State Creates 'Cyber National Guard'Rapid Response Team Aims to Protect Government, Industry IT
Michigan's new Cyber Civilian Corps, a rapid response team of volunteers, will assist the state and industries during a major cybersecurity incident.
Gov. Rick Snyder, who announced the creation of the Corps, describes the team as a "Cyber National Guard." State Chief Information Officer David Behen, in an interview with Information Security Media Group (transcript below), says the corps, to be deployed in late spring, will include volunteers from government, education and business.
Behen says the Cyber Civilian Corps will be used to respond to cyber-attacks against the private and public sector in Michigan. He provides the following example:
If a county finds itself under a cyber-attack, the county CIO would reach out to the Michigan Cyber-Command Center or Behen, who would determine the severity and scope of the attack.
"If we needed the Cyber Civilian Corps, we would call them up," Behen says. "We would work with the [impacted organization] and bring our corps in to assist them in responding to the cyber-attack."
In the interview, Behen explains how:
- The Civilian Cyber Corps will function;
- Volunteers of information security specialists will be trained; and
- The initiative will be funded.
As the state's CIO, Behen is a member of the governor's cabinet. He previously served as CIO and deputy administrator of Washtenaw County, the home of Ann Arbor. Behen co-founded software maker InfoReady and served as a vice president and CIO of its parent corporation, GDI InfoTech.
Michigan's Cyberthreat Landscape
ERIC CHABROW: Before we get to the details of the Cyber Civilian Corps, please take a few moments to describe the cyberthreat environment in Michigan that led to the creation of the Corps.
DAVID BEHEN: Michigan is just like any other state. We're being bombarded every day with cyber-attacks. For example, in the state of Michigan, [there are] over half a billion attacks a day [against] the state network. It's a very serious issue, and I'm just talking about the state network. Then, if you think about all the businesses in the state of Michigan and all the educational institutions and how their networks are being attacked as well, cybersecurity is an issue that we all need to work together on. Gov. Rick Snyder is taking a leadership role not only in the state of Michigan but also nationally around cybersecurity. It only made sense that we look at our partners in the public sector, private sector and education institutions to come together and work on this very important topic.
Value of Information Sharing
CHABROW: Why is it important to bring these different parties together?
BEHEN: There are a couple of reasons. One is the information sharing piece. How can we work together? How can we share information so that we all become better educated around these attacks? As you know, if we all have more knowledge and are better educated around these attacks, we'll be able to hopefully reduce them. If something does happen, then maybe, at the very least, we'll be able to respond together jointly to lessen the impact on our organization.
Secondly is that we all can learn from each other. You have the health industry, finance industry, education and small business. All of us are in this thing together. The ability to have cross-sector collaboration, cooperation and communication allows us to learn from each other and better prepare ourselves for a cyber-attack that most likely will come in the future.
Cyber Civilian Corps
CHABROW: Where did the idea of this Cyber Civilian Corps come from?
BEHEN: It really came from conversations with Gov. Rick Snyder. We have so many great assets in the state of Michigan, and I'm talking about human assets. We have really smart people in the state of Michigan. This is not something that the state government controls, the private sector controls or critical infrastructure [controls]. This is something that we all have to work together on. We started talking and he said, "Let's look at bringing together a group of volunteers, sort of like the National Guard. [They] brought [them] together and trained. Then, when something happens, they're deployed. Because they've done all the training together and they have the education of working together, they really are effective."
CHABROW: How does the Cyber Civilian Corps work?
BEHEN: The Cyber Civilian Corps is just in its infancy right now, working with organizations in the public sector, private sector and educational institutions. We will start soliciting them to see if they want to have folks in their organizations volunteer to be on the Cyber Civilian Corps. Once we have a good number of folks that have volunteered, we're looking at between three and five classes that they will take at Merit Network in Ann Harbor, the home of our Michigan Cyber Range. They'll take some classes there in which they'll get a certification, because there has to be something in it for the individual as well. ... But then, we'll bring all those folks together and we'll use our Michigan Cyber Range to actually do training, testing and collaboration teamwork training and testing as well.
