Background

In 2023, over 880,000 cyber crimes in the U.S. resulted in around $12.5 billion in losses, according to the FBI’s Internet Crimes Complaint Report.1 Ransomware attacks alone directly impacted at least 2,200 hospitals, schools, and governments across the U.S. that year.2 Those estimates almost certainly undercount the problem’s scope because it is likely that a number of cybersecurity incidents go unreported. In addition to financially motivated crimes, politically motivated cyber attacks also represent significant concerns. In early 2024, the Cybersecurity and Infrastructure Security Agency (CISA) reported that a foreign state-sponsored cyber actor was discovered to have maintained access to critical infrastructure systems across the U.S., in some cases, for as long as five years.3

While the cyber threat landscape continues to evolve rapidly, the number of cybersecurity professionals needed to defend against those threats has not kept pace. In mid-2024, cybersecurity job openings numbered around 470,000.4 By one estimate, the U.S. would need to train 40 percent of all people entering the workforce in cybersecurity over the next seven years to meet the growing cyber workforce gap.5 However, efforts to increase the size of the cybersecurity workforce, even if successful, are unlikely to be sufficient to meet that goal. In a 2023 congressional hearing, Representative Mike Gallagher (R-Wis.) remarked, “Since 2013… we have tried to address the civilian and military cyber workforce dilemma 45 times… And the country’s collective capabilities and readiness are, seemingly, no better off because of it.”6 In addition to the cybersecurity workforce shortage, software developers continue to ship insecure software, increasing the burden on, and the potential vulnerability of, the under-resourced organizations that use it.7 In 2023, nearly 29,000 Common Vulnerabilities and Exposures (CVEs), which are publicly catalogued weaknesses in software that attackers can exploit, were recorded.8

In the United States, those under-resourced organizations are often state, local, tribal, and territorial governments (SLTTs) and small- and medium-sized businesses (SMBs), which operate much of the country’s critical infrastructure and provide many essential services. For example, according to CISA, there are “approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States.”9 SLTTs and SMBs must navigate the same cyber threat landscape as the federal government and global corporations, but with far fewer resources.10 According to a 2023 report from NetDiligence, the average cost of cyber incidents for SMBs in the five years leading up to 2023 (excluding business interruption and certain other costs) was over $1 million.11

Examples from recent years highlight the total costs of cybersecurity incidents. For instance, a 2018 ransomware attack on the City of Atlanta, Georgia, resulted in costs estimated to be around $17 million.12 A 2019 ransomware attack on the City of Baltimore, Maryland, cost taxpayers over $18 million,13 and a 2022 ransomware attack on Suffolk County, New York, resulted in costs estimated as high as $25 million.14 More recently, a 2023 ransomware attack on Dallas County, Texas, resulted in around $8.6 million in costs for recovery efforts, including the purchase and installation of new devices and equipment; temporary staff; credit monitoring and identity theft protection services; call center support; forensic accounting; application and system recovery; and software licenses.15

In the private sector, according to one survey, 60 percent of companies go out of business within six months of a significant cyber attack.16 The same study notes that 30 percent of SMBs do not have a written information security incident response plan; 21 percent of SMBs do not have backup copies of data sufficient to restore systems following a cyber attack; and only 28 percent would survive beyond seven days after a ransomware attack taking their operations offline.17

To date, the U.S. has not taken adequate measures to defend SLTTs and SMBs against cyber attacks. However, a cyber volunteer ecosystem is emerging to fill the gap. In some states, universities have established cybersecurity clinics where professors and students work to improve the cyber resiliency of SLTTs and SMBs and train the next generation of cybersecurity professionals.18 Across the U.S., nonprofit organizations, like the Cyber Peace Institute and, recently, DEFCON’s Project Franklin, have created opportunities for cybersecurity professionals to volunteer to assist beneficiaries with cybersecurity needs.19

Government entities have also taken action. At the federal level, the U.S. Marine Corps established a Cyber Auxiliary to provide education and training to the Marine Corps. Meanwhile, state governments have established volunteer civilian cyber corps (C3s) to improve the resiliency of SLTT entities within their borders. Maryland, Michigan, Wisconsin, Ohio, and Texas have formed C3s to provide cybersecurity services to beneficiaries. Other states are considering this option as a replicable and scalable solution to help address cyber workforce challenges, improve cyber resiliency, and develop cyber emergency response capabilities accessible to local entities. Outside the United States, countries such as Estonia, Sweden, Switzerland, and others already take a whole-of-society approach to cybersecurity and utilize civilian cyber volunteers.

Citations
  1. FBI, Internet Crimes Complaint Report 2023 (Washington, DC: FBI, 2023), 3, source.
  2. Emsisoft Malware Lab, The State of Ransomware in the U.S.: Report and Statistics 2023 (Emsisoft: 2024), source.
  3. Cybersecurity and Infrastructure Security Agency, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (Washington, DC: Cybersecurity & Infrastructure Security Agency, 2024), source.
  4. Cyber Seek, “Cybersecurity Supply/Demand Heat Map,” source.
  5. Nick Merrill, “The Cybersecurity Workforce Has an Immigration Problem,” Tech Policy Press, August 9, 2024, source.
  6. Mike Gallagher, “Cyberspace Operations: Conflict in the 21st Century,” Hearing before the House Armed Services Committee, Cyber, Information Technologies, and Innovation Subcommittee, March 30, 2023, 23:19, source.
  7. See Christian Vasquez, “Easterly: Cybersecurity Is a Software Quality Problem,” CyberScoop, August 9, 2024, source.
  8. CVE, “Metrics: Published CVE Records,” source.
  9. “Water & Wastewater Systems,” CISA, accessed August 25, 2024, source.
  10. Natasha Cohen and Peter Warren Singer, The Need for C3: A Proposal for a United States Cybersecurity Civilian Corps (Washington, DC: New America, 2018), source.
  11. NetDiligence, Cyber Claims Study 2023 Report (NetDiligence, 2024), 17, source.
  12. Stephen Deere, “Confidential Report: Atlanta’s Cyber Attack Could Cost Taxpayers $17 Million,” Atlanta Journal-Constitution, August 1, 2018, source.
  13. Adam Bednar, “Cost of Baltimore Ransomware Attack So Far: $18 Million,” Daily Record, June 4, 2019, source.
  14. Alan J., “Ransomware Recovery Effort Cost Suffolk County $25.7 Million, Prompting Investigation,” Cyber Express, July 22, 2024, source.
  15. “Data Security Breach Reports,” Attorney General of Texas, accessed August 19, 2024, source.
  16. Joe Galvin, “60 Percent of Small Businesses Fold within 6 Months of a Cyber Attack. Here’s How to Protect Yourself,” Inc. Magazine, May 7, 2018, source.
  17. Cybercatch, “Small- and Medium-Sized Businesses Ransomware Survey 2022” (Cybercatch, 2022), 3, source.
  18. “What is a Clinic?,” Consortium of Cybersecurity Clinics, accessed August 16, 2024, source.
  19. See “Cybersecurity for Social Impact,” CyberPeace Builders, accessed August 16, 2024, source; and see Jake Braun, “DEF CON 32 – Jake Braun – DEF CON Franklin Project,” August 10, 2024, YouTube (video), source.