States Are Leading on Cyber Volunteering

Supporting Regional Resilience

August 19, 2025

As federal cybersecurity priorities shift, both through a recent Executive Order and a wave of departures at CISA, the nation’s foremost cyber defense agency, more and more is expected and required of state and local governments. 

States and communities have already been shouldering sizable cybersecurity responsibility for decades. While states are unprepared to shoulder the entire federal cybersecurity agenda, they are poised to create lasting regional cyber resilience through innovative cyber volunteering programs and partnerships with nonprofits, academia, and industry. These programs can and should fill an essential gap in state cybersecurity capacity, but more investment and coordination are needed to extend their impact.

Regardless of the whims of Washington, states and communities have always been the first line of defense for the small organizations that uphold our public life. While the federal government has typically handled many key cybersecurity responsibilities, including diplomacy, sanctions, law enforcement, agenda-setting, regulation, and grants, the government is the only entity that can focus primarily on threats to national security. With growing threats from nation-states, criminals, and other actors, and inherent, mounting insecurities embedded in the technology underpinning today’s critical infrastructure, the government, with limited time and resources, can be forced to prioritize those entities it views as the most essential. As a result, many community organizations, such as schools, small or rural utilities, faith-based institutions, and nonprofits that provide critical yet highly localized community services, simply don’t meet the national security threshold. The federal cavalry has never been able to prioritize helping an elementary school recover from a ransomware attack.  

And while the federal government is pulling back, states are more active than ever; they are passing cybersecurity legislation at breakneck speed, with over 77 bills introduced just this year. States like New York are leading the charge by creating minimum standards for water utilities, with $2.5 million in implementation funding attached. States like Texas and Louisiana are funding regional security operations centers (SOCs), and Indiana has partnered with Indiana University and Purdue to provide risk assessments for hundreds of local governments. 

Notably, states and communities have rallied cyber volunteers to serve the least-resourced organizations. One of the best investments that industry leaders, nonprofits, and individual cyber volunteers can make in the coming years is to help states double down on creating a cyber safety net where any organization can receive affordable cybersecurity services. 

Community-Powered Cyber Volunteering Programs

Over the last 15 years, community defenders like states, colleges, universities, and nonprofits established new cyber volunteering programs to improve protection for organizations operating below the cyber poverty line.

These programs consist of volunteers who offer pro bono services in their free time or for non-monetary incentives, such as school credit. 

Some key community partnerships include:

  1. State civilian cyber corps: These volunteer defenders are organized by states themselves, often in the state department of emergency management or the state National Guard. These volunteers operate year-round, providing training and assessments to schools, cities, and other public agencies, as well as deploying to serve as the first responders for cyber incidents like ransomware. Six states, including Louisiana, Maryland, Michigan, Ohio, Texas, and Wisconsin, have active cyber corps programs, and several more are considering creating them by adopting model legislation.
  2. Cybersecurity clinics: These clinics, housed at colleges and universities, train students to deliver custom, pro bono cybersecurity assistance such as risk assessments to community organizations. Over 33 clinics operate in the US, providing free assistance to hundreds of local schools, utilities, nonprofits, cities, and small businesses each year, while training hundreds more students for cyber careers. States partner with these clinics to provide high-quality assessments to their small public infrastructure while investing in statewide workforce development.
  3. Nonprofit volunteering programs: These programs recruit expert volunteers from the private sector to provide free assistance to organizations in need, regardless of their location. Programs like the CyberPeace Builders serve nonprofits, while new initiatives like DEF CON Franklin and UnDisruptable27 focus on critical infrastructure like water and power. Thousands of private sector volunteers operate in these nonprofit programs nationwide each year.

These state and community partnerships offer essential, hands-on services to community organizations at no cost. They work together to weave a safety net that protects everyone, regardless of whether they face a national security threat or a local one. 

But programs at their current scale lack the capacity and geographic distribution to help every organization in the US that needs assistance. Without coordinated action between existing efforts and scaling their programs, widespread support for community organizations across the U.S. will remain out of reach. 

Extending the Impact of Cyber Volunteering

States and communities are already leading the charge by expanding cyber volunteering programs across the country, and there is more that the academic, nonprofit, and private sectors can do to support this burgeoning cyber safety net. 

First, cyber volunteering programs should double down on standardization and coordination. Currently, the maturity of cyber volunteering programs varies, resulting in some inconsistencies in the quality and scale of services offered to different locales. Volunteering programs themselves must coordinate across state lines; more established programs can centralize key template resources for others to learn from, strengthen hand-off procedures after engagements, and assist beneficiary organizations in finding full-time support, such as through a managed service or regional SOCs. These small interventions can dramatically boost trust in newer programs and aid the expansion of the cyber safety net. 

The UC Berkeley Center for Long-Term Cybersecurity and the CyberPeace Institute have taken the first step by launching the Cyber Resilience Corps volunteering platform at cybervolunteers.us, where anyone can get matched with a cyber volunteering opportunity, and beneficiaries can find volunteering programs to partner with. They have released a Roadmap to Community Cyber Defense, which outlines volunteering programs in detail and proposes key interventions to move community organizations above the cyber poverty line. Cyber volunteers will also convene in October in Madison, Wisconsin for Cyber Volunteering Day, an interactive convening in partnership with Wisconsin Emergency Management where boots-on-the-ground cyber defenders will share best practices and expand services for community infrastructure. 

To help these programs scale, cyber leaders across the public and private sectors must plug in to grow these networks. Companies can provide volunteers and funding to rapidly expand successful programs; for example, Google has invested over $20 million in cybersecurity clinics in the US and has helped support dozens of clinics worldwide. The lapse of the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) could diminish the federal funding available for expanding these cybersecurity defenses for state, local, and tribal entities. 

States may not have the same resources as the federal government, but they are, and will continue to be, the backbone of community cyber defense. Now is the time to invest in programs that will strengthen regional cybersecurity. 

This piece is part of an Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.

The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.

Sarah Powazek is the Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity (CLTC), where she leads flagship research on defending low-resource organizations like nonprofits, municipalities, and schools from cyber attacks. She serves as Co-Chair of the Cyber Resilience Corps, a network of cybersecurity volunteer organizations, and as Senior Advisor for the Consortium of Cybersecurity Clinics, advocating for the expansion of clinical cyber education around the world. Sarah hosts the Cyber Civil Defense Summit, an annual mission-based gathering of cyber defenders to protect the nation’s most vulnerable public infrastructure. Sarah previously worked at CrowdStrike Strategic Advisory Services, and as the Program Manager of the Ransomware Task Force at the Institute for Security and Technology. In her free time, Sarah is the Deputy Director of DistrictCon, a hacker conference based in D.C.

Grace Menna is a Public Interest Cybersecurity Fellow at the UC Berkeley Center for Long-Term Cybersecurity (CLTC) where she conducts public interest cybersecurity research and co-leads the Cyber Resilience Corps, a network of cyber volunteering efforts across the U.S. to defend community organizations, including nonprofits, municipalities, rural hospitals and water districts, K-12 schools, and small businesses from cyber threats. Previously, Grace supported global cyber capacity-building initiatives at the Atlantic Council’s Cyber Statecraft Initiative and, as a consultant, advised U.S. tech companies across policy, intelligence, trust & safety, and other security areas. Outside of her role at CLTC, she helps organize the policy track of the DC-based hacker conference, DistrictCon. 
