To close that gap, the adjutant general has stood up the Ohio Cyber Reserve, a volunteer force of cyber professionals who step in to assist with remediation efforts. Across the nation, a number of states are looking to such citizen-supported efforts as a way to elevate state and local defenses.
“Back in 2013, Michigan became the first state to sponsor a civilian core dedicated to cyber workforce development and preparedness and response,” said Steve Fugelsang, cybersecurity program director at the National Governors Association (NGA), speaking on a panel at the 2022 National Summit on State Cybersecurity last summer. At that time, NGA counted 15 states that had built similar programs or had plans to do so.
Cyber experts say that citizen volunteers could do much to shore up cyber efforts in state and local government. “There are some very talented cyber professionals that work across multiple industries, and having access to that expertise would be very beneficial to states,” said Chris Estes, U.S. SLED technology leader at EY.
AdobeStock
'TO PROVIDE MUTUAL AID'
Michigan Cyber Civilian Corps (MiC3) describes itself as “a group of trained, civilian technical experts who individually volunteer to provide rapid response assistance to the state of Michigan in the event of a critical cyber incident.” Its efforts aim to help organizations in both the public and private sectors, as well as schools.
Wisconsin runs a similar program, a volunteer Cyber Response Team (CRT) administered by Wisconsin Emergency Management and facilitated through the Department of Military Affairs. In addition to “general” members who share cyber best practices, CRT’s volunteer “incident responders” take part in two quarterly training sessions per year and help to remediate in the case of cyber incidents.
Wisconsin looks for volunteers who have experience in cybersecurity preparedness, mitigation, response and recovery. In Ohio, too, organizers sought out experienced professionals in building its Cyber Reserve force.
“We recruited civilian individuals who are already cybersecurity professionals who have an interest in serving their community,” Bell said. “We gave them background checks to make sure they were upstanding citizens. We did skills tests to make sure they actually were experts in their craft. And then we put them into teams where they trained collectively on their various missions.”
The idea of these citizen cyber brigades is to take advantage of the skilled people, those earning a living in the field, who are often very willing to donate their time.
In Michigan, for example, the civilian corps at first responded only to “a governor-declared cyber emergency” when “life and limb are at stake,” said Ray Davidson, who served for a time as the day-to-day program manager for the Michigan Cyber Civilian Corps.
Speaking on the NGA panel, Davidson said the corps’ mission has since expanded. Under the Michigan Cyber Civilian Corps Act, the group “can respond to the existence of a vulnerability” in local government.
With its “general membership” category, Wisconsin too has sought to expand citizen cyber efforts beyond immediate cyber remediation.
Organizers recognized that “not everyone was going to be an incident responder,” said Alan Greenberg, who was serving as Wisconsin CISO when he spoke on the NGA panel. “But if we could teach them and train them about cybersecurity, even if they never became an incident responder, then they could be able to sit back, take those lessons learned, and apply them to their city, their county, their school — so that we can go ahead and improve cybersecurity across the board.”
Whether responding to missions, remediating “vulnerabilities” or simply elevating awareness, experts say citizen cyber organizations can play an important role in helping safeguard state and local entities.
POTENTIAL ADVANTAGES OF CITIZEN CYBER
With a well-documented shortage of talent in the cybersecurity field, state and local governments are struggling to hire and retain the people they need.
“Cybersecurity expertise is hard to find,” said John Pescatore, director of emerging security trends at SANS Institute. “People can make really good salaries working for commercial companies in cybersecurity, so there are city governments and small organizations that find it hard to attract or even afford full-time cybersecurity talent.”
In this environment, volunteers can act as a force multiplier. “The idea of these citizen cyber brigades is to take advantage of the skilled people, those earning a living in the field, who are often very willing to donate their time,” he said.
Through a citizen cyber corps, a state “can match up those volunteers with these smaller organizations that can’t do it by themselves,” he said.
In Ohio, Bell describes the cyber corps as primarily a force-augmentation effort.
“What the Cyber Reserve brings to the table is extra hands on deck,” he said. “We have cyber expertise at the state level, but they’re primarily absorbed defending state networks. We’ve got cyber expertise in the National Guard, but it’s a limited size, and states cannot increase the manpower of their National Guard. Those manning decisions are made at the national level, at the Department of Defense.”
How to bring more forces to bear? “We felt that the best way to do that was to create the Ohio Cyber Reserve, where we take existing cybersecurity professionals, organize them into a vetted trained team, and then make them available to do this limited set of missions that will support our other efforts,” he said.
