Podcast Summary: Data Security Decoded

Episode: Civilian Cyber Corps: Protecting Underfunded Organizations

Host: Caleb Tolan (Rubrik Zero Labs)
Guest: Michael Razik (2025 UC Berkeley Center for Long Term Cybersecurity Fellow)
Date: March 27, 2025

Overview

This episode explores the rise and role of Civilian Cyber Corps (C3s) in strengthening cybersecurity for underfunded organizations, especially local governments and small-to-midsize businesses. Host Caleb Tolan interviews Michael Razik, whose research maps the landscape, challenges, and successes of these innovative volunteer-driven groups. They discuss practical models, the “whole of society” approach, challenges of scalability, and the future potential of these grassroots cyber defense forces.

Key Discussion Points & Insights

1. What Are Civilian Cyber Corps?

[00:00 – 02:34]

Definition: C3s are groups of volunteers—students, cybersecurity professionals—offering cyber defense support to a range of beneficiaries (universities, nonprofits, local/state agencies).
Formations: From university cyber clinics to nonprofits like the Cyberpeace Institute, to state-run corps.
Emergence: Around five U.S. states currently have official C3s, with others considering adoption.
Mission: Address workforce shortages, insecure systems, and lack of funding in smaller orgs as well as in government bodies.
- Quote (Michael Razik, 02:34): “They all generally refer to a group of volunteers who might be students studying cybersecurity, or they might be cybersecurity professionals who provide volunteer services to a group of beneficiaries.”

2. The "Whole of Society" Approach

[05:05 – 07:04]

C3s exemplify “whole of society” cybersecurity—meaning everyone has a role: prevention, education, incident response, and more.
International Example: Estonia’s Cyber Defense Unit is a widely cited model.
U.S. Example: Ohio’s Cyber Reserve provided ransomware response for Cleveland and Columbus.
- Quote (Michael Razik, 07:04): “It’s really something that everyone has to pitch in and play their part to help solve.”

3. What Makes C3s Different From Other Initiatives?

[07:04 – 10:21]

Federal vs. State Action: Despite many federal attempts to build cyber volunteer forces, most progress occurs at the state level.
- Quote (Rep. Mike Gallagher, via Razik, 07:04): “Since 2013, we have tried to address the civilian and military Cyber Workforce Dilemma 45 times, and the country’s collective capabilities and readiness are seemingly no better because of it.”
Flexible Structure: Each state adapts the C3 to its regulatory and civic culture. Some are housed under IT departments, others under the National Guard.

4. How Can Organizations Start Their Own C3?

[11:09 – 13:59]

Models to Follow:
- Cyberpeace Builders (nonprofits)
- DEFCON’s Project Franklin (K-12 and utilities)
- Dragos OT-CERT (industrial sector)
- University Cyber Clinics
- ISACs (sector-wide information sharing)
Advice:
- Tap existing national and local volunteer initiatives to avoid starting from scratch.
- Invest for the long term; value builds over time.

5. Who Can Join & How Are Volunteers Supported?

[13:59 – 16:26]

Skill Levels:
- Most C3s need volunteers with baseline cyber skills.
- University clinics may start with less-experienced students.
- Non-technical roles (communications, training) are available.
  - Quote (Razik, 14:34): “You don’t necessarily need to be an expert in everything… there are a number of different avenues to get into cybersecurity that aren't all fingers on keyboard, that don’t all involve coding.”
Training:
- Most programs offer at least some onboarding; skill requirements vary by role and organization focus.
Getting Involved:
- CISA's High Risk Communities Portal is a useful entry point for both potential volunteers and organizations in need.
  - Quote (Razik, 16:26): “Sometime last year, CISA set up a website called High Risk Communities Portal that has links to different opportunities across different states.”

6. C3s in Action: Left and Right of "Boom"

[16:52 – 20:58]

Left of Boom: Preparation, risk assessments, training.
Right of Boom: Incident response, recovery, crisis support.
- University clinics focus more on prevention; state C3s often handle emergency response.
Speed & Impact: State-level C3s are “rapid response” teams, built to deploy quickly in emergencies.
- Quote (Razik, 19:58): “It’s a rapid response service. It has to be, it’s designed that way… these are all organizations that are used to being able to rapidly respond to emergencies…for them, this is just another type of emergency.”

