In the darkest hours of World War II, a swarm of hidden foreign attackers wreaked devastation on America’s security and economy. Unfortunately, the defenders in the employ of the U.S. government were too often absent when the attackers struck, which only incentivized them to come back for more.
In response, the government formed new organizations, made up of civilian volunteers, who were able to fill in key gaps in U.S. security. The Civil Air Patrol and the Coast Guard Auxiliary aided with everything from patrols to training, providing the government a novel means to tap expertise and manpower unable to join the active duty and reserves.
Today, we face the modern version of hidden attackers, who seek to undermine our security and economy; now they just use malware instead of torpedoes. And so too are the U.S. active and reserve military and government resources stretched too thin to meet the need. But while the Civil Air Patrol and Coast Guard Auxiliary are still operating today, providing valuable services in public education, testing, and emergency services for the air and maritime domain (and saving U.S. taxpayers literally billions of dollars along the way), we have no equivalent in the realm of cybersecurity. The time has come to fill this gap, through the creation of a Civilian Cybersecurity Corps.
The Corps would be made up of security-screened volunteers, willing and able to give of their time to aid in our nation’s cybersecurity needs. The concept would draw upon a mix of successful models of how other nations have successfully organized to defend themselves better than the U.S. against cyber threats (such as Estonia’s Cyber Defense League), nascent state-level organizations (like Michigan’s Cyber Civilian Corps), and non-cyber examples like the Civil Air Patrol and Coast Guard Auxiliary, which show both the value and legal and bureaucratic possibility. Functioning as an auxiliary of the Department of Homeland Security, it could have national scale and coordination, but tailored to aid at the local level, with its subunits set up at each state.
The Corps personnel would be drawn from those interested in “giving back” to their country, honing their skills by working on problems beyond their daily job, networking among peers, as well serve as a place to tap retired or job transitioning talent. It would particularly provide an avenue of participation for “white hat” hackers, such as the tinkerers who presently participate in bug bounty programs during their free time (such programs also show the latent interest; the first “Hack the Pentagon” program in 2017 drew 1,410 participants). Finally, it would create a place to recruit and identify youth into a field with a major looming talent crunch.
The volunteer nature of the corps makes its formation and activities more digestible than the typical policy proposal. An initial budget outlay of $50 million would provide the basis for an organization with the capacity to take in roughly 25,000 members spread across all 50 states. (As a point of comparison, the Civil Air Patrol received $43 million in federal funding last year, while the Michigan civilian cyber unit received $300,000 in state funding.)
The goal of C3 would be to provide needed resources on three key areas that the government is unable to do well on its own and the private sector is not motivated to fill, especially at the state and local level: Education and Outreach; Testing, Assessments, and Exercises; and On Call Expertise and Emergency Response
Much as the CAP and Coast Auxiliary, a cyber auxiliary could provide a pool of members able to engage with education programs across multiple age groups, as well as better meet the local or professional community need. Presently, cybersecurity education is either too costly for most public organizations, when sourced from the private sector, or draws on too limited resources and time, when provided by the public sector (an hour meeting with a local business or school to raise cyber awareness is an hour spent not defending the agency’s network or investigating the origins of an attack).
Similarly, there are not enough testing and assessment teams to go around to cover present need. Even more, these activities are costly; many local and state agencies, non-profits, or education institutions simply do not have the resources to afford them. The same holds true for the ever widening count of small and medium size companies that still are critical infrastructure, meaning an increasing number fail to qualify for the attention of DHS or National Guard (which are themselves also stretched thin).
Finally, there is regularly a need to surge testing for large scale functions (such as sporting events or elections), where public-sector resources are simply not to the scale needed. This has been a valuable role that Estonia’s version of the Corps has played, helping to protect the vote in a nation with both greater digitization of democracy and longer experience at facing threats to it.
Finally, whenever emergencies occur, an auxiliary would provide a now missing pool of talent and quick mechanism for government to tap it. A recent illustration of both the need and value was provided in Atlanta, when a ransomware attack crippled city services for several days, forced the city to sign emergency contracts with eight different cybersecurity firms, and costing over $17 million services, all unplanned for in city budgets.
A Civilian Cyber Corps would not just build upon the lessons of history and successful models, but also provide the United States a valuable means to building capability and talent for the future. With cyber threats only growing, and present approaches clearly insufficient, it is time for new ideas…and new organizations.
The authors co-wrote “The Need for C3: A Proposal for a United States Cybersecurity Civilian Corps,” a new report from New America.