The Need for C3
Acknowledgments
The authors would like to thank the reviewers of this report for their feedback during the production of this product.
1. Summary
The United States has been engaged in cybersecurity for over a generation, but there continue to be organizational and human gaps that leave the nation insecure.
We propose the creation of a Civilian Cybersecurity Corps as an innovative answer to many of these key needs. The organization would be modeled after a blend of cybersecurity organizations in other nations and proven models in other domains of security and safety inside the United States, specifically the Civil Air Patrol, Coast Guard Auxiliary, or Volunteer Firefighters. The goal would be to better involve and mobilize the wider community in tackling core needs that are unlikely to be met through existing structures.
Functioning as an auxiliary of the Department of Homeland Security, it would augment existing programs to raise the security level of the ecosystem writ large and provide additional needed resources in three key areas:
- Education and Outreach
- Testing, Assessments, and Exercises
- On Call Expertise and Emergency Response
In this piece, we will first explore the organizational landscape that drives the need for such a program, second, summarize lessons that can be learned from other similar programs, and third, describe how such an organization could be constructed and launched in a relatively low cost, low risk manner.
With cyber threats only growing, and present approaches clearly insufficient, it is time for new ideas…and new organizations.
2. Introduction
In the darkest hours of World War II, a swarm of hidden foreign attackers wreaked devastation on America’s security and economy. Unprepared and under-resourced, the defenders in the employ of the U.S. government were too often absent when the attackers struck, which only incentivized them to come back for more.
But on July 11, 1942, America’s civilians struck back. Two pilots in a private G-44 Widgeon floatplane spied a Nazi U-Boat lurking beneath the waves. When it surfaced to periscope depth to scout for prey, the men instead dropped two bombs that had been fastened onto their plane, sinking the submarine. Due to the efforts of America’s civilian volunteers, a clear threat to American security, commerce, and communication had been eliminated.
The two men, however, hadn’t been out there acting on their own. They were part of the newly formed Civil Air Patrol (CAP), an organization created in the days after Pearl Harbor. Made up of aviation-minded volunteers, the CAP was used to fill key shortages in U.S. military pilots, aircraft, and resources; it was a back-up force that could fill in for what the regular military and National Guard lacked. CAP pilots aided with everything from anti-submarine patrols to training missions. Nor was the CAP the only one of its kind. Its maritime parallel was the Coast Guard Auxiliary, volunteer civilian sailors, who similarly set up a picket line off the American coast, and often patrolled in unison with the volunteers of the CAP.1
Today, we face the modern version of hidden attackers who seek to undermine our security and economy; now they use malware instead of torpedoes. And so too are the U.S. military and government resources necessary to safeguard against this danger stretched too thin. But, while the Civil Air Patrol and Coast Guard Auxiliary organizations are still operating today, providing critical services in education, emergency services, and youth education for the air and maritime domain, we have no equivalent in the realm of cybersecurity.
It is time to fill this gap and form a U.S. Cyber Civilian Corps.
The Current Challenge
Just as the onset of World War II found a United States struggling to meet its new security needs, today we face a series of challenges when it comes to cybersecurity that organizations are unable to solve on their own.
One is an overall lack of human capital. There is simply not enough trained talent to go around for the military, civilian agencies, and private sector, which means we must both expand the pipeline feeding into the cybersecurity workforce and find ways to allow people already in the field to cross train and work across roles wherever possible.
There are just under 300,000 open cybersecurity positions in the United States at this time which companies and government are unable to fill; future needs project as high as one million unfilled positions.2 As New America’s Laura Bate writes, this labor gap has become a “national security liability.”3 It has not just hit the federal government and major corporations, which find it challenging to find and then compete over the same small pool of talent, but is even more of a pain point for “small businesses and state governments, many of whom control very valuable and sensitive data sets and systems (for example, drivers’ license and voter registration databases).”4
Related to this labor problem are key organizational gaps. Over the last decade, the U.S. government has made great advances in building out for the new needs of cybersecurity, but these still do not fill what is required. The U.S. military’s Cyber Command, for instance, has recently become fully operational, creating 133 cyber mission teams. However, the demand for military cybersecurity still outweighs the supply. The Department of Defense needs to maintain, test, and defend over 15,000 of its own computer networks, with over 3 million users.5 The scale of this undertaking makes for a daunting task on its own for these teams, let alone the increasing requests for them to engage in everything from offensive cyber actions in support of troops in the field to aid in defending civilian critical infrastructure at home and abroad. Most importantly, the active duty military’s legal ability and technical expertise to aid in defending civilian networks will always be limited.
As part of this expansion and organization of military cyber forces, the National Guard has also begun to gain greater cybersecurity capability, with the major effort starting with the National Defense Authorization Act (NDAA) for FY 2014.6 Since then, a cyber brigade has been created to oversee units across 30 states, which are working to support Cyber Command and better leverage civilian talent within the National Guard for cybersecurity related civil defense needs.
