Cyber threats have metastasized worldwide.
In the U.S., they have presented as security issues for critical infrastructure, such as industrial sites, and cast doubt on the integrity of crucial information technology systems used for elections — including many vulnerable voting machines (PDF) themselves that are employed and managed at the state level.
Technological approaches to curbing or countering these cyber threats are proliferating, but they alone cannot offer adequate protection. What is needed is manpower: hundreds of thousands of information security professionals working in the private and public sectors to actively defend the cyber terrain on which America's national security, prosperity, and democracy depend.
Like many private companies and public agencies in the U.S., the Department of Defense struggles with a shortage of information security professionals. But RAND research suggests that the armed forces, and the nation more broadly, might already have some of the personnel resources it needs — in the ranks of its Reserves and National Guard.
RAND researchers studying the skills of personnel in the Army National Guard and the U.S. Army Reserve in 2015 estimated, conservatively, that more than 100,000 of these men and women have some degree of cyber competence, including thousands with deep or mid-level cyber expertise.
Many of these soldiers, like their counterparts in the reserve components of other military services, perform information security functions in their civilian careers, often in high-tech sectors. Some are serving in newly created reserve component cyber formations.
A growing proportion of reservists are “digital natives” who want to leverage their tech skills as part of their military duties.
A growing proportion of service members in the reserve components are also “digital natives” — part of the younger generations who grew up using a wide variety of technologies. Many want to leverage their tech skills as part of their military duties.
The Department of Defense — and individual states across the country — would do well to tap into this pool of trained, vetted, and often combat-experienced men and women available to extend the labor pool of information security professionals — personnel who could provide support to federal and state civilian authorities during times of crisis.
For example, the reserve component could be mobilized to help the Department of Homeland Security defend the industrial control systems of critical infrastructure experiencing an attack, especially the newest addition to the DHS list of critical infrastructure, the election system itself.
Other countries have begun to leverage civilian-acquired skills in their defense against cyber threats. In the wake of cyber attacks against its public and private Internet infrastructure in 2007, Estonia announced plans to develop the Estonian Defence League, a collection of volunteers — now numbering in the hundreds — who are prepared to help the country respond to emerging cyber crises and attacks.
The U.S. has different options for filling shortfalls in its arsenal of information security professionals. In March, for example, Rep. Ruben Gallego (D-AZ) proposed the creation of a “cyber national guard” to attract talented civilians who do not want to serve in the military, but are willing to contribute to the nation's cyber defense.
The reserve components of the U.S. military are uniquely positioned to attract, train, and manage a cadre of information security professionals who are able to operate both with the active components of the U.S. armed forces and with civilian authorities. Innovative approaches to recruiting, tracking readiness, and career planning of these professionals will be required, and new models of reserve component participation and training might prove necessary.
There is every reason to believe that nefarious actors, including powerful nation-states, will continue to target critical infrastructure, the U.S. election system as a whole and information technology systems in general.
This threat to American democracy and cyber way of life demands hands-on attention to the underlying machines and devices. Mitigating this threat with human resources will require the cyber equivalent of boots on the ground. The state of Ohio has already tapped its National Guard to defend its election system from hackers.
Time is running out to build an adequate nationwide defense for the next presidential election cycle, but many of the necessary personnel resources are right here — in the form of the Guard and the Reserves that are ready and willing to be called up to perform the mission.
Isaac Porche is a senior engineer and Brian Wisniewski is an adjunct researcher at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on TechCrunch on April 18, 2017. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.