Cyber Reserves are not a Silver Bullet
Cyber reserve models are often impractical and fail to materially address nascent policy challenges.
The most significant long-term challenge facing American and British cyber agencies is not China or Russia — it’s a shortage of cyber talent. This workforce deficit isn’t only affecting intelligence agencies. One recent study looked at 11 countries’ cyber skill shortages and extrapolated that the global deficit of qualified personnel sits at over four million unfilled positions and argues that the workforce needs to grow by a staggering 145 percent. Government agencies struggling to match the lucrative private sector salaries on offer naturally find themselves on the back foot. Cyber reserves, conscription models, and the use of volunteers are often touted as a panacea for boosting government recruits.
Yet, calls for a cyber reserve are not enough. Cyber reserve models are often impractical and fail to materially address nascent policy challenges. While cyber reserves can certainly play a limited role in improving security, states such as Britain and the United States should instead continue to focus on policy initiatives that are better aligned with their political cultures and operational requirements. Working with the private sector provides more scalable reinforcements and enables a coordinated approach to protecting what is often predominantly privately-owned infrastructure. Both approaches can certainly co-exist, yet robust public-private collaboration will often trump the whims of volunteers.
Practical Limitations of Cyber Reserves
Calls for expanded cyber reserves underestimate the logistical challenges of implementation. This has led to many policy proposals failing to address the nature of cyber operations or the lengthy timelines often involved. As much as anything, both offensive operations and securing networks are a collection of practices that require full-time staff and an organized approach.
Most large government departments defend their networks 24 hours a day. Security operations centers run around-the-clock monitoring for potential threats. Likewise, vulnerability management programs, used to patch high-severity flaws, require constant vigilance and active coordination in order to stay ahead of the threat. Within these contexts, full-time staff who have experience working together develop continuity and established workflow patterns to ensure threats aren’t missed.
Cyber espionage campaigns are no different. It is assumed that operations conducted by prominent state espionage groups, often referred to as advanced persistent threats, rely on technical wizardry alone. Yet, rather than their ability to exploit flashy zero-day vulnerabilities or deploy highly bespoke malware, it is often their operational capabilities that make the difference. This was captured by National Security Agency and former cyber security White House advisor Rob Joyce, who stressed that targeting large corporate networks requires plenty of patience and focus. This is largely due to the variety of stages involved in cyber operations. This can include extensive open source research on employees ahead of sending phishing emails, putting in the hours to fully understand a target’s infrastructure, or waiting for the right moment to move laterally within a network. Crucially, successful operations often come down to gritty abrasion. Full-time staff, shift patterns, and established routines are at the foundation of a successful campaign. Supplementary staff waltzing in with the occasional weekend or evening to spare might be able to contribute, yet these operational realities limit their ability to substantially move the needle.
An alternative approach would be to adopt a conscription model, the advantage being that cyber agencies would have access to full-time staff, even if for a limited period (e.g. between one to two years). Such initiatives could draw recent graduates from relevant fields. The idea is not without merit and is a model that has worked successfully in other parts of the world. Yet, prestigious degree certificates alone hold limited career capital within the cyber security community. The industry’s experts range from PhDs to those who failed high school. Above all, however, is a premium on practical experience.
While full of potential, a band of fresh-faced graduates with limited experience outside the classroom will need time to develop and might have less to offer at an operational level than some cyber policy commentators imagine. This is particularly important for cyber espionage operations. Campaigns will often deploy tools that are not publicly available, meaning operators can only be taught how to use them after they have joined on. Likewise, a single lapse in concentration, or the reuse of infrastructure from previous operations, is often all it takes for a campaign to be detected. This means that newcomers will require years of on-the-job training to fully master the required tradecraft and discipline.
Moreover, governments should have an easier time recruiting recent graduates. The gulf between private and public sector jobs pay is typically narrower with entry level positions. It is mid-career professionals, having developed technical skills and started to take on responsibilities, for whom making the jump to the private sector becomes increasingly tempting. Crucially, the government cyber skill shortage is frequently misunderstood. Of course, lower salaries and lengthy vetting processes will deter some graduates. Yet the government’s skill shortage is as much about retention as it is recruitment.
Discussions around supplementary staff are too often bereft of operational detail. What, precisely, are the government cyber functions that supplementary staffers should be tasked with? Would reservists be aiding offensive campaigns, exploit development, or security audits? Would graduate conscripts be assigned to penetration testing, digital forensics, or writing threat intelligence reports? Different defensive and offensive cyber functions require vastly different skill sets, security classifications, and operational tempos. Certain functions are clearly more suitable than others for more temporary staffing models, yet these questions remain largely unexplored. Substantive studies, such as Marie Baezner’s examination into multiple cyber reserve approaches, provide much-needed empirics for comparing volunteer and conscription-based models. It is therefore time that cyber reserve policy proposals get serious on details.
