Incoming: A Model for Building a Civilian Reserve Cyber Corps

A civilian reserve cyber corps deserves strong consideration as a way to add more capacity to the cyber work force, which the nation has struggled to do for a number of years. The Civil Reserve Air Fleet (CRAF) could serve as a model for the corps and ultimately help the U.S. government and the Defense Department shore up their shortfall of cyber resources.

The CRAF program was initiated after the Berlin Airlift and falls under the Department of Transportation, which is responsible for developing plans for a national emergency preparedness program. CRAF uses aircraft from U.S. airlines that have contractually committed to support Defense Department airlift requirements during emergencies when the need for airlifts exceeds the capability of military aircraft. This actually happens every day, given the sustained combat operations and the number of humanitarian crises the United States faces.

CRAF has three main segments: international, national and aeromedical evacuation. The international segment is divided further into the long-range and short-range sections; the national segment is divided into the domestic and Alaskan sections. The role of CRAF aircraft is to augment the Air Mobility Command’s (AMC’s) long-range intertheater C-5s and C-17s during periods of increased airlift needs through three stages. Stage I is for minor regional crises; Stage II is for major theater war; and Stage III is for periods of national mobilization. Assignment of aircraft to a segment depends on the nature of the requirement and the performance characteristics needed.

The commander of the U.S. Transportation Command (TRANSCOM), with approval of the secretary of defense, is the activation authority for all three CRAF stages. During a crisis, if the AMC needs additional aircraft, it asks the TRANSCOM commander to take steps to activate the appropriate CRAF stage.

Each stage is used only to the extent necessary to provide the amount of civil augmentation airlift needed by the Defense Department. Aircraft must be ready 24 to 48 hours after the AMC assigns a CRAF mission. The air carriers continue to operate and maintain the aircraft with their resources, but the AMC controls the CRAF missions.

Applying this framework to cybersecurity would be a little more complicated because a civilian cyber corps would not be simply augmenting the capacity of one command, such as the AMC. However, it could have the same effect when applied either narrowly or broadly to support two of U.S. Cyber Command’s (CYBERCOM’s) three primary missions: Defend Defense Department networks to ensure their data is held securely, and defend critical infrastructure. Additionally, oversight of the cyber initiative should come from the Department of Homeland Security, just as CRAF is overseen by the Transportation Department.

Similar to CRAF, the civilian cyber program would have multiple stages where assignment of capability to a segment would depend on the nature of the requirement and the specific capability needed. At a minimum, the program should initially focus on providing certified ethical hacker support to address shortfalls in supervisory control and data acquisition (SCADA) penetration testing and other types of testing against Defense Department networks and critical infrastructure. We should add threat analysts and forensics investigators to the mix, too. Anyone in the civilian cyber corps would need to pass a background check because most would need security clearances to work against certain mission systems.

The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, published by the National Institute of Standards and Technology in August, could serve as a guide for the corps. The framework could provide a common lexicon that categorizes and describes cybersecurity work by category, specialty area and work role. As cyber roles evolve, the government and the private sector could build on this resource to develop additional publications or tools. These items would define or provide guidance on different aspects of work force development.

Bringing in the best talent, technology and processes from the private sector to benefit the government and the Defense Department not only helps deliver more comprehensive, secure solutions but also better protects our country. This innovative initiative will strengthen our digital defenses and ultimately enhance our national security.

Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of the Enterprise Security Solutions Group for DXC Technology, U.S. Public Sector. The views expressed here are his own.