Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security. He can be contacted at firstname.lastname@example.org.
In a world where cyber attacks threaten to invade American shores at any time, from any direction, the Department of Homeland Security is now considering how to build a “digital militia” to defend the U.S. at a moment’s notice.
A cyber skills task force commissioned by DHS has recommended the government form a reserve army of cyber specialists from across government, industry and academia to address cyber emergencies.
DHS, seeing a need to involve other elements of the country in cyber warfare preparations, originally commissioned the task force to study different methods of obtaining expert help quickly in case of an attack.
Commissioning this study may be in response to a recent congressional study on the possibility of a digital Pearl Harbor attack being launched on the United States.
Last week, the task force briefed DHS leaders on recommendations from their study for filling a talent void and recruiting subject matter experts on network operations and security to meet future, unknown network threats.
The primary recommendation of the study was to form a “cyber reserve to insure that cyber professionals were within easy reach in case they were needed.” These “digital minutemen,” just like their namesake, would be ready at a minute’s notice to respond to any threat to the nation’s digital infrastructure.
“Surge rosters do require active management,” said DHS Deputy Secretary Jane Holl Lute. “It’s not something where you type up a page and throw it in the drawer. People’s skills have to be current.”
She added, “If you go to an emergency room and something is critically wrong with, let’s say a spine, they just don’t call in any doctor. They call in a specialist.”
Lute expects the department would look to Defense Department components and veterans organizations, as well as outside groups, for people with rare skills.
Cyber squads already in action
This model has already been put in place, namely in the country of Estonia and the U.S. electric utility sector.
Estonian President Toomas Hendrik Ilves was quoted in 2011 as saying that his country’s government-funded “white-hatted hacker organization” supplements Estonia’s National Guard.
“Since we live in this modern era, it’s not only riding around in the woods with guns,” Ilves explained. “So why don’t we set this thing up where you can volunteer and we will support you materially to work on defense? It’s only about three months old, but it’s widely popular among geeks.”
The U.K. is another country looking at calling up cyber reserves as well.
The shadow defense Secretary Jim Murphy of the Labour Party said the Ministry of Defense must improve its own cyber expertise and ministers should consider creating a force of “cyber reservists” if the U.K. is to deal with emerging security threats.
“It was ‘individual knowledge’ and ‘ingenuity’ [that] could make the difference between ‘safety and insecurity’ in the U.K., arguing more professionals were now needed so the U.K. could securely maintain and develop systems,” he continued.
“Government should heighten awareness amongst CEOs and boards, who must take responsibility for developing skills within their workplaces,” Murphy continued. “We should … consider whether this could become a recognized discipline amongst the reservists to help test new systems and technologies.”
While the Labour Party welcomed cyber security efforts by the current government, Murphy said, “We can go further,” and suggested the Defense Ministry could work with industry to reform defense procurement to favor companies with strong cyber protection.
America’s online minutemen
In their report, the DHS task force noted that in the U.S. power sector, electric companies have agreements with other companies, sometimes with local competitors, to restore service during weather emergencies.
Teams of technicians from one company are dispatched to another area of the country after tropical storms. Overtime pay and equipment resources are negotiated in advance. For the DHS cyber reserves, similar terms could be negotiated for specific cyber events.
The key to the program would be to ensure that DHS has up-to-date information on experts from the nation’s critical infrastructures who are trained in the latest techniques to combat a digital attack. They would also have to have ready access to the latest offensive and defensive cyber weapons in the nation’s arsenal.
This force would most likely be a group of professionals with specific, identified skills who could be commissioned as reserve military officers but limited to focusing on cyber emergencies. Barring new legislation, they may need to be part of a formal military reserve so that they could be accountable for responding in the time of crisis.
The task force counseled department officials to partner with the FBI’s regional InfraGard program, a public-private partnership gathering industry, federal officials, police and local communities to share information about crime and terrorism.
The study group also suggested working with the Secret Service’s Electronic Crimes Task Forces, which combine law enforcement, prosecutors, business and academics to investigate cyber incidents in various cities.
