2. Introduction

In the darkest hours of World War II, a swarm of hidden foreign attackers wreaked devastation on America’s security and economy. Unprepared and under-resourced, the defenders in the employ of the U.S. government were too often absent when the attackers struck, which only incentivized them to come back for more.

But on July 11, 1942, America’s civilians struck back. Two pilots in a private G-44 Widgeon floatplane spied a Nazi U-Boat lurking beneath the waves. When it surfaced to periscope depth to scout for prey, the men instead dropped two bombs that had been fastened onto their plane, sinking the submarine. Due to the efforts of America’s civilian volunteers, a clear threat to American security, commerce, and communication had been eliminated.

The two men, however, hadn’t been out there acting on their own. They were part of the newly formed Civil Air Patrol (CAP), an organization created in the days after Pearl Harbor. Made up of aviation-minded volunteers, the CAP was used to fill key shortages in U.S. military pilots, aircraft, and resources; it was a back-up force that could fill in for what the regular military and National Guard lacked. CAP pilots aided with everything from anti-submarine patrols to training missions. Nor was the CAP the only organization of its kind. Its maritime parallel was the Coast Guard Auxiliary, volunteer civilian sailors who similarly set up a picket line off the American coast and often patrolled in unison with the volunteers of the CAP.1

Today, we face the modern version of hidden attackers who seek to undermine our security and economy; now they use malware instead of torpedoes. And so too are the U.S. military and government resources necessary to safeguard against this danger stretched too thin. But, while the Civil Air Patrol and Coast Guard Auxiliary organizations are still operating today, providing critical services in education, emergency services, and youth education for the air and maritime domain, we have no equivalent in the realm of cybersecurity.

It is time to fill this gap and form a U.S. Cyber Civilian Corps.

The Current Challenge

Just as the onset of World War II found a United States struggling to meet its new security needs, today we face a series of challenges when it comes to cybersecurity that organizations are unable to solve on their own.

One is an overall lack of human capital. There is simply not enough trained talent to go around for the military, civilian agencies, and private sector, which means we must both expand the pipeline feeding into the cybersecurity workforce and find ways to allow people already in the field to cross train and work across roles wherever possible.

There are just under 300,000 open cybersecurity positions in the United States at this time that companies and government are unable to fill; future needs project as high as one million unfilled positions.2 As New America’s Laura Bate writes, this labor gap has become a “national security liability.”3 It has not just hit the federal government and major corporations, which find it challenging to find and then compete over the same small pool of talent, but is even more of a pain point for “small businesses and state governments, many of whom control very valuable and sensitive data sets and systems (for example, drivers’ license and voter registration databases).”4

Related to this labor problem are key organizational gaps. Over the last decade, the U.S. government has made great advances in building out for the new needs of cybersecurity, but these still do not fill what is required. The U.S. military’s Cyber Command, for instance, has recently become fully operational, creating 133 cyber mission teams. However, the demand for military cybersecurity still outweighs the supply. The Department of Defense needs to maintain, test, and defend over 15,000 of its own computer networks, with over 3 million users.5 The scale of this undertaking makes for a daunting task on its own for these teams, let alone the increasing requests for them to engage in everything from offensive cyber actions in support of troops in the field to aiding in the defense of civilian critical infrastructure at home and abroad. Most importantly, the active duty military’s legal ability and technical expertise to aid in defending civilian networks will always be limited.

As part of this expansion and organization of military cyber organization, the National Guard has also begun to gain greater cybersecurity capability, with the major effort starting with the National Defense Authorization Act (NDAA) for FY 2014.6 Since then, a cyber brigade has been created to oversee units across 30 states, which are working to support Cyber Command and better leverage civilian talent within the National Guard for cybersecurity-related civil defense needs.

Here again, though, the size of these units is nowhere close to the needed scale, and some, particularly in the Air National Guard, are drastically understaffed. Of special concern, the small number of National Guard cyber units would be stretched thin if called upon to respond to multiple major incidents simultaneously, while also fulfilling other defensive duties that would come from such a scenario. In addition, while the National Guard can swing between State Active Duty (SAD), Full-Time National Guard Duty (Title 32), and Active Duty (Title 10), there are still legal limits on what roles they can undertake and under what circumstances beyond governmental networks, as they are fundamentally military units.

