The pace at which the Biden administration and the 117th Congress are addressing gaps in our national cybersecurity strategy, including by nominating and appointing incredibly talented and experienced individuals like Chris Inglis for national cyber director, Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency, and Anne Neuberger for the National Security Council, is impressive. And so is the pace at which our adversaries act. The clock is ticking and we must adopt a posture that is as bold, agile and creative as the criminals and nation-states that are embedded in our networks and carrying out operations against us.
Recently, a bipartisan group of lawmakers introduced legislation to create a “Civilian Cybersecurity Reserve,” a National Guard-like program under the auspices of both the Homeland Security and Defense departments to address growing cybersecurity vulnerabilities and breaches faced by the U.S. government.
Under the bill, which is being co-sponsored by Sens. Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., and in the House by Reps. Jimmy Panetta, D-Calif., and Ken Calvert, R-Calif., the DOD and DHS secretaries would appoint members of the cyber reserve to six-month positions in the department as federal civil service employees. Joining the reserve corps would be voluntary and by invitation only, and would require prior federal government or military service.
This effort would augment the work being done already by the National Guard’s reserve corps, which has successfully leveraged civilian talent to build cybersecurity capability within its ranks, both to defend its own networks and to provide support when called into service by states or the federal government. The proposal follows the recommendations of the National Commission on Military, National and Public Service and the Cyberspace Solarium Commission, and builds on the 2021 National Defense Authorization Act that directed DOD officials to look into options for building a cyber reserve force.
There is no question that finding ways to shore up cybersecurity talent and mobilize that talent in times of crisis is critical. While the Civilian Cybersecurity Reserve proposal should help address existing talent gaps when responding to federal, state and perhaps local government entities, it still leaves a critical gap with respect to cybersecurity needs in the private sector, which is under similar assault by both malicious nation-state adversaries and criminal organizations. While starting with a reserve corps that addresses U.S. government needs makes sense, Congress should consider quickly organizing and funding a similar program focused on private-sector needs, tapping private-sector expertise, especially with respect to technical knowledge of private-sector networks.
Today, by and large, the targets of ransomware attacks are small- and medium-sized businesses and government entities that hold valuable information but are under-resourced when it comes to IT and cybersecurity. These organizations often do not have the budget to build specialized security teams, and even if they do, have difficulty recruiting and retaining top talent. As a result of their limited resources, they have limited ability to respond to ransomware attacks in real time. Ultimately it is the communities that suffer when their schools, hospitals and small businesses are taken down by cyber adversaries. While the current proposal would potentially support municipalities in recovering from these attacks, the private-sector organizations impacted would still have to fend for themselves.
Much as there is a pool of government and military workers who can be tapped for a government reserve corps, there is a vast pool of private-sector cybersecurity talent that can be cultivated and mobilized when there is a widespread incident impacting tens of thousands of organizations simultaneously, as we are experiencing right now.
As pointed out by Natasha Cohen and Peter Singer of New America in their proposal for a Cybersecurity Civilian Corps over two years ago, a true civilian corps could tap (a) older and retired cybersecurity professionals; (b) professionals working in the cybersecurity field with a desire to do volunteer work and perform civic service using their skills; (c) “white hat” hackers, who don’t work full time in a cybersecurity job; (e) people who are in job transition; (f) independent contractors looking to fill gaps in their time and expand their networks; and even (g) stay-at-home parents. Removing the physical fitness, citizenship, age, and clearance requirements, as well as prior government or military service, creates the opportunity to tap this vast pipeline of talent.
There is no question that the Biden administration and Congress are moving fast. But our adversaries are faster, more creative, persistent and unconstrained by law and regulation. Unless we change our approach, they will continue to identify vulnerabilities in software used across varied networks for maximum impact with little to no fear of retaliation. They will continue to advance intrusion tools and tradecraft faster than gaps in cyber defenses can be closed. They will continue to use common anonymization platforms, open source capabilities and generalized toolkits, and to leverage inherent functionality built into operating systems, to obfuscate their activity and make attribution difficult. They will continue to leverage our laws and regulations to enable their operations for maximum effect. And they will do all this at a pace and on a scale that will continue to be breathtaking.
The first half of 2021 has been, should be, a wake-up call. And let’s be clear, there are no silver bullets when it comes to cybersecurity. It will take a series of actions, persistent and purposeful, to prevent, defend against and be resilient to cyber threats. The Civilian Cybersecurity Reserve proposal builds on our existing military reserve programs and it is an important step forward.
We need to begin taking leaps.
Niloofar Razi Howe is a fellow in New America’s International Security Program. She is on the board of directors of Pondurance (as Chair), Morgan Stanley Bank, NA, Recorded Future, and Swimlane.