This past weekend at SXSW, two Congressmen suggested that the U.S. create a cybersecurity reserves system, similar to the National Guard, but the idea has received a mixed welcome from the cybersecurity community.
According to House Rep. Will Hurd, a Republican from Texas, a national cybersecurity reserve could help strengthen national security and bring in a diversity of experience. Hurd, who has a degree in computer science from Texas A&M, has served as an undercover CIA officer and has worked as a partner at cybersecurity firm FusionX.
He has been pitching the idea of a Cyber National Guard for a while, and has suggested that the government could forgive student loan debt for those who serve. It would also help ensure a cross-pollination of experience between government and industry.
"Neither the private sector nor public sector can protect our country from our cyber adversaries alone," he said in an opinion piece last summer.
Fellow Representative Ruben Gallego, a Democrat from Arizona and a former Marine Corps veteran, said that a specialized Cyber National Guard could help attract much-needed technical talent to the reserves.
"We have to accept that, look, this person is not going to man a machine gun, why would we put them through bootcamp, we're never going to send them to the front line," Gallego told CNN. "But we could definitely use their knowledge in service to our country."
The need is critical
"This is a fantastic idea," said Hank Thomas, partner and COO at Strategic Cyber Ventures.
The government system for recruiting cybersecurity talent is broken, he said.
"And there are no signs it will be fixed anytime soon, mostly because of the war for cyber talent in the commercial space is too competitive," he said. "The war on talent is real and the only way we will win the current cyber war, or World War 3, will be to have a much larger and more capable cyber force."
Military recruiting just hasn't been able to keep up, said John Chirhart, federal technical director at Tenable Network Security.
"We have military reserves for all the traditional branches of the armed services, but nothing for the cyber realm, largely because of restrictive military hiring policies that discourage information security professionals from joining up," he said.
For example, typical reservists are trained to shoot a rifle, or pilot a helicopter, he said, but cyber professionals are already trained. Plus, there's the culture gap, he added. "Being forced to cut their hair, having to work out, being deployed away from their families."
"There are plenty of patriots in the ranks of the cybersecurity elite, but not many who are going to leave lucrative corporate and consulting gigs to join the military," said Jonathan Sander, vice president of product strategy at Lieberman Software. "However, offer them an option to keep their income but be on call to come to the national defense when it’s needed and you may have a winning formula."
Paul Calatayud, CTO at FireMon, has personal experience with exactly that situation.
"I was in the military for eight years supporting cybersecurity and one big conflict was balancing my growing civilian career with my desire to serve my country the best way I knew how," he said. "By establishing ideas such as a national guard-like structure, folks like me can get back in and help while not being conflicted.”
Many experts were hopeful that a National Cyber Guard can help address some of the cybersecurity talent shortage at the government level.
"The government should be aggressive in growing and hiring security professionals and expanding cybersecurity programs," said Blue Lang, senior product manager at Veracity, a network security firm that is is working with the Department of Energy to reduce cyberattacks against industrial and utility networks. "It's as critical as any other part of our shared infrastructure -- maybe more so because of the current lack of visibility. We can see value in an ongoing program of keeping security professionals 'warm' and familiar with government systems, vulnerabilities, and pain points."
"Cybersecurity isn't going to be addressed with any single solution, but anything that suggests stable funding and organizational focus towards getting boots on the ground to keep America's data safe has my attention," said Dan Kaminsky, co-founder and chief scientist at White Ops. "It is specifically interesting that reservists create a lot of cross-pollination between the public and private sectors. Attackers don't pay much attention to organizational boundaries -- effective defense is going to require cooperation across those boundaries."
The U.S. could look abroad for successful examples.
Eran Barak, CEO at Hexadite, served for years in an elite intelligence unit of the Israeli Defense Forces. However, the country does have a big advantage.
"We have mandatory military service in all units including intelligence and cyber," he said. "If someone doesn't show up, they can be prosecuted. To implement the same kind of system in the U.S., you'd need to have an incentive that is big enough to attract cybersecurity talent while at the same time giving incentive to the private sector employers that employ these professionals."
Morey Haber, vice president of technology at BeyondTrust
Another country that can serve as a role model is Estonia, said Kenneth Geers, senior research scientist at Comodo Group, and a NATO ambassador.
"Today, Estonia is the leader in this area," he said.
Estonia's financial and government infrastructure was hit by a massive attack in 2007 that was widely attributed to Russia. Since then, the nation's Estonian Defense League has created a Cyber Unit with hundreds of civilian volunteers who can be called on in an emergency.
Not a job for the government
Other security experts, however, are concerned that a Cyber National Guard would be a step in the wrong direction.
"In my personal opinion, this is an awful idea," said Morey Haber, vice president of technology at BeyondTrust. "It represents all the things that are wrong with big government."