Here again, though, the size of these units is nowhere close to the needed scale, and some, particularly in the Air National Guard, are drastically understaffed. Of special concern, the small number of National Guard cyber units would be stretched thin if called upon to respond to multiple major incidents simultaneously, while also fulfilling other defensive duties that would come from such a scenario. In addition, while the National Guard can swing between State Active Duty (SAD), Full-Time National Guard Duty (Title 32) and Active Duty (Title 10), there are still legal limits in what roles they can undertake and under what circumstances beyond governmental networks, as they are fundamentally military units.
Most important, they still don’t solve the larger human resourcing issue. Since the National Guard remains part of the U.S. military, it is fundamentally limited in who can join these units and the requirements set upon them. Service in these units entails meeting everything from physical fitness requirements7, which notably only 23 percent of American youth can meet8, and age limitations, to being willing to deploy to any location in the world, at any time, for any duration. Many with cybersecurity talent are either unable or unwilling to meet these requirements. In short, as talented as the active duty Cyber Command and the National Guard are, they will never be able to tap the full potential of cybersecurity talent that lies within the broader nation, nor solve its needs for a larger capacity building program.
Similar inherent limitations limit capability within civilian agencies. At the federal level, the Department of Homeland Security has the national mandate to protect our Nation’s federal government networks and civilian critical infrastructure from cyber threats, as well as collaborate with State, Local, Territorial, and Tribal (SLTT) entities to defend against cyber threats.9
However, as recent GAO reports have found, DHS still has a long way to go in solving its own cyber workforce problems, let alone others.10 Secondly, its outreach to SLTT institutions and the private sector lags from a lack of resources. Furthermore, DHS is fundamentally limited in what it can enforce at the SLTT level, where it remains in a coordination and services role.
As an illustration, DHS’s Cybersecurity Advisor (CSA) Program is designed to provide direct coordination, outreach, and regional support to private industry and SLTT governments. It is a worthy program, but it has only 12 active advisors. Even if DHS meets its ambitious plan to triple this amount by the next year, it will still be fundamentally limited in its capacity to reach out and aid the full range of actors involved in cybersecurity nationally, from SLTT governmental organizations to the thousands of small but vital companies that, together, make up the bulk of the U.S.’s critical infrastructure. The situation is no better at the other federal regulatory agencies, from energy to health and medical devices, each of which acts as an agency hub for cybersecurity in its own domain. For them, the talent gaps are even more dire, and they lack even the limited authorities of DHS; in some cases, they are only able to convene at best.
There is a similar gap in capability and organization at the state and local level, just magnified by far less capability and resources. Like in the federal government, authorities are often split between multiple agencies within state and local governments, which complicates efforts to address the issue from a multidisciplinary or comprehensive approach. SLTT efforts to build a cybersecurity program often struggle because of the even greater challenges of competing for local talent with the private sector, which tends to offer significantly higher pay and shorter hiring processes. The outcome is that SLTT entities are typically focused towards protecting only the public sector, and, in most cases, only executive branch computer networks of the state or large cities. Both critical infrastructure and surrounding municipalities are often left to struggle on their own, only able to seek help after a significant breach.
This situation is tough enough, but the challenge is heightened by the fact that the cyber threat environment is always changing. Not a single one of the challenges, from foreign threats to cybercrime, which first motivated the creation of organizations like Cyber Command or SLTT cybersecurity programs, has been resolved. Instead, they have only been added to with new trends like the collapse of cyber deterrence in the wake of the 2016 election hacks, an increasing pace of mega-breaches, new threat vectors like ransomware, and a shift to the Internet of Things, which makes physically-damaging, life-costing cyberattacks more likely.11
A Model Idea
There is a clear need to expand US government and military capacity in protecting cyberspace. But part of this need could be met more efficiently and effectively by leveraging the citizen talent that already exists outside of the military and government. Compared to both other issue areas and the models presented by other nations, the American approach to cybersecurity so far has not sufficiently tapped the immense capacity of its civilians. In particular, it is missing an opportunity to leverage volunteers and part-time talent.
In seeking how to pull citizen volunteers into areas of public cybersecurity concern, there are a number of models that might be drawn upon for inspiration. Some lie outside the realm of computers. As discussed, the Civil Air Patrol and the US Coast Guard Auxiliary have a successful history and organizational model that is proven to work inside the American political context. CAP, for instance, presently consists of over 56,000 aviation-minded volunteers, who both meet regularly to hone their aviation skills and pitch in to aid with government needs.12 While it no longer patrols for submarines, CAP now provides volunteer support in search and rescue missions, humanitarian disaster assistance, forest fire patrols, and training operations. In 2016, 29 lives were directly saved by volunteer CAP missions, while also saving the U.S. government approximately $167 million that would have otherwise been spent out of the federal government budget to accomplish the same tasks.13 Notable to the problems of cybersecurity labor gaps and pipeline, the CAP also runs a cadet program that provides over 24,000 youth with an entry point into aviation activities and the ethic of public service, as well as runs weekly aerospace and STEM programs that touch some 1,500 communities.
