The U.S. Coast Guard established the Coast Guard Auxiliary Flotilla 22-12 on 21 April 2023, the service’s first Auxiliary flotilla dedicated to cyberspace. Headquartered out of Fort Meade, Maryland, it aims to recruit and retain “cybersecurity professionals to support the Coast Guard's missions in the cyber domain.” Specifically, informational materials for Flotilla 22-12 state its members can participate in three areas of Coast Guard cyber operations: defending Coast Guard cyberspace, enabling Coast Guard operations, and protecting the Maritime Transportation System (MTS). Other information on the Coast Guard’s Auxiliary Cybersecurity Augmentation (AuxCyber) program, the broader program encompassing Flotilla 22-12, states auxiliarists can support the Coast Guard through cybersecurity outreach, awareness, education, and training; cyber-related facilities/vessel inspections; review of cybersecurity amendments of facility security plans and facility security assessments; cyber exercise support; Coast Guard Cyber Command (CGCyber) cyber protection team (CPT) augmentation; CGCyber Maritime Cyber Readiness Branch (MCRB) augmentation; and cybersecurity for recreational boating safety missions.
A review of available open-source information provides scant details of Flotilla 22-12’s activities over the past year. While it is possible that the flotilla’s security practices have limited information about it, a simpler explanation is more plausible: that Flotilla 22-12 has not participated in any substantial effort to defend the Coast Guard’s cyberspace, enable its operations, or protect the MTS. That is not necessarily a reflection of Flotilla 22-12’s capabilities, as it takes time for any new organization to reach full operating capability, but it likely points to a larger problem between the Coast Guard and the Auxiliary: how to best employ its volunteers.
A Brief Primer on the Coast Guard Auxiliary
Established in 1939, the Coast Guard Auxiliary served as source of additional manpower and equipment. More than 50,000 members joined the Auxiliary at the onset of U.S. participation in World War II. The Auxiliary is a unique organization: A pseudo-government entity partially funded by taxpayer dollars, but with looser restrictions than other volunteer entities such as the Civil Air Patrol or volunteer firefighting outfits. As noted in a 2007 Proceedings article, auxiliarists have the ability to decline requests for use of their time or equipment because of the “bring your own boat,” or BYOB, model of employment. The Coast Guard also significantly expanded the role of the Auxiliary in the post-9/11 era, authorizing auxiliarists to stand watches in sector command centers and small-boat stations to more directly augment the Coast Guard workforce.
With the advent of cyber as a warfighting domain, the Auxiliary’s foray into cyberspace could prove a significant boon to the service as it struggles with recruitment and retention, particularly those with cyber skills. However, the lack of clear roles and responsibilities for AuxCyber and Flotilla 22-12 is rather odd. Maturation of the AuxCyber will depend on the development of clear policies detailing Auxiliarists’ augmentation of Coast Guard cyber operations.
Other issues also require resolution for the program to mature. In typical operations, auxiliarists operate their personal vessels, receiving compensation for fuel and provisions used during the operation. Coast Guard and Auxiliary leaders must determine if the same BYOB operating model will apply to the cyber domain, with members required to provision their own computers and networks, or if the service will fund and provision them. While the “bring your own computer” model is more cost effective, it potentially introduces vulnerabilities to Coast Guard cyberspace and the Department of Defense Information Network (DoDIN).
The Benefits of AuxCyber
The volunteer nature of the Auxiliary has promise within the cyber domain, in which highly technical skills are in great demand and the Coast Guard must compete with the private sector and the other services. As of January 2024, the base pay for an E4 with less than two years of service is just over $2,600 a month, increasing up to $3,000 per month with four years of service, or between $31,000 and $36,000 per year. With housing allowances and other benefits, a newly graduated cyber mission specialist (CMS) in the Coast Guard can anticipate earning between $60,000 and $70,000 a year. Compared with the average salary of $96,000 to $105,000 in the private sector for commensurate experience, the military’s struggles to recruit cyber talent are unsurprising.
This is an area where AuxCyber and Flotilla 22-12 can help. While those in the cyber domain may choose to take a better paycheck in the private sector over joining the military, there likely is a notable portion interested in volunteering. Even at the height of the COVID-19 pandemic, almost a quarter of the U.S. population volunteered through formal organizations between 2020 and 2021. The Auxiliary provides technically proficient and civic-minded individuals a pathway to contribute to national security. For the Coast Guard, it could provide access to skills that may not be commonly available within its CMS rating, such as coding in esoteric languages for niche roles, thus lessening the service’s training investment. Access to such individuals, even on a part-time volunteer basis, could yeild significant dividends.
Auxiliarists already augment station and sector watchstanders, and members of AuxCyber and Flotilla 22-12 could augment CGCyber Cybersecurity Operations Center (CSOC) and Network Operations Security Center (NOSC) watchstanders defending Coast Guard cyberspace and the DoDIN. Auxiliarists may even be able to participate on CPT missions by assessing the security of MTS networks, akin to how the Auxiliary currently facilitates commercial shipping and container inspections.
