Taking the Elf Off the Shelf: Why the U.S. Should Consider a Civilian Cyber Defense

Maggie Smith, Mark Grzegorzewski, Barnett Koven
Wednesday, July 6, 2022, 8:01 AM

The U.S. doesn’t have a civilian cyber defense. Here’s why it should and how it should be implemented.

Woman working on computer (Mohamed Hassan, https://www.publicdomainpictures.net/en/view-image.php?image=265912&picture=computer-work-computer-screen; CC0 Public Domain, https://creativecommons.org/publicdomain/zero/1.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

It was the morning of Sept. 12, 2001, and from the back seat of a Cessna, Lt. Col. Andrew Feldman was taking photos with his 35-mm Nikon fitted with Zeiss lenses. As armed U.S. Air Force (USAF) F-15 Eagles circled above them like angry bees, the three officers aboard the Civil Air Patrol Cessna 172 became some of the first to witness the devastation at Ground Zero after two hijacked airliners struck the World Trade Center on Sept. 11. The photographs they took helped shape the emergency response, informed the investigation, and demonstrated the capability of the USAF auxiliary, or the Civil Air Patrol (CAP).

Six years later, Russia attacked Estonia, crippling the small country’s internet and prompting a series of reforms to build resilience and capacity, and to strengthen its national defense. Underlying Estonia’s approach—in large part due to its proximity to Russia—was an assertion that every citizen should be able to contribute to national defense if Estonia’s sovereignty is threatened. Similar to the function of CAP in American disaster response, Estonia’s Cyber Defense League (CDL) is a state-sponsored, citizen-led program that promotes cybersecurity in peacetime and bolsters Estonia’s cyber defense capacity during conflict. The all-volunteer CDL—whose members refer to themselves as elves—gives the tiny nation the ability to surge and efficiently organize resources in the event of a cyberattack. The organization has also fostered strong connections among Estonia’s citizens, its commercial sector, and the government—creating an architecture for national defense that is ready on demand. 

To date, the United States has no plans to build out a civilian program comparable to Estonia’s CDL or to leverage civilian knowledge in U.S. cyber defense strategy outside of traditional contracting mechanisms. But at a time when there are over 600,000 vacant cyber-related positions, an American Civil Cyber Defense (CCD) sounds appealing. Additionally, with the recent calls for a whole-of-society approach to cybersecurity and the expressed support for a layered cyber defense from senior government leaders, a CCD would provide a route for cyber-focused individuals to use their talents for the benefit of national defense. Therefore, the U.S. government should consider incorporating an all-volunteer, auxiliary cyber force into its Homeland Defense strategy and model it on the successful USAF CAP. 

By incorporating lessons learned from Estonia’s CDL and using CAP as an organizational framework, the CCD’s mission should be focused primarily on promoting cybersecurity awareness at the community level, augmenting the national cybersecurity ecosystem to better protect the U.S. from malicious cyber actors, and enabling a collective surge capacity to respond to a cyberattack.

Cybersecurity: The Problem 

American dominance in cyberspace is ebbing. Mirroring trends in physical space, U.S. adversaries are engaging in asymmetric tactics and strategies in cyberspace to degrade U.S. physical security and cybersecurity. Countries like China, Russia, North Korea, and Iran relentlessly chip away at U.S. institutions and social trust by taking advantage of America’s patchworked legal parameters and authorities governing cyberspace. One tactical example is the malign use of proxy actors by U.S. adversaries—like patriotic hackers, organized crime syndicates, and bots-for-hire—to execute activities on behalf of the state in and through cyberspace. While these attacks affect all kinds of businesses, small companies are particularly vulnerable because they typically have less cybersecurity expertise and fewer resources at their disposal to allocate to cybersecurity. 

This is a serious problem that the U.S. government should approach with urgency. Estimates show that 28 percent of data breaches occur in small businesses, with 55 percent of ransomware attacks hitting businesses with fewer than 100 employees. Among small businesses that experienced a cyberattack, “37 percent suffered a financial loss, 25 percent filed for bankruptcy, and 10 percent went out of business” in the year following the breach. Additionally, less than half of small businesses believe they can quickly respond to a data breach, and 67 percent of small business owners deny they are even vulnerable to a cyberattack—meaning these businesses are almost certainly not taking meaningful steps to increase their security. 

