Creating a Civilian Cybersecurity Reserve

I was recently asked about a Civilian Cybersecurity Corps and how to maximize its scale and potential by NextGov. The pace at which the Biden administration and the 117th Congress are addressing gaps in our national cybersecurity strategy, including by nominating and appointing incredibly talented and experienced individuals like Chris Inglis (National Cyber Director), Jen Easterly (Director, CISA), and Anne Neuberger (National Security Council), is impressive. And so is the pace at which our adversaries act. The clock is ticking, and we must adopt a posture that is as bold, agile, and creative as the criminals and nation-states that are embedded in our networks and carrying out operations against us.

For example, today, a bipartisan group of lawmakers has introduced legislation to create a “Civilian Cybersecurity Reserve”, a National Guard-like program under the auspices of both the Department of Homeland Security (DHS) and Department of Defense (DoD) to address growing cybersecurity vulnerabilities and breaches faced by the U.S. government. Under the bill, which is being cosponsored by Sen. Jacky Rosen (D-Nev.) and Sen. Marsha Blackburn (R-Tenn.) and cosponsored in the House by Reps. Jimmy Panetta (D-Calif.) and Ken Calvert (R-Calif.), the DOD and DHS secretaries would appoint members of the cyber reserve to six-month positions in the department as federal civil service employees. Joining the reserve corps would be voluntary and by invitation only and requires prior federal government or military service. This effort would augment the work being done already by the National Guard’s reserve corps, which has successfully leveraged civilian talent to build cybersecurity capability within its ranks to both defend its own networks as well as provide support when called into service by states or the federal government. The proposal follows the recommendations of the National Commission on Military, National, and Public Service and the Cyberspace Solarium Commission, and builds on the 2021 National Defense Authorization Act that directed DOD officials to look into options for building a cyber reserve force.

Legislatively, the idea for a Civilian Cyber Corps was proposed almost 20 years ago in the bipartisan proposal for a National Emergency Technology Guard (NETGuard) that was in the Homeland Security Act of 2002. The Homeland Security Act of 2002 envisioned but did not follow through with the creation of a National Emergency Tech Guard program, a corps of volunteers whose training is funded by the government and who can be deployed during periods of crisis to restore critical systems and services to their communities. 

There is no question that finding ways to shore up cybersecurity talent and mobilize that talent in times of crisis is critical. While a Civilian Cybersecurity Reserve should help address existing talent gaps when responding to federal, state, and perhaps local government entities, it still leaves a critical gap with respect to cybersecurity needs in the private sector, which is under similar assault by both malicious nation-state adversaries as well as criminal organizations. While starting with a Reserve Cyber Corps that addresses U.S. government needs makes sense, Congress should consider quickly organizing and funding a similar program focused on private sector needs, tapping private sector expertise, especially with respect to technical knowledge of private-sector networks.

Today, by and large, the target of ransomware attacks is small and midsize businesses and government entities that hold valuable information but are under-resourced when it comes to IT and cybersecurity. These organizations often do not have the budget to build specialized security teams and, even if they do, have difficulty recruiting and retaining top talent. As a result of their limited resources, they have limited ability to respond to ransomware attacks in real-time. Ultimately, it is the communities that suffer when their schools, hospitals, and small businesses are taken down by cyber adversaries. While the current proposal would potentially support municipalities in recovering from these attacks, the private sector organizations impacted would still have to fend for themselves.

Much as there is a pool of government and military workers who can be tapped for a government reserve corps, there is a vast pool of private-sector cybersecurity talent that can be cultivated and mobilized when there is a widespread incident impacting tens of thousands of organizations simultaneously as we are experiencing right now. The federal government, and especially the military, limits who can join their ranks with some combination of physical fitness, college degree, citizenship, and age qualifications and limitations, as well as a security clearance requirement. These limitations together with the six-month service requirement will disqualify a large portion of the cybersecurity workforce who would otherwise be motivated to serve their nation and their communities during times of crisis. As pointed out by Natasha Cohen and Peter Singer in their proposal for a Cybersecurity Civilian Corps over two years ago, true civilian corps could tap (a) older and retired cybersecurity professionals, (b) professionals working in the cybersecurity field with a desire to do volunteer work and perform civic service using their skills, (c) “white hat” hackers who don’t work full time in a cybersecurity job, (d) people who are in job transition, (e) independent contractors looking to fill gaps in their time and expand their networks, and even (f) stay-at-home parents. Removing the physical fitness, citizenship, age, and clearance requirements, as well as prior government or military service, creates the opportunity to tap this vast pipeline of talent.

There is no question that the Biden administration and Congress are moving fast. But our adversaries are faster, more creative, persistent, and unconstrained by law and regulation. Unless we change our approach, they will continue to identify vulnerabilities in software used across varied networks for maximum impact with little to no fear of retaliation. They will continue to advance intrusion tools and tradecraft faster than gaps in cyber defenses can be closed. They will continue to use common anonymization platforms, open-source capabilities, and generalized toolkits and leverage inherent functionality built into operating systems to obfuscate their activity and make attribution difficult. They will continue to leverage our laws and regulations to enable their operations for maximum effect. And they will do all this at a pace and on a scale that will continue to be breathtaking. 

The first half of 2021 has been, should be, a wake-up call. And let’s be clear, there are no silver bullets when it comes to cybersecurity. It will take a series of actions, persistent and purposeful, to prevent, defend, and have resilience to cyber threats. The Civilian Cybersecurity Reserve proposal builds on our existing military reserve programs, and it is an important step forward.  

We need to begin taking leaps forward.