There's no need for an on-demand group of white hat hackers, he said.
"Vendors should be responsible for the cybersecurity they build into their products, organizations like Underwriters Laboratory and Consumer Reports are stepping up with cybersecurity testing and ratings, and basic legislation for cybersecurity is already in motion," he said. "We do not need a version of the FDA protecting the internet and connected devices. Let’s commercialize and allow companies to profit from cybersecurity protection versus giving way to more big government and loss of personal privacy."
And the Cyber National Guard will not address the root causes of the staffing shortages, said Philip Lieberman, president at Lieberman Software.
"The suggested solution of a Cyber National Guard is disconnected from financial reality," he said, calling it "dead on arrival and a misguided idea grounded in fantasy economics."
Project would face skills, budget issues
If a National Cyber Guard were to be created, the project would be facing significant obstacles, experts say.
For example, there is the issue of coordinating responses to attacks against critical infrastructure both in the private sector and owned by local government jurisdictions. Would the Cyber National Guard step in? Who would be in charge?
All of that would need to be planned out, said Rich Barger, director of security research at Splunk.
And creating and testing this framework would take time and resources away from other government and civilian projects, he said.
Then there are the significant staffing issues.
"Our government, similar to corporate America, is struggling to find qualified cyber security experts," said Andrew Howard, CTO at Kudelski Security. "The concept of a national guard cyber security capability is a good idea, but only to help grow the number of qualified military experts, not to actively defend US interests."
And there are limits to how much a team of part-time reservists can accomplish.
"The government clearly has a problem finding and retaining talent, and the idea of leveraging private citizens in a part-time role to backfill some functions in response to major issues could work," said Brian Vecci, technical evangelist at security vendor Varonis Systems. "However, it’s unlikely that a reserve cyber guard would be able to help detect or prevent a major attack or breach."
"Major breaches like OPM cannot be prevented by Band-Aids or weekend warriors," he added.
In fact, a part-time corps could actually create more security problems than it solves.
"In the wake of the most significant leak of CIA documents in US history and investigations focused on contractors, the first issue to overcome is how to manage security clearance for a massive group of civilian professionals with access to government systems or technologies on a short-term basis," said David Vergara, head of global product marketing at VASCO Data Security.
He wasn't the only one worried about this.
"If these temp workers are to find and patch bugs and audit and upgrade the systems, they will need a lot of privileged access to these systems," said Igor Baikalov, chief scientist at Securonix. "And, as any insider threat specialist will tell you, temporary workers with privileged access can do a lot of damage, intentional or not. Edward Snowden's and Harold Martin's affairs will pale in comparison to the sheer volume of incidents this army of cybersecurity volunteers is bound to cause, even without any malicious intent.”
"I don’t see it working," said Michael Lipinski, CISO and chief security strategist at Securonix. "It takes far too long to get screened and get access to systems. Even Congress right now is complaining that it’s taking months to get access to government systems for investigators into the 'Russian influence' investigation."
And it's just not security clearances that slow down response times.
Peter Tran, general manager and senior director at RSA Security
"In cyber, technologies rapidly changing threat conditions have massive attack surfaces crossing geopolitical borders and vary within seconds," said Peter Tran, general manager and senior director at RSA Security. "As a result, mobilizing 'weekend warriors' during critical breaches stands to introduce ramp up delays and additional 'dwell time' for early detection and response when reservist need to get up to speed on the tools, tactics and procedures."
A better approach could be to use private sector experts on continuous rotations to keep skills fresh and to help knowledge transfer.
"You certainly wouldn't want your fighter pilot in the seat only a few weeks out of the year, would you?" he said.
We already have a National Guard for cybersecurity
Finally, some experts pointed out that we already have cybersecurity projects underway in the National Guard. Last year, the National Guard said it plans to have 30 cyber units in at least 30 states by 2019.
"Massachusetts, my state, is already developing a Cyber ISR Group and other states have developed complementary centers," said Ernesto DiGiambattista, founder and CEO at Cybric. "Look at what some of the proactive states are doing for cybersecurity -- Massachusetts, Rhode Island, Washington, Michigan."
There are also federal cybersecurity groups, said Robert Capps, vice president of business development at NuData Security.
That includes the Cyber Security Division of the Department of Homeland Security, the US Computer Emergency Readiness Team, and the National Cybersecurity Center.
"Assuming inter-agency cooperation could be obtained," he said, "one approach could be to promote and centralize an existing high-functioning cyber risk team and let it spread its wings with other high achievers from departments around government and military."
By drawing on existing state and federal efforts, a Cyber National Guard wouldn't have to start from scratch.
"But the ultimate long-term viability of such a unit will depend on the mandate it is given, and the authority and financial support required to fulfill its mandate," he said.