3. A US Cyber Civilian Corps: How Would It Be Organized and Staffed?

Drawing upon the above models, the best approach seems to be a hybridization of past historic models, proven to be workable in the U.S. political context, and the lessons learned from state and foreign experience with comparable cybersecurity auxiliaries. There is an ongoing conversation about where cybersecurity should rest within the U.S. federal system: what should be the responsibility of the federal government and what should be maintained in the realm of state and local governments. A U.S. Cyber Civilian Corps should be the best of both worlds: nationally run and funded but operating on a state and local basis.

Having such an organization at the national level allows it to take advantage of economies of scale, decreases friction from inconsistencies in local implementation, and adds to the toolkit for policymakers. Although multiple states have started down the path towards creating such an organization, a federal program would allow for easier access to federal funds and decrease the total resources per member needed for program development and training. A national effort would also simplify efforts for authorization and liability protection, which could be coordinated at the national level, and provide a vehicle for national-level, coordinated policy products such as public awareness campaigns.

Still, it is important to connect this national effort to local governments for three reasons. First, the state and local level is where there is a crucial gap, which is unlikely to be filled any time soon by any existing organization. Second, it reflects a national need, but adapted to the U.S. federal system; each state is unique in terms of its cybersecurity structure: where responsibility for cybersecurity lies and how it coordinates with other stakeholders. Having a state-driven model would allow each division of an auxiliary to fit into its home state’s structure to provide the necessary services. Third, many of these services depend on the trust that comes from close and continuing relationships, which are necessarily built at a local level.

As it would be a civilian organization, the national agency out of which the Corps would be organized and funded would be the Department of Homeland Security, which presently lacks such an auxiliary. Although the organization should establish memorandums of understanding (MOUs) with federal partners such as FEMA or NCCIC, each state’s headquarters would be encouraged to form MOUs with their state establishment as well to facilitate local activities and response capabilities, much like Civil Air Patrol has today (again illustrating the need for a localized approach, there is variance in how states have handled their CISO-like position for cybersecurity responsibility).[1]

It is important to note that one alternative for such an organization is to structure it under State Defense Forces (which act as a kind of reserve to local National Guard units), as Maryland has done with its Maryland Defense Force Cyber Unit. However, there are two flaws with this approach. First, fewer than half of the states have such organizations. Second, it would just mirror the existing problems. Placing an auxiliary within a state defense unit wrongly assumes that local cybersecurity is primarily a military activity, and imposes military-style organization and physical requirements that self-limit the pool. Placing the auxiliary under an active duty, National Guard, or Reserve DoD force would face similar issues.

It is important to note that the organization is not meant to be an equivalent of an 18F-type program or the U.S. Digital Service, existing programs where technology industry professionals join the government for full-time work on a lengthy basis. There is great value in expanding such programs to ease the pathways for cybersecurity experts to join government.[2] However, the need goes beyond the hiring of full-time employees and the self-limiting pool this means. The corps would be an auxiliary, allowing it to tap a larger pool of talent for use on a periodic, as-needed, volunteer basis.

Modeled after like programs, its makeup would be dual level, with an adult and a youth element. The adult element would be made up of volunteers willing and able to provide cybersecurity services in the public interest. They might range from professionals working in the cybersecurity field, interested in aiding the public good beyond their own particular company or clients; people with experience or expertise who have transitioned to other fields; and the wide set of individuals who have an IT skill set but are not interested in full-time cybersecurity employment (such as the types of “white hat” hackers who presently participate in bug bounty programs during their free time).

Of note, a particular pool of expertise will come from elements of the populace who would otherwise go underutilized without such an organization. Although stereotypes would indicate that technology is a young person’s game and that cybersecurity is a new career field, in actuality this kind of work has existed for longer. The first firewalls were developed in the late 1980s; Air Force cyber units go back to the mid-1990s. Indeed, according to a 2016 report from the U.S. Census Bureau, roughly 22 percent of the current IT workforce, more than 32 million people, is over 55.[3] These IT and cyber professionals (along with the wider pool of private sector, civilian agency, intelligence community, and military backgrounds) will be aging out of the workforce in the coming years; having a cyber auxiliary where they could donate time would allow the nation to take advantage of their expertise while allowing them, along with other professionals, to give back to their country and provide needed services. The auxiliary would similarly provide a means to leverage talent within the pools of professionals who are in job transition and want to stay engaged and keep their skills up, independent contractors looking to fill gaps in their time and expand their network opportunities, and even stay-at-home parents.

