Could the U.S. develop a meaningful framework for a Cyber-based Civil Guard?
Chris Mesnard
Special Operations Command Korea | Information Advantage Scholar | Translates Defense Acronyms -> Human Speak
The involvement of a nation's civilian population in warfare dates back well before the French Revolution; however, it was this revolution in military affairs (RMA) that solidified the role of the populace in European and American conflict. Though the nature of war has not changed--an inherent competition of wills between two or more actors--the concept of incorporating current cyber-based technologies into increasingly complex strategic and operational environments befuddles many military leaders and their civilian decision-makers.
Of note, U.S. homeland defense frameworks do not adequately account for the role of the civilian population in the current information environment with regard to a cohesive civil-military relationship if large-scale war did break out. Therefore, this article argues that based on lessons from relevant case studies, meaningful consideration of the domestic civilian population in an attack (conventional, cyber, or otherwise) on the homeland should take place now rather than retroactively. Additionally, this article considers starting points in terms of opportunities and potential risks related particularly to civil involvement, planned or unplanned, in a cyber-based defense across a range of effects.
Understanding the landscape
Make no mistake, my main profession is public communications and helping commanders and their staffs synchronize organizational communications through aligned actions and messages. As such, my primary understanding of the cyber domain comes from readings, interest from a non-expert perspective, and utilization of platforms without the coding or other back-end technical skills that many experts do have. That said, I did change the background of my MySpace page once using basic HTML!
More briefly than my friends in the technical world of cyber might care, here are some important terms to understand how I'm contextualizing cyber lexicon in this article:
For more helpful terms in this nuanced field, reference the National Institute of Standards and Technology's Computer Security Resource Center.
The democratization of information: strengths made weaknesses
The phrase "the democratization of information" (or of the Internet) is used frequently to depict a potential new RMA overlapped with an Information Revolution in which, in certain societies, access to information is ubiquitous. However, as promising as this concept sounds, for those looking to manipulate, coerce, and otherwise negatively influence unwitting populations, the ease of access to the Internet poses a significant concern for the social dynamics malign actors seek to undermine. In short, it is easier than ever for malign influence operations to permeate geographic boundaries with the intent of undermining nation-state integrity by circumventing borders and institutional legitimacy.
An additional feature regarding the ease of access to current information capabilities is cost-effectiveness. From a cost perspective, hiring a programmer or software developer to build and run persistent effects (think an army of disinformation bots or information-gathering malware) on a digital platform pales in comparison to single-use, precision-guided munitions or other conventional weapons. Additionally, due to the low cost and high potential for gain, nations must now consider the impact of malign cyber efforts below the threshold of armed conflict on a daily basis.
Finally, when we think of the democratization of information, it's easy to view this through an idealist lens. Unfortunately, reality offers a different and less equitable view of the landscape. Cybersecurity experts face a challenging landscape with regard to protecting corporate and government intellectual property as well as individuals' personal information, necessitating more complex defense mechanisms like two-factor authentication and zero trust to name two fairly popular examples. The issues are twofold. First, an expectation that cyber defense is 100% is inaccurate. Like many complex environments, absolute certainty equates to well-wishing. Even a cyber security program with a hypothetical and generous 99% effective rate may experience catastrophic impacts in the 1% successful exploitation. Second, the experience gap in which customers require increased levels of understanding to legitimately access systems while also preventing exploitation poses a real issue for tech-based companies. Cybersecurity experts are keenly aware of this issue and seek out ways to prevent exploitation while improving usability for their customers.
Bolstering national defense through civil involvement in cyber
From a national defense perspective, civilians and nation-states have taken on creative approaches to address these and other related concerns. Countries like Lithuania have embraced a form of civil-government partnership focused specifically on mitigating the impacts of Russian cyber-based influence operations. As a result of a variety of factors in 2014, including the Maidan movement in Ukraine and Russia's invasion the same year, a group of Lithuanian citizens stood up an independent organization known as the Elves. Their intent: to expose and diminish the impacts of Russian influence operations and their aligned cyber-based actors targeting civilian populations. While much could be discussed about the structure, seemingly grassroots origins, and personnel who support the Elves organization, the critical point for U.S. policymakers is that this civil group focuses on national defense in the cyber and cognitive space.
Many military leaders tend to think of cyber in terms of what they own and what they can affect within the authorities they are granted. While this is not a wholly incorrect approach, it does not take into account the role of the civilian population in conflict. The Elves organization challenges this thought process. Understanding this relationship, outside of the terms of traditional authorities, information sharing, and the will of the people when defending the nation should serve as a consideration in how the U.S. approaches cyber doctrine.
