How Volunteers Can Support Government Cybersecurity
Connecting state and local government leaders
Michigan was the first state to launch a volunteer cyber corps about a decade ago. The trend is catching on.
With cybersecurity talent in short supply, a growing number of states are establishing networks of volunteers to assist local government agencies, schools, and in some cases businesses and nonprofits, targeted by hackers.
It’s sort of like volunteer firefighting, but for tech emergencies. In addition to helping with response and recovery after digital attacks, some of the volunteers are even working with eligible organizations on proactive steps to ward off cyber criminals before they strike.
Michigan, in 2013, was the first state government to start a cyber corps along these lines. Since then, at least 14 others have either launched the programs, or have taken steps toward doing so, according to a report the National Governors Association released in June.
"Really great success,” Steve Fugelsang, the National Governors Association’s cybersecurity program director, said during a recent National Association of State Chief Information Officers meeting, as he described Michigan’s program.
“Michigan kind of set the tone and it's something that other states have picked up on,” he added.
The Michigan program early on had about 20 volunteers. Its ranks expanded to a peak of nearly 100. But dozens of inactive members were removed from the group, leaving around 60 volunteers participating as of May, the NGA report says.
Some of the other states that have moved to establish cybersecurity volunteer networks, according to the report, include California, Maryland, Ohio, Oklahoma, South Carolina, Texas and Wisconsin.
Alan Greenberg, Wisconsin’s chief information security officer, said the volunteer program there began with around 30 people two to three years ago and now has over 270 members.
“When these people show up on site during an incident,” he said, “they stop the bleeding and they fix problems.”
“This group has an incredible reputation across the state,” he added.
Applying to the state’s program is relatively easy, Greenberg said. Prospective volunteers send an email saying they’re interested.
The state took away prerequisites to make it simple for people to join, he said, and the ranks include people who are not cybersecurity gurus, including members who have day jobs as teachers or accountants. Volunteers do need to clear fingerprint and background checks.
“You don't have to have security knowledge,” Greenberg added, “we're going to teach you about all of the different things.”
People who are less experienced take on different responsibilities within the group than those with more cybersecurity knowhow.
Wisconsin’s department of military affairs oversees day-to-day operations for the volunteer team. When volunteers are involved in an incident response, they work alongside state staff. “We make sure that there's that supervision,” Greenberg said.
There are differences in how the groups are organized and operated across states.
For example, while Wisconsin doesn’t have a requirement for relevant cybersecurity experience, Michigan does (it’s two years). Michigan and Ohio have tests people must pass to join their groups. Wisconsin does not, but requires testing before people can respond to incidents.
The National Guard serves as the umbrella organization for Ohio’s program, while in Michigan it’s the Department of Technology, Management and Budget.
In some states, the programs are codified in law. In others they are not. Budgets can range from around $250,000 to $750,000 per year.
Training and certifications available through the programs, as well as professional networking, can provide perks for those who join.
Greenberg noted that Wisconsin is training volunteers to do cybersecurity assessments to identify vulnerabilities with computer systems before they’re exploited by bad actors.
If an assessment team finds a problem, it’s possible for the state to alert other organizations, he said, adding: “We get better information sharing and we start raising the bar for cybersecurity.”
NEXT STORY: Drug data center takes on opioid crisis