As opposed to the physical requirements of the National Guard or active duty, a civilian cybersecurity auxiliary would have a different focus of screening. Following the model of the Michigan organization, the requirements might include prior experience in information security (the Michigan organization requires 2 years) and/or the ability to pass “a series of tests to demonstrate basic knowledge of networking and security concepts, as well as basic incident response and forensics skills.”[4] A proposal from a team at the University of Pittsburgh studying the prospects of what it calls “Modern Minuteman” proposes pairing that background with a directory of open-source training programs drawn from a “public facing version of Army Cyber’s training course” that ensure volunteers have shared understanding and terminology. Those presently employed should also be required to provide documentation that their employer is aware of their participation in the program, that no proprietary knowledge is being shared, and that there are no conflicts of interest.

It is important to note here that having Top Secret-level security clearance should not be a requirement for participation in such a volunteer organization. While there should be background screening for criminal history, professional issues, and a National Agency Check with Local Agency Check with Credit Check (NACLC), the reality is that, for all the mystique, not every cybersecurity need of the nation requires someone who could work in the NSA’s TAO.

Modeled after the Civil Air Patrol cadets program, the youth element would be made up of those under the age of 18 (or 21) who are interested in learning more about cybersecurity, developing hands-on experience, and pitching in where appropriate. Through training, activities, and connections with a far more diverse set of mentors than they would normally be in contact with, the creation of such a youth program would expand the pool of talent entering the field and prepare them to contribute at earlier stages. The youth element would also act as another supplementary pool of untapped potential for the nation. It is presently possible for young “white hat” hackers to do everything from forming their own penetration testing companies to engaging in sophisticated cybersecurity competitions. But the one thing they can’t presently do is help their own community. This should change.

What Would It Do?

The activities of such a corps would be designed to aid public cybersecurity in a manner that does not replace existing activities, but rather supplements and fills key gaps. In particular, such a force would be able to provide needed support in three primary areas:

  • Education and Outreach
  • Testing, Assessments, and Exercises
  • On Call Expertise and Emergency Response

It is important to note that the two latter services described below would be designed to help the public good, and would not be focused on private sector institutions except in the case of a declared state of emergency. This also limits the potential concerns from companies operating in these service areas. Security is not a zero-sum game, and any services provided to increase the overall security of the ecosystem are a benefit to all of us. Secondly, the program would be designed to serve the currently underserved, not the typical clientele of existing vendors. For a variety of reasons, including the cost of such services and geographic isolation, smaller SLTT and other public institutions such as K12 or community colleges do not have access to the kind of resources they need. Finally, much as in fields that range from medicine to law, firms should welcome the participation of their talent in such pro-bono programs, as it doesn’t just aid their communities, but provides their workforce with expanded experience and knowledge that they can bring back into their work.

Education and Outreach

There is a broad need for quality cyber education and outreach across the United States, for both private citizens and for public, private, and nonprofit organizations. While raising cybersecurity awareness and hygiene is far from a silver bullet solution, it would appreciably lower risks and consequences of breaches. The problem is that present cybersecurity education and outreach programs draw resources and time from other limited resources (an hour meeting with a local business or school to raise cyber awareness is an hour spent not defending the agency’s network or not investigating the origins of an attack).

A cyber auxiliary could provide a pool of members able to engage with education and outreach programs across multiple age groups, and who are better suited to meet the local need or professional community (by drawing upon members with that particular background). Its structure into a national program would, in turn, also allow a more rapid dissemination of new information or changed priorities or points of emphasis.

Much as Civil Air Patrol members conduct regular aerospace and STEM programs that touch some 1,500 communities, the cybersecurity version could provide a new means to connect cybersecurity concerns to a wider network at the state and local level across the United States. An obvious parallel is that of school outreach (from running clinics on the basics of cybersecurity and organizing extracurricular cybersecurity competitions at secondary school level to supplementing stretched-thin faculty at university and community college programs). Its activities could also help to augment the Federal cybersecurity awareness program, as well as conduct community outreach to municipal level institutions, small and medium businesses, and nonprofits. The outcome would be to supply a wider suite of local programs that provide training on best practices, as well as to provide a human connection point for local organizations to the resources already provided by institutions such as the MS-ISAC, Cyber Emergency Response Teams, Information Sharing and Analysis Organizations, fusion centers, etc. The bigger, better, and more local the network working on cybersecurity awareness, the better the outcomes it can yield.

