The most significant long-term challenge facing network agents in the United States and the United Kingdom is not China or Russia-but a shortage of network talent. Labor shortages not only affect intelligence agencies. A recent study investigated the shortage of online skills in 11 countries / regions, and concluded that the global shortage of qualified talent exceeds 4 million, and believes that the labor force needs to grow at an alarming rate of 145%. Government agencies struggling to match the lucrative private sector wages offered will naturally shrink. Internet reserves, recruitment models and the use of volunteers are often touted as a panacea for increasing government recruits.
However, the call to establish network reserves is not enough. Network protected area models are often unrealistic and cannot fundamentally address emerging policy challenges. Although network reserves can undoubtedly play a limited role in improving security, countries such as the United Kingdom and the United States should continue to focus on policy initiatives that are more in line with political culture and operational requirements. Working with the private sector can provide more scalable enhancements and take a coordinated approach to protect infrastructure that is usually primarily privately owned. The two methods can of course coexist, but strong public-private cooperation usually defeats the whims of volunteers.
Practical limitations of network protection zones
The call to expand network protection zones underestimates the logistical challenges of implementation. This has led to many policy proposals failing to address the nature of network operations or the long schedules often involved. In any case, offensive operations and safety networks are collections of practices that require full-time personnel and organized practices.
Most large government departments defend the Internet 24 hours a day. The security operations center monitors potential threats 24/7. Similarly, the vulnerability management program used to patch high-severity vulnerabilities also needs to be constantly vigilant and actively coordinated to stay ahead of threats. In this case, full-time employees with common work experience can form continuity and establish workflow models to ensure that they do not miss threats.
Cyber espionage is no exception. It is assumed that operations carried out by well-known national spy groups (often referred to as advanced persistent threats) rely solely on technical witchcraft. However, unlike their ability to exploit dizzying zero-day vulnerabilities or deploy highly customized malware, it is often their operational capabilities that make a difference. Rob Joyce, the National Security Agency and former Cyber Security White House consultant, seized this, emphasizing the need for patience and focus on large corporate networks. This is largely due to the various stages involved in network operations. This can include conducting extensive open source research on employees before sending phishing emails, spending a lot of time fully understanding the target's infrastructure, or waiting for the right time to move laterally across the network. Crucially, successful operation often comes down to gritty wear and tear. Full-time employees, shift patterns and certain routine work are the basis of a successful campaign. The supplementary staff may occasionally hang out on weekends or evenings, but these practical operations limit their ability to move the needle significantly.
Another method is to use the conscription model, which has the advantage that even if the network is in a limited period of time (for example, one to two years), agents can use full-time personnel. These measures can attract fresh graduates in related fields. This idea is not without value, it is a model for successful operation in other parts of the world. However, only prestigious degree certificates have limited professional capital in the cybersecurity community. Experts in the industry range from doctorates to those graduating from high school. However, most importantly, practical experience is a premium.
Despite its unlimited potential, a group of fresh-faced graduates with limited experience outside the classroom will take time to develop, and may provide less than some online policy commentators can imagine at the operational level. This is particularly important for cyber espionage. Campaigns often deploy undisclosed tools, which means that operators can only be taught how to use them after joining. Likewise, a single drop in concentration or reuse of previously operated infrastructure is usually all that is needed to detect activity. This means that new immigrants will need years of on-the-job training to fully master the required craftsmanship and discipline.
In addition, the government should recruit fresh graduates in a shorter period of time. As entry-level positions increase, the wage gap between the private and public sectors usually narrows. This is a mid-career professional who has acquired technical skills and started to take responsibility, so it has become more and more attractive to jump into the private sector. Crucially, the shortage of government network skills is often misunderstood. Of course, lower salaries and a lengthy review process will prevent some graduates. However, the government ’s technical shortage is related to recruitment, as is recruitment.
Discussions around supplementary staff often ignore operational details. To be precise, what is the function of the government network that the supplementary staff is responsible for? Will the Reserve Army assist in offensive operations, use development or conduct security audits? Are graduates recruited for military penetration testing, digital forensics, or writing threat intelligence reports? Different defensive and offensive network functions require very different skill sets, security classifications, and operational rhythms. Certain functions are obviously more suitable for temporary staffing models than others, but these issues have not been explored to a large extent. Substantial research such as Marie Baezner's research on multiple network reserve methods and other substantive studies provide much-needed experience for comparing volunteer models with recruitment-based models. Therefore, it is time for the network protection policy recommendations to be taken seriously in detail.
Network policy should not exist in a vacuum. On the contrary, even better, it can reflect the original culture of a state. However, there are many fundamental flaws in the prescription of online reserves: the suggestion implicitly implies that countries can copy others' methods.
Israel is known for including conscripts in its cybersecurity agencies. In addition to providing access to more talents, the system also promotes close ties with the industry. Many people who leave the government to set up their own organizations maintain friendly contacts with the intelligence community. Similarly, Estonia ’s voluntary cyber defense department is often praised and touted as a role model for other Western countries.
