The creation of civilian cyber reserves has gained traction over the past several years as US federal and state governments come up against the same constraints the private sector faces when recruiting and paying the high salaries of scarce cybersecurity talent.
The Homeland Security Act of 2002 first floated the concept of government-run volunteers to help with cybersecurity risk management and incident response. That legislation authorized the creation of NET Guard, a local team of volunteers “with expertise in relevant areas of science and technology, to assist local communities to respond and recover from attacks on information systems and communications networks.”
In 2013, Michigan pioneered the concept of civilian cybersecurity volunteers at the state level by creating the Michigan Cyber Civilian Corps (MiC3), with Wisconsin, Ohio, Texas, California, and Maryland following Michigan’s lead since then. Oklahoma is launching its own volunteer civilian cyber volunteer program with Washington, Montana, Colorado, and West Virginia, investigating the creation of their own programs.
At the federal level, the National Defense Authorization Act for 2024 (NDAA) passed in December authorized the Secretary of the Army to conduct a pilot program to establish a Civilian Cybersecurity Reserve to provide US Cyber Command with human resources to effectively respond to malicious cyber activity and conduct cyberspace operations, among other efforts. This pilot program was a piece of a legislative package sponsored by Senators Jacky Rosen (D-NV) and Marsha Blackburn (R-TN).
One piece of that package that didn’t make it into the enacted NDAA would have also created a civilian cybersecurity reserve program within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The lawmakers modeled both components of this legislative package based on recommendations contained in reports by the National Commission on Military, National, and Public Service and the Cyberspace Solarium Commission. Under the legislative package, participation in the Civilian Cybersecurity Reserve would be voluntary and by invitation only and would not include members of the military Selected Reserve.
Cyber reserve program successes and challenges at the state level
Experiences with cyber reserve programs at the state level could offer insight into some of the successes and challenges that CyberCommand, or possibly CISA, might face at the federal level in creating a civilian cyber reserve force. Most state programs use civilian volunteers to help local jurisdictions and other organizations, such as school systems, engage in incident response, basic skills assessment, and training to improve cybersecurity across their states’ public sector organizations.
Most states have established working group structures that cooperate with local governments and other related organizations, such as state-level cyber commands, the National Guard, and military reserve organizations. Most operate under state-level organizations, with Michigan operating under the Department of Technology, Management and Budget, Wisconsin operating under the state’s Emergency Management Department, and Ohio operating under the Adjutant General’s Department.
Most states usually operate with no more than two full-time personnel to manage the reserve recruiting and operating process and purchase equipment and technology for the volunteers. The modest budgets range from an estimated $250,000 to $750,00 per year, according to 2022 to 2023 levels.
So far, the coordinators for the state-level programs count them as successes. “It’s been fantastic to the point now I’m starting to figure out exactly what this would cost versus what we’re saving people,” Craig Baker, program administrator for the Ohio Cyber Reserve, tells CSO. “When I came in, there was a little under 50 personnel. We’re now at 144. I’ve got another 15-plus people working through the process to join us. So, it’s been fantastic.”
One particularly successful initiative the Ohio Cyber Reserve has run involved three-hour seminars for a dozen school districts across the state on strengthening their networks. Ohio volunteers have also conducted three to four dozen assist missions for local governments to conduct audits based on NIST 800-53 to tell them where they stand regarding their security and privacy controls.
As is true for all public and private organizations, the challenge is finding enough qualified cybersecurity personnel to meet the tasks. In Ohio, volunteers must have five years of relevant experience, undergo a background check, and pass a SANS test, although no educational degree or certifications are required. “We’ve got a wide variety of people, everything you can think of, some super experienced that do international IR jobs,” Baker says. “We’ve got people high up in their companies, CISOs and all that. We’ve got academics that are very well-known in their field. We’ve got PhDs, people with master’s degrees, people that work for the state, people that work for the government, people that work in different industries across the spectrum while working in cybersecurity or a strong IT field with some cybersecurity knowledge.”
Still, Ohio faces competitive headwinds when it comes to attracting talent. “There are a lot of challenges,” Baker says. “The people that you’re looking for are people that have been doing this for 10, 15-plus years. But then you do the common-sense check on those people. They’re going to be in their thirties and generally have families, so it’s tougher for them to provide that volunteer time. So, we’re constantly looking.”
Is CISA’s cyber reserve still in the offing?
US Cyber Command gained its test pilot cyber reserve program in the NDAA. In contrast, the proposal for a similar pilot program at CISA was shut out under pressure from Senator Rand Paul (R-KY), a top critic of the agency. Mark Montgomery, senior director of the Center on Cyber and Technology Innovation and director of CSC 2.0, the successor organization to the Solarium Commission, tells CSO, “I think it was smart to give it to the Army. I think the Army’s got the most effective cybersecurity program of the services.”
But, he adds, “The pilot program for CyberCommand was useful, but it was not the most useful thing we could have gotten done. It would’ve been preferable to have had the Rosen” legislation setting up a pilot initiative at CISA. “It addresses a more dramatic challenge: the lack of sufficient talent inside” non-military federal agencies. “I’d want the CISA one because the higher need is in the .gov, not the .mil domain,” he says.
“I like the concept” of a CISA cyber reserve, Padraic O’Reilly, founder and chief innovation officer of CyberSaint, tells CSO. “Anything that addresses the talent shortage that’s just across our whole industry and takes a structured way to address it is great.”
“I think Jacky Rosen and the people who worked with CIS on this probably heard loud and clear that there are times when incidents are happening in a particular sector, and they just are short, pure analytical expertise,” OâReilly says. “And to me, it seems like a way to address some of the shortfalls CISA sees when it comes to the response and communication side of dealing with critical infrastructure.”
Rosen’s effort to create a reserve program at CISA that didn’t make it through the NDAA process was the lawmaker’s second bite at the apple. A bill she introduced in 2021 also contained provisions to create a CISA program. Rosen is mum on whether she will yet again introduce legislation to create a non-military cyber reserve pilot effort at CISA. Her office did not respond to CSO’s requests for comment.