When Ransomware Hits, Governors Are Calling the National Guard - Foundation for Defense of Democracies

May 6, 2026 | Insight When Ransomware Hits, Governors Are Calling the National Guard Johanna Yang CCTI Policy Analyst Jessica Ho Intern Minnesota called in its National Guard last month. Not because there was a flood, a fire, or even civil unrest. This time, Winona County needed support after a cyberattack. It was the second such attack the county had experienced in just three months. Gov. Tim Walz authorized the Minnesota National Guard’s cyber protection team to join the incident response efforts to “ensure continuity of municipal operations.” As cyberattacks continue to grow in frequency and scope, the need for cyber response capabilities grows, too. The National Guard’s cyber units, when trained and equipped effectively, are a necessary piece of U.S. cyber defenses. But not every state has one. According to the governor, the April 6 attack “caused significant disruptions and impaired Winona County’s ability to provide vital emergency and critical services.” The county’s own personnel and commercial cybersecurity firms were unable to contain the cyberattack. The FBI is investigating the attack, but its remit does not include recovering and rebuilding systems. As a result, the Minnesota National Guard deployed 15 soldiers from its cyber protection team to assist. This is the Minnesota National Guard’s second cyber response in less than a year. In July, the team aided incident response efforts in a St. Paul cyberattack that prompted the citywide shutdown of first responders’ dispatch systems, used in ambulances, police vehicles, and firetrucks to share patient information, GPS, and incident updates. The systems were offline for a week. And even with National Guard support, it took the city months to recover. Unlike other government organizations, National Guard units have the resources and qualifications to deal with similar situations and have done so in states such as Louisiana and Texas. In 2019, 54 Louisiana schools were hit by a large-scale ransomware attack. After declaring a state of emergency, the governor sent the Louisiana National Guard’s cyber team to respond. They were able to recover school systems within two weeks, and the Guard’s response mitigated attacks in countless other schools across the state. One month later, 22 Texas counties fell victim to a ransomware attack that disrupted local services and financial operations in information technology systems. There were problems with utility payments and accessing birth and death certificates in a number of places. In one case, the mayor of Keene, Texas, shared, “Well, just about everything we do at City Hall is impacted.” The scope of the attack exceeded the abilities of local IT services to fix, which prompted 40 members from the Texas National Guard’s cyber unit to respond. The Guard is uniquely suited for a cyber incident response mission because, unlike active-duty military members who move every two to four years, National Guard members stay rooted in their communities. This provides the stability necessary to build long-lasting relationships with regional partners at the local, state, and federal levels. Additionally, many members of National Guard cyber units hold cyber jobs as civilians. All of this helps bridge the gap between industry and government. But not each state has a National Guard cyber unit, and the states that do have disparate capabilities. Virginia, for example, is home to the 91st Cyber Brigade, a unit with 1,000 people that hosts annual exercises testing Virginia’s cyber response plan. Montana, on the other hand, just appointed its first cyber warfare officer. While states’ forces and capabilities do not need to be the same, America’s adversaries don’t discriminate — the same attack can be directed at local entities in either Virginia or Montana. They both need to be ready. To solve this, all National Guard cyber protection teams should receive standardized initial training. Establishing a training baseline is the first step to ensuring an effective and strong domestic cyberattack response. These units should be formally certified to respond to cyber incidents within their state or region. Certification ensures that National Guard cyber units possess the basic skills required for effective response while creating a shared understanding of what National Guard cyber units are trained and prepared to handle. The National Guard is an integral part of the cyber incident response force. As cyberattacks continue to rise, it is necessary to provide the proper training and capabilities for the Guard to effectively combat these growing threats. Johanna “Jo” Yang is a policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, where she works on issues related to nation-state cyber threats, critical infrastructure protection, and U.S. cybersecurity policy. 2nd Lieutenant Jessica Ho is a U.S. Army Officer currently interning at CCTI, where she is researching the United States’ domestic cyber response enterprise. The views expressed or implied in this commentary are solely those of the authors and do not necessarily represent the views of the U.S. Army or the Department of War. For more analysis from the authors and CCTI, please subscribe HERE. Follow Jo on X @JohannaYang_. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.