Enable breadcrumbs token at /includes/pageheader.html.twig

Calling for a Civilian Cyber Corps

Experts tout the benefits of an army of civilian hackers.

With about 300,000 vacant cybersecurity positions in the United States, some experts recommend the creation of a civilian cyber corps of volunteers who could be called to take action when needed. Credit: BeeBright/Shutterstock

Some military and civilian experts are calling on the United States to create a civilian cyber corps to help fill the gap in cybersecurity expertise in times of need. Such a corps could enhance state and local emergency response efforts, help protect Defense Department networks and other critical infrastructure or combat social media information warfare campaigns.

Proposals vary, but experts seem to agree that a volunteer force of civilian cyber experts could be modeled on existing organizations, such as the Civil Reserve Air Fleet, also known as CRAF. The CRAF uses selected aircraft from commercial airlines to augment Defense Department airlift requirements during emergencies in which the need for airlift exceeds the capability of military aircraft. The airlines contractually pledge that planes will be ready when needed.

Arguably the most prominent proposal for a civilian cyber force came in October from New America, which is described on its website as a new kind of think and action tank: a civic platform that connects a research institute, technology lab, solutions network, media hub and public forum. Natasha Cohen, a fellow in New America’s Cybersecurity Initiative, and Peter Warren Singer, a New America strategist and senior fellow, issued a report suggesting a civilian cyber corps could be launched at relatively low cost and with little risk.

Cohen and Singer make the case that with an estimated 300,000 cybersecurity-related job vacancies in the United States, there simply is not enough talent for the military, civilian agencies and industry, including small businesses. The New America report argues that the CRAF, volunteer fire departments and the Coast Guard Auxiliary—volunteer boat owners who assist the Coast Guard when needed—could all act as models for a volunteer cyber force.

“The best approach seems to be a hybridization of the past historic models, proven to be workable in the U.S. political context, and state and foreign lessons learned with comparable cybersecurity auxiliaries,” the report states. “There is an ongoing conversation about where cybersecurity should rest within the U.S. federal system—what should be the responsibility of the federal government and what should be maintained in the realm of state and local governments—a U.S. Cyber Civilian Corps should be at the best of both worlds: nationally run and funded but operationally worked on a state and local basis.”

The New America experts foresee the volunteers fulfilling three primary roles: education and outreach; testing, assessments and exercises; and on-call expertise and emergency response. Cohen points out that the Department of Homeland Security (DHS) lacks the manpower for outreach to all of the state and local governments.

“DHS has cybersecurity advisors and physical security advisors in and around the country. For cybersecurity advisors, there are 12 for the entire country. That’s not a lot of people to do outreach,” she says. “An auxiliary, especially when it comes to education, would be able to take a lot of that off the plate of folks who could be doing other things that may be better suited for a central agency.”

Additionally, federal departments or agencies lack enforcement authority at state, local and territorial levels, meaning the DHS cannot tell state or local governments what to do with their own information technology systems or force them to share information. “They can encourage it, but they don’t have the ability to enforce it,” Cohen notes.

During emergencies, Cohen and Singer envision, the volunteers largely assist with recovery efforts. “They could be called in to image computers. They could be called in to swap out machines, reinstall programs and help the recovery from an incident,” Cohen explains. “If it’s the entire country experiencing a massive attack, of course you’re going to have federal assets used in that kind of a response, but they could be aided by civilian cyber corps members.”

She notes that many civilian cybersecurity experts want to “give back” and serve a larger cause but are unwilling or unable to join the military or accept government jobs. “A lot of folks who work in this industry are prior government, and there’s a lot of patriotism there, but there’s no way for folks to give back unless they’re literally an employee of the government or a member of the National Guard,” she says. “Returning veterans, or prior DHS, prior intelligence community, all these folks have fantastic skill sets but no way to give back and continue to be involved in that public service aspect of cybersecurity and response.”