Volunteer Firefighter programs provide another useful illustration of how Americans from a variety of backgrounds contribute to community public safety. There are currently 788,250 volunteer firefighters in the United States.14 Some of these volunteers are reimbursed for their time for response or training, but others receive only training, equipment, and/or tax credits.15 They save local governments close to $140 billion a year over the cost of having career staff on duty.16 They donate their time as a public service; similarly, citizens with a different skill set could work on cybersecurity programs that affect their communities.
Directly in the realm of cybersecurity, the closest volunteer model would be what has been attempted at the state level with entities like the Michigan Cyber Civilian Corps (MiC3). Organized just a few years ago under the state’s Department of Technology, Management, and Budget, the organization has pulled in just under 100 civilian volunteers willing to aid their home state with cybersecurity questions. However, the MiC3 has never been fully activated (it requires the governor to declare a state of emergency) and there remain significant policy and legal issues for its greater use and deployment (the exact status of its members is still uncertain; for instance, in acting in response to an incident are they protected from lawsuits?). Virginia is also exploring a civilian volunteer cyber force, but so far the organization is still in the planning stages.
Outside the United States, one of the most lauded volunteer cybersecurity models is Estonia’s Cyber Defence Unit (Küberkaitse Üksus). The organization is part of the nation’s Defence League, appropriately enough itself modeled on the volunteer Minutemen of the American Revolution.17 As Monica Ruiz describes in a study of the Estonian model’s feasibility in the United States, the volunteer unit “…is made up of average citizens outside of government, who are specialists in key cyber-security positions, patriotic individuals with information technology skills, and experts in other fields (e.g., lawyers and economists) who wish to volunteer outside of their daily jobs to protect Estonian cyberspace.”18 It provides support in cybersecurity activities that range from training exercises and testing Estonian election systems for vulnerabilities to being on-call to aid the government in national cyber-related emergencies.
This model of engaging the broader populace to counter foreign cyber threats is not so coincidentally being adapted across a number of other nations that have experienced Russian threats first hand. Both Sweden and Norway have similarly set up new programs on civil resilience, each with a cybersecurity element. Their philosophy is to treat the population, as Elizabeth Braw writes, not as a vulnerability, but “as a national security resource [that] can boost a society’s resiliency, and even its deterrence.”19
Citations
1. Christy, 2016
2. Cybersecurity Supply/Demand Heat Map, n.d.
3. Bate, 2017
4. Bate, 2017; Cybersecurity experts warn of growing workforce shortage, 2016; Subramanian & Robinson, 2016
5. O'Neill, 2018
6. PUBLIC LAW 113–66 – National Defense Authorization Act for Fiscal Year 2014, 2013
7. Alyson, 2018
8. Michaels, 2018
9. US CERT About Us, n.d.; Krebs & Manfra, 2017
10. US Government Accountability Office, 2018
11. Singer, 2018
12. Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol, 2017
13. Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol, 2017
14. Haynes & Stein, 2017
15. Issues for Firefighters, 2018
16. Golson, 2015
17. The Estonian Defence League Act, 2013
18. Ruiz, 2018
19. Braw, 2018
3. A US Cyber Civilian Corps: How Would It Be Organized and Staffed?
Drawing upon the above models, the best approach seems to be a hybridization of the past historic models, proven to be workable in the U.S. political context, and state and foreign lessons learned with comparable cybersecurity auxiliaries. There is an ongoing conversation about where cybersecurity should rest within the U.S. federal system: what should be the responsibility of the federal government and what should be maintained in the realm of state and local governments. A U.S. Cyber Civilian Corps should offer the best of both worlds: nationally run and funded but operationally worked on a state and local basis.
Having such an organization at the national level allows it to take advantage of economies of scale, decrease friction from inconsistencies in local implementation, and add to the toolkit for policymakers. Although multiple states have started down the path towards creating such an organization, a federal program would allow for easier access to federal funds and decrease the total resources per member needed for program development and training. A national effort would also simplify efforts for authorization and liability protection, which could be coordinated at the national level, and provide a vehicle for national-level, coordinated policy products such as public awareness campaigns.
Still, it is important to connect this national effort to local governments for three reasons. First, the state and local level is where there is a crucial gap, which is unlikely to be filled any time soon by any existing organization. Second, it reflects a national need, but adapted to the US federal system; each state is unique in terms of its cybersecurity structure: where responsibility for cybersecurity lies and how it coordinates with other stakeholders. Having a state-driven model would allow each division of an auxiliary to fit into its home state’s structure to provide the necessary services. Third, many of these services are dependent on the trust that comes from close and continuing relationships, which are necessarily built at a local level.
As it would be a civilian organization, the national agency that the Corps would be organized and funded out of would be the Department of Homeland Security, which presently lacks such an auxiliary. Although the organization should establish memorandums of understanding (MOUs) between federal partners such as FEMA or NCCIC, each state’s headquarters would be encouraged to form MOUs with their state establishment as well to facilitate local activities and response capabilities, much like Civil Air Patrol has today (again, illustrating the need for a localized approach, there is variance in how states have handled their CISO-like position for cybersecurity responsibility).20
It is important to note that one alternative in such an organization is having it structured under State Defense Forces (which act as a kind of reserve to local National Guard units), as Maryland has done with its Maryland Defense Force Cyber Unit. However, there are two flaws with this approach. First, less than half of states have such organizations. Secondly, it will just mirror the existing problems. Such placement of an auxiliary within a state defense unit wrongly assumes local cybersecurity is primarily military in nature, imposing military-style organization and physical requirements that self-limit the pool. Placing the auxiliary under an active duty, National Guard, or Reserve DoD force would face similar issues.