Chinese hackers’ 2016 breach of a small Wisconsin company, Cate Machine & Welding, is representative of the precarious situation facing American small businesses. The hackers compromised Cate’s “dusty old computer humming away in the back office.” Even though they were not interested in Cate’s data, they used the company’s server as a launchpad for attacks against other businesses. This is just one type of exposure, among many, that threatens small businesses’ cybersecurity. These vulnerabilities cannot simply be accepted as an inevitability resulting from these companies’ lack of resources and expertise. “Mom and pop” businesses are as important as any other node in the broader network and need greater capacity to strengthen the U.S. cybersecurity ecosystem. 

Small businesses are not the only local or community concern. Cybersecurity risks that state and local governments face are also alarming. Investors and insurance providers are increasingly worried about the spiking number of attacks against local government information technology (IT) services and data. The onslaught of ransomware attacks targeting the public sector is especially harmful at the current moment, as most state and local governments are still trying to figure out how to deliver and sustain services online in a continuing global pandemic. 

A recent survey of “150 municipal bond credit analysts and specialists (excluding those at rating agencies) carried out this month by HillTop Securities shows digital risks are increasingly on investors’ minds—and practically none of those investors think state and local governments are prepared” for a cyberattack. Additionally, only 6 percent of respondents thought state and local governments were “on their way to being prepared” for cyberattacks, and not a single survey respondent thought that small governments were “prepared” or “very prepared” to face a cybersecurity incident. The implications of an insecure public sector are far-reaching, and with relatively small budgets and staffs, local government cybersecurity efforts are likely to remain underfunded and understaffed.

Most small businesses are not purposely negligent or willfully ignorant of cybersecurity best practices. In many cases, these companies do not have a proper understanding of the cyber risks facing them. In other cases, small businesses do not have a sufficient budget allocated to cybersecurity. While the Civil Cyber Defense model proposed below cannot comprehensively address small business or local government resource allocation, the model can bolster owner and worker education to raise awareness and knowledge of cyber risks. It can also provide subject-matter expert advice on rudimentary cybersecurity and remediation plans—services that may otherwise be too costly for small business owners. An American Civil Cyber Defense and its cadre of volunteers could help small businesses and mayoral offices with cybersecurity tasks—such as updating their systems and installing patches. These kinds of benefits are not merely conceptual. Estonia’s CDL already serves this function.

The Elves: Estonia’s Cyber Defense League

Estonia is one of the most digitally connected—and digitally dependent—countries in the world. To make a decisive break with its Soviet past and chart its own future by embracing democracy and capitalism, Estonia incorporated technological solutions to leap past many other developing, former-Soviet states. But Estonia still struggles against the pull of Russia’s orbit—the northern Estonian border is just over 90 miles from Russia’s second largest city, St. Petersburg. Russia does not respect Estonia’s sovereignty, and to offset Russian influence in the country, Estonia actively pursued membership in the European Union and North Atlantic Treaty Organization. Despite—or perhaps because of—these memberships, Estonia was the target of Russian cyber aggression in 2007 following the “Bronze Night” protests. Adding to the proximity problem is Russia’s continuing desire to reclaim its former great power status by expanding its sphere of influence. 

In response to its 2007 cybersecurity failures, Estonia decided that it should scale its cyber capabilities by tapping into the civilian or private sector to defend against hacks orchestrated by Russia. (The IP addresses linked to the computers responsible for the 2007 attack on Estonia were located in Russia, but the Russian government denied direct involvement.) The Estonian cybersecurity community and the Ministry of Defense proposed the creation of a Cyber Defense League, modeled on the Estonian Defense League, which is a “voluntary national defense organization” under the Estonian Ministry of Defense. The CDL was designed to augment the existing defense league and is tasked with providing a civilian cyber defense capability.

Estonia divides its CDL forces into regional units composed of a diverse set of members whose skills are aligned with local concerns. Since the units are composed of volunteers, individuals cannot be compelled to participate at all times, and members maintain a commitment that works around their family and business obligations. The volunteer format has the benefit of flexibility. But since there is no permanent CDL staffing, a region could experience a lapse in support. However, Estonian citizens broadly understand their precarious national security situation and that every Estonian has a role to play in homeland defense—particularly in the cyber realm. 

