Cyber Civil Corps proposed to protect Australia's economy

Organised volunteer 'rapid response teams' are needed to deal with 'extreme cyber emergencies' in the civil sector, says one of Australia's leading military scholars. Maybe he's right.

We know there's a massive cybersecurity skills shortage. We know our ways of dealing with the threats are still evolving. We know that those threats are unpredictable, and changing rapidly.

So what do we do?

We need a "novel institutional response", according to Professor Greg Austin from the Australian Centre for Cyber Security (ACCS) at the Australian Defence Force Academy (ADFA) in Canberra.

Austin proposes forming what he calls an Australian Cyber Civil Corps. He's sketched out his idea in three-page draft concept paper, released last week.

A core team would operate from a secure operations centre, independent of but linked to the Australian Signals Directorate (ASD) and the government's Australian Cyber Security Centre (ACSC).

That team would map Australia's critical information infrastructure, data resources and data flows, and provide a "disciplined command structure" to coordinate emergency response.

That response would be provided by "highly-disciplined rapid response teams, based on the most highly qualified volunteers, specific to certain technologies, environments or sectors, on a mix and match basis appropriate to cyber emergencies in the civil sector," Austin wrote.

"The contours of future high technology threats to Australia in cyber space are sufficiently unpredictable to suggest that development of overly rigid standing structures supported by full-time staff with pre-determined skill sets, as in the ADF [Australian Defence Force], would be the equivalent of building modern versions of the Maginot Line," he wrote.

"Extreme cyber emergencies in the civil sector in cyber space are of such low probability that a full-time standing response force cannot be justified, even if Australia could afford it."

This isn't the first time that some sort of cyber reserve paramilitary or auxiliary policing organisation has been suggested.

At the AusCERT information security conference in 2012, critical infrastructure security expert Emeritus Professor Bill Caelli proposed forming a cyber posse when needed.

Under common law, on which the laws of the US and Commonwealth countries are based, a county sheriff, or other law officer, can conscript any able-bodied males to assist in keeping the peace, or to pursue and arrest a felon.

Caelli argued that police could simply enlist any technically adept citizens and form a posse to deal with the bad guys. Similarly, citizens could be conscripted into a militia, should the threat be more military in nature rather than criminal.

More recently, James Turner, security adviser with Australian consulting firm IBRS, floated his admittedly "controversial" ideas of nationalising the information security industry, or drafting university students into national service.

"Cyber national service is something we really need to be looking at," Turner said in September 2015.

A year later, Turner says the cyber corps idea is worth considering, but he's softened his views on recruitment.

"I think it's worth acknowledging that we cannot force people to participate in this style of program. It has to be more like the army reserve and less like a national service," he told ZDNet on Tuesday.

"If nothing else comes of it, it's important that we do these thought experiments, because it helps show us where the gaps are, and what else we need to factor in. For instance, I think an important point in this discussion brief is the emphasis on being government-led, but largely supported by volunteers. I think it may be worth considering tax incentives, to help with the financial side for the volunteers."

For some time now I've been concerned about the militarisation of the language used to discuss cybersecurity. My thoughts were echoed in a solid analysis by Dave Dittrich and Katherine Carpenter at Threatpost last week in Misuse of Language: 'Cyber'; When War is Not a War, and a Weapon is Not a Weapon.

Austin made it clear that his cyber corps would be a civilian organisation, and suggested that it report the the communications minister rather that the attorney-general, or perhaps to a new "Minister for Civil Security in Cyber Space".

"The overwhelming share of critical national infrastructure is in civilian hands [and] an appropriately sophisticated understanding of the consequences of cyber crime is almost exclusively in the civil sector," he wrote.

Legislatively, Austin sees the cyber corps as being closer to the Australian Security and Intelligence Organisation (ASIO) and the Australian Secret Intelligence Service (ASIS) in its approach, rather than to the ADF, Border Force ,or the Australian Federal Police (AFP).

"Only the small headquarters of the cyber civil corps would be full-time permanent staff, all other personnel would be sworn officers," he wrote.

Austin wrote that the cyber corps could be developed "in several phases over two years", at least once the enabling legislation had been passed by parliament and the cabinet decisions made.

While Austin's paper is only a draft for discussion at this stage, I'd be concerned if the legislation were rushed. We've already seen poorly-drafted legislation in areas such as ASIO's new powers and mandatory data retention.

I can also see delays as existing organisations such as ADF and the Attorney-General's Department kick off turf wars over the powers and funding -- though perhaps I'm being a pessimist.

One thing is certain, though.

When it comes to cyber militias, China is way ahead of us.