The corps concept would also offer an internal education element. It would provide a more systematic means for members to maintain current skills and gain new expertise, which would feed back into overall community cybersecurity, given the roles that these volunteers would play in their other professional identities. The organization might provide its members preparatory experiences through MOOC courses to train on and simulation exercises to hone skills, as well as the gain in insights that comes from working on real world problems outside one’s regular job. A useful illustration of this duality comes from a Pew Center on the States report highlighting the experience of Paul Dumbleton, a member of Michigan’s voluntary program, which is part inspiration for the national concept. Dumbleton is a security engineering manager at a manufacturer of over-the-counter medicine, but joined the organization “to give back to the community.”[5] While he has engaged in activities that range from cybersecurity presentations at churches to Boy Scouts troop meetings, he has also found membership “beneficial for himself and for his company,” especially through networking with other professionals and improving his skills.

Testing, Assessments, and Exercises

Testing and assessment services are presently available from the private sector to all institutions willing to contract them, and to SLTT organizations and critical infrastructure companies through various DHS and National Guard programs. However, there are three problems with this availability, where an auxiliary corps would be able to contribute to solutions. The first is that there are simply not enough testing and assessment teams to go around to cover the need, especially for SLTT organizations. The competing demands of personnel and time mean that not all entities are covered, nor in a timely or regular manner. The second is that these activities are costly; many organizations, be they local and state agencies, nonprofits, or education institutions simply do not have the resources to pay for private sector services and/or fail to qualify for the attention of DHS or National Guard (which are themselves, of course, stretched thin). Finally, there is regularly a need to surge resources for large scale functions such as sporting events or elections, where public-sector resources are already being brought to bear to support security needs, but are not to the scale often needed.

Here an apt parallel to the possibilities is offered by the Coast Guard Auxiliary. Operating both in teams alongside and in roles independent from active duty Coast Guard members, the Auxiliary contributes over 4.5 million hours of service each year.[6] These include conducting over 150,000 safety examinations of vessels and providing boater safety instruction to over 500,000 students. What we regularly provide for the maritime domain has no parallel for the cyber domain. Similarly, in Denmark, Sweden, and Norway, Heimevernet or “home guard” units serve as the connection for crisis management exercises involving government, business, and civil society organizations, designed to build resilience against threats.[7] Finally, in Estonia, the Cyber Defense League engages in activities that range from supplementing wargames to red-teaming election systems, seeking to find vulnerabilities before actual threats can exploit them.

An American version of a cyber auxiliary could provide a needed pool of human resources to existing testing, assessments, and exercises, multiplying their scale, presence, and effectiveness. It could also provide its own similar track of such activities for SLTT organizations, especially for networks that may be lower priority for national level resources, but are just as essential in the cyber ecosystem.

On Call Expertise and Emergency Response

When there is an aviation-related emergency, such as a search and rescue of anything from a missing plane to a lost child in a national forest, authorities are able to request volunteer aid from the Civil Air Patrol via the Air Force Rescue Coordination Center. As discussed above, these supplementary services both directly and indirectly save scores of lives and government funds. Similarly, when needs arise in the maritime domain, the Coast Guard and local fire/rescue can turn for help in widening the response via the Coast Guard Auxiliary. Last year, Auxiliarists conducted almost 500,000 missions in support of full-time government, which assisted in the rescue of nearly 15,000 distressed boats, credited with saving approximately 500 lives.[8]

Unfortunately, there is no such force multiplier to turn to for emergencies in the cyber realm. This is particularly the case for SLTT entities, especially at the local city and county level. They often do not have enough trained resources to provide for proper response services in the case of an incident, nor frankly the need to have such personnel serving on staff on a full-time basis. This can even strike large cities; for instance, when Atlanta, the 7th largest metropolitan area in the United States, was struck by SamSam ransomware, disrupting services in five of the city's 13 local government departments, it was forced to sign emergency contracts with eight different cybersecurity firms.[9]

Incident response would not be the primary mission of the Cyber Civilian Corps, but in the case of a large scale incident, volunteers would provide a pool of already vetted and capable volunteers, able to assist with some of the less sensitive tasks, freeing up local, national level or Guard resources for more sensitive activities. Because of their proximity and mandate, the volunteers would also arrive into the situation with familiarity and local trust, which are crucial in a crisis.