After gaining independence, Estonia made concerted efforts to become “E-stonia,” an internet-based society. The country was wired quickly after it became independent and began teaching programming to young schoolchildren (beginning at age 5). More importantly, it was a nation whose population understood well the need to be free from the former Soviet Union after experiencing a tangible threat to the country’s sovereignty.

To be effective against Russian aggression, the Estonian CDL focuses citizen participation on improving critical information infrastructure security by pursuing three main efforts:

  • Developing a network of cooperation, including for crisis response. This is accomplished by strengthening cooperation among qualified volunteer IT specialists, as well as through the creation of a network to combine the expertise of public and private sectors to act in a crisis.
  • Improving the security of critical information infrastructure by both regularly sharing threat awareness information and disseminating best practices to the public and private sectors, as well as enhancing preparedness for operating during a crisis. 
  • Promoting awareness, education, and training both by providing continuous information security education and training to members as well as actively participating in cybersecurity training networks, including international ones.

In addition, the CDL can be reassigned to support the Estonian Computer Emergency Response Team (Estonian-CERT)—a team that analyzes and disseminates cyber threats and vulnerabilities to coordinate responses—in times of crisis involving critical information infrastructure and systems.

Estonia’s comprehensive security approach recognizes that integrating the public into a whole-of-nation defense after the state is already at risk is too late. Taking a proactive security approach and engaging citizen defenders during a time of relative peace is critical to ensuring Estonia has a more robust defensive posture during conflict. Therefore, Estonia’s cyber defense strategy has created and fostered the connections among citizens, the commercial sector, and the government necessary to establish the networks for a collective defense ahead of a major crisis. And it has the added benefit of promoting security, safety, and stability during peacetime.

The Civil Air Patrol: What Is It?

The Civil Air Patrol dates to 1941, when Gill Robb Wilson—a World War I aviator—launched a program he dedicated his postwar years to designing: the Civil Air Defense Services. Ultimately approved by the Commerce, Navy, and War departments, CAP opened its national headquarters on Dec. 1, 1941. As an organization, CAP provides a model for what an American civilian cyber defense program could look like. CAP offers its members a way to serve the nation without joining the military, and a CCD can do the same.

As an all-volunteer organization that educates young individuals and trains the next generation of aviation leaders, CAP is committed to service and development. Science, technology, engineering, and math (STEM) education is considered its capstone mission, and CAP has invested heavily in STEM initiatives since the organization’s beginning. Additionally, emergency preparedness and response are central to CAP’s mission, as evidenced by its critical imagery collection of Ground Zero after Sept. 11, 2001.

Organized like the U.S. Air Force, CAP provides a military leadership structure that promotes accountability and ensures that the CAP mission, values, and goals are supported by its affiliated chapters. The link to the military chain-of-command allows for a set of detailed and understandable consequences for any individual who breaks rules or regulations. It is especially critical to CAP’s legitimacy that it remains accountable and transparent—as it receives federal funding for its programs and is a part of the USAF’s operational mission. The same oversight, applied to a congressionally mandated CCD, would be important for at least two reasons. First, it would keep the CCD and all its local chapters aligned with national priorities by synchronizing efforts across state lines. Second, congressional oversight would help ensure that citizens’ groups act within the confines of the law.

The principles that shape CAP’s relationship with the USAF—such as volunteerism and saving lives—provide a framework for nesting a CCD under the leadership of the newest branch of service, U.S. Space Force, which does not have a reserve or auxiliary component.

While CAP already designates funding and effort to STEM and cyber education, a dedicated CCD can take the CAP model and expand on its STEM mission to bring in a broader range of cybersecurity professionals, veterans, and businesses to help construct a dynamic cybersecurity ecosystem as part of the CCD’s vision. Developing this infrastructure would help to bring cybersecurity awareness to the American public and promote responsible digital citizenship.

A Road Map: Creating a Civil Cyber Defense

Creating a Civil Cyber Defense begins with a charter. Establishing a congressionally mandated nonprofit under the newly commissioned Space Force would provide clear funding lines and oversight mechanisms. It would also create a Total Force concept for the Space Force. The Total Force concept blends active-duty, national guard, and reserve personnel to promote efficiency and effectiveness in support of the overall mission. As a program modeled on CAP and Estonia’s CDL, the CCD would be a congressionally chartered and federally supported nonprofit corporation that would serve as the official civilian auxiliary of the Space Force. It would be established as an organization by Title 10 of the U.S. Code with its duties, roles, and responsibilities detailed by legislation. 

