A bipartisan group of lawmakers is pushing to create a civilian reserve corps of cybersecurity experts to help defend national security interests, amid concerns about growing digital threats to public and private networks and infrastructure.
The Civilian Cybersecurity Reserve pilot program would bolster the workforces at the Defense Department and Department of Homeland Security by bringing in former federal employees and military veterans who are trained in the field and could respond to emergencies.
Civilian reservists could give the federal government a fresh tool in its arsenal to protect networks and root out bad actors in cases like last year’s SolarWinds breach, in which Russian intelligence is suspected of compromising about 100 companies and about a dozen government agencies.
Sens. Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., introduced the Civilian Cyber Security Reserve Act in the Senate April 22. Two California congressmen, Democrat Jimmy Panetta and Republican Ken Calvert, followed suit Wednesday with a companion bill in the House.
“The recent, unprecedented cyberattacks targeting the United States demonstrate the risks of not addressing our severe cyber workforce shortage,” Rosen said in a release Wednesday. “As cybersecurity threats continue to grow in scale, frequency, and sophistication, it’s critical that we find innovative solutions to address this deficiency.”
A new commission suggests several changes to address the government's cybersecurity workforce problems
In 2019, the Center for Strategic and International Studies found the global cybersecurity workforce is expected to have more than 1.8 million unfilled positions by 2022.
The United States currently faces an annual shortfall of around 13,700 information security analysts, with nearly 320,000 other openings for candidates with cybersecurity skills, according to the federal initiative CyberSeek.
The bills follow the recommendations of the National Commission on Military, National and Public Service and the Cyberspace Solarium Commission, which recently led a federal deep dive into the future needs of the American cyber workforce.
They also build on language in the 2021 National Defense Authorization Act that directed DOD officials to look into options for building a cyber reserve force, including a civilian reserve, a traditional uniformed military reserve and others.
Under the bill, the DOD and DHS secretaries would be able to appoint members of the cyber reserve to six-month positions in the department as federal civil service employees. That would allow the federal government to temporarily pull people from their day jobs to benefit from their expertise, without asking them to sign up for a long-term commitment or jeopardizing their employment.
The bill calls on the Labor Department to write regulations to ensure reservists can return to their jobs and keep their benefits after activating for federal service.
“By building the reserve program around cybersecurity experts who have left government service for other opportunities, the program would also help the government to maximize the value of taxpayer investment in developing their expertise,” the National Commission on Military, National and Public Service said last year.
DOD and DHS would need to establish their pilot projects within 180 days of the bill’s enactment, and craft criteria for choosing members of the cyber reserve. All members would need an active security clearance to handle classified information.
“Participation in the Civilian Cybersecurity Reserve would be voluntary and by invitation only and would not include members of the military Selected Reserve,” according to the bill sponsors.
The military’s cyber fighters have moved away from a “reactive, defensive posture” and are increasingly engaging in combat with foreign adversaries online, says the USCYBERCOM leader in a commentary published Tuesday.
It’s unclear how DOD and DHS would opt to use that rapid-response workforce alongside their offensive and defensive cyber teams — including uniformed reservists — or whether cyber reservists would be held to similar training standards as typical military reservists. People who don’t show up for duty when called could have their pay withheld, among other possible penalties.
Five years after the program launches, lawmakers want the head of the Government Accountability Office to study whether the effort should be changed, extended or made permanent. The pilot project would automatically end six years after establishment, according to the bill.
The sponsors hope to pass their legislation as a standalone measure or as part of the 2022 defense policy bill, an aide said.
“Creating a reserve corps similar to our National Guard or Army Reserve will allow our national security agencies to have access to the qualified, capable, and service-oriented American talent necessary to respond when an attack occurs,” Blackburn said in the release. “The Civilian Cybersecurity Reserve pilot project represents a big step in strengthening America’s cybersecurity posture.”