However, due to basic political and cultural differences, these methods may not necessarily be replicated elsewhere. It is often argued that complementary staffing policies have enabled states such as Estonia to overcome natural barriers to a smaller population and are still developing impressive network capabilities. However, due to their small size, these countries are able to implement these initiatives. This is because many sparsely populated countries have adopted a comprehensive defense model in which people recognize that society as a whole must contribute to security. In other words, the successful supplementary staffing model is suitable for the existing culture of recruitment and civilian participation in defense.
On the contrary, this method does not work in countries such as the United Kingdom and the United States. Recruitment or mandatory civilian participation in security is more likely to be seen as overreaching the government. It is neither feasible nor desirable to simulate what has worked in small Baltic countries or Israel. Countries should explore how network policies are consistent with their own requirements and political climate, rather than trying their best in an incompatible reserve model.
The way forward
Network reserves can continue to play an important role in almost all states in the following areas. However, policy recommendations must be consistent with both operational reality and the original state culture. For signal intelligence agencies with billions of dollars in annual budgets, the risk of integrating temporary volunteers may outweigh any gains. Conversely, civilian volunteers can make greater contributions by working with government agencies that have difficulty obtaining cybersecurity expertise.
For example, in the UK, the Network Reserve Force is dedicated to protecting military networks. Similarly, the National Crime Bureau has also used the expertise of cybersecurity professionals and academics. Although it may be difficult for supplementary personnel to maintain long-term offensive operations, they can provide valuable resources for government departments that require skilled experts to execute training programs. Looking ahead, resource-depleted organizations (such as local police forces) can use the expertise of enthusiastic volunteers, which is an exciting possibility.
Although the culture of many large states limits the scope of volunteers to carry out large-scale activities, they may find that they have the opportunity to collaborate with other actors. Tim Maurer has previously written about how the country works with a wide range of stakeholders, including the private sector and hacker groups. These alternative forms of collaboration are accompanied by a series of challenges and policy challenges, but they are often combined with a broader national security approach.
Countries such as the United Kingdom and the United States should continue to shift to private ownership in search of more important operational reinforcement, a hotbed of talent for the sector. Many private companies will align with the values and missions of their superior governments, making them natural allies. Despite the well-known challenges of government procurement, the expertise provided by outsourcing arrangements is unmatched by most supplementary staff arrangements. Compared with the goodwill of volunteers, multi-year contracts provide better resource protection for the government. Large defense contractors also have a logistics infrastructure that works with the government to solve many problems related to network operations, from security reviews to confidential office areas.
London and Washington can also increase salaries to retain employees or make government roles more attractive. By improving career development and promotion paths. The funds set aside for contractors can also be used to increase the salary for using network skills on demand. This may not scale to the same level as the procurement plan, but the point is that larger states that enjoy better-funded network plans have other options besides supplementing staffing.
Larger governments also face completely different cybersecurity issues that naturally require other forms of stakeholder participation. This includes huge coordination challenges. A small country like Estonia will naturally benefit from short-distance communication links, and a "everyone knows" society promotes a safe combination. In contrast, larger states must navigate through larger security agencies, which should have a wider range of public and private stakeholders. For example, the UK ’s National Cybersecurity Centre ’s information sharing partnership and the “Industry 100” program can promote important public-private cooperation in key areas of critical infrastructure. These challenges are naturally easy to promote industry cooperation, and supplementary staffing methods will be largely ineffective.
Asking the right questions
Recruiting and hiring Internet reserve forces is the wrong approach for network agents in countries like the United Kingdom and the United States because there is no ready-made application culture or extensive Civilians participate in defense. Reserve personnel may still make valuable contributions, but their role will naturally be limited in scope. On the contrary, these states should use their advantages, whether it is to cooperate with the emerging private sector, or to increase government salaries through the large amount of government cybersecurity funds already in place.
Before providing solutions, network policy experts should ensure that they ask the right questions. It is useful to first identify the key cybersecurity challenges facing a country, whether it is fighting cybercrime, protecting the healthcare sector from attacks during a pandemic, or solving problems related to offensive cyber operations. Contractors, back-up personnel, private sector collaborators, and conscripts are all means of achieving their goals. Therefore, stakeholder mobilization strategies should be mapped to the solution that best suits the current challenge.
Dr. Jamie Collier is a research member of the Center for Technology and Global Affairs and a cyber threat intelligence consultant. He recently completed a doctorate in cybersecurity at Oxford University. Jamie was a Fulbright scholar in cybersecurity at the Massachusetts Institute of Technology and worked with PwC India, the NATO Collaborative Cyber Defense Center of Excellence and Oxford Analytics.
Picture: United States Air Force (Photo courtesy of JM Eddins Jr.)