Furthermore, such an organization could provide a conduit for existing experts to report findings and understand where there is a current need for research or study. There is no effective manner today for the public sector to crowdsource the expertise available in the wild and then rapidly transfer it back to the state and local level, at scale. The Corps could provide a method for sharing priorities and also receiving information back.

How Can We Make It a Reality?

For all its potential value, the policy and financial requirements to make a Cyber Civilian Corps a reality are far less daunting than so many other cybersecurity or policy challenges. It is also a concept that doesn’t fit within any one ideological framework, important during our hyper-partisan times.

Legislatively, the concept would build upon the bipartisan proposal for a National Emergency Technology Guard (NETGuard) that was in the Homeland Security Act of 2002.[10] Due to DHS disorganization and disinterest at the time, the NETGuard did not launch, leaving the nation with the gap discussed above.[11] However, the 2002 legislation provides the basis for an update, serving as a reference point for establishing the US Cyber Civilian Corps (our sense is that a name change is needed from NETGuard, both to distinguish from the program that never launched and because it is no longer 1995).[12] The responsibility for its launch and supervision should be given to the planned Cybersecurity and Infrastructure Security Agency (CISA) within the planned DHS reorganization. This national agency would provide leadership and coordination among the various related entities (including NCCIC, SECIR, FEMA, etc.), create national standards for training, manage the overall budget, and provide the other corporate resources (general counsel, public affairs, etc.) necessary for such an organization.

Once there is an authorization, there must also be an appropriation. While budget is often a sticking point for any new organization, the volunteer nature of the corps makes its formation and activities more digestible. As a point of comparison, the Civil Air Patrol received $43 million in federal funding in the FY18 budget, while the Michigan civilian cyber unit received $300,000 in state funding.[13] While the scoping of a full budget should be part of the proposed legislation process, our estimate is that a budget outlay of $50 million would provide the basis for creating an organization with roughly 25,000 members spread across all 50 states.

This budget would go towards the purchase of devices, training materials, software licenses, and office space. Part of the savings would come from the fact that the corps could make use of, and help contribute to the ecosystem around, cyber ranges where they exist (a growing number of states have been building/funding them, both as part of university programs and to attract cyber talent).[14] In turn, it would invest in new infrastructure in locations that do not currently have capacity and nationally as membership rises. Much along the lines of the Civil Air Patrol model, the cyber auxiliary would provide services with payment for materials only – all time would be donated.

The case for the value of such spending is perhaps best made not by comparisons to other budget outlays (for instance, the cost for a cyber auxiliary would be roughly 2.5 percent of the amount spent on building construction alone at Fort Meade during the expansion of Cyber Command), but by the spending it will keep from being needed.

2017 was the costliest year in cybersecurity. In the NotPetya attacks, for instance, FedEx says its cost was $400 million, and Merck put its cost at $670 million.[15] 2018 looks set to surpass this. In cleaning up after just that one ransomware attack, the city of Atlanta had to pay $9.5 million beyond what it had budgeted for cybersecurity, and even that was unable to prevent the paralysis of city services for six days (citizens unable to pay or access water bills, courts unable to function, etc.), which had a much larger economic impact on the region.[16] Indeed, the full cost of an incident isn’t summed up for years. As an illustration, the OPM breach irreparably harmed national security, but it also left OPM forced to provide the 22 million victims of the breach with $5 million in identity theft insurance for the following 10 years.

If a cyber corps is able to prevent just a few of these breaches and/or mitigate their damage and costs, especially through its relatively cheap supplementary volunteer model, the investment will more than pay itself off in both economic and national security terms.

Citations
  1. Greenberg, 2018
  2. Konkel, 2017
  3. Beckhusen, 2016; these numbers may not directly correlate to the cybersecurity field, but if extrapolated to the current estimations for the cybersecurity workforce, would put that number between 65,000 and 85,000 nationally.
  4. Michigan Cyber Civilian Corps, n.d.
  5. Stateline, 2017
  6. Join the Coast Guard Auxiliary, n.d.
  7. Braw, 2018
  8. About the Coast Guard Auxiliary and District 11 Southern Region, n.d.
  9. Newman, 2018; Diamant, 2018
  10. Public Law 107–296 An Act to Establish the Department of Homeland Security and for Other Purposes, 2002
  11. Smith, 2012
  12. The Net, n.d.
  13. H.B. 4508 Cyber Civilian Corps Program, 2017
  14. Lohrmann, 2018
  15. Nash, Castellanos, & Janofsky, 2018
  16. Hatmaker, 2018; Hutcherson, 2018