What Makes a State Volunteer Cybersecurity Program Work?

A Texas bill proposes creating a volunteer cyber incident response team. Other states have tried their own efforts to harness volunteer talent, discovering strong practices and pitfalls along the way.

A bill that came before the Texas governor earlier this month would establish a volunteer cyber incident response team. It arrives at a time when high-stakes ransomware attacks have put national focus on cybersecurity — as well as on government’s struggle to recruit enough talent.

In the recent State and Local Workforce 2021 study, about 60 percent of local jurisdictions reported that they had more open IT positions than applicants. Secretary of Homeland Security Alejandro Mayorkas has acknowledged the severity of the problem and designated cybersecurity workforce as the focus of his second sprint.

Texas’ legislation is only one of the latest state efforts to supplement the public-sector workforce with ad hoc resident assistance. Experiences from other such attempts point to the challenges that any similar program will need to address, as well as best practices to consider.

LESSONS IN CYBERSECURITY VOLUNTEERING


The Michigan Cyber Civilian Corps (MiC3) has encountered various pitfalls and opportunities since it was announced in 2013 and officially formed in 2014.

The program was originally designed to mobilize volunteers in cases where the governor called a state of emergency, Ray Davidson, MiC3 program manager, told Government Technology. But that meant the team would only activate in case of a “really big disruption, like a nation state taking some action where there is threat to life and limb, which is the highest condition of emergency in the state,” Davidson said.

Like that initial version of MiC3, Texas’ program would set a high bar for activating volunteers. State or local agencies impacted by a cyber incident would be able to request volunteer help if the attack either prompts the governor to declare a “state of disaster” or is severe enough to affect multiple entities. A federal bill presented in April by U.S. House members follows in this vein, too, envisioning a volunteer Civilian Cybersecurity Reserve for providing emergency support to the U.S. departments of Defense and Homeland Security during “times of greatest need.”

But MiC3 found that its pool of willing volunteers remained ready and waiting for years, with no sufficiently catastrophic event triggering their deployment.

Michigan seized on the notion that volunteers can be helpful outside of a high-level crisis and enacted new legislation in 2018 loosening the activation criteria. This law allows critical infrastructure providers, educational organizations, municipal agencies and nonprofits to request MiC3’s help.

Since then, members have been deployed “a handful of times” to help local and regional governments respond to issues like ransomware and business email compromise, Davidson said. The program also encourages its members to help out with high school cybersecurity education, such as mentoring students and participating in hacking competitions.

Tightly limited deployment criteria are not the only force that hit the brakes on these programs. Lack of liability protection for well-meaning volunteers can also stop teams from mobilizing, something Michigan had to correct with its 2018 revisions to MiC3. The new policies ensured volunteers passed certain qualifications before becoming members and then gave them legal protections for actions they took when trying to help, similar to Good Samaritan rules. Texas is taking a similar approach, with its bill extending civil liability protections to volunteers.

FINDING FUNDING


Finding funding for any program can make or break it — an issue Del. Suhas Subramanyam of Virginia ran into with his 2020 bill that would have created a volunteering pathway for cybersecurity and IT experts to assist schools and local governments.

“There are a lot of stories about local government across the country experiencing cyber attacks [and] need for expensive consultants to help them with security,” Subramanyam said. And schools often want to use more technology but need advising on how to utilize it, he added.

Subramanyam also told Government Technology that concerns over committing funds ultimately defeated his bill, which likely would have required a website connecting volunteers with opportunities and possibly an administrator. Other volunteer programs can stack up further costs, with Texas’ bill anticipating travel expenses, while Davidson said volunteer training is his program’s greatest expenditure.

The Texas bill sought to handle the funding question by allowing the state Department of Information Resources to require agencies to contribute toward the program’s operational costs if they wish to receive assistance. Neither Sen. Jane Nelson nor Rep. Giovanni Capriglione, both sponsors of the bill, was able to provide further comment.

Programs organized — and funded — by state government are not the only source of cybersecurity volunteers who can support agencies. But government-controlled programs bring certain advantages, said Subramanyam.

Some nonprofits provide tech services, too, Subramanyam added, but there are limits to what government can expect from donor-funded organizations, given that contributions supporting nonprofit work may come with restrictions.

WHY VOLUNTEER?


The ability to participate in expensive training is often what entices cybersecurity professionals to initially volunteer, while networking opportunities and a sense of civic duty tend to be what keep them engaged long-term, Davidson said, reflecting on recent conversations with his program’s members.

The networking, Davidson said, means that “you get a sense of who’s using what tools and so who might be able to help you out when you have a problem, like ‘Have you ever done this? Have you implemented that?’”

“That kind of thing in our industry is invaluable,” he added.

Program managers also can better recruit and retain members by not being overly prescriptive, Davidson said.

“My particular advice would be to make sure you’re in contact with whatever information security ‘hacker’ community there is in your state,” he said. “Because there are a lot of people that like to know how things work and they like to help other people. They don’t like to obviously follow rules. Give them a chance to be flexible, and don’t put too many rules on it.”

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.