The formation of a “reserve” force for hackers (in this context, “technical experts”) is enjoying a resurgence in both security and resilience organizations. While it makes for a nice thought experiment, it ignores certain realities once the analogy to the actual military reserve is drawn too closely. The fact of the matter is that such a stratagem is unlikely to work because the people best suited to serve are already entirely too busy.
Natural disasters like Hurricane Sandy, and large-scale malicious cyber attacks against ill-prepared enterprises, follow a predictable cycle: concern about the potential impact (usually tied to how inadequate or sub-standard the infrastructure or security is); the actual impact, and how all the doomsayers were right (or how all the naysayers were right); and calls for improvements and for more, and more diverse, skills so we can avoid “surprise” or tragedy the next time around.
The problem is that the highly skilled, innovative, and resourceful technical experts who would fill any “reserve” called up in an emergency already have jobs. Full-time jobs. Jobs that would not cease during a crisis, and that in fact would need their skills just as much, if not more. In other words: they can’t be spared.
Unless the crisis is existential, no one gives away their time and expertise for free. It’s not that altruism doesn’t exist in the community, but the minute you give the government something for free, it’s going to expect that it will be free forever and that it can call on you whenever it wants. Yes, it’s like giving the alchy $10 for “food.” He’ll spend it on “food,” though his lexicon is different from yours.
Corporate CEO: “Let me get this straight: you want me to pay for a cyber security subject matter expert, but send him to work for you, is that it?”
Government Official: “Yes, that’s it exactly.”
CEO: “And what do I get out of this salary I’m paying but not getting any benefit from?”
Official: “Um, ‘thank you’?”
CEO: “Yeeeaaahhh…I don’t think so.”
Official: “The ‘thank you’ will be on letterhead!”
Even if the right talent were available and willing to spend their genuinely spare time helping with an emergency, the hacker’s solution to a given problem is almost assuredly 180 degrees from how a government entity would allow it to be done. Given the choice between having the power back on in an hour with a kludge, or waiting a week for an officially sanctioned, regulation-compliant solution, the good people of this country are going to be in the dark for a long time thanks to some liability-conscious bureaucrat.
/* Not saying safety is not important, and that concerns about liability are not legit, but people who are in the suck worry about getting out of the suck, not civil lawsuits. */
But let’s say that a few kludges are approved and things are back to normal with regard to resources and infrastructure; eventually someone is going to have to deal with all the duct tape the hackers have left behind. That means the power/water/whatever is going to have to go out again until a longer-term (and probably safer) solution is implemented. OK, so you’re not tired, hungry, dirty, cold and in the dark; you’re just in the dark two months after the crisis has passed. Is that an acceptable trade-off? Has anyone actually bothered to talk to those who would be impacted by this approach?
Rather than recycling a solution that has been dead on arrival for years, how about building hacker culture into your organization to begin with, so that you can recruit and retain the people you claim to want? Isn’t it a better idea to have the best talent you can, all the time?