How an annual ‘Cyber Shield’ drill helps the National Guard secure elections

The drill has grown way beyond its humble beginnings to include over 800 people from the Guard, private sector, and law enforcement.
Cyber Shield participants carry out network surveillance at Camp Atterbury, Ind. (Staff Sgt. George B. Davis, U.S. Army National Guard)

Prior to the 2018 midterm elections, multiple states activated their National Guard forces to protect the vote from cyberthreats. It was a big step for the Guard’s role in national cyberdefense, and an annual drill held by the Guard made it more effective.

In Illinois, for example, the National Guard’s participation in the cybersecurity drill meant that “when the midterm 2018 elections came around and it was time for us to work together, those relationships were already there,” said Brig. Gen. Richard Neely, the Illinois National Guard’s adjutant general.

That exercise, known as Cyber Shield, is taking place through April 20 at Camp Atterbury in Indiana. What started as a simple red-and-blue-team affair in 2013 has grown into an 800-person event that reflects the greater role the Guard is playing in national cyberdefense.

In previous years of the exercise, “our offensive piece wasn’t very strong,” Col. Terry Williams, deputy commander of the Virginia Army National Guard’s 91st Cyber Brigade, said at a press briefing last week. “We would actually just drop the injects into the [cyber] range –  the blue teams couldn’t see how we got there.”


Now, the red-team participants have to “actually show the trail of how they got in [to a network] and what they are doing so that our defensive forces can do the forensics piece,” she said.

National Guard units from 40 states are participating this year, along with people from the private sector and federal agencies like the FBI and National Security Agency, according to Williams. Participants are tested on their ability to detect suspicious activity on a network, such as a rogue device beaconing out information, and lock down unauthorized access to that system.

“It’s a collective training event for us, so it will enhance our warfighting skills. And that’s very important to us,” said Brig. Gen. Jeffrey Burkett, vice director of domestic operations of the National Guard Bureau, told reporters.

The National Guard’s role in the digital domain has grown in the last few years as federal and state officials have thought more about maximizing available resources for cyberdefense. A 2016 report from a White House cybersecurity commission singled out the Guard for having “a talent pool that can be regularly trained, equipped, and called on” to defend against hacking.

The 2018 midterm elections proved to be an inflection point. In Washington State, for example, National Guard members who worked for Amazon or Microsoft by day were on call to help with election security.


The Guard is trying to build on that momentum with Cyber Shield. When not on federal orders, Guard units are at the disposal of states. That makes them well positioned to respond to breaches in their backyards, which is motivating them to hone their incident-response capabilities.

George Battistelli Jr., a cybersecurity program manager at the Army National Guard who also helped planned the drill, said the exercise scenario has tried to keep up with real-world events.

“The attacks tend to change,” he said. “We used to have attacks that were very noisy. Now we have attacks that are going over encrypted channels. So as the adversary changes their TTPs [tactics, techniques, and procedures], we change our TTPs.”

Asked for more information on the exercise scenario, Battistelli, Jr. declined to go into detail in an unclassified setting. “It is safe to stay that it emulates adversary behavior that you’ve probably seen in the news from other nation-states,” he said.

Military officials see Cyber Shield as a key piece of the digital maturation of the Guard, which is looking to build out its roster of over 3,800 cybersecurity personnel.


“The National Guard is getting into the cyber business with the Department of Defense, and we’re trying to determine where it makes sense to place units and how we can partner with defense on the Air Force side and the Army side in growing cyber capability,” Burkett said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts