Australia needs a civilian cyber reserve. State emergency services are the model

Australia should follow international examples and develop a civilian cyber reserve as part of a whole-of-society approach to national defence.

By setting up such a reserve, the federal government can overcome a shortage of expertise in cybersecurity and increase national resilience to cyber threats. It could be modelled along the lines of state emergency services.

In doing so, the government should consider the way state emergency services are formed and mobilised when needed. Legal safeguards will also be needed to protect the recruits and also organisations that would receive assistance from the reserve when subject to cyberattack.

Malicious cyber activities are a persistent threat faced by nation states globally—from cyber operations against critical infrastructure, to cyber-enabled disinformation operations seeking to undermine social cohesion.

As noted by the director-general of the Australian Security Intelligence Organisation, Mike Burgess, the cyber threats faced by Australia include those from nation states seeking to pre-position themselves in Australia’s critical infrastructure, allowing them to carry out more disruptive and destructive attacks in the future. At the same time, a global skills shortage in the cybersecurity workforce undermines the capacity to defend against these threats.

In response to these issues, several countries are seeking to harness volunteers in cybersecurity and defence. Funded by the Department of Defence’s Strategic Policy Grants Program, we are currently carrying out research mapping out some of the key initiatives around the world.

The United States, for example, is carrying out a pilot project establishing a Civilian Cybersecurity Reserve. This was in response to recommendations made by the US National Commission on Military, National, and Public Service which in 2020 argued that a federal civilian cybersecurity reserve would allow US agencies to obtain additional cybersecurity capacity from cyber experts when needed. These recommendations were echoed in the 2020 final report of the US Cyberspace Solarium Commission which argued that a cyber reserve would play a key role in mobilising surge capacity using existing links between the private sector and the government.

The developments in the US follow similar developments elsewhere. Ukraine’s IT Army made headlines in 2022 when it called on hackers from around the world to join Ukraine’s defence against Russian aggression.

Estonia’s Cyber Defence Unit, within its Defence League, was established already in 2011 following large scale distributed denial of service attacks against Estonia a few years prior. Another example is the Cyber Peace Builders NGO which helps connect corporate volunteers with not-for-profit organisations to improve their cybersecurity.

The proposed US federal-level cyber reserve also follows from developments in several US states that already have similar structures in place. These began with the Michigan Civilian Cyber Corps, established in 2013; a growing number of states including Ohio, California and Texas have followed suit. These civilian cyber reserves engage in a variety of activities, ranging from education in schools and public organisations, cybersecurity audits, and incident response. They can provide high-level training and certifications for their members for free and organise cyber war games exercises for participants.

Often compared to volunteer firefighters or other volunteer-based emergency services, cyber reserve organisations provide an opportunity for cyber experts to give back to society and help increase cybersecurity awareness, resilience and preparedness. For example, in March 2025 the Ohio Cyber Reserve responded to a cyber incident affecting the municipal court of the city of Cleveland, and it also deployed in 2024 when the city of Cleveland was subject to a ransomware attack by Russia-affiliated actors.

Australia should follow and create a civilian cyber reserve. However, several considerations must be addressed for it to be effective. These include the appropriate structure, membership, criteria for organisations to be eligible for support, and relevant legal safeguards.

In terms of structure, it could be modelled on existing organisations such as state emergency services which operate at the state level and are designed to help communities both prepare and respond to natural disasters. Initial members could be recruited from those with a high level of cybersecurity expertise, but gradually the membership base can be built through training and upskilling of volunteers with general cybersecurity skills or other relevant subject matter knowledge.

The identification of eligible organisations should start with public organisations at the state and local levels, including schools and hospitals. Finally, appropriate legal structures will need to be explored to protect volunteers, as well as to protect the confidentiality of organisations seeking support.

Creating a civilian cyber reserve can promote a culture of cybersecurity and be an avenue through which volunteers can use their expertise to help others and give back to the community. Having a structure like this in place in peacetime also provides a potential capability that can be harnessed in times of crisis or conflict.

You might also like
Cyber wrap
Critical infrastructure legislation should also set the parameters of cognitive security
Apple, Face ID and privacy
Cyber wrap
Australia’s new Critical Infrastructure Centre: a vital first step    
Reservists should be integrated with regular forces, not separate