While the added civilian talent is helping Ohio and other states to elevate their level of cyber readiness, experts point to a number of key considerations — both for states looking to stand up a cyber corps and for those seeking to make the most of their existing volunteer cadres.
CAUTIONS AND CAVEATS
In pondering a citizen cyber corps, Oklahoma has surfaced some concerns. First and foremost, “there’s liability,” said Oklahoma Cyber Command Watch Officer and OK-ISAC Interim Director Amber Mangham. What if the volunteers biff the response? Worse, what if they turn out to be hackers?
Oklahoma hasn’t yet stood up its cyber corps, as leadership mulls these concerns. Thorough vetting and background checks might weed out the bad actors, Mangham said, but it’s still unclear where the liability would fall should something go wrong.
Some states, like Ohio, have tackled this by organizing their volunteers as an adjunct to the National Guard. Once activated, Ohio volunteers go on the payroll and liability essentially works as it would for any other state employee.
At the NGA panel, Ohio National Guard Adjutant General Major General John C. Harris Jr. explained that these volunteers “have liability protection under our revised code, the same protection a doctor or an attorney who practices in a state emergency would have.”
While supporting a cyber incident, “they would have the support of the state attorney general … if there was a lawsuit or something,” he said. “We took the military reserve model and we simply added a civilian core to that.”
While that’s one possible model, the overall point is that liability must be addressed. And there are other potential hurdles as well.
A volunteer effort can be “hard to sustain over the long term,” Pescatore said. “It’s kind of like a food bank. There’s lots of volunteer food banks and lots of motivated volunteers, and then sooner or later life issues cause the volunteers to have to do other things, or they burn out,” he said. “They really love it, but it just takes up so much time.”
A solid organization helps here. “Somebody needs to be in charge, and somebody needs to be recruiting new members,” he said. Again, there’s no easy fix: It’s just something states need to factor in as they look to stand up and maximize their volunteer efforts.
Usually when there’s a cyber incident, time is of the essence: I need these people now, not ‘when they are available,’ and they probably work day jobs. Can they free themselves up in a timely way?
Given the potential pitfalls, and the high degree of risk around cyber exploits, some experts remain wary of involving citizen volunteers in the public sector’s efforts at all.
Others, particularly those in the private sector, echo this concern. “The main issues we’ve seen with relying on volunteers is a lack of proper training. Depending on the incident, mistakes often exacerbate the situation,” said Josh Amishav, founder and CEO at data breach monitoring company Breachsense.
With this in mind, states that are leveraging citizen talent will need to emphasize training to ensure their volunteer responders know what they’re up against and how to handle it.
There’s concern, too, about the readiness of a volunteer force. “Usually when there’s a cyber incident, time is of the essence: I need these people now, not ‘when they are available,’ and they probably work day jobs. Can they free themselves up in a timely way?” said Estes from EY. A thoughtful governance structure will be needed to assure that high level of availability.
GOING FORWARD
Despite the hurdles, some say the benefits still outweigh the risks.
Citizen cyber brigades offer states “the chance to harness a vast pool of untapped talent. From self-taught cybersecurity enthusiasts to retirees with decades of industry experience, there’s a wealth of skill and knowledge out there that state governments can leverage,” Chaudhuri said.
“A broader base of participants can lead to more diverse and innovative problem-solving approaches,” he said. “It is well-known that cybersecurity challenges are not one-size-fits-all, so having a range of minds working on these problems can lead to out-of-the-box solutions.”
Some point to the international arena for signs of what might be possible.
“We can look to Ukraine as a great example of positive achievements by cyber brigades,” said Irina Tsukerman, a geopolitical analyst and president of Scarab Rising, a crisis communications and management firm. “One great example is the Ukraine Cyber Alliance, a community of cyber activists in Ukraine and from around the world which emerged from the joining forces of several hacktivist groups in 2016.”
Over time, citizen cyber activism “has become more sophisticated and widespread,” she said, noting that Ukraine’s citizen cyber efforts during the war with Russia have “gained renown and great reputation as a potential model for other countries.”
Others make a financial argument in favor of this model.
Too often in state and local government, “cybersecurity doesn’t get funded to the level that it should,” said Richard Gardner, CEO at technology products and services firm Modulus. “Citizen cyber brigades offer some relief, adding enhanced capabilities without adding significant cost.”
Citizen cyber is still a relatively new phenomenon in state and local government. While it can offer advantages in terms of force augmentation, the caveats make it clear that states will need to proceed with caution as they turn to ordinary citizens to support their cyber efforts.
This story originally appeared in the October/November issue of Government Technology magazine. Click here to view the full digital edition online.
