Ohio Cyber Reserve Bill Advances to House

Ohio Senate Bill 52, which creates the Ohio Cyber Reserve, a new division of the Ohio National Guard that specializes in cyber security, passed the State Senate on April 3 and heads to the Ohio House of Representatives. As envisioned in the bill, Ohio Cyber Reserve will consist of qualified, civilian cyber security experts. The Reserve will be tasked with maintaining regional Cyber Response Teams that can deter and mitigate cyberattacks against local Ohio governments, critical infrastructure and businesses.

(From left to Right) Virginia Army National Guard Capt. Rayce West, Vermont Army National Guard Staff Sgt. Mathew Scroggins and Illinois Army National Guard Staff Sgt. Joseph Hardin practice digital forensic skillsets during a Cyber Shield 19 training week class at Camp Atterbury, Ind. April 7, 2019. As the nation’s largest unclassified cyber defense training exercise, Cyber Shield provides participants with training on industry network infrastructure and cyber protection best practices. (U.S. Army National Guard Photo by Staff Sgt. George B. Davis)

Senate Bill 52 was sponsored by State Senator Theresa Gavarone (R-Bowling Green). She commented, “I am proud to sponsor legislation establishing this new force, and I am confident that it will become a critical component for enhancing Ohio’s cyber security.”

The legislation includes language intended to give voters more confidence in the accuracy of election results. Senate Bill 52 will also require post-election audits in all years, rather than just even-numbered election years. This will be performed in collaboration with Ohio Secretary of State Frank LaRose. If passed, the law will also result in the appointment of a CISO to advise the Secretary of State on cyber security matters.

This proposed law originated in 2017 when LaRose was a Senator. He was responding to a Security Directive from DHS covering election hacking. DHS said, “We are committed to working collaboratively with those on the front lines of elections – state and local government, election officials, federal partners and the vendor community – to manage risks to election infrastructure.”

At the time, LaRose stated in a press release, “I learned in the U.S. Army that our adversaries only need to be right once – while we need to be right each and every time. I refuse to take any chances with Ohio’s election security, so I’m recommending this legislation which will build out Ohio’s cyber-defense posture and make it a model for the nation — placing us in the best possible position to deter any threats to our election system, both foreign and domestic.”

With the encouragement of DHS, this legislation is part of a broader move to put Army Reserve and National Guard units to work in securing elections. National Guard units protected 27 state networks during the last election. As suggested in the photo, comparable efforts are under way in Vermont and Illinois.

The Reserve will be a volunteer force. Recruitment and organization details are still not set, but the expectation is that the Reserve will grow from existing structures like the Ohio Cyber Collaboration Committee (OC3). Maj. Gen. John Harris, the Ohio Adjutant General, will command the Reserve. General Harris explained, “The Ohio Cyber Reserve is a unique approach to protecting our critical cyber assets from harm. The legislation being considered would create a volunteer civilian force of cyber warriors nested under the Adjutant General’s Department. When fully trained and certified, the teams will be available for the governor to deploy in response to cyber threats.”

Cyber security industry insiders expressed mixed opinions on the legislation. Ellen Sundra, a government cybersecurity expert at Forescout, which secures digital devices, felt the Cyber Reserve offered a solution for a problem facing the government in general—a lack of cybersecurity talent. She said, “Having a Reserve of this type will protect the state, but also raise the level of talent it can access. People want to make a difference. They want to serve their communities, but this way, they can perform those duties while still pursuing careers in private industry.”

Giovanni Vigna, CTO of the AI-powered network security provider, Lastline, and director of UC Santa Barbara’s Center for Cyber Security, was not quite so sanguine. “An effort like this is more than likely going to fail,” he said. “Their intentions are sound, and no doubt the people involved will be experienced in cybersecurity. However, the problem is that they’re getting into asymmetrical conflict. It’s extremely difficult for part time cyber reservists to counter experienced hackers. It’s not a fair matchup, so a cyber reserve force is not well equipped to handle the kind of threats we see every day.”

The legislation still has to pass the House and then be signed into law by Governor Mike DeWine in order to take effect.

 

 

Photo Credit: The National Guard Flickr via Compfight cc