It is important to note that the organization is not meant to be an equivalent to an 18F-type program or the U.S. Digital Service, existing programs where technology industry professionals join the government for full-time work on a lengthy basis. There is great value in expanding such programs to ease the pathways for cybersecurity experts to join government.21 However, the need goes beyond the hiring of full time employees and the self-limiting pool this entails. The corps would be an auxiliary, allowing it to tap a larger pool of talent for use on a periodic, as-needed, volunteer basis.
Modeling after like programs, its makeup would be dual level, with an adult and youth element. The adult element would be made up of volunteers willing and able to provide cybersecurity services for public interest. They might range from professionals working in the cybersecurity field, interested in aiding the public good beyond their own particular company or clients; people with experience or expertise who have transitioned to other fields; and the wide set of individuals who have an IT skill set but are not interested in full time cybersecurity employment (such as the types of “white hat” hackers, who presently participate in bug bounty programs during their free time).
Of note, a particular pool of expertise will come from elements of the populace who would otherwise go underutilized without such an organization. Although stereotypes would indicate that technology is a young person’s game and that cybersecurity is a new career field, in actuality this kind of work has existed for longer. The first firewalls were developed in the late 1980s; Air Force cyber units go back to the mid-1990s. Indeed, according to a 2016 report from the US Census Bureau, roughly 22 percent of the current IT workforce, more than 32 million people, is over 55.22 These IT and cyber professionals (along with the wider pool of private sector, civilian agency, intelligence community, and military backgrounds) will be aging out of the workforce in the coming years; having a cyber auxiliary where they could donate time would allow the nation to take advantage of their expertise while allowing them, along with other professionals, to give back to their country and provide needed services. The auxiliary would also similarly provide a means to leverage talent within the pools of professionals who are in job transition, who want to stay engaged and keep their skills up, independent contractors looking to fill gaps in their time and expand their network opportunities, and even stay-at-home parents.
As opposed to the physical requirements of the National Guard or active duty, a civilian cybersecurity auxiliary would have a different focus of screening. Following the model of the Michigan organization, the requirements might include prior experience in information security (the Michigan organization requires 2 years) and/or the ability to pass “a series of tests to demonstrate basic knowledge of networking and security concepts, as well as basic incident response and forensics skills.”23 A proposal from a team at the University of Pittsburgh studying the prospects of what it calls “Modern Minuteman” proposes pairing that background with a directory of open-source training programs drawn from a “public facing version of Army Cyber’s training course” that ensure volunteers have a shared understanding and terminology. Those presently employed should also be required to provide documentation that their employer is aware of their participation in the program and that no proprietary knowledge is being shared and no conflicts of interest exist.
It is important to note here that having Top Secret-level security clearance should not be a requirement for participation in such a volunteer organization. While there should be background screening for criminal history, professional issues, and a National Agency Check with Local Agency Check with Credit Check (NACLC), the reality is that, for all the mystique, not every cybersecurity need of the nation requires someone who could work in the NSA’s TAO.
Modeled after the Civil Air Patrol cadets program, the youth element would be made up of those under the age of 18 (or 21), who are interested in learning more about cybersecurity, developing hands-on experience, and pitching in where appropriate. Through training, activities, and connections with a far more diverse set of mentors than they would normally be in contact with, the creation of such a youth program would expand the pool of talent entering the field and prepare them to contribute at earlier stages. The youth element would also act as another supplementary pool of untapped potential for the nation. It is presently possible for young “white hat” hackers to do everything from form their own penetration testing companies to engage in sophisticated cybersecurity competitions. But the one thing they can’t presently do is help their own community. This should change.
What Would It Do?
The activities of such a corps would be designed to aid public cybersecurity in a manner that does not replace existing activities, but rather supplements and fills key gaps. In particular, such a force would be able to provide needed support in three primary areas:
- Education and Outreach
- Testing, Assessments, and Exercises
- On Call Expertise and Emergency Response
It is important to note that the two latter services described below would be designed to help the public good, and would not be focused on private sector institutions except in the case of a declared state of emergency. This also limits the potential concerns from companies operating in these service areas. Security is not a zero-sum game, and any services provided to increase the overall security of the ecosystem are a benefit to all of us. Secondly, the program would be designed to serve the currently underserved, not the typical clientele of existing vendors. For a variety of reasons, including the cost of such services and geographic isolation, smaller SLTT and other public institutions such as K12 or community colleges do not have access to the kind of resources they need. Finally, much as in fields that range from medicine to law, firms should welcome the participation of their talent in such pro-bono programs, as it doesn’t just aid their communities, but provides their workforce with expanded experience and knowledge that they can bring back into their work.