Most important, they still don’t solve the larger human resourcing issue. Since the National Guard remains part of the U.S. military, it is fundamentally limited in who can join these units and the requirements set upon them. Service in these units entails meeting everything from physical fitness requirements,7 which notably only 23 percent of American youth can meet,8 and age limitations, to being willing to deploy to any location in the world, at any time, for any duration. Many with cybersecurity talent are either unable or unwilling to meet these requirements. In short, as talented as the active duty Cyber Command and the National Guard are, they will never be able to tap the full potential of cybersecurity talent that lies within the broader nation, nor solve its needs for a larger capacity building program.

Similar inherent limitations limit capability within civilian agencies. At the federal level, the Department of Homeland Security has the national mandate to protect our Nation’s federal government networks and civilian critical infrastructure from cyber threats, as well as collaborate with State, Local, Territorial, and Tribal (SLTT) entities to defend against cyber threats.9

However, as recent GAO reports have found, DHS still has a long way to go in solving its own cyber workforce problems, let alone others.10 Secondly, its outreach to SLTT institutions and the private sector lags from a lack of resources. Furthermore, DHS is fundamentally limited in what it can enforce at the SLTT level, where it remains in a coordination and services role.

As an illustration, DHS’s Cybersecurity Advisor (CSA) Program is designed to provide direct coordination, outreach, and regional support to private industry and SLTT governments. It is a worthy program that has only 12 active advisors. Even if DHS meets its ambitious plan to triple this amount by the next year, it will still be fundamentally limited in its capacity to reach out and aid the full range of actors involved in cybersecurity nationally, from SLTT governmental organizations to the thousands of small but vital companies that, together, make up the bulk of the U.S.’s critical infrastructure. The situation is no better at the other federal regulatory agencies, from energy to health and medical devices, each of which acts as an agency hub for cybersecurity in its own domain. For them, the talent gaps are even more dire, and they lack even the limited authorities of DHS; in some cases, they are only able to convene at best.

There is a similar gap in capability and organization at the state and local level, just magnified by far less capability and resources. As in the federal government, authorities are often split between multiple agencies within state and local governments, which complicates efforts to address the issue from a multidisciplinary or comprehensive approach. SLTT efforts to build a cybersecurity program often struggle because of the even greater challenges of competing for local talent with the private sector, which tends to offer significantly higher pay and shorter hiring processes. The outcome is that SLTT entities are typically focused towards protecting only the public sector, and, in most cases, only executive branch computer networks of the state or large cities. Both critical infrastructure and surrounding municipalities are often left to struggle on their own, only able to seek help after a significant breach.

This situation is tough enough, but the challenge is heightened by the fact that the cyber threat environment is always changing. Not a single one of the challenges, from foreign threats to cybercrime, which first motivated the creation of organizations like Cyber Command or SLTT cybersecurity programs, has been resolved. Instead, they have only been added to with new trends like the collapse of cyber deterrence in the wake of the 2016 election hacks, an increasing pace of mega-breaches, new threat vectors like ransomware, and a shift to the Internet of Things, which makes physically-damaging, life-costing cyberattacks more likely.11

A Model Idea

There is a clear need to expand US government and military capacity in protecting cyberspace. But part of this need could be met more efficiently and effectively by leveraging the citizen talent that already exists outside of the military and government. Compared to both other issue areas and the models presented by other nations, the American approach to cybersecurity so far has not sufficiently tapped the immense capacity of its civilians. In particular, it is missing an opportunity to leverage volunteers and part-time talent.

