Army of Geeks: Ohio Seeks to Create a Civilian Cyber Militia to Protect Elections
Ohio lawmakers recently introduced a bill that would create a civilian cyber militia tasked with protecting the state's critical government agencies and election systems from cyber attacks. If passed, the bill would create a new volunteer unit under the authority of the Ohio adjutant general called the Ohio Cyber Reserve (OCR). It would operate at the same level as the National Guard, creating eight regional teams of 10 members each.
The "Improve Information Integrity and Security Act" (SB 52) would create a cybersecurity reserve force "capable of being expanded and trained to educate and protect state, county, and local governmental agencies, critical infrastructure, including election systems, businesses, and citizens of this state from cyber attacks."
While members of the OCR could not be called into active service by the U.S. military, the governor could, at his discretion, call them to active duty in the state, in which case they would function as civilian members of the Ohio organized militia.
The effort was launched in response to a 2017 U.S. Department of Homeland Security directive designating election infrastructure as part of the nation's critical infrastructure. Secretary of State Frank LaRose, who introduced a similar bill as a state senator last year, supports the current bill under consideration.
"I learned in the U.S. Army that our adversaries only need to be right once – while we need to be right each and every time," LaRose said in a press release. "I refuse to take any chances with Ohio’s election security, so I’m recommending this legislation which will build out Ohio’s cyber-defense posture and make it a model for the nation — placing us in the best possible position to deter any threats to our election system, both foreign and domestic."
Stephanie Beougher, the public information officer for the Ohio National Guard's Adjutant General's Department, told PJM that individuals will be recruited for the cyber force by Ohio Cyber Reserve coordinators, focusing on individuals who are interested in improving Ohio's cyber posture. "There are already a number of individuals who have expressed interest in serving in the Ohio Cyber Reserve," she said.
"Throughout the year teams will train together to improve their skills, individual team members will partner with local high school cyber clubs to increase Ohio's cyber workforce, and small teams will be scheduled to meet with and educate and assess eligible organizations’ cyber networks and operations to help reduce vulnerabilities," she explained.
Similar to the Ohio National Guard, "A typical commitment of training would be two days a month, with a week-long training event each year," she said. There are no physical requirements for the volunteer positions and the "individuals are not soldiers, will not have ranks, or wear military uniforms." According to the proposed legislation, OCR members could not be called into the military service of the United States, although the reserve "may become a civilian component of the Ohio National Guard."
While the OCR would be considered a volunteer civilian militia, the bill states that members who are called to active duty "shall receive a rate of pay determined and provided by rule by the adjutant general, in the name of the governor." Further:
"The adjutant general shall establish and revise, in the name of the governor, the rates of pay for reserve members when called to state active duty. While performing any drill or training, reserve members shall serve in an unpaid volunteer status. When called to state active duty by the governor, reserve members shall function as civilian members of the Ohio organized militia."
In addition, "The governor may requisition from the United States Department of Defense, for the use of the Ohio cyber reserve, equipment that may be in the possession and can be furnished by the department, and make available to the reserve the facilities of state armories and equipment and other state premises and property that may be available."
Cyber reservists must be U.S. citizens or legal permanent residents, must not have been expelled or dishonorably discharged from the armed forces and would be subject to background checks, according to the bill.
"The Ohio Cyber Reserve will recruit individuals who are already trained in cyber, but there will be additional training both on the individual and team level," said Beougher. "The OCR will train on the Ohio Cyber Range at local armories. While in a training status, the Ohio Cyber Reserve will hone their skills, train as teams, and obtain all necessary certifications and clearances."
"The Ohio Cyber Reserve is a unique approach to protecting our critical cyber assets from harm," Maj. Gen. John C. Harris Jr., the Ohio adjutant general, told PJ Media. "The legislation being considered would be a model for the nation, as Ohio would create a volunteer civilian force of cyber warriors nested under the Adjutant General's Department. When fully trained and certified, the teams will be available for the governor to deploy in response to cyber threats."
Cybercrime in the private sector is big business — $1.5 trillion according to one conservative estimate. Government agencies are also the targets of hackers — from state actors to criminals seeking to exploit private data to individuals who create mayhem "for the lulz" (just for fun or because they can).
Digital Guardian, a data loss prevention software company, lists the most significant government data breaches in U.S. history — and the numbers are astounding:
- U.S. Voter Database: 191 Million Affected (December 2015)
- National Archives and Records Administration (NARA): 76 Million Affected (October 2009)
- U.S. Department of Veterans Affairs: 26.5 Million Affected (May 2006)
- U.S. Office of Personnel Management (OPM): 21.5 Million Affected (June 2015)
- Virginia Department of Health Professions: 8.3 Million Affected (May 2009)
- Office of the Texas Attorney General: 6.5 Million Affected (April 2012)
- Georgia Secretary of State Office: 6.2 Million Affected (November 2015)
- Tricare: 4.9 Million Affected (September 2011)
- South Carolina Department of Revenue: 3.6 Million Affected (October 2012)
- State of Texas: 3.5 Million Affected (April 2011)
In theory, the idea of harnessing the brainpower of the private sector to protect critical government cyber infrastructure sounds like a great idea. But it might not be so easy to pull off in practice. For one thing, bringing together individuals from a wide variety of tech disciplines would be a major challenge. Tech tends to be highly specialized, with narrowly focused areas of expertise. Recruiters would have to be highly selective, building teams with the relevant expertise to focus on specific missions.
In addition, there's always the possibility that bad actors could infiltrate the program. Sure, they'll have to pass a background check, but as we saw with traitor Bradley Manning, people with nefarious intentions don't always raise red flags.
One big problem with the bill as it's currently enrolled is the mandate for tech professionals to spend time in schools mentoring students and recruiting the next generation of cyber sleuths. While those are noble goals, if the cyber force is to work, members must be focused on the mission of protecting the state's critical cyber infrastructure. Create another program (as if we need another government program) if you want tech professionals to create cyber clubs in school. If there's not enough work for the cyber force to do and they need to spend time in schools to stay busy, maybe the OCR is not really needed. While it's true that the greatest need would come in the event of a massive cyber attack -- or, God forbid, an EMP attack — the cyber troop's time would be better spent preparing for the worst and testing our current systems for vulnerabilities.
The bill, introduced by Sen. Theresa Gavarone (R-Bowling Green) in February, has been assigned to the Government Oversight and Reform Committee, where it is awaiting a hearing.
Follow me on Twitter @pbolyard