Education and Outreach
There is a broad need for quality cyber education and outreach across the United States, for both private citizens and for public, private, and nonprofit organizations. While raising cybersecurity awareness and hygiene is far from a silver bullet solution, it would appreciably lower risks and consequences of breaches. The problem is that present cybersecurity education and outreach programs draw resources and time from other limited resources (an hour meeting with a local business or school to raise cyber awareness is an hour spent not defending the agency’s network or not investigating the origins of an attack).
A cyber auxiliary could provide a pool of members able to engage with education and outreach programs across multiple age groups, and who are better suited to meet the local need or professional community (by drawing upon members with that particular background). Its structure into a national program would, in turn, also allow a more rapid dissemination of new information or changed priorities or points of emphasis.
Much as Civil Air Patrol members conduct regular aerospace and STEM programs that touch some 1,500 communities, the cybersecurity version could provide a new means to connect cybersecurity concerns to a wider network at the state and local level across the United States. An obvious parallel is that of school outreach (from running clinics on the basics of cybersecurity and organizing extracurricular cybersecurity competitions at secondary school level to supplementing stretched-thin faculty at university and community college programs). Its activities could also help to augment the Federal cybersecurity awareness program, as well as conduct community outreach to municipal level institutions, small and medium businesses, and nonprofits. The outcome would be to supply a wider suite of local programs that provide training on best practices, as well as to provide a human connection point for local organizations to the resources already provided by institutions such as the MS-ISAC, Cyber Emergency Response Teams, Information Sharing and Analysis Organizations, fusion centers, etc. A bigger, better, and more local network working on cybersecurity awareness can only yield better outcomes.
The corps concept would also offer an internal education element. It would provide a more systematic means for members to maintain current skills and gain new expertise, which would feed back into overall community cybersecurity, given the roles that these volunteers would play in their other professional identities. The organization might provide its members preparatory experiences through MOOC courses to train on and simulation exercises to hone skills, as well as the gain in insights that comes from working on real world problems outside one’s regular job. A useful illustration of this duality comes from a Pew Center on the States report highlighting the experience of Paul Dumbleton, a member of Michigan’s voluntary program, which is part inspiration for the national concept. Dumbleton is a security engineering manager at a manufacturer of over-the-counter medicine, but joined the organization “to give back to the community.”24 While he has engaged in activities that include cybersecurity presentations at churches and Boy Scouts troop meetings, he has also found membership “beneficial for himself and for his company,” especially through networking with other professionals and improving his skills.
Testing, Assessments, and Exercises
Testing and assessment services are presently available from the private sector to all institutions willing to contract them, and to SLTT organizations and critical infrastructure companies through various DHS and National Guard programs. However, there are three problems with this availability, where an auxiliary corps would be able to contribute to solutions. The first is that there are simply not enough testing and assessment teams to go around to cover the need, especially for SLTT organizations. The competing demands of personnel and time mean that not all entities are covered, and those that are may not be covered in a timely or regular manner. The second is that these activities are costly; many organizations, be they local and state agencies, nonprofits, or education institutions, simply do not have the resources to pay for private sector services and/or fail to qualify for the attention of DHS or National Guard (which are themselves, of course, stretched thin). Finally, there is regularly a need to surge resources for large scale functions such as sporting events or elections, where public-sector resources are already being brought to bear to support security needs, but often not at the scale needed.
Here an apt parallel to the possibilities is offered by the Coast Guard Auxiliary. Operating both in teams alongside active duty Coast Guard members and in roles independent of them, the Auxiliary contributes over 4.5 million hours of service each year.[25] These include conducting over 150,000 safety examinations of vessels and providing boater safety instruction to over 500,000 students. What we regularly provide for the maritime domain has no parallel for the cyber domain. Similarly in Denmark, Sweden, and Norway, Heimevernet or “home guard” units serve as the connection for crisis management exercises involving government, business, and civil society organizations, designed to build resilience against threats.[26] Finally, Estonia’s Cyber Defense League engages in activities that range from supplementing wargames to red-teaming election systems, seeking to find vulnerabilities before actual threats can exploit them.
An American version of a cyber auxiliary could provide a needed pool of human resources to existing testing, assessments, and exercises, multiplying their scale, presence, and effectiveness. It could also provide its own similar track of such activities for SLTT organizations, especially for networks that may be lower priority for national level resources, but are just as essential in the cyber ecosystem.