Michigan Cyber Range
CHABROW: Why don't you take a few moments just to tell us what the Michigan Cyber Range is?
BEHEN: The Michigan Cyber Range is another public/private educational partnership here in Michigan; it's an unclassified cyber range. If you think about the old school missile range or shooting range, where you shot something or blew something up and then you did R&D on it, think about that with cybersecurity. What we've done is we have a secure network that's a training ground for cybersecurity folks. Within the cyber range, we have a fictional city called Alphaville Town that has a hospital, government, library, business and an electrical grid, all of those things that make up a city. That's the virtual city in which we can attack and put viruses in, and then have the team on the range as the test bed. It's an unclassified test bed where people can come in, train and become experts in cybersecurity.
CHABROW: You were discussing how the range will be used to train and test collaboration. Why don't you go on from that point?
BEHEN: What will happen is once we get the volunteers and the Cyber Civilian Corps together, they will start doing training together. Let's say there's an attack on the health industry and we have a hospital in Alphaville Town, we'll use that range and have folks come in and basically do an exercise of how they would support the health industry and be that mutual aid to be brought in to assist in the response to a cyber-attack on the health industry, finance industry, critical infrastructure or government. It's really like a mutual aid agreement with everybody.
How Corps Will Be Used
CHABROW: Okay, so some type of attack occurs. How would this Cyber Civilian Corps be used?
BEHEN: Let's say, for example, local government is hit by a cyber-attack. Ideally, what would happen is that county CIO would contact myself or Michigan Cyber-Command Center who would then determine: Is it an incident, what kind of incident is it, at what level is it and then, if needed, do we call up the Cyber Civilian Corps? This is all the stuff that's being worked on right now. This is all the stuff that we need to work on together and train at the Michigan Cyber Range. If we needed the Cyber Civilian Corps to be called up, we would call them up in some way; we'd communicate with them. We would bring them together and then we would work with those organizations to bring our Cyber Civilian Corps in to assist them in responding to the cyber-attack.
CHABROW: The more qualified people would be able to help in defending systems, whether it's government or business, if they're called upon?
BEHEN: Exactly, and not all of them may have the expertise we're looking for. But the ones who do we want to offer them up to that organization or organizations and say, "We have some qualified people here who are part of the Michigan Cyber Civilian Corps. We would like for them to assist you on this. Do you want their assistance?" If they do, we'll send them in.
CHABROW: We're talking about providing some kind of training and certification. What specific type of training would they be receiving?
BEHEN: That's still being worked on with Merit Network and the Michigan Cyber Range, but I would suspect it won't be basic information assurance training. Because what we are asking is to give those folks who are skilled in cybersecurity or in IT already the training that they'll actually get on the range. [It] would be more about how they work together, collaborate, cooperate and communicate in the cases of emergencies. We're really still working on what that course work would look like, but we do want to make sure that the individual - because they're putting their own time and effort into this - get some sort of certification or something out of that. We're working very closely with Merit and their partners to put together that - for lack of a better word - curriculum for them right now.
Governing Cyber Civilian Corps
CHABROW: How would this be governed or is that not determined yet?
BEHEN: We know that we're in the process of putting that all together right now. We're looking at Merit housing the Cyber Civilian Corps and operating it with the assistance of the state of Michigan and some of the other partners.
CHABROW: Tell me a little bit about Merit.
BEHEN: Merit Network is a non-profit organization that provides network connectivity to a large percentage of Michigan schools, colleges and universities. Their governing [board] includes about 12 or 14 of the state universities, and they work very close in educational institutions. It started back in the 1960s as a spinout from the University of Michigan.
Issues with Sharing Information
CHABROW: You discussed earlier about the creation of this corps of information sharing between government and business. That is a hot topic in Washington. Some legislation stalled because of exactly how companies would be protected when they share information. What kind of challenges do you see in the use of the corps with sharing information with government?
