The Wisconsin Cyber Response Team started in 2015 as a collaboration between the state’s Division of Enterprise Technology, the Wisconsin Department of Military Affairs and the Wisconsin Department of Justice. About a year ago, administration was transferred to Wisconsin Emergency Management (WEM), a division of the Department of Military Affairs.
In the last two years, membership has expanded from 119 volunteers to a current roster of 457. In 2023, the group had responded to 27 incidents as of October, compared to 19 incidents in all of last year.
Eric Franco, the cybersecurity preparedness coordinator for Wisconsin Emergency Management, spoke with Government Technology about the key factors contributing to the CRT’s success.
VIEWING CYBERSECURITY FROM AN EMERGENCY MANAGEMENT LENS
Franco says it made sense for the administration of CRT to change hands to emergency management when viewing cybersecurity in an all-hazards context.
He said the “secret sauce” to growing the CRT was cherry picking the best practices from existing structures in emergency management and applying them to cybersecurity, with significant assistance from volunteers.
“Quite frankly, our membership base has exploded mostly because of word of mouth,” said Franco. “A lot of the districts and counties have either received direct services or someone they knew received direct services, and they want to be involved in some way, shape or form.”
MAXIMIZING PARTNERSHIPS AND GRANTS
Wisconsin Emergency Management has used the Homeland Security Grant Program to subsidize the group’s training, a resource Franco deems “a game-changer.” A partnership with the Wisconsin National Guard also allows the CRT to provide expertise for a quarterly training program.
This fall, the CRT expanded its partnership with the University of Wisconsin-Whitewater’s cybersecurity program. According to Franco, the university will bolster the CRT’s quarterly training program and give additional support to the team when possible. This partnership will mutually benefit both agencies.
“We’re going to provide avenues for public-sector placements for their students, and also try and build a sensible and vetted conduit for sustainability for membership and networking,” Franco said.
STREAMLINING THE PROCESS FOR A QUICK RESPONSE
When an initial call to the CRT is received, it undergoes triage with incident response leads in a private channel on Slack.
The team then broadcasts a call on the same platform, requesting volunteers to pre-register to assist with the incident. Franco estimates that it takes 7-8 minutes to assemble a team and set up a meeting. They also collaborate with citizen partners, DET partners, and DOJ partners as needed.
The CRT primarily serves school districts, but also supports counties and municipalities. They protect public-sector critical infrastructure, including public utilities, schools and government services. They have also expanded their reach to support agribusiness in rural areas. In 2023, the CRT responded to 16 cyber incidents involving K-12 school districts, six involving municipalities, three involving county government agencies and two incidents in higher education.
“The nice thing about it is, you know, if you have a county that is hit with a ransomware incident, if they don’t have the resources to have a third-party cybersecurity forensics team, we have one that we can stand up,” said Franco.
PROFESSIONALISM AND CONFIDENTIALITY AT THE CORE
The focus of the CRT is on professionalism and confidentiality. Volunteers must submit an application that details their experience, education and professional certificates addressing cybersecurity events or incidents. They are bound to a non-disclosure agreement, and have to provide their TSA Known Traveler Number.
“We don’t blame the victim, right? I mean, we’re there to support that person as if that person's network was indeed our own,” said Franco. “That’s the kind of ownership we take with each of these incidents.”
