This comment in a recent thread about scams prompted me to finally post this:
With the ever-increasing scope of cyberattacks and assorted scams (and the failures that allow them to happen), should we create a Civil Cyber Defense network?
This would be networks—statewide, regional, nationwide--of individuals of varying skills and skill levels that can possibly share data with each other, state and federal entities if necessary when a threat is found. Obviously any data-sharing would need to be controlled; not necessarily that every single person needs clearances (a good thing, but impractical), but that’s something for a much more detailed discussion.
The networks would include hyperlocal groups that also help to educate and/or train the public on infosec best-practices on a level that is comfortable for all parties involved. I’ve found that a lot of users can be intimidated by anything more complex than passwords, so they think “oh my ISP/bank/whatever will let me know if anything happens” (not always) or at worst disable security measures because they’re ‘annoying’ and only seek help when Really Bad Thing inevitably happens (at which point it may be too late to actually recover from).
The local groups (or freelancers) could also serve as consultants if someone does get in trouble—recovery and hardening/mitigation. Local businesses and individuals might be more willing to seek help from people in the community that they know can come to them (and may even be known to them personally).
Not to say that the end user doesn’t bear some responsibility for their own security, but education seems paramount now. Some users will want to learn, some won’t. That’s fine; the point is that people who aren’t fully comfortable with what’s involved will be able to come to someone who is with no judging. Given the global scope of cyber warfare, it only makes sense that this ‘army’ is as large and diverse as possible.
I have no idea how to get something like this set up, or even if it’s a viable concept, but it’s worth a thought. I don’t doubt that for every trained, certified professional we have hundreds if not thousands who possess the skills on some level but for whatever reason—lack of money or time to pursue training, interviewing skills, lack of ‘formal’ requirements, etc--are unable to get full official employment in the field. This could also serve as a STEM education/employment gateway, empowering interested students in communities (especially marginalized communities) to fill a needed gap.
Ideas? Comments?