BEHEN: That conversation that's happening at the federal level is the same thing that we're going to face here at the state level. There are a lot of challenges with that piece. Businesses want to protect some information. We need to, as government, be sensitive to that. What we can't do, in my opinion, is just stop and wait until that conversation happens. We need to start moving forward and running parallel paths. Let's put together the Cyber Civilian Corps; let's get them trained; let's have them take the course work so that, once something happens, we're prepared to protect the data and respond to things here in the state of Michigan.
That being said, lets run a parallel path. What does it look like? Does the state of Michigan need to run legislation around information sharing? Do we work with the federal government on information sharing? How does all that play out? That's going to play out because cybersecurity is such a big issue, a very important topic right now and will be continuing in the future. But we can't stop doing the things we're doing. I think we have to run a lot of parallel paths, and the information-sharing piece is an important one and the feds are talking about this. But it has been stalled. Maybe the states need to push them a little harder because this is something that's really important; we need to make sure that we protect our private large and small companies and their information. But at the same time, how do we work together, because it's really important that all these organizations work together when something happens.
Tackling Private Information
CHABROW: It would be fair to say that, at some point, the corps is going to need to have some kind of definition of how to approach private information, because obviously a company that's going to call on outsiders to come in and help them if they're being attacked still wants to have certain protections for proprietary information.
BEHEN: Yes, and those are the big issues with the Cyber Civilian Corps. Our organizations that will work with the small businesses, large businesses, education and government are going to want to know that these folks are trained and professional, all those things that you just mentioned. Those are the things that we're working through right now, but I can tell you that the partners who have indicated to us that they want to be a part of this all understand those issues very well and they want to work with us to resolve those issues so that we all can work together in this.
Milestones, Deployment Deadline
CHABROW: What are some of the milestones, and what do you hope to achieve in the next few months or in a year? Also, when should this corps be deployed?
BEHEN: We're looking at the corps being deployed late spring of 2014. Right now, we're in the phase of working with Merit and putting together the framework of how the core is going to be governed. Then we're going to be running parallel paths on the information sharing pieces and those pieces that you talked about - the legal parts of it. Parallel with all of those is the announcement of the recruitment of these folks to come on to the Cyber Civilian Corps.
I can tell you that, since the governor announced it, I've had several organizations reach out to me and say, "We want to be a part of this." [We're] putting together the governing and administration parts of it right now. That's really where we're at. But it's our goal that by late spring of 2014 this is launched, ready and people are taking classes and training. We're really excited about the progress we've made to date, but we still have a ways to go. But it's something we're really anxious to get moving forward with.
Covering the Cost
CHABROW: There's obviously some cost with this. Who picks up the tab and how much would that tab be?
BEHEN: We're still working through those numbers, but I think the state of Michigan, in partnership with some of our private partners, will bring forward dollars for training. That's where the money piece comes in, for setting up some back-office administrative stuff and then to train our volunteers in the Cyber Civilian Corps and how we can work together. I would see the state of Michigan stepping forward with some of those dollars. Also, at some point I would see some of our private partners joining us in that venture.
CHABROW: It hasn't been determined if the company is going to volunteer some of their technical experts. Who would pay for them? Whether the company would or not, that hasn't been determined yet?
BEHEN: It hasn't been determined. I will say that the state of Michigan is committed to starting to put the dollars into the training at the very, very beginning. We will have some conversations with our private partners to see what their level of involvement is when it comes to training dollars.
CHABROW: Do you have a figure yet for how much Michigan will put in?
BEHEN: I don't yet. I'm looking at a number that would be able to train 50-75 people though.
Opportunity for Individuals
CHABROW: You made an analogy earlier with the National Guard. With the National Guard, you have individuals who volunteer for the guard. I hear you talking about private organizations being involved with government. Could an individual apply to be in this or is this where you gear toward having various types of organizations?
BEHEN: If an individual called and said, "We want to be part of this," we'd look at that. There's going to be some criteria that you [need] to be able to join. We're working on what that criteria looks like. We would accept individuals, but ideally we're going to work through companies, at least at the very beginning, just so that it's a little bit more manageable and streamlined, making sure that we can have all of our ducks in a row. I will not be turning individuals away if they're qualified to do this.