On Call Expertise and Emergency Response
When there is an aviation related emergency, such as a search and rescue of anything from a missing plane to a lost child in a national forest, authorities are able to request volunteer aid from the Civil Air Patrol via the Air Force Rescue Coordination Center. As discussed above, these supplementary services both directly and indirectly save scores of lives and government funds. Similarly, when needs arise in the maritime domain, the Coast Guard and local fire/rescue can turn to the Coast Guard Auxiliary for help in widening the response. Last year, Auxiliarists conducted almost 500,000 missions in support of full-time government, which assisted in the rescue of nearly 15,000 distressed boats and are credited with saving approximately 500 lives.[27]
Unfortunately, there is no such force multiplier to turn to for emergencies in the cyber realm. This is particularly the case for SLTT entities, especially at the local city and county level. They often do not have enough trained resources to provide for proper response services in the case of an incident, nor frankly the need to have such personnel serving on staff on a full-time basis. This can even strike large cities; for instance, when Atlanta, the 7th largest metropolitan area in the United States, was struck by SamSam ransomware, disrupting services in five of the city's 13 local government departments, it was forced to sign emergency contracts with eight different cybersecurity firms.[28]
Incident response would not be the primary mission of the Cyber Civilian Corps, but in the case of a large scale incident, the corps would provide a pool of already vetted and capable volunteers, able to assist with some of the less sensitive tasks, freeing up local, national level or Guard resources for more sensitive activities. Because of their proximity and mandate, the volunteers would also arrive into the situation with familiarity and local trust, which are crucial in a crisis.
Furthermore, such an organization could provide a conduit for existing experts to report findings and understand where there is a current need for research or study. There is no effective way today for the public sector to crowdsource the expertise available in the wild and then rapidly transfer it back to the state and local level, at scale. The Corps could provide a method for sharing priorities and also receiving information back.
How Can We Make It a Reality?
For all its potential value, the policy and financial requirements to make a Cyber Civilian Corps a reality are far less daunting than so many other cybersecurity or policy challenges. It is also a concept that doesn’t fit within any one ideological framework, which is important during our hyper-partisan times.
Legislatively, the concept would build upon the bipartisan proposal for a National Emergency Technology Guard (NETGuard) that was in the Homeland Security Act of 2002.[29] Due to DHS disorganization and disinterest at the time, the NETGuard did not launch, leaving the nation with the gap discussed above.[30] However, the 2002 legislation provides the basis for an update, serving as a reference point for establishing the US Cyber Civilian Corps (our sense is that a name change is needed from NETGuard, both to distinguish from the program that never launched and because it is no longer 1995).[31] The responsibility for its launch and supervision should be given to the planned Cybersecurity and Infrastructure Security Agency (CISA) within the planned DHS reorganization. This national agency would provide leadership and coordination among the various related entities (including NCCIC, SECIR, FEMA, etc.), create national standards for training, manage the overall budget, and provide the other corporate resources (general counsel, public affairs, etc.) necessary for such an organization.
Once there is an authorization, there must also be an appropriation. While budget is often a sticking point for any new organization, the volunteer nature of the corps makes its formation and activities more digestible. As a point of comparison, the Civil Air Patrol received $43 million in federal funding in the FY18 budget, while the Michigan civilian cyber unit received $300,000 in state funding.[32] While the scoping of a full budget should be part of the proposed legislation process, our estimate is that a budget outlay of $50 million would provide the basis for creating an organization with roughly 25,000 members spread across all 50 states.
This budget would go towards the purchase of devices, training materials, software licenses, and office space. Part of the savings would come from the fact that the corps could make use of, and help contribute to the ecosystem around, cyber ranges where they exist (a growing number of states have been building/funding them, both as part of university programs and to attract cyber talent).[33] In turn, it would invest in new infrastructure in locations that do not currently have capacity and nationally as membership rises. Much along the lines of the Civil Air Patrol model, the cyber auxiliary would provide services with payment for materials only – all time would be donated.
The case for the value of such spending is perhaps best made not by comparisons to other budget outlays (for instance, the cost for a cyber auxiliary would be roughly 2.5 percent of the amount spent on just building construction at Fort Meade during the expansion of Cyber Command), but by the spending it will keep from being needed.
2017 was the costliest year in cybersecurity. In the NotPetya attacks, for instance, FedEx says its cost was $400 million, and Merck put its cost at $670 million.[34] 2018 looks set to surpass this. In cleaning up after just that one ransomware attack, the city of Atlanta had to pay $9.5 million beyond what it had budgeted for cybersecurity, and even that was unable to prevent the paralysis of city services for six days (citizens unable to pay or access water bills, courts unable to function, etc.), which had a much larger economic impact on the region.[35] Indeed, the full cost of an incident isn’t summed up for years. As an illustration, the OPM breach irreparably harmed national security, but it also left OPM forced to provide the 22 million victims of the breach with $5 million in identity theft insurance for the following 10 years.
If a cyber corps is able to prevent just a few of these breaches and/or mitigate their damage and costs, especially through its relatively cheap supplementary volunteer model, the investment will more than pay for itself in both economic and national security terms.
Citations
1. Christy, 2016
2. Cybersecurity Supply/Demand Heat Map, n.d.
3. Bate, 2017
4. Bate, 2017; Cybersecurity experts warn of growing workforce shortage, 2016; Subramanian & Robinson, 2016
5. O'Neill, 2018
6. PUBLIC LAW 113–66 – National Defense Authorization Act for Fiscal Year 2014, 2013
7. Alyson, 2018
8. Michaels, 2018
9. US CERT About Us, n.d.; Krebs & Manfra, 2017
10. US Government Accountability Office, 2018
11. Singer, 2018
12. Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol, 2017
13. Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol, 2017
14. Haynes & Stein, 2017
15. Issues for Firefighters, 2018
16. Golson, 2015
17. The Estonian Defence League Act, 2013
18. Ruiz, 2018
19. Braw, 2018
20. Greenberg, 2018
21. Konkel, 2017
22. Beckhusen, 2016; these numbers may not directly correlate to the cybersecurity field, but if extrapolated to the current estimations for the cybersecurity workforce, would put that number between 65,000 and 85,000 nationally.