Of note, states like Michigan have explored the concept of a civilian cyber corps. On the face, this organization seems similar to the Elves concept but focused on the cyber operations side of the spectrum rather than the debunking efforts of the Lithuanians. This retouches on the experience gap issue from a different angle, as people with relevant experience in the broader cyber career fields are in high demand.
What would a Cyber-based Civil Guard look like?
This article doesn't pretend to have a "right answer" with regard to the framework for a U.S. Cyber-based Civil Guard. It does offer considerations from both an idealist and realist perspective before arriving at what's likely a spectrum of the possible for the U.S. if the homeland ever came under attack.
To begin with, the government should accept the persistent and democratizing attributes of Cyber. Incorporating this meaningfully into national strategy will enable prioritization of what a Cyber-based Civil Guard could look like.
In lieu of this prioritization of civil-government partnering, a few assumptions must be made. First and foremost, the integrity of the civilian population must be protected. As noted in the Elves concept, a grassroots approach is likely desirable. One can also look at the independent efforts of Bellingcat, an open-source intelligence group composed of private citizens from various backgrounds. Most notably, this group used digital forensics methods to identify the perpetrators of and debunk falsehoods related to the downing of flight MH-17 over Ukraine in October 2015.
Relatedly, the limited involvement of the broader public in the cyber domain amplifies the need for a grassroots origin. Like many technical high-demand, low-availability careers, the majority of talent and interest in the cyber domain generally resides in the civilian and private sectors. Additionally, the cyber domain usurps most traditional geographic and temporal perspectives. As such, cyber-based defense may not necessitate or look like the traditional, full-time requirement that defines current conventional military force structures. Finally, the ownership of homeland defense carries with it a certain level of pride, as noted by those who call themselves Elves or debunk falsehoods and conduct open-source analysis with Bellingcat.
Next, the intent of the Cyber-based Civil Guard should be clearly, yet broadly outlined. A challenge associated with the military is the inclination to define and control specifics. Much of this is related to the need to stay within the bounds of authorities, but also the lack of operational understanding of cyber among the non-technical community. Out of this prioritization, which must be mutual between civilians and the government in a democratic state, roles and responsibilities can begin to take shape. For instance, does a Cyber-based Civil Guard focus only on debunking influence operations, or do they also extend their reach out to defending non-critical infrastructure? What is the impact on the nation if these organizations take on an offensive role? These and many other questions need exploring.
Finally, once a framework begins taking shape with priorities and intent, a focus on preparation, training, and indoctrination can take place. Similar to information-sharing efforts between the U.S. Government and the financial sector or telecommunication businesses, frameworks for civilian-governmental partnerships exist. It is likely unnecessary for a member of a Cyber-based Civil Guard to attend some form of physical basic training. However, it would likely be helpful to have a crash course in how the military views itself and operates. Not only would this help the Cyber-based Civil Guard prioritize its own efforts, but it would also allow them to think of problems in creative ways that military strategists might miss.
Conclusion: an ill-understood future
While the U.S. and its leaders do not actively seek out war with other nations, it would be naive to think that preparation lacks prudence. As we've seen since the people overthrew the aristocracy in the French Revolution and a transition to national mobilization in the following centuries, the role of civilians in conflict has a staying power. Without a clear understanding of the role of civilians in a cyber-based national defense, the U.S. Government is kicking a known problem down the road until a true forcing function changes the mindset.
This would give us time to think through real and important considerations like vetting, clearance, and scope. Additionally, it would give the government and citizens alike a chance to process what this means from a U.S. perspective and how to adapt to a workable relationship.
Now is the time for the U.S. to consider how civilians and the government can align interests in the cyber domain to undermine adversarial malign efforts within our networks and institutions. This is not just a U.S. Government issue; it's an issue of the people and our nation as a whole. This will require a level of comfort with uncomfortable scenarios by Government officials and military leaders. But with the right focus, it will result in a more resolved ownership of the defense of our nation if the need ever arises.
Major Chris Mesnard is the producer of these thoughts and they belong to him alone. These thoughts are in no way intended to represent an official position by the U.S. Air Force or Department of Defense. Currently, Chris is a student at the Army's Command and General Staff College and a scholar in the institution's Information Advantage Scholars program. This paper is independent of any curriculum requirements.
As a Knowledge Management Practitioner and Strategist, helping organizations to collaborate, manage operating rhythm, and people have a better day where they work!
2 years ago
Isn't that what Estonia has?