In seeking how to pull citizen volunteers into areas of public cybersecurity concern, there are a number of models that might be drawn upon for inspiration. Some lie outside the realm of computers. As discussed, the Civil Air Patrol and the US Coast Guard Auxiliary have a successful history and organizational model that is proven to work inside the American political context. CAP, for instance, presently consists of over 56,000 aviation-minded volunteers, who both meet regularly to hone their aviation skills and pitch in to aid with government needs.12 While it no longer patrols for submarines, CAP now provides volunteer support in search and rescue missions, humanitarian disaster assistance, forest fire patrols, and training operations. In 2016, 29 lives were directly saved by volunteer CAP missions, while also saving the U.S. government approximately $167 million that would have otherwise been spent out of the federal government budget to accomplish the same tasks.13 Notable to the problems of cybersecurity labor gaps and pipeline, the CAP also runs a cadet program that provides over 24,000 youth with an entry point into aviation activities and the ethic of public service, as well as runs weekly aerospace and STEM programs that touch some 1,500 communities.

Volunteer Firefighter programs provide another useful illustration of how Americans from a variety of backgrounds contribute to community public safety. There are currently 788,250 volunteer firefighters in the United States.14 Some of these volunteers are reimbursed for their time for response or training, but others receive only training, equipment, and/or tax credits.15 They save local governments close to $140 billion a year over the cost of having career staff on duty.16 They donate their time as a public service; similarly, citizens with a different skill set could work on cybersecurity programs that affect their communities.

Directly in the realm of cybersecurity, the closest volunteer model would be what has been attempted at the state level with entities like the Michigan Cyber Civilian Corps (MiC3). Organized just a few years ago under the state’s Department of Technology, Management, and Budget, the organization has pulled in just under 100 civilian volunteers willing to aid their home state with cybersecurity questions. However, the MiC3 has never been fully activated (it requires the governor to declare a state emergency) and there remain significant policy and legal issues for its greater use and deployment (the exact status of its members is still uncertain; for instance, in acting in response to an incident, are they protected from lawsuits?). Virginia is also exploring a civilian volunteer cyber force, but so far the organization is still in the planning stages.

Outside the United States, one of the most lauded volunteer cybersecurity models is Estonia’s Cyber Defence Unit (Küberkaitse Üksus). The organization is part of the nation’s Defence League, appropriately enough itself modeled on the volunteer Minutemen of the American Revolution.17 As Monica Ruiz describes in a study of the Estonian model’s feasibility in the United States, the volunteer unit “…is made up of average citizens outside of government, who are specialists in key cyber-security positions, patriotic individuals with information technology skills, and experts in other fields (e.g., lawyers and economists) who wish to volunteer outside of their daily jobs to protect Estonian cyberspace.”18 It provides support in cybersecurity activities that range from training exercises and testing Estonian election systems for vulnerabilities to being on-call to aid the government in national cyber-related emergencies.

This model of engaging the broader populace to counter foreign cyber threats is, not so coincidentally, being adapted across a number of other nations that have experienced Russian threats firsthand. Both Sweden and Norway have similarly set up new programs on civil resilience, each with a cybersecurity element. Their philosophy is to treat the population, as Elizabeth Braw writes, not as a vulnerability, but “as a national security resource [that] can boost a society’s resiliency, and even its deterrence.”19

Citations
  1. Christy, 2016
  2. Cybersecurity Supply/Demand Heat Map, n.d.
  3. Bate, 2017
  4. Bate, 2017; Cybersecurity experts warn of growing workforce shortage, 2016; Subramanian & Robinson, 2016
  5. O'Neill, 2018
  6. PUBLIC LAW 113–66 – National Defense Authorization Act for Fiscal Year 2014, 2013
  7. Alyson, 2018
  8. Michaels, 2018
  9. US CERT About Us, n.d.; Krebs & Manfra, 2017
  10. US Government Accountability Office, 2018
  11. Singer, 2018
  12. Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol, 2017
  13. Congresswoman Claudia Tenney Leads the Way in Fighting for the Civil Air Patrol, 2017
  14. Haynes & Stein, 2017
  15. Issues for Firefighters, 2018
  16. Golson, 2015
  17. The Estonian Defence League Act, 2013
  18. Ruiz, 2018
  19. Braw, 2018