23. Michigan Cyber Civilian Corps, n.d.
24. Stateline, 2017
25. Join the Coast Guard Auxiliary, n.d.
26. Braw, 2018
27. About the Coast Guard Auxiliary and District 11 Southern Region, n.d.
28. Newman, 2018; Diamant, 2018
29. Public Law 107–296 An Act to Establish the Department of Homeland Security and for Other Purposes, 2002
30. Smith, 2012
31. The Net, n.d.
32. H.B. 4508 Cyber Civilian Corps Program, 2017
33. Lohrmann, 2018
34. Nash, Castellanos, & Janofsky, 2018
35. Hatmaker, 2018; Hutcherson, 2018
4. Conclusion
In cybersecurity, the problems are hard and the threats ever changing. That means there are no simple answers or silver-bullet solutions. But one thing is clear: It is time not just to re-evaluate what is and isn’t working in cybersecurity today, but also to be willing to take new approaches. Part of this is to be open to building new organizations to fill key gaps that existing ones have been and will be unable to fill.
A Civilian Cyber Corps would not just build upon the lessons of history and successful models, but also provide the United States a valuable means of building capability and talent for the future. With cyber threats only growing, and present approaches clearly insufficient, it is time for new ideas…and new organizations.
5. Works Cited
About the Coast Guard Auxiliary and District 11 Southern Region. (n.d.). Retrieved 10 5, 2018, from US Coast Guard Auxiliary District 11 Southern Region: http://www.d11s.org/modules/narrative.mod.php?story=ABOUT
Alyson, J. (2018, 6 29). What Are the Army's Minimum Physical Requirements to Join? Retrieved from Chron: https://work.chron.com/armys-minimum-physical-requirements-join-13518.html
Bate, L. K. (2017, 5 17). The Cyber Workforce Gap: A National Security Liability? Retrieved from War on the Rocks: https://warontherocks.com/2017/05/the-cyber-workforce-gap-a-national-security-liability/
Beckhusen, J. (2016, 8 16). Occupations in Information Technology. Retrieved from United States Census Bureau: https://www.census.gov/library/publications/2016/acs/acs-35.html
Braw, E. (2018, 3 15). There Are More and More Threats that Militaries Can’t Stop. People’s Forces Can Help. Retrieved from Defense One: https://www.defenseone.com/ideas/2018/03/norway-peoples-force-preps-threats-military-cant-stop/146705/?oref=d-river
Christy, G. (2016, 12 12). ‘Corsair Fleet’ – The Brave American Civilian Crews Who Took On WW2 Submarines To Protect The Coast. Retrieved from War History Online: https://www.warhistoryonline.com/world-war-ii/when-a-ragtag-group-of-foolhardy-men-took-on-u-boats-with-sailing_ship-x.html
Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol. (2017, 4 6). Retrieved from US Representative Claudia Tenney: https://tenney.house.gov/news/documentsingle.aspx?DocumentID=16
Cybersecurity experts warn of growing workforce shortage. (2016, 6 28). Retrieved from US Chamber of Commerce: https://www.uschamber.com/article/cybersecurity-experts-warn-growing-workforce-shortage
Cybersecurity Supply/Demand Heat Map. (n.d.). Retrieved 10 5, 2018, from CyberSeek: http://cyberseek.org/heatmap.html
Diamant, A. (2018, 4 11). Ransomware attack cost city $2.7 million, records show. Retrieved from WSB-TV 2 Atlanta: https://www.wsbtv.com/news/local/atlanta/ransomware-attack-cost-city-27-million-records-show/730813530
Golson, J. (2015, 1 15). Of Course We Should Give Volunteer Firefighters a Tax Break. Retrieved from Wired: https://www.wired.com/2015/01/course-give-volunteer-firefighters-tax-break/
Greenberg, P. (2018, 7 27). Statewide Chief Information Security Officers. Retrieved from National Conference of State Legislatures: http://www.ncsl.org/research/telecommunications-and-information-technology/state-statutes-creating-chief-information-security-officer-ciso-positions-in-state-government.aspx
H.B. 4508 Cyber Civilian Corps Program. (2017, 9 7). Retrieved from Michigan Legislature: https://www.legislature.mi.gov/documents/2017-2018/billanalysis/Senate/pdf/2017-SFA-4508-L.pdf
Hatmaker, T. (2018, 6 6). The damage from Atlanta’s huge cyberattack is even worse than the city first thought. Retrieved from TechCrunch: https://techcrunch.com/2018/06/06/atlanta-cyberattack-atlanta-information-management/
