than they did the day before. They prove each time that they are ready when the nation calls.”