The first and central tenet of the CCD concept is public education—specifically related to the recognition and management of risks and vulnerabilities. The CCD would be a community-oriented organization. In addition to youth programming, a CCD would conduct community and citizen cybersecurity awareness training and resourcing—from the individual to the small businesses that make up American communities. By partnering with local chapters of organizations, like Neighborhood Watch, Rotary, Toastmasters, the Chamber of Commerce, and Veterans of Foreign Wars, among others, a CCD would deliver education in cyber and general STEM-related issues to increase awareness among professionals, seniors, and youth.

A second tenet of the CCD concept is emergency preparedness. A CCD would leverage its local resources and connections to community organizations to conduct penetration and “red team” testing for small local businesses—with the written authorization of the business owner, since testing systems without it is unlawful—as pre-crisis preparedness training and support. A CCD would also assist local schools and education systems to establish cybersecurity baselines that protect student records and help to deter cyberattacks. As a community-oriented organization, a CCD will need to establish the local community’s trust, and, ideally, members of the CCD would come from the communities they serve. Local participation is an important element of trust because victims may be more likely to request assistance from someone who is local and known rather than from an outsider.

The third tenet of the CCD concept is maintaining an emergency surge capacity. As a local organization, the CCD would align its mission with those of other civic-minded groups—like those listed above—and work in coordination with these kinds of organizations to provide support in the event of a crisis. The CCD would integrate its members into traditional emergency response units, where CCD members would provide technical expertise to disaster response and assistance efforts to promote the maintenance and rebuilding of critical systems. It would also work alongside other local first responders and disaster relief organizations toward the same end. 

Just as with the Estonian model, the CCD would offer U.S. citizens a chance to give back to their nation. There is the possibility that U.S. citizens would not be as willing to participate as are Estonian citizens—due to different historical experiences and cultural backgrounds among citizens in the two countries. This could result in lower participation levels in the U.S. But these distinctions do not mean the concept could not be adapted in the U.S., or that similar efforts should not be pursued.

Further, not everyone is eligible to serve in the armed forces, and many seek out alternative opportunities to serve their country. The CCD would provide another route for cyber-focused individuals to use their talents for the benefit of national defense. Additionally, veterans of the armed forces with cyberspace experience would be an important asset for CCD regional teams. As skilled individuals cycle out of uniformed service, the CCD would provide them with an opportunity to continue their work in national defense. 

When assessing the risk calculus for a CCD program, policymakers must weigh the risk of not doing anything versus the risk of utilizing nonmilitary citizens to aid in national defense. The risks generally believed to be associated with “civilians on the battlefield” may be mitigated by the structure of the CCD—which would have a carefully legislated role and be nested under the Space Force military chain-of-command. 

If policymakers consider cyber operations as escalatory weapons, then civilians are unwelcome and unnecessary distractions on the internet battlefield. However, in strategic competition, cyber and information operations are used primarily for shaping the environment and intelligence activities on civilian populations, not as acts of war. Further, CCD members would not be using or accessing critical systems. And the CCD would report any abnormalities or vulnerabilities to an appropriate federal agency—potentially the Cybersecurity and Infrastructure Security Agency—to enhance the nation’s overall cybersecurity posture.

To establish and maintain a robust cybersecurity ecosystem, citizens need to be involved, engaged, and aware of how the country’s cybersecurity is inextricably linked with the systems they rely on every day. Establishing a CCD would be a step in the right direction toward that critical aim.


Maggie Smith, PhD is a US Army cyber officer currently assigned to the Army Cyber Institute (ACI) at the United States Military Academy where she is an assistant professor in the Department of Social Sciences and an affiliated faculty of the Modern War Institute (MWI). Maggie directs the Competition in Cyberspace Project, a joint initiative of ACI and MWI, and is an affiliated researcher and graduate faculty member of the University of Maryland’s National Consortium for the Study of Terrorism and Responses to Terrorism (START). The views expressed are personal and do not reflect the policy or position of any U.S. government organization or entity.
Mark Grzegorzewski is a Resident Senior Fellow in the Department of Strategic Studies at Joint Special Operations University.
Barnett Koven is a data science manager at Deloitte Government & Public Services.