Maj. Gen. Earl D. Matthews, USAF, (Ret.), a senior vice president and chief strategy officer with Verodin, a McLean, Virginia, cybersecurity company, also proposes the creation of a civilian cyber corps modeled on the CRAF and overseen by the DHS. But his focus is strictly on supporting two of U.S. Cyber Command’s three primary missions: defending Defense Department networks and critical infrastructure. “At a minimum, the program should initially focus on providing certified ethical hacker support to address shortfalls in supervisory control and data acquisition (SCADA) penetration testing and other types of testing against Defense Department networks and critical infrastructure. We should add threat analysts and forensics investigators to the mix, too,” Gen. Matthews advises in the December 2017 issue of SIGNAL Magazine.

The general adds that the framework for building such a force already is in place. “The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, published by the National Institute of Standards and Technology in August, could serve as a guide for the corps. The framework could provide a common lexicon that categorizes and describes cybersecurity work by category, specialty area and work role,” he writes.

Gen. Matthews also makes the case that a civilian force could bolster American security. “Bringing in the best talent, technology and processes from the private sector to benefit the government and the Defense Department not only helps deliver more comprehensive, secure solutions but also better protects our country. This innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” he concludes.

Capt. Iain Cruickshank, USA, a Ph.D. candidate in societal computing and a National Science Foundation graduate research fellow at Carnegie Mellon University, and his wife Jennifer, a theologian, propose a Cyber Disinformation Civil Defense Force managed jointly by social media platforms in cooperation with the Defense Department and the DHS. The proposal, floated in a July 2018 Task and Purpose article, essentially uses the power of crowdsourcing to combat social media-centric information warfare campaigns, such as the one launched by Russia leading up to the 2016 election. That effort continues today, according to numerous national security experts.

The couple points out that crowdsourcing often offers better results than individual experts or systems. Additionally, the general public likely will trust itself more than government agencies or social media providers. “There’s a very big fear of government or other kinds of oversight or regulation inhibiting free speech,” the captain notes in a phone interview. “You can imagine if Facebook executives or the government itself policed it with unknown rules or poorly understood methods, there’s going to be a lot of suspicion on the part of the populace. If this is spread out to the populace writ large, it helps to diffuse the mistrust.”

The Cruickshanks also propose that flagged content on social media could be highlighted in some way, such as using a red typeface, until the social media provider gets a chance to investigate. “If there’s a large body of people flagging content … everybody in the system could see it has been flagged as suspect, and people like my grandmother may be more wary of sharing it,” adds Jennifer.

The crowdsourcing team would undergo some training to help them spot disinformation. The couple envisions the project as a partnership between the social media platforms, government and academia. “My gut tells me DHS would hold responsibility for it. But if you consider that the information space has become militarized in a very real way—it’s a big part of Russia’s hybrid warfare doctrine—there is a very fair point that DOD should have a hand in it, since it is arguable military actions are being directed against the U.S. populace,” Capt. Cruickshank explains.

They also recommend the social media providers offer monetary rewards to crowdsourcing team members who develop a solid track record. “Right now they’re paying people to sift through huge amounts of flagged content,” Jennifer points out.

Furthermore, her husband adds, if the social media platforms are unable to police their own content, the government may feel forced to do so. “A lot of these data brokerage companies are under heavy scrutiny following the revelations with Cambridge Analytica and various others, and it’s entirely possible if they don’t clean up fake news and other issues, they’re going to come under government regulation and lose millions. So, it behooves them to find a system that fixes things up.”

The couple admits the proposal faces some challenges. The crowdsourcing group could exhibit biases, or be unfairly accused of doing so. Or, agent provocateurs could attempt to infiltrate the group or adversely affect the data using bots or other means. But they also suggest the model would be self-correcting to some degree. For example, involving larger numbers of people from diverse backgrounds could help minimize biases. And bad actors would “self-identify” when they routinely submit flawed information, so they could be decertified and removed from the process.

Civilian cyber forces are not unheard of. Ukraine recruited civilian activist hackers, or hacktivists, after it suffered debilitating cyber attacks from Russia. In the United States, both Michigan and Maryland have developed state-level cyber civilian corps, and other states are considering the possibility.

Cohen notes that even if the idea of a federally funded civilian cyber corps is accepted, building it will take time. “If we’re talking about whether it will be adopted in the next six months, I’d say the chances are fairly low. These things take time. I’m hopeful that in the next couple of years something like this proposal would be adopted,” she says.