Assessment of Militia Forces as a Model for Recruitment and Retention in Cyber Security Forces

Franklin Holcomb is a graduate student from the U.S. at the University of Tartu, Estonia and a former research analyst on Eastern European security issues in Washington, D.C. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.


Title:  Assessment of Militia Forces as a Model for Recruitment and Retention in Cyber Security Forces

Date Originally Written:  September 25, 2019.

Date Originally Published:  November 18, 2019.

Author and / or Article Point of View:  The author is a graduate student from the U.S. at the University of Tartu, Estonia and a former research analyst on Eastern European security issues in Washington, D.C. He is a strong believer in the Euro-American relationship and the increasing relevance of innovation in security and governance.

Summary:  U.S. and Western Armed Forces are struggling with recruitment and retention in their cyber units, which leaves their countries vulnerable to hostile cyber actors. As society becomes increasingly digitalized in coming years, the severity of these vulnerabilities will increase. The militia model adopted by the Baltic states provides a format to attract civilian experts and decrease vulnerabilities.

Text:  The U.S. Armed Forces are facing difficulties recruiting and retaining cyber-security talent. To meet this challenge, the U.S. Marine Corps announced in April 2019 that it would establish a volunteer cyber-auxiliary force (Cyber Aux) consisting of a “small cadre of highly-talented cyber experts who train, educate, advise, and mentor Marines to keep pace with constantly-evolving cyber challenges[1].” The Cyber Aux will face many of the issues that other branches, and countries, have in attracting and retaining cyber-security professionals. Cyber Aux takes notably important steps towards increasing the appeal of participation in the U.S. armed forces for cyber-security experts, such as relaxing grooming and fitness standards. But Cyber Aux will struggle to attract enough professionals due to factors such as its role as a mentorship organization, rather than one that conducts operations, and the wide military-civilian pay gap in the cyber-security field[2]. These factors will ensure U.S. and North Atlantic Treaty Organization (NATO) military forces will have suboptimal and likely understaffed cyber components, increasing their vulnerabilities on and off the battlefield.

Estonia, Latvia, and Lithuania have been on the geographic and virtual frontlines of many challenges faced by NATO. The severity of threats facing them has made security innovation a necessity rather than a goal. While not all innovations have succeeded, these countries have created a dynamic multi-layered defense ecosystem which combines the skillsets of civil society and their armed forces to multiply their defense capabilities and increase national resilience. There are numerous organizations that play a role in these innovations including civilian groups as well as the militias of each state[3]. The militias, non-professional military forces who gain legitimacy and legality from state authorization, play a key role in increasing the effective strength of forces in the region. The Estonian Defense League, the Latvian National Guard, and the Lithuanian Riflemen’s Association all draw on civilian talent to form militias. These organizations are integrated, to different extents, with military structures and play supporting roles in a time of crisis that would free regular forces to conduct operations or support their operations directly.

These militias have established cyber units which are models for integrating civilian cyber-security professionals into military structures. The Baltic cyber-militias engage directly in practical cyber-security concerns, rather than being restricted to academic pursuit or mentoring like Cyber Aux. In peacetime, these organizations conduct training for servicemen and civilians with the goal of raising awareness of the risks posed by hostile cyber actors, increasing civilian-military collaboration in cyber-security, and improving cyber-security practices for critical systems and infrastructure[4]. In crisis, these units mobilize to supplement state capabilities. The Estonian Defense League and Latvian National Guard have both established cyber-defense units, and Lithuania intends to complete a framework through which its militia could play a role in supporting cyber-defense capabilities by January 2020[5]. 

The idea of a cyber-militia is not new, yet the role these organizations play in the Baltic states as a talent bridge between the armed forces and civil society provides a very useful policy framework for many Western states. Currently, cyber-auxiliaries are used by many states, such as Russia and China, which rely on them to supplement offensive cyber capacities[6]. This situational, and often unofficial, use of auxiliaries in cyber operations has advantages, prominently including deniability, but these should not overshadow the value of having official structures that are integrated into both civil society and national cyber-defense. By creating a reserve of motivated civilian professionals that can be called on to supplement military cyber units during a time of crisis, the Baltic states are not only increasing their resilience to a major cyber incident while it is underway, but also raising the up-front cost of conducting such an attack in the first place.

As NATO and European policymakers consider the best courses available to improve their Armed Forces’ cyber capacities, the models being adopted in Estonia, Latvia, and Lithuania are likely of value. Estonia pioneered the concept in the region[7], but as the model spreads to other states, Western states could learn from its effectiveness. Cyber-militias, which play a supportive role in cyber operations, will strengthen the cyber forces of militaries in other NATO states which are undermined by low recruitment and retention.


