Feylite/Shutterstock

The US Needs a Cybersecurity Civilian Corps

Like the auxiliaries that arose during WWII, a new volunteer organization will help face today’s threats.

In the darkest hours of World War II, a swarm of hidden foreign attackers wreaked devastation on America’s security and economy. Unfortunately, the defenders in the employ of the U.S. government were too often absent when the attackers struck, which only incentivized them to come back for more.

In response, the government formed new organizations, made up of civilian volunteers, who were able to fill in key gaps in U.S. security. The Civil Air Patrol and the Coast Guard Auxiliary aided with everything from patrols to training, providing the government a novel means to tap expertise and manpower unable to join the active duty and reserves.

Today, we face the modern version of hidden attackers, who seek to undermine our security and economy; now they just use malware instead of torpedoes. And so too are the U.S. active and reserve military and government resources stretched too thin to meet the need. But while the Civil Air Patrol and Coast Guard Auxiliary are still operating today, providing valuable services in public education, testing, and emergency services for the air and maritime domain (and saving U.S. taxpayers literally billions of dollars along the way), we have no equivalent in the realm of cybersecurity. The time has come to fill this gap, through the creation of a Civilian Cybersecurity Corps.

The Corps would be made up of security-screened volunteers, willing and able to give of their time to aid in our nation’s cybersecurity needs. The concept would draw upon a mix of successful models of how other nations have successfully organized to defend themselves better than the U.S. against cyber threats (such as Estonia’s Cyber Defense League), nascent state-level organizations (like Michigan’s Cyber Civilian Corps), and non-cyber examples like the Civil Air Patrol and Coast Guard Auxiliary, which show both the value and legal and bureaucratic possibility. Functioning as an auxiliary of the Department of Homeland Security, it could have national scale and coordination, but tailored to aid at the local level, with its subunits set up at each state.

The Corps personnel would be drawn from those interested in “giving back” to their country, honing their skills by working on problems beyond their daily job, networking among peers, as well serve as a place to tap retired or job transitioning talent. It would particularly provide an avenue of participation for “white hat” hackers, such as the tinkerers who presently participate in bug bounty programs during their free time (such programs also show the latent interest; the first “Hack the Pentagon” program in 2017 drew 1,410 participants). Finally, it would create a place to recruit and identify youth into a field with a major looming talent crunch.

The volunteer nature of the corps makes its formation and activities more digestible than the typical policy proposal. An initial budget outlay of $50 million would provide the basis for an organization with the capacity to take in roughly 25,000 members spread across all 50 states. (As a point of comparison, the Civil Air Patrol received $43 million in federal funding last year, while the Michigan civilian cyber unit received $300,000 in state funding.)

The goal of C3 would be to provide needed resources on three key areas that the government is unable to do well on its own and the private sector is not motivated to fill, especially at the state and local level: Education and Outreach; Testing, Assessments, and Exercises; and On Call Expertise and Emergency Response

Much as the CAP and Coast Auxiliary, a cyber auxiliary could provide a pool of members able to engage with education programs across multiple age groups, as well as better meet the local or professional community need. Presently, cybersecurity education is either too costly for most public organizations, when sourced from the private sector, or draws on too limited resources and time, when provided by the public sector (an hour meeting with a local business or school to raise cyber awareness is an hour spent not defending the agency’s network or investigating the origins of an attack).

Similarly, there are not enough testing and assessment teams to go around to cover present need. Even more, these activities are costly; many local and state agencies, non-profits, or education institutions simply do not have the resources to afford them. The same holds true for the ever widening count of small and medium size companies that still are critical infrastructure, meaning an increasing number fail to qualify for the attention of DHS or National Guard (which are themselves also stretched thin).

Finally, there is regularly a need to surge testing for large scale functions (such as sporting events or elections), where public-sector resources are simply not to the scale needed. This has been a valuable role that Estonia’s version of the Corps has played, helping to protect the vote in a nation with both greater digitization of democracy and longer experience at facing threats to it.

Finally, whenever emergencies occur, an auxiliary would provide a now missing pool of talent and quick mechanism for government to tap it. A recent illustration of both the need and value was provided in Atlanta, when a ransomware attack crippled city services for several days, forced the city to sign emergency contracts with eight different cybersecurity firms, and costing over $17 million services, all unplanned for in city budgets.

A Civilian Cyber Corps would not just build upon the lessons of history and successful models, but also provide the United States a valuable means to building capability and talent for the future. With cyber threats only growing, and present approaches clearly insufficient, it is time for new ideas…and new organizations.

The authors co-wrote "The Need for C3: A Proposal for a United States Cybersecurity Civilian Corps," a new report from New America.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.