Civilian Cyber Reserve Program ProposedLegislation Would Create Nation Guard-Style Program to Counter Cyberthreats
A bipartisan group of lawmakers is backing a legislative proposal that would create a program, similar to the National Guard, to deploy those with tech and security skills during significant cyberthreats, such as the recent SolarWinds supply chain attack and exploits of vulnerabilities in on-premises Microsoft Exchange servers.
The Civilian Cyber Security Reserve Act would create a pilot program that would provide the departments of Defense and Homeland Security with additional skilled personnel during large-scale cyberthreats.
The pilot program, which would be open to those who previously worked with the federal government or served in the military, would provide invited volunteers with additional training, according to the legislative proposal.
Under the bill, the two departments could call up these cybersecurity reservists to serve in temporary positions as federal civil service employees.
Those volunteering to serve in the reserve program would need to have an active security clearance to access classified information.
"The recent, unprecedented cyberattacks targeting the United States demonstrate the risks of not addressing our severe cyber workforce shortage. As cybersecurity threats continue to grow in scale, frequency and sophistication, it’s critical that we find innovative solutions to address this deficiency," says Sen. Jacky Rosen, D-Nev., who introduced the bill in the Senate with Republican Sen. Marsha Blackburn of Tennessee.
The House version of the bill was introduced by Reps. Jimmy Panetta, D-Calif., and Ken Calvert, R-Calif.
"Having access to additional qualified and prescreened individuals with technical skills in these times of need can provide tremendous benefits," Calvert says.
Call for Action
In addition to this legislative effort, the Biden administration is expected to propose a series of executive orders to help address cyberthreats, including adopting a security scorecard and ratings system for U.S. software (see: White House Preparing 'Executive Action' After SolarWinds Attack).
The White House recently issued sanctions against Russia, which it blamed for the SolarWinds supply chain attack that resulted in follow-on attacks against nine federal agencies and 100 companies.
During a speech Wednesday before a joint session of Congress, President Joe Biden acknowledged the cybersecurity and other challenges that the U.S. faces, calling for strengthening and modernizing the country's electrical grid as well as other critical infrastructure (see: 100-Day Plan to Enhance Electrical Grid Security Unveiled).
"No one nation can deal with all the crises of our time alone - from terrorism to nuclear proliferation to mass migration, cybersecurity, climate change - and as we're experiencing now, pandemics," Biden said.
Bolstering Cyber Defenses
The idea of a cybersecurity reservists program was first proposed in a report issued in August 2020 by the National Commission on Military, National, and Public Service.
"A reserve program that permits agencies to call up cybersecurity experts could ensure additional cyber capacity at times of greatest need," the report noted. "By building the reserve program around cybersecurity experts who have left government service for other opportunities, the program would also help the government to maximize the value of taxpayer investment in developing their expertise."
Scott Shackelford, chair of Indiana University's cybersecurity program, notes: "The notion of a civilian reserve corps that could be called upon in the event of a major cyberattack is one that has been circulating for some time. In fact, Estonia founded a similar Cyber Defense League years ago. Similarly, the National Guard has been building out its cyber defense capabilities … In my opinion, this is a stop-gap measure at best, though one that could help make a positive difference."
Since November 2020, units of the National Guard have been called in to assist hospitals dealing with ransomware attacks (see: National Guard Cybersecurity Units Ready to Protect Election).
Creating the cybersecurity reservists program would require addressing credentialing and indemnification issues, says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"How someone is identified and trusted as an emergency response volunteer for IT and OT systems is not universally defined," says Hamilton, now the CISO for CI Security.
Meanwhile, other lawmakers are working on separate legislation to address cybersecurity issues.
In a speech this week, Sen. Mark Warner, D-Va., who chairs the Senate Intelligence Committee, noted that committee members are working on a national breach notification law that would create a mandatory structure for reporting certain incidents to the federal government. Many previous such proposals have failed to advance in Congress.
Warner and other senators began discussing the issue during hearings related to the SolarWinds attack and national security matters (see: Senators Push for Changes in Wake of SolarWinds Attack).
"Can we create a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure that doesn’t get to the full data breach negotiations?" Warner asked in his presentation, according to The Hill.