Should the U.S. draft cybersecurity experts?

The United States has a shortage of workers skilled in IT security. Thus, we are unable to protect critical infrastructure from terrorist threats. FUD or real? What is the solution?

Throughout history, men and women have answered the call. Is this yet again one of those times?

Secretary of Defense Robert Gates issued a directive in June of 2009, creating U.S. Cyber Command (USCYBERCOM). The military unit was assigned the following mission:

"USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks. And when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."

Getting past the military-speak, USCYBERCOM is responsible for defending the digital assets of the United States. USCYBERCOM was to be fully operational by October 1, 2010.

IOC was delayed

In military parlance, Initial Operational Capacity (IOC) was finally achieved on May 21, 2010. As with any complex endeavor, there are bound to be delays. But one of the reasons put forth for the delay was not expected.

According to Stars and Stripes, in September of 2010, General Keith Alexander, Commander of USCYBERCOM, told Congress the command staff was in place, but he was having trouble filling many of the remaining positions:

"This is going to take time for us to generate the force,"

General Alexander also said:

"If you were to ask me, what is the biggest challenge that we currently face? It's generating the people that we need to do this mission."

Another example: Secretary Janet Napolitano of the Department of Homeland Security (DHS) has been dealing with a similar problem since 2009, to the point where the DHS initiated a recruiting campaign:

"The new hiring authority, which results from a collaborative effort between DHS, the Office of Personnel Management and the Office of Management and Budget, allows the Department to staff up to 1,000 positions over three years across all DHS components to fulfill critical cybersecurity roles."

It seems these positions are not filled either.

It is hard to deny the need for cybersecurity workers in the public sector. It seems the private sector is also looking for a significant number of cybersecurity professionals. With the competition for skilled people and national security at stake, what is the answer?

Possible solution

I recently listened to an NPR podcast explaining how Estonia exemplifies a country able to defend itself against cyberattacks. Following the cyberattacks in 2007, Estonia created the Cyber Defense League, a group of computer and networking specialists willing to volunteer their service as a cohesive military unit tasked to protect Estonia's electronic infrastructure.

In the podcast, Estonia's Defense Minister, Jaak Aaviksoo, mentioned that having a command like the Cyber Defense League is so important that the government may institute a draft to make sure the appropriate experts are available:

"We are thinking of introducing this conscript service, a cyberservice."

Minister Aaviksoo continues:

"This is an idea that we've been playing around [with]. We don't have the mechanism or laws in place, but it might be one option."

Closer to home

If that seems far away, I found similar ideas being presented by people here in the United States. In this Government Information Security Blog post, Erik Laykin suggests the following:

"I propose the creation of a National Cyber Corps, a true public-private partnership with responsibility and authority to safeguard America's key information infrastructure.

The National Cyber Corps would be an elite, dedicated, civilian body of our country's best and brightest IT professionals. It would be a nimble group with a mandate to operate across all government departments and address a variety of needs."

Mr. Laykin offers more detail:

As envisioned, the National Cyber Corps would be a specific, centralized organization with access to and authority over all civilian departments within the government, but it would also coordinate and collaborate with the military.

In both part one and part two of his blog post, Mr. Laykin refers to the U.S. Coast Guard as an existing organization with traits similar to those required by the National Cyber Corps:

"Just as the specialty service patrols, protects and defends our coastal waters and tributaries, the National Cyber Corps would monitor, maintain, and mend our public and private cybersecurity. In many respects, fiber optics that transmit information in the 21st century are no different than the Mississippi tributaries that transported goods in the 19th century."

Not wanting to add ambiguity, but if the U.S. Coast Guard is to be an example, it should be known that in time of war, the U.S. Coast Guard's mission statement directs the service to come under the authority of the U.S. Navy.

Need your help

I'm trying to get a handle on this, but it's bigger than one person. So, I need your help. Should countries, including the United States, follow Estonia's lead? Then, the obvious question: Is it important enough to consider conscription?