Secretary Lute also noted that as far back as 10 years ago, Congress had pushed for a cyber national guard. In 2002 a law was introduced to allow DHS to create a “NET Guard” comprising volunteer experts from across the country for cyber response. The House initiative would have mandated DHS consider using grants to jumpstart that initiative and maintain it through a “national volunteer experts registry system.”
The United States Air Force is also looking at recruiting reservists to help protect their information networks.
With looming budget cuts threatening the Air Force’s cyber warfare and defense programs, reservists are being viewed as “an effective alternative to help enable shifting strategies and operations,” according to a top Air Force official.
“We must leverage the strength of both our active and reserve components,” Lt. Gen. Christopher Miller, Air Force deputy chief of staff for Strategic Plans and Programs, said at the Armed Forces Communications and Electronics Association Air Force IT Day in Vienna, Va., last February.
The move to augment the Air Force Reserves signals the military’s increasing focus on IT and cyber capabilities, which Miller stressed as being critical to Air Force operations.
“Until recently the U.S. could rely on assured access [to the network], but it’s becoming more contested, congested and competitive,” he said. “We need to prepare to operate in situations of seriously degraded command and control and situational awareness.”
The role of military in cyberspace is complicated by a number of factors, Miller noted, including a reliance on civilian contractors, commercial off-the-shelf products, the technical difficulty of locating sources of cyber attacks and the political sensitivity surrounding offensive and defensive reactive measures.
As the Air Force sacrifices force size for modernization, it will work to institutionalize an emphasis on technological and cyber capabilities.
“The bottom line is the Air Force is serious about cyber in an organizational sense,” Miller said.
Government is not the only group that has toyed with the idea of a reserve cyber corps.
One proposal was to have a cadre of civilian experts dispersed across the country that would be able to store its own government-issued cyber weapons throughout the country.
This force could act from dispersed locations to assure the integrity of the system. They would also be able to store their own weapons locally to prevent a denial of access to these tools as a result of an attack. This was a proposal patterned after the Swiss Homeguard, who keep their weapons at home and at the ready.
While an interesting concept, it is not a practical one for digital warfare.
While weapons and ammunition can be stored for long periods of time, digital tools have a finite shelf life.
Once a possible cyber weapon is exposed, it loses a great deal of its effectiveness. Patches are developed, programming flaws (known as exploits) are protected and more, better tools are developed. If one were to keep digital tools locally, they would quickly lose their effectiveness.
Automatic updates, such as are done with antivirus software now, would dramatically increase the risk of sensitive tools and information getting out “into the wild,” as hackers say. Classified data would be kept on an unclassified home system, and even if sophisticated security systems are used at home or the office, security holes are bound to open.
Another danger is that given a large enough group of reservists, someone is eventually going to get curious and try out the tools: “Just take it out of the box and put a few rounds down range,” as one cyber security expert noted.
While there are some challenges to overcome in implementing such a plan, there are some obvious advantages.
With most of the cyber assets in the United States located along the eastern seaboard, a cyber or EMP strike could have severe consequences for the United States' ability to mount an effective cyber counterstrike.
A dispersed reserve force spread across hundreds of locations across the country would help act as a deterrent to cyber attack just as our dispersed nuclear forces (land, sea, and air) act as a deterrent to a nuclear strike.
One proposal would be to have a form of “arms room.” A reserve member could log into one of many dispersed arms rooms, using secure, three-element authentication. To prevent unauthorized access, these arms rooms could only be “unlocked” by a member of the regular cyber security forces.
In this manner reservists could have up-to-date, effective weapons at their disposal within a few minutes’ notice.
They would also need to be cleared for access to higher security intelligence than is normally granted to security specialists in industry, possibly to the counterintelligence clearance levels.
To clear someone at this level is a slow, tedious and expensive process that would require a long lead time to implement.
However long it takes, the United States is under pressure to act now. China has already stated publicly that “every Chinese is a potential cyber warrior” and is actively recruiting a vast army of up to one-half billion soldiers.