Cyber policy should not exist in a vacuum. Better, instead, for it to reflect a state’s pre-existing culture. Yet, herein lies a fundamental flaw in many cyber reserve prescriptions: Implicit in the proposal lies an assumption that states can replicate others’ approaches.
Israel, for instance, is well known for integrating conscripts into its cyber security agencies. As well as providing access to additional talent, the system fosters close relationships with industry; many of those who leave the government to set up their own organizations retain friendly links with the intelligence community. Likewise, Estonia’s voluntary Cyber Defence Unit is routinely praised and touted as a model for other Western states.
However, these approaches cannot necessarily be replicated elsewhere due to fundamental political and cultural differences. It is often argued that supplementary staffing policies have allowed states such as Estonia to overcome the natural barrier of a lower population and still develop impressive cyber capabilities. Yet, such states are able to implement these initiatives precisely because of their small size. This is because many low-population states operate a total defense model, where it is recognized that society as a whole must contribute to security. In other words, successful supplementary staffing models fit into a pre-existing culture of conscription and civilian involvement in defense.
By contrast, such an approach would not work in countries like the United Kingdom and United States. Conscription or mandatory civilian involvement in security is more likely to be perceived as illiberal government overreach. Emulating what works in a small Baltic state or Israel is neither feasible nor desirable. Rather than shoehorn in incompatible reserve models, states should explore how cyber policy can be aligned with their own requirements and political climate.
A Way Forward
Cyber reserves can continue to play an important role in almost all states. However, policy proposals must be compatible with both operational realities and a state’s pre-existing culture. For signals intelligence agencies with multi-billion-dollar annual budgets, the risks of integrating ad hoc volunteers would likely outweigh any benefits. Civilian volunteers can instead make a much more outsized contribution by working with pockets of government where cyber security expertise is harder to come by.
In the United Kingdom, for example, the cyber reserve force works exclusively on protecting military networks. Likewise, the National Crime Agency taps into the expertise of cyber security professionals and academics. While supplementary staff may struggle to maintain long-term offensive operations, they can offer an invaluable resource for government departments in need of skilled experts to run training programs. Going forward, there are exciting possibilities for resource-depleted organizations, such as local police forces, to draw on the expertise of passionate volunteers.
While many larger states have a culture that limits the scope for expansive volunteer movements, they may find themselves with opportunities to collaborate with other actors. Tim Maurer has previously written on how states work with a wide range of stakeholders, including the private sector and hacking collectives. These alternative forms of collaboration all come with their own set of challenges and policy headaches, but they are often better aligned with a state’s broader approach to security.
Countries like the United Kingdom and the United States should continue to turn to the private sector’s hotbed of talent when looking for more significant operational reinforcements. Many private companies will be aligned with their home government’s values and mission, making them natural allies. Notwithstanding well-known government procurement challenges, outsourcing arrangements supply expertise at a scale unmatched by most supplementary staffing arrangements. Multi-year contracts provide governments with better guaranteed access to resources when compared to the goodwill of volunteers. Large defense contractors also have the logistical infrastructure to collaborate with government on the myriad of issues accompanying cyber operations, ranging from security vetting to classified office areas.
London and Washington could also make government roles more attractive by increasing pay to retain staff or through improving career development and promotion pathways. Money reserved for contractors could alternatively be used to boost the salaries available for in-demand cyber skills. This might not be scalable to same extent as procurement programs, but the point is that larger states who enjoy better-funded cyber programs have other options on the table beyond supplementary staffing.
Larger governments are also faced with altogether different cyber security problems that naturally require alternative forms of stakeholder engagement. This includes a sizeable coordination challenge. Small states such as Estonia naturally benefit from short communication links and an “everybody knows everybody” society that fosters a joined-up approach to security. Larger states, by contrast, must navigate sizeable security establishments that comprise a wider range of public and private stakeholders. For example, the U.K. National Cyber Security Centre’s information sharing partnershipand Industry 100 schemes facilitate vital public-private collaboration in key areas of critical infrastructure. These challenges naturally lend themselves to industry collaboration, whilst supplementary staffing approaches would be largely ineffective.
Asking the Right Questions
Recruiting and hiring cyber reserve forces is the wrong approach for cyber agencies in countries like the United Kingdom and the United States, because there is not a pre-existing culture of conscription or wide-scale civilian involvement in defense. Reservists might still make a valuable contribution, yet their role will naturally be limited in scope. Instead, these states should capitalize on their strengths, whether that be collaboration with a budding private sector or by improving government salaries through the substantial governmental cyber security funding already in place.
Before offering solutions, cyber policy wonks should make sure they are asking the right questions. It is more useful to first identify the key cyber security challenges a state faces, whether that be fighting cyber crime, protecting the healthcare sector from attacks during a pandemic, or grappling with the issues surrounding offensive cyber operations. Contractors, reservists, private sector collaborators, and conscripts are all ultimately a means to an end. Stakeholder mobilization strategies should therefore be mapped to solutions most appropriate for the challenges at hand.
This post originally appeared on War on the Rocks.