Haynes, H. J., & Stein, G. P. (2017, 4). U.S. fire department profile. Retrieved from National Fire Protection Association: https://www.nfpa.org/News-and-Research/Fire-statistics-and-reports/Fire-statistics/The-fire-service/Administration/US-fire-department-profile
Hutcherson, K. (2018, 3 28). Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand. Retrieved from CNN: https://www.cnn.com/2018/03/27/us/atlanta-ransomware-computers/index.html
Issues for Firefighters. (2018, 8 14). Retrieved from IRS: https://www.irs.gov/government-entities/federal-state-local-governments/issues-for-firefighters
Join the Coast Guard Auxiliary. (n.d.). Retrieved 10 5, 2018, from Flotilla 5-3 Cincinnati, Ohio: http://a0820503.uscgaux.info/join.htm
Konkel, F. (2017, 4 18). 18F for Cybersecurity? Tech Think Tank Wants Congress to Consider It. Retrieved from Nextgov: https://www.nextgov.com/cybersecurity/2017/04/18f-cybersecurity-tech-think-tank-wants-congress-consider-it/137104/
Krebs, C., & Manfra, J. (2017, 10 3). Statement for the Record Regarding Cybersecurity. Retrieved from US House of Representatives: https://docs.house.gov/meetings/HM/HM08/20171003/106448/HHRG-115-HM08-Wstate-KrebsC-20171003.pdf
Lohrmann, D. (2018, 3 10). Cyber Range: Who, What, When, Where, How and Why? Retrieved from Government Technology: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/cyber-range-who-what-when-where-how-and-why.html
Michaels, J. (2018, 1 10). Physically fit recruits for Army are hard to find. Especially in these states. Retrieved from USA Today: https://www.usatoday.com/story/news/world/2018/01/10/physically-fit-recruits-army-hard-find-especially-these-states/1016030001/
Michigan Cyber Civilian Corps. (n.d.). Retrieved 10 5, 2018, from Michigan.gov: https://www.michigan.gov/som/0,4669,7-192-78403_78404_78419—,00.html
Nash, K. S., Castellanos, S., & Janofsky, A. (2018, 6 27). One Year After NotPetya Cyberattack, Firms Wrestle With Recovery Costs. Retrieved from Wall Street Journal: https://www.wsj.com/articles/one-year-after-notpetya-companies-still-wrestle-with-financial-impacts-1530095906
Newman, L. H. (2018, 3 30). The Ransomware That Hobbled Atlanta Will Strike Again. Retrieved from Wired: https://www.wired.com/story/atlanta-ransomware-samsam-will-strike-again/
O'Neill, P. H. (2018, 2 1). Pentagon's network defense headquarters is fully operational. Retrieved from CyberScoop: https://www.cyberscoop.com/dod-network-cyber-command-fully-operational/
Public Law 107–296 An Act to Establish the Department of Homeland Security and for Other Purposes. (2002, 11 25). Retrieved from Government Publishing Office: https://www.gpo.gov/fdsys/pkg/PLAW-107publ296/pdf/PLAW-107publ296.pdf
PUBLIC LAW 113–66 – National Defense Authorization Act for Fiscal Year 2014. (2013, 12 26). Retrieved from US Congress: https://www.congress.gov/113/plaws/publ66/PLAW-113publ66.pdf
Ruiz, M. M. (2018, 1 9). Is Estonia’s Approach to Cyber Defense Feasible in the United States? Retrieved from War on the Rocks: https://warontherocks.com/2018/01/estonias-approach-cyber-defense-feasible-united-states/
Singer, P. W. (2018, 1 30). The 2018 State of the Digital Union: The Seven Deadly Sins of Cybersecurity We Must Face. Retrieved from War On the Rocks: https://warontherocks.com/2018/01/2018-state-digital-union-seven-deadly-sins-cyber-security-must-face/
Smith, G. (2012, 11 23). The Nerd Reserves: Sandy Recovery Renews Call For Tech National Guard. Retrieved from Huffington Post: https://www.huffingtonpost.com/2012/11/23/tech-national-guard_n_2168374.html
Stateline. (2017, 8 4). Michigan's Volunteer-Based Cybersecurity Strategy Catches On. Retrieved from Governing: http://www.governing.com/topics/mgmt/sl-cybersecurity-volunteers.html
Subramanian, S., & Robinson, D. (2016). 2016 Deloitte-NASCIO Cybersecurity Study. NASCIO and Deloitte. Deloitte University Press. Retrieved from https://www.nascio.org/Portals/0/Publications/Documents/2016/2016-Deloitte-NASCIO-Cybersecurity-Study.pdf
The Estonian Defence League Act. (2013, 2 28). Retrieved from Riigi Teataja: https://www.riigiteataja.ee/en/eli/525112013006/consolide
The Net. (n.d.). Retrieved 10 5, 2018, from IMDB: https://www.imdb.com/title/tt0113957/plotsummary
US CERT About Us. (n.d.). Retrieved from US Department of Homeland Security: https://www.us-cert.gov/about-us
US Government Accountability Office. (2018). Cybersecurity Workforce. Retrieved from https://www.gao.gov/assets/690/689880.pdf