POLICY BRIEF - A Case for a DC Cybersecurity Civilian Corps for Fighting Cyber Attacks on Washington DC’s Critical Infrastructure
What do we know about the feasibility of a civilian cybersecurity corps?
A bipartisan group of lawmakers introduced legislation to create a “Civilian Cybersecurity Reserve” (Rosen’s Bipartisan Bill, 2021).
A pilot program has already been established in the United States – Michigan Cyber Civilian Corps (MiC3) (Bergal, 2017).
Metropolitan Police Department (MPD), and a higher education institution, Howard University, have been attacked.
It is already a proven model internationally – volunteer-led Estonia’s Cyber Defense Unit (Küberkaitse Üksus) (Cohen & Singer, 2018).
A proven historical model exists - Civil Air Patrol (CAP) during World War II (Cohen & Singer, 2018).
What is the challenge?
The nation’s capital critical infrastructure is undergoing constant and sophisticated cyberattacks that include the Metropolitan Police Department (MPD) and Howard University. These attacks are increasingly becoming advanced and continue to override the current defense system’s capabilities, strategy, and policy. These attacks are not only local to DC, they are also becoming a national phenomenon with far-reaching security and economic implications on both the public and private sectors. As these sectors continue to find meaningful measures to respond defensively, and two main components remain a challenge – strategy, and talent.
Strategy – these attacks reveal gaps in the effectiveness of the city’s current cyber security defense capabilities and require an urgent need for a new defense strategy. This new strategy should include a policy change that makes civilian participation possible in the cybersecurity defense of Washington DC.
Talent – there is a gap in the skilled talent pool of cybersecurity experts, and this limits the city’s capacity to respond to threats and attacks. According to Bate (2017). “There are just under 300,000 open cybersecurity positions in the United States at this time which companies and government are unable to fill; future needs project as high as 1,000,000 unfilled positions.”
The Policy Case
This policy brief is a recommendation to address and create a defense strategy for the threat from foreign and domestic cyber adversarial forces. This policy recommends the creation of a DC Cybersecurity Civilian Corps as a specific defense strategy for fighting cybersecurity attacks on its critical infrastructure apparatus. This brief makes the case for the viability of such an initiative as proven by historical defense measures while considering ongoing efforts at the federal and international levels. Recommendations outlined in this policy brief draw from an existing proposal, The Need for C3 - A Proposal for a United States Cybersecurity Civilian Corps (Slat & Worp, 2019).
Why is it important?
The Washington DC Cybersecurity Civilian Corps is an expansive defense strategy proposal for fighting the threats of cybersecurity on the district’s entities, namely a part of the city’s critical infrastructure - the police department, is important because the police are responsible for “safeguarding freedom, preserving life and property, protecting the constitutional rights of citizens and maintaining respect for the rule of law” (American Bar Association, 2020). This Corps will not only serve and contribute towards the city’s cyber defense strategy but it will also establish a mechanism that can be deployed elsewhere in the United States. Research shows that this measure will be effective, and the following models confirm its viability:
Historical Model – America’s security repeatedly being attacked by foreign forces during World War II gave rise to the Civil Air Patrol (CAP); an organization created in the days after Pearl Harbor. This civilian-led team of volunteers crowd and open-sourced their expertise in response to what was equivalent to a cybersecurity threat of their day (Cohen & Singer, 2018).
Domestic Model - On October 31st, 2017, Michigan Republican Governor, Rick Snyder, signed the Michigan Cyber Civilian Corps bill into law. This measure was geared towards the city’s cyber defense strategy. Michigan Cyber Civilian Corps mandate is to expand the reach of a highly trained group of volunteer cybersecurity experts from the public and private sectors (Bergal, 2017).
Federal Model – On July 14, 2021, Civilian Cyber Security Reserve Act, a bipartisan legislation was introduced by U.S. Senator Jacky Rosen (D-NV) and Senator Marsha Blackburn (R-TN).
International Model – Outside of the United States, The Estonia Cyber Defense Unit (Küberkaitse Üksus) exists. This group is comprised of volunteer citizens from the private sector with expertise that maybe lacking within the government’s defense apparatus (Cohen & Singer, 2018).
What should policymakers do?
This policy brief recommends and calls for the establishment of a DC Cybersecurity Civilian Corps under the Mayor’s Office on Volunteerism and Partnership in conjunction with the DC National Guard (Serve DC, n.d.). The referenced proposal by Natasha Cohen and Peter Singer of New America, already establishes the necessary composition, membership, and priorities of such a program. The proposal priorities identified by Cohen & Singer (2018) are as follows:
The Corps would be able to provide needed support in three primary areas:
Education and Outreach
Testing, Assessments, and Exercises
On Call Expertise and Emergency Response
The Corps composition will include the following:
Older and retired cybersecurity professionals,
Professionals working in the cybersecurity field, with a desire to do volunteer work and perform civic service using their skills,
“White hat” hackers, who don’t work full time in a cybersecurity job,
People who are in job transition,
Independent contractors looking to fill gaps in their time and expand their networks, and
Stay-at-home parents.
By removing the physical fitness, citizenship, age, and clearance requirements, as well as prior government or military services, creates the opportunity to tap this vast pipeline of talent.
References
American Bar Association. (2020). Police Function Standards. Criminal Justice Standards. ABA. https://www.americanbar.org/groups/criminal_justice/publications/criminal_justice_section_archive/crimjust_standards_urbanpolice/
Bate, L. K. (2017, May 17). The Cyber Workforce Gap: A National Security Liability? War on the Rocks: https://warontherocks.com/2017/05/the-cyber-workforce-gap-a-national-security-liability/
Bergal, J. (2017, October 31). Michigan Governor Signs Volunteer Cyber Corps Bill. Government Technology. https://www.govtech.com/security/michigan-governor-signs-volunteer-cyber-corps-bill.html
Cohen, N., & Singer, P. (2018, October 25). The Need for C3: A Proposal for a United States Cybersecurity Civilian Corps. New America. https://www.newamerica.org/cybersecurity-initiative/reports/need-c3/
Jacky Rosen U.S. Senator for Nevada. (2021, July 14). Rosen’s Bipartisan Bill to Establish Civilian Cybersecurity Reserve Passes Senate Committee Unanimously. https://www.rosen.senate.gov/rosens-bipartisan-bill-establish-civilian-cybersecurity-reserve-passes-senate-committee-unanimously
Serve DC. Mayor’s Office of Volunteerism and Partnerships (n.d.). What We Do. Government of the District of Columbia. https://communityaffairs.dc.gov/servedc