Proposal for Cybersecurity Civilian Corps Gets Mixed Reception
31.10.2019 securityweek BigBrothers
Although the U.S. has been engaged in cybersecurity for over a generation, "there continues to be organizational and human gaps that leave the nation insecure." Few people would disagree. What is less clear is any realistic and effective solution to the problem.
Now the bi-partisan New America think tank, based in Washington D.C. with additional offices in New York City and Oakland, has put forward its own proposal. A new paper, 'The Need for C3 -- A Proposal for a United States Cybersecurity Civilian Corps' (PDF), recommends the formation of a 25,000-strong volunteer force of cybersecurity personnel to cover the whole United States.
Its purpose would be to engage the wider cybersecurity community to tackle core needs that are unlikely to be met through existing structures, thereby improving the overall security ecosystem through three key areas: education and outreach; testing, assessments and exercises; and on-call expertise and emergency response (a sort of cybersecurity parachute brigade).
Although the corps would be populated by unpaid volunteers, it would still need to be enshrined in legislation. Here, New America sees it as an extension and replacement for NETGuard. A National Emergency Technology Guard was included in the Homeland Security Act of 2002. "Due to DHS disorganization and disinterest at the time, the NETGuard did not launch, leaving the nation with the gap discussed above," says the paper. Nevertheless, NETGuard could be used as a starting and reference point for the proposed U.S. Cyber Civilian Corps (C3) -- and it should remain under the organizational purview of the DHS.
"Given awareness of both the threats to our nation's cyber posture, as well as the skills shortage, we're at the point where we must try novel approaches," comments David Ginsburg, VP of marketing at Cavirin. "An advantage of a grass-roots effort like the Cyber Civilian Corps would provide local resources and skills if we were in a situation where 'primary responders' were overstretched."
There is little doubt that the basic idea is good -- the main question is whether it is workable. The paper's authors maintain throughout that it is indeed workable, and cite numerous existing volunteer organizations as examples -- such as the 788,250 volunteer firefighters. "They donate their time as a public service," say the authors; "similarly, citizens with a different skill set could work on cybersecurity programs that affect their communities."
But cybersecurity is already a profession in staffing crisis. "There are just under 300,000 open cybersecurity positions in the United States at this time which companies and government are unable to fill," admit the authors; "future needs project as high as one million unfilled positions."
With a small degree of circular argument, finding 25,000 volunteers in an already overstretched workforce is expected to help reduce the overall staff shortage over time. It may -- but gaining enough initial volunteers is going to be difficult. Michigan already has a state-level C3 (unsurprisingly known as MiC3). New America acknowledges that MiC3 is "part inspiration for the national concept," but notes that activation requires a governor-declared state of emergency that has never occurred.
MiC3 was formed in 2013, and draws its members from local companies, universities and civil society. It is open to any Michigan state resident who has 2 years' infosec involvement, can "demonstrate basic knowledge of networking and security concepts, as well as basic IR and forensics skills," and has employer support. In the five years of its existence it has grown to approximately 100 members -- which makes the average of 500 members per state envisaged by New America appear somewhat ambitious.
Industry opinion on the value of New America's proposal varies widely. "The proposal for a United States Cybersecurity Civilian Corps is a great idea," comments Joseph Carson, chief security scientist at Thycotic, "and has been something that has been done in Estonia for many years with the 'kaitseliit', also known as the Cyber Defense League. It is a voluntary organization that brings together experts from both military and the corporate world to practice and prepare to defend the country when attacked. Countries are being attacked by cyberattacks more often than ever before today, so it is more important than ever to be prepared."
Nathan Wenzler, chief security strategist at AsTech, takes an opposing view. "The call for a Cybersecurity Civilian Corps seems like an entirely misguided approach to addressing the various issues we face as a society -- including the lack of qualified, well-trained and experienced security professionals that most organizations deal with while trying to defend against a seemingly endless number of attacks from malicious entities."
He points out that most companies are already pushing their understaffed security teams to work more than the typical 40-hour week just to keep up with their own needs. "There's not a lot of hours left in the day to expect that these folks would volunteer their time to participate in this proposed Corps," he told SecurityWeek.
New America suggests that the Corps would need a federal budget of just $50 million to get started. "This budget would go towards the purchase of devices, training materials, software licenses, and office space." It justifies the budget by noting that the NotPetya ransomware outbreak cost FedEx $400 million, and Merck $670 million.
"If a cyber corps is able to prevent just a few of these breaches and/or mitigate their damage and costs," suggests New America, "especially through its relatively cheap supplementary volunteer model, the investment will more than pay itself off in both economic and national security terms."
It is unlikely that a volunteer force will be any more capable than the existing FedEx and Merck security teams -- but collaboration and intelligence sharing between members of the Corps could potentially provide an early warning system. But Wenzler is concerned that the concept could be abused. Firstly, he wonders, "If materials are being provided, would that come in the form of computers and free Internet access and software licenses to security tools? If so, you may find a lot of people signing up just to get these free items, but be unwilling or unable to volunteer the kind of quality services that would be expected."
Secondly, he wonders if the Corps itself would become a target. "What if this corps was given access to a central database or network that connects all the other participants so they could collaborate? Seems like a valuable target for most aggressor nation-states to want to join in and monitor so that they can better understand what they're up against when potentially attacking U.S. organizations."
Overall, the consensus seems to be that New America's proposal is an interesting, but unworkable idea. Carson believes it is aimed at the wrong level of participant. "I don't believe this is realistic as it is a voluntary service," he told SecurityWeek, "and you want to influence the right professionals to participate so it must be focused on seasoned professionals who can cooperate with government officials with a common goal on protecting civilians from cyber-attacks."
"All in all, it's a noble idea," said Wenzler, "but not a particularly useful or clever way to make better use of the limited number of people and the ever-shrinking amount of time they have to contribute their expertise for the betterment of society as a whole. We're already doing that, and efforts like this Cybersecurity Civilian Corps would be better served by supporting the groups and organizations out there who are already fulfilling this purpose."