There has been a lot of talk recently with regards to the potential implementation of a US Cyber Civilian Reserve. Think of this as something comparable to the Civil Air Patrol and Coast Guard Auxiliary, but for cyber experts. The thinking is that these folks can be called upon for immediate action for municipalities, schools, and even non-government entities that may require their assistance.
A government funded program like this ultimately helps protect organizations that either can’t afford to or don’t need to have a full time security team on staff. Michigan rolled out a program at the state level which has been garnering attention and could act as the model for how this program could be implemented in other states or at the federal level. Today, we will explore the pros and cons of this potential program.
Immediate Assistance – As small towns and schools are habitually underfunded, which of course includes IT and security, they are constantly targeted by attackers as they are often the lowest hanging fruit. Unfortunately, due to their lack of resources, they continue to fall victim to these attacks, which include things like ransomware. With a Cyber Civilian Reserve in place, they can call on a team immediately following a compromise to try and reduce any additional impacts, determine how to restore operations, and learn to prevent similar attacks in the future.
Leverage Security Professional’s Expertise – The cybersecurity profession is extremely technical and requires a certain level of experience. Additionally, it is well known that the security community supports each other for the greater good of society. This program would allow individuals to be challenged and give back to the community all at the same time.
Educate – If leveraged properly, the Cyber Civilian Reserve could assist in educating users on cybersecurity awareness as well as educating IT workers on how to properly secure their networks. In a perfect world, this body could even assist in performing tests to ensure that the underfunded entities are properly secured and less susceptible to an attack, prior to a breach or compromise occurring.
Complete Dependency – As with any volunteer or “free” program, you run the risk of abuse. Certain entities may be inclined to call in the task force for suspected incidents with little to no evidence or problems that are not in scope of the program. This could lead to “the boy who cried wolf” scenarios. Any services would have to have clear scoping boundaries and a requirements that are met prior to engaging.
Failure to Fund Security Program at All – Unfortunately, this program may also lead to entities continuing to under fund or completely pull funding for their security program, instead choosing to rely on the government task force when something goes wrong. This would be detrimental to both this entity as well as the task force.
Ignoring the True Problem at Hand – Depending on how the Cyber Civilian Reserve is structured, you run the risk of missing the true mark of trying to prevent cyber attacks before they happen in the first place. Organizations still need to improve and incorporate security controls proactively to avoid falling victim, or at least make it more difficult for attacks. The need for incident response and assistance when responding to a security incident is still there, however, if the resources were also dedicated to proactively thwarting events via activities like Penetration Testing and Security Awareness Training, you could drastically improve the security posture of target companies.
As the world progresses and technology evolves, the need for experts in the technology realm continues to grow. By proactively working as a country to put together a Cyber Civilian Reserve, we further strengthen our position in preventing and responding to cyber attacks. We will continue to monitor this at the federal and state level to see how things progress and how the programs are implemented.