Endnotes:

[1] (2019, May 13). Marine Corps Establishes Volunteer Cyber Auxiliary to Increase Cyberspace Readiness. Marines.mil. Retrieved September 25, 2019. https://www.marines.mil/News/Press-Releases/Press-Release-Display/Article/1845538/marine-corps-establishes-volunteer-cyber-auxiliary-to-increase-cyberspace-readi

[2] Moore E., Kollars N. (2019, August 21). Every Marine a Blue-Haired Quasi-Rifleperson? War on the Rocks. Retrieved on September 25, 2019. https://warontherocks.com/2019/08/every-marine-a-blue-haired-quasi-rifleperson/; Cancian M., (2019, September 05) Marine Cyber Auxiliaries Aren’t Marines, and Cyber “Warriors” aren’t Warriors. War on the Rocks. Retrieved September 25, 2019. https://warontherocks.com/2019/09/marine-cyber-auxiliaries-arent-marines-and-cyber-warriors-arent-warriors/

[3] Thompson T. (2019, January 9) Countering Russian Disinformation the Baltic nations’ way. The Conversation. Retrieved September 25, 2019. http://theconversation.com/countering-russian-disinformation-the-baltic-nations-way-109366

[4] (2019, September 24). Estonian Defense League’s Cyber Unit. Estonian Defense League. Retrieved on September 25, 2019. http://www.kaitseliit.ee/en/cyber-unit; (2013). National Armed Forces Cyber Defense Unit (CDU) Concept. Latvian Ministry of Defense. Retrieved September 25, 2019. https://www.mod.gov.lv/sites/mod/files/document/cyberzs_April_2013_EN_final.pdf; (2015, January 15). National Guard opens cyber-defense center. Public Broadcasting of Latvia. Retrieved September 25, 2019. https://eng.lsm.lv/article/society/society/national-guard-opens-cyber-defense-center.a113832/; Kaska K., Osula A., Stinnissen J. (2013) The Cyber Defence Unit of the Estonian Defense League. NATO Cooperative Cyber Defense Centre of Excellence. Tallinn, Estonia. Retrieved September 25, 2019. https://ccdcoe.org/uploads/2018/10/CDU_Analysis.pdf; Pernik P. (2018, December). Preparing for Cyber Conflict: Case Studies of Cyber Command. International Centre for Defense and Security. Retrieved on September 25, 2019. https://icds.ee/wp-content/uploads/2018/12/ICDS_Report_Preparing_for_Cyber_Conflict_Piret_Pernik_December_2018-1.pdf

[5] (2019, July 03) The Government of the Republic of Lithuania: Ruling on the Approval of the Interinstitutional Action Plan for the Implementation of National Cybernet Security Strategy. Lithuanian Parliament. Retrieved September 25, 2019. https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/faeb5eb4a6c811e9aab6d8dd69c6da66?jfwid=dg8d31595

[6] Applegate S. (2011, September/October) Cybermilitias and Political Hackers- Use of Irregular Forces in Cyberwarfare. IEEE Security and Privacy. Retrieved on September 25, 2019. https://www.researchgate.net/publication/220497000_Cybermilitias_and_Political_Hackers_Use_of_Irregular_Forces_in_Cyberwarfare

[7] Ruiz M. (2018, January 9) Is Estonia’s Approach to Cyber Defense Feasible in the United States? War on the Rocks. Accessed: September 25, 2019. https://warontherocks.com/2018/01/estonias-approach-cyber-defense-feasible-united-states/; Drozdiak N. (2019, February 11) One of Russia’s Neighbors Has Security Lessons for the Rest of Us. Bloomberg. Retrieved on September 25, 2019. https://www.bloomberg.com/news/articles/2019-02-11/a-russian-neighbor-has-cybersecurity-lessons-for-the-rest-of-us


Options for U.S. National Guard Defense of Cyberspace

Jeffrey Alston is a member of the United States Army National Guard and a graduate of the United States Army War College.  He can be found on Twitter @jeffreymalston.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.


National Security Situation:  The United States has not organized its battlespace to defend against cyberattacks.  Cyberattacks are growing in scale and scope and threaten surprise and loss of initiative at the strategic, operational and tactical levels.  Shortfalls in the nation’s cybersecurity workforce and lack of division of labor amongst defenders exacerbate these shortfalls.

Date Originally Written:  July 23, 2017.

Date Originally Published:  September 4, 2017.

Author and / or Article Point of View:  This paper is written from a perspective of a U.S. Army field grade officer with maneuver battalion command experience who is a senior service college graduate.  The officer has also been a practitioner of delivery of Information Technology (IT) services and cybersecurity for his organization for over 15 years and in the IT industry for nearly 20 years.

Background:  At the height of the Cold War, the United States, and the North American (NA) continent, organized for defense against nuclear attack.  A series of radar early warning lines and control stations were erected and arrayed across the northern reaches of the continent to warn of nuclear attack.  This system of electronic sentries was controlled and monitored through a series of air defense centers.  The actual air defense fell to a number of key air bases across the U.S. ready to intercept and defeat bombers from the Union of Soviet Socialist Republics entering the NA airspace.  The system was comprehensive, arrayed in-depth, and redundant[1].  Today, with threats posed by sophisticated cyber actors who directly challenge numerous United States interests, no equivalent warning structure exists.  Only high-level, broad outlines of responsibility exist[2].  Existing national capabilities, while not trivial, are not enough to provide assurances to U.S. states as these national capabilities may require a cyber event of national significance to occur before they are committed to address a state’s cyber defense needs.  Worse, national entities may notify a state after a breach has occurred or a network is believed to be compromised.  The situation is not sustainable.