AuxCyber and Flotilla 22-12 also hold a particular appeal to both volunteers and the service: the lack of physical requirements for eligibility. Whereas the Coast Guard requires active-duty and reserve members to meet certain physical requirements, people can participate in the Auxiliary “regardless of physical limitations.” For those individuals with physical limitations or disabilities, this provides a prime opportunity to serve the nation.
The Drawbacks of AuxCyber
However, there are potential drawbacks centered around affiliation, attribution, and absenteeism.
Affiliation between the member, the Coast Guard, and other organizations can present a variety of issues. A member’s affiliation with the Auxiliary, and thus the Coast Guard, may have unintended consequences for his or her personal life and primary employment. In addition, a member’s personal and professional affiliations also may have unintended consequences for his or her service in the Auxiliary. While issues of affiliation also crop up with the active-duty and reserve components, the Coast Guard has more ability to directly influence those affiliations. For example, affiliation with hate groups or individuals who participate in those groups can result in service members being disciplined by the service. For Auxiliarists, the service has no disciplinary authority. Further, association with such groups or individuals does not disqualify an individual from joining the Auxiliary so long as his or her affiliation has not resulted in criminal convictions or court actions. Conversely, a member’s affiliation with the Auxiliary may result in his or her targeting as a member of the service or federal government by antigovernment/antiauthority groups or individuals.
Shifting into the cyber world, attribution could become an issue of concern. Assuming the member has openly shared his or her status as an Auxiliarist, it is not difficult to imagine a scenario in whcih a foreign adversary associates all cyber activity an individual performs as being part of a larger effort by the U.S. government conducted through the Coast Guard and the Auxiliary. For example, if a member of the Auxiliary is a penetration tester by trade and accidentally breaches the network of a Chinese business as part of an assessment of a subsidiary network, it is plausible that China might view the actions of the member through his or her affiliation with the Auxiliary and not as part of his or her private sector work. While some may argue that the Coast Guard could easily point to the member’s work as the reason for the breach and disavowing itself from responsibility, it is important to note that the U.S. government and U.S. cybersecurity firms frequently identify Chinese cybercriminals and their confirmed or suspected links to the Chinese People’s Liberation Army. The Coast Guard should anticipate reciprocal treatment of its Auxiliarists in such scenarios.
A final issue is absenteeism. While it is highly likely that Auxiliarists would report for duty when and where scheduled, the inability to compel them to do so serves as a counterargument against using of the Auxiliary to augment the active-duty component. Watch schedules would still require active-duty members to cover watches, requiring the service to continue staffing CGCyber at its current levels. When Auxiliarists report to stand watch, it would create inefficiencies as either the scheduled watchstander, the Auxiliarist, or both would be less productive and more idle than normal. The potential variability in Auxiliary availability would limit its ability to augment the active-duty component to specific noncritical and time-insensitive roles.
Exporting the AuxCyber Model
Assuming AuxCyber and Flotilla 22-12 achieve full operational capability and begin integrating with daily Coast Guard operations, it is worth asking if this model could be exported to U.S. Cyber Command (CyberCom) and DoD elements as well. Given the challenges of recruitment and retention generally and cyber talent specifically, it would benefit the services to explore the use of volunteer forces. For the AuxCyber model to gain traction across DoD, Coast Guard and AUX leaders must showcase the program’s value while mitigating its potential drawbacks. First, the service must reevaluate the Auxiliary program broadly and determine how to codify the roles, responsibilities, and obligations of auxiliarists to further professionalize the program. This may require dedicating more funding to avoid placing most of the burden on the auxiliarists. Provisioning equipment, such as Coast Guard laptops, would be one such example.
Second, the Coast Guard through CGCyber should determine the scope of Auxiliary participation in cyber operations. Integration into the CSOC and NOSC watches would be relatively straightforward and easy to implement, and integration in the MCRB also would likely be manageable. More challenging would be determining how auxiliarists could augment Blue and Red Teams and the CPTs, requiring decisions on several legal, logistical, and administrative issues that may take longer to resolve but are critical in determining exportability of the AuxCyber model. Without determining such scope, AuxCyber will remain unique to the Coast Guard.
Finally, garnering support from CyberCom would be instrumental in exporting AuxCyber across DoD. The Coast Guard should petition CyberCom for resources, especially since CyberCom’s enhanced budget control authority provides it with more than $2 billion in annual funding. Considering the overall cost of the Auxiliary program is less than $20 million for the Coast Guard, of which a small fraction is provided to AuxCyber, leveraging Cyber Com’s support could allow significant growth of the AuxCyber program while providing support to a CyberCom equivalent. The Coast Guard and CGCyber should also provide CyberCom with subject matter experts to help develop a CyberCom volunteer force akin to AuxCyber.
Looking Forward
Utilizing a model such as AuxCyber to bring volunteer efforts to bear in the cyber domain could provide significant benefits, especially if coupled with proactive mitigations for potential drawbacks. The Coast Guard has the opportunity to demonstrate those potential benefits by fully codifying AuxCyber’s role in Coast Guard cyber operations and employing Auxiliarists in defense of Coast Guard cyberspace and the DoDIN. Given the current global challenges and threats from peer and near-peer competitors, such calls for volunteer service should strive for augmentation paralleling that of World War II to give the United States a decisive advantage in any future conflict.
