The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Lawmakers want to create a reserve corps of cybersecurity experts to respond to the next SolarWinds

with Aaron Schaffer

A bipartisan group of lawmakers wants to create a National Guard-like program to address growing cybersecurity vulnerabilities faced by the U.S. government.

Legislation introduced today would pilot two separate reserves of trained cybersecurity professionals for the Department of Homeland Security and the Defense Department, according to bill text shared with The Cybersecurity 202.

The legislation comes as federal agencies are experiencing a growing shortage of cybersecurity talent. The problem has taken on new urgency as the United States faces escalating threats from foreign hackers and cybercriminals. Lawmakers say the threat is underscored by the Russian SolarWinds campaign infiltrating nine federal agencies, including DHS, as well as the rising problem of hackers holding data and computers for ransom.

“The recent, unprecedented cyber-attacks targeting the United States demonstrate the risks of not addressing our severe cyber workforce shortage, Sen. Jacky Rosen (D-Nev.), who is leading the proposal, said. As cybersecurity threats continue to grow in scale, frequency, and sophistication, it’s critical that we find innovative solutions to address this deficiency.” 

Participation in the “Civilian Cybersecurity Reserve” would be voluntary and by invitation only. Applicants would need prior federal government or military service. The number of people in the reserves would be up to the discretion of the agencies, according to Rosen's office.

“The complexity of the cyber domain creates the need for mission-capable personnel ready to confront these new challenges, said co-sponsor Sen. Marsha Blackburn (R-Tenn.) Creating a reserve corps similar to our National Guard or Army Reserve will allow our national security agencies to have access to the qualified, capable, and service-oriented American talent necessary to respond when an attack occurs.

The bill is co-sponsored in the House by Reps. Jimmy Panetta (D-Calif.) and Ken Calvert (R-Calif.)

Experts say the legislation provides an important tool in forming an agile response to emergency situations.

Generally speaking, maintaining a surge capacity to respond to cyber incidents is a really important part of making sure that the cyber workforce is positioned to deliver resilience and responsiveness, according to Laura Bate, a senior director on the Cyberspace Solarium Commission and cybersecurity policy fellow at New America. It is exciting to see a bill that serves that end.

The Cyberspace Solarium Commission has made recommendations for a similar military cyber reserve. The National Guard already provides limited cybersecurity assistance to states, a resource that some lawmakers are hoping to expand.

The bill is just the latest effort to improve the federal government's cybersecurity workforce.

Government watchdogs have warned for years about a growing shortage of cybersecurity talent both in the federal government and the private sector. The Government Accountability Office deemed a consistent shortage of cybersecurity and IT professionals as a high risk in its biennial report auditing agencies for high risk behavior.

 In response lawmakers have pushed for legislation funding cybersecurity training and developing programs to attract and retain cybersecurity talent in the federal government. DHS also announced earlier this year it would be ramping up efforts to address the workforce shortage and barriers to entry for underrepresented groups.

The keys

A lawyer asked for a new trial in a robbery case after Signal found security issues in Cellebrite hardware.

The defense attorney argued in a filing shared with Motherboard’s Joseph Cox that prosecutors relied on Cellebrite technology to extract digital evidence to convict his client for robbery last month, but Signal’s recent discovery means that “any device that is examined may in turn corrupt the Cellebrite devices and affect all past and future reports.” 

Some experts have expressed doubt such an argument would hold up in court, saying the defense would have to prove evidence was actually tampered with.

The motion, which asks for a new trial so the defense can examine Cellebrite hardware, came as the company issued a software update. It did not say whether the update was related to Signal’s announcement. The company did not respond to a request for comment.

A top lawmaker says his committee is drafting mandatory breach notification legislation.

Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) said the proposal, which is designed for the private sector, came as a result of hearings on the cyberattack on SolarWinds and other companies, the Hill’s Maggie Miller reports

“This is what the committee is working on in a very bipartisan way,” Warner said. “Can we create a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure that doesn’t get to the full data breach negotiations?”

Google’s coronavirus contact tracing app has had a privacy flaw for months.

AppCensus warned Google in February that sensitive data was being stored on a part of Android systems that other apps could access, but the tech giant repeatedly dismissed the company’s concerns, the Markup’s Alfred Ng reports.

AppCensus tested the software as part of a DHS contract to test contact-tracing apps. It did not find issues with a version of the framework for iPhones.

“This fix is a one-line thing where you remove a line that logs sensitive information to the system log,” AppCensus co-founder Joel Reardon said. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”

“We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this,” Google spokesman José Castañeda said in an emailed statement to the Markup. He noted that “roll out of this update to Android devices began several weeks ago and will be complete in the coming days.”

Government scan

The Biden administration is making the “.gov” Internet domain free for government organizations.

The Cybersecurity and Infrastructure Security Agency’s DotGov program announced that U.S. government organizations will be able to register free through at least the end of September. It’s a major drop from the $400 per year that was previously charged, and the agency said the cost was hitting small municipalities and the election community the hardest.

Industry report

Microsoft weighs fixes to code-sharing plan after suspected leak (Bloomberg)

Global cyberspace

Hackers posted inflammatory messages on Eastern European politicians’ social media accounts.

Cybersecurity firm FireEye said that conservative Polish politicians were targeted to increase divisions in the country and discredit their ruling coalition government. Compromised accounts also shared links to fake articles suggesting preparations by NATO for war with Russia. FireEye also attributed parts of the “Ghostwriter” campaigns, which the firm first identified in July, to a state-sponsored hacking group, UNC1151, with “high confidence.” However, the firm said it could not “conclusively attribute all aspects” of the campaign to the group because of gaps in intelligence.

Cyber insecurity

European police hope Google ads will steer teenagers away from a life of hacking (CyberScoop)

Chat room

Hackers who demanded a ransom to not distribute data stolen from Washington's Metropolitan Police Department were the subject of discussion on Twitter. Kevin Beaumont, a senior threat intelligence analyst at Microsoft:

Security researcher Marcus Hutchins:

The Intercept's Ali Winston called it “uncharted territory”:


  • Sir Nick Carter, the Chief of the UK Defense Staff, speaks at a Center for Strategic and International Studies event on the United Kingdom’s integrated review today at 11 a.m.
  • Former Cybersecurity and Infrastructure director Chris Krebs speaks at the Munich Cyber Security Conference on Thursday at 12:10 p.m.
  • Secretary of Homeland Security Alejandro Mayorkas speaks at an Institute for Security and Technology event on hacks-for-ransom on Thursday at 1 p.m. 
  • Deputy Attorney General Lisa Monaco discusses cybersecurity enforcement at the Munich Cyber Security Conference at 11:20 a.m. on Friday.
  • The McCrary Institute at Auburn University hosts a panel on digital supply chains on Friday at 11 a.m. 
  • Rep. Yvette D. Clarke (D-N.Y.), the chair of the House Homeland Security Committee’s cyber panel, and other lawmakers speak at Hack The Capitol 4.0 on May 4. The event is hosted by the ICS Village, the R Street Institute, the Cyber Bytes Foundation and the National Security Institute.
  • Krebs speaks at a U.S. Agency for Global Media event on disinformation on May 5 at 9 a.m.

Secure log off