Teams of cyber-savvy volunteers are assisting in several states, where they may rally to help public — and sometimes private — sector entities with supports like incident response and vulnerability assessments.
But no two states are exactly alike, and programs can differ across a variety of elements. Government Technology caught up with Wisconsin CISO Alan Greenberg, whose state was one of the first to try such an initiative, and with Oklahoma Cyber Command Watch Officer Amber Mangham, whose state is in the midst of establishing its own program.
The earliest state cyber volunteer programs debuted a decade ago, with Michigan announcing its civilian cyber corps, MiC3, in 2013 and Wisconsin unveiling its Cyber Response Team (CRT) in 2014. The idea keeps spreading, with the National Governors Association (NGA) finding a handful of states in various stages of expressing interest in budgeting for or launching such an offering.
There’s plenty of ways to design a program like this, and states vary over details like which entities are eligible to receive help and what scope of services is offered, as well as how heavily they rely on training up interested individuals versus recruiting existing professionals in the field. Looking to others’ experience can give interested states a starting point and help them identify and adopt effective strategies and avoid hitting the same pitfalls.
“Here in Oklahoma, we’re still in the rollout stage,” Mangham told GovTech. She expected the state would complete its recruitment and have teams ready to deploy in three years. “We’re learning best practices and lessons learned from other states trying to grow and gain membership.”
WHO CAN VOLUNTEER?
States vary over how experienced new volunteers need to be. Michigan, for example, requires participants to hold a cybersecurity certification and two years of information security experience as well as pass several tests, per the NGA. Ohio’s Cyber Reserve members must pass a test and come with about five years of cybersecurity experience.
Meanwhile, Oklahoma and Wisconsin look for individuals with some experience but emphasize training up volunteers to allow them to cast a wider recruitment net.
Greenberg said the Wisconsin CRT includes people from “all over the map.”
“We have technical, non-technical. We have longtime IT people, we have longtime IT security people, we have newcomers,” he told GovTech. “The only part we ask is [that] when they join, just be willing to learn and grow.”
Mangham spoke similarly: While Oklahoma prefers candidates with some form of IT experience, it’s not requiring cyber backgrounds.
“If you want to be a public servant, and you have the mindset to make a difference and you want to help your community and you have an information technology baseline, we can teach you the rest,” she said.
According to online information, would-be Oklahoma Civilian Cyber Corps (OKC3) members must have two years of IT experience and pass tests about basic networking and security concepts knowledge. Mangham said would-be participants undergo self-assessments that can help indicate what tasks they’re qualified for and what trainings they need.
This approach has helped OKC3 recruit widely, and it considers anyone at least 18 years old. Some current members include a gas station attendant who’s also a gamer, a high school football coach who also handles the school’s IT and cyber responsibilities, and a retired former Air Force member, Mangham said.
Offering trainings has side benefits: it can help entice professionals interested in these career development opportunities, and it can elevate the workforce’s cybersecurity knowledge, boosting overall cybersecurity in the state.
“They know that the training and information they receive they can take back to their city, their township, their county, K-12, their schools — wherever they may be from — and apply that knowledge and improve the cybersecurity in each of their different areas,” Greenberg said. Joining the team “helps you professionally and helps your organization, and it helps the state.”
RECRUITING AND RETAINING
The trainings — along with networking opportunities and efforts to create welcoming environments for new members — are helping Wisconsin build its team, Greenberg said. The state has relied on word-of-mouth to build its now 350-person volunteer force.
Some states try other forms of incentives, too: Ohio volunteers are paid for incident response work, according to the NGA.
Oklahoma, for its part, is actively recruiting with talks at high schools and higher ed, regional emergency management meetings, tech centers, local tech conferences and other events as it tries to raise awareness and reach a wide swathe of possible volunteers.
States differ in how they organize those volunteers. Some may expect volunteers to be able to use virtual services to connect with entities throughout the state, while others create regional teams assigned to help entities in their local surrounding area.
Mangham said Oklahoma follows the regional approach, and expects that having volunteers help their own communities will foster trust.
“These [volunteers] are people that you already know: you see them at the gas station, you see them at the grocery store. They’re within that community,” she said.
States who’ve recruited then need to find ways retain volunteers’ interest during periods with few incidents to handle. Having volunteers take on additional responsibilities like vulnerability assessments and cyber educational efforts can keep volunteers engaged, connecting with the community and sharpening their skills, Mangham said.
WHO GETS HELPED AND HOW?
Public- and private-sector professionals can volunteer in Wisconsin’s CRT, but only public entities may call upon it for help. Greenberg says CRT serves only the public sector to reserve support for entities with the greatest needs and due to restrictions on how some of the federal funding behind it may be used. NGA also noted that limiting recipients can help “mitigate any frustration or concerns of private-sector companies that offer similar services about unfair competition from a no-cost provider.”
Who can get help is only one part of the question — the other is how. Michigan’s volunteers originally could only be activated by the governor and only in response to a major emergency. That left volunteers waiting around, without many high-level disasters to rally them, and Michigan revised its policy in 2018.
Oklahoma takes Michigan’s experience as a lesson. Mangham hopes to see volunteers activated more easily by a CIO or CISO, who could approve activation when volunteers detect or get alerted to a cyber problem in their communities.
Entities, too, need to feel comfortable calling for help, and may be cautious when volunteer programs are still new, Greenberg said. His predecessor held briefings throughout the state to explain how the program can assist state and local entities. That effort, along with positive word-of-mouth from organizations that had received help, has built up trust in the team, he said.
STARTING YOUR OWN
Some common tips can help get states started designing their own programs.
For one, Greenberg recommended defining roles and responsibilities and creating a charter to make it easy for others to understand the volunteer program’s purpose.
The NGA, too, outlines a variety of recommendations:
- Start by evaluating the statewide cyber posture, to understand gaps that volunteers could help plug.
- House the volunteer team within a cyber response-related agency to simplify the administrative, funding and legislative work involved in launching this initiative.
- Plan out and tabletop how volunteers will spring into action and how they’ll work “within the state’s cybersecurity and emergency response ecosystems.”
- Create task forces to help think through further policy details of the program that should be addressed. Task force members should be stakeholders from the academic, nonprofit, private and public sectors — including from organizations or sectors who might receive help or contribute volunteers.
- When determining what services to offer, consider the full “cybersecurity life cycle” including prevention, protection, mitigation, response and recovery activities.
- Partner with groups like cyber ranges, academic institutions and nonprofits to better connect volunteers to the community and collaborate on cyber.
- Develop volunteer recruitment and retention strategies with an eye toward building and diversifying the cyber workforce.
- Document guidance for volunteers, standard operating procedures and policies around working with different partners during incidents, to create consistency in the teams’ efforts now and in the future.
- Collect data to help evaluate the impact the teams are having, such as looking at workforce development trends and cybersecurity challenges, to guide adjustments to the volunteer programs.