Significance:  Today, the vast Cold War NA airspace has its analog in undefended space and gray area networks where the cyber threats propagate, unfettered from active security measures[3].  While many of the companies and firms that make up the critical infrastructure and key resource sectors have considerable cybersecurity resources and skill, there are just as many that have next to nothing.  Many companies and firms cannot afford cyber capability or, worse, are simply unaware of the threats they face.  Between all of these entities the common terrain consists of the numerous networks, private and public, that interconnect or expose all of these actors.  With its Title 32 authorities in U.S. law, the National Guard is well positioned at the unique interface with private industry – especially critical infrastructure – and can play a key role in this gray space.

There is a unique role for the National Guard cyber forces in gray space of the internet.  The National Guard could provide a key defensive capability in two different ways.

Option #1:  The National Guard’s Defensive Cyberspace Operations-Element (DCO-E), not part of the Department of Defense Cyber Mission Force, fulfills an active role providing depth in their states’ networks, both public and private.  These elements, structured as full-time assets, can cooperatively work to negotiate the placement of sensors and honeypots in key locations in the network and representative sectors in their states.  Data from these sensors and honeypots, optimized to only detect high-threat or active indicators of compromise, would be aggregated in security operations centers manned primarily by the DCO-Es but with state government and Critical Infrastructure and Key Resources (CIKR) participation.  These security operations centers provide valuable intelligence, analytics, and cyber threat intelligence to all and act to provide depth in cybersecurity.  These units watch for only the most sophisticated threats and allow the CIKR private industry entities to concentrate their resources on internal operations.  Surveilling gray space networks provides another layer of protection and builds a shared understanding of adversary threats, traffic, and exploitation attempts, returning initiative to CIKR and preventing surprise in cyberspace.

Risk:  The National Guard cannot be expected to intercept every threat that is potentially targeted at a state entity.  Negative perceptions of “mini-National Security Agencies (NSAs)” within each state could raise suspicions and privacy concerns jeopardizing the potential of these assets.  Duplicate efforts by all stakeholders threaten to spoil an available capability rather than integrating it into a whole of government approach.

Gain:  Externally, this option builds the network of cyber threat intelligence and unifies efforts within the particular DCO-E’s state.  Depth is created for all stakeholders.  Internally, allowing National Guard DCO-Es to focus in the manner described in this option provides specific direction, equipping options, and training for their teams.

Option #2:  The National Guard’s DCO-Es offer general support functions within their respective states for their Adjutants General, Governors, Department of Homeland Security Advisors, etc.  These elements are tasked on an as-needed basis to perform cybersecurity vulnerability assessments of critical infrastructure when requested or when directed by state leadership.  Assessments and follow-on recommendations are delivered to the supported entity for the purpose of increasing their cybersecurity posture.  The DCO-Es fulfill a valuable role especially for those entities that lack a dedicated cybersecurity capability or remain unaware of the threats they face.  In this way, the DCO-Es may prevent a breach of a lesser defended entity as the entry point for larger scale attacks or much larger chain-reaction or cascading disruptions of a particular industry.

Risk:  Given the hundreds and potentially thousands of private industry CIKR entities within any particular state, this option risks futility in that there is no guarantee the assessments are performed on the entities at the greatest risk.  These assessments are a cybersecurity improvement for the state overall; however, given the vast numbers of industry actors, this option is equivalent to trying to boil the ocean.

Gain:  These efforts help fill in the considerable gap that exists in the cybersecurity of CIKR entities in the state.  The value of the assessments may be multiplied through communication of the results of these assessments and vulnerabilities at state and national level industry specific associations and conferences etc.  DCO-Es can gradually collect information on trends in these industries and attempt to use that information for the benefit of all such as through developing knowledge bases and publishing state specific trends.

Other Comments:  None.

Recommendation:  None.


Endnotes:

[1]  Winkler, D. F. (1997). SEARCHING THE SKIES: THE LEGACY OF THE UNITED STATES COLD WAR DEFENSE RADAR PROGRAM (USA, Headquarters Air Combatant Command).

[2]  Federal Government Resources. (n.d.). Retrieved July 22, 2017, from https://www.americanbar.org/content/dam/aba/marketing/Cybersecurity/2013march21_cyberroleschart.authcheckdam.pdf

[3]  Brenner, J. (2014, October 24). Nations everywhere are exploiting the lack of cybersecurity. Retrieved July 21, 2017, from https://www.washingtonpost.com/opinions/joel-brenner-nations-everywhere-are-exploiting-the-lack-of-cybersecurity

 

 

 