7. Measuring C3 Success

[20:59 – 23:49]

Cost Savings: State C3s may cost ~$1 million/year—much less than the expense of major attacks.
- NetDiligence 2024 Report: Average cyberattack cost was over $1 million in 2023.
Beyond Dollars: Success should also be measured by:
- Unquantifiable loss prevention (e.g., critical data, community services).
- Stronger community resilience and operational continuity.
- Quote (Razik, 21:44): “I don’t think budget should be the only measurement… being able to share the stories… is just as important to demonstrate what these organizations do on a human level.”

8. Barriers to Scaling and Sustainability

[23:49 – 27:14]

Workforce Shortage: Recruiting, vetting, and retaining skilled volunteers is challenging, especially outside urban centers.
Legal Concerns: Liability remains a major challenge; some states mitigate risks via legislation or contracts.
- E.g., Wisconsin prefers volunteers who’ve passed federal background checks.
Resource Constraints: Smaller and less populous states may struggle to find enough qualified local volunteers.

9. The Future of Civilian Cyber Corps

[27:34 – 29:18]

Collaboration & Consolidation: Expect more partnerships between C3 organizations for greater efficiency and reach.
- Cyber Resilience Corps: An emerging network uniting different C3s, sponsored by CyberPeace Institute and UC Berkeley.
- Quote (Razik, 28:23): “They’ll be able to more efficiently distribute services, partner with each other, and help each other to scale…that’s what I think we’ll see going forward.”

Notable Quotes & Memorable Moments

On “Whole of Society” in Cybersecurity (07:04):
“It’s really something that everyone has to pitch in and play their part to help solve.”
— Michael Razik
On the Urgency and Uniqueness of C3s (07:04):
“Since 2013, we have tried to address the civilian and military Cyber Workforce Dilemma 45 times, and the country’s collective capabilities and readiness are seemingly no better because of it.”
— Rep. Mike Gallagher, quoted by Razik
On C3s as “Cyber Firefighters” (20:54):
“They’re literally like cyber firefighters.”
— Caleb Tolan
On the Value of Impact Stories (21:44):
“Being able to share the stories… is just as important to demonstrate what these organizations do on a human level.”
— Michael Razik

Timestamps for Key Segments

00:00 – Defining Civilian Cyber Corps, current landscape
05:05 – The “Whole of Society” model, real-world examples
07:04 – What sets C3s apart from previous cyber initiatives
11:09 – How to start or join a C3; practical models in the field
13:59 – Who volunteers, what training/support looks like
16:52 – C3 roles: prevention vs. incident response (“left/right of boom”)
20:59 – Measuring success: cost savings, risk mitigation, human impact
23:49 – Key challenges: scaling, legal issues, workforce
27:34 – Future outlook: expansion, collaboration, and C3 networks

Final Takeaways

Civilian Cyber Corps are a promising grassroots solution for plugging gaps in cybersecurity, especially for under-resourced entities.
Varied models (state, nonprofit, university) allow for flexibility and adaptation.
Success depends on strategic investment, volunteer recruitment, thoughtful legal frameworks, and cross-sector collaboration.
The future points toward a more unified network of C3s, scaling reach, expertise, and impact.

For more resources and to get involved:

CISA’s High Risk Communities Portal (find volunteer and beneficiary opportunities)
Relevant reports: NetDiligence 2024, Rubrik Zero Labs' data risk report

This episode provides both strategic and practical insights for policymakers, IT leaders, and cybersecurity professionals looking to bolster digital resilience in their communities.

Podcast Summary: Data Security Decoded

Episode: Civilian Cyber Corps: Protecting Underfunded Organizations

Host: Caleb Tolan (Rubrik Zero Labs)
Guest: Michael Razik (2025 UC Berkeley Center for Long Term Cybersecurity Fellow)
Date: March 27, 2025

Overview

Key Discussion Points & Insights

1. What Are Civilian Cyber Corps?

[00:00 – 02:34]

Definition: C3s are groups of volunteers—students, cybersecurity professionals—offering cyber defense support to a range of beneficiaries (universities, nonprofits, local/state agencies).
Formations: From university cyber clinics to nonprofits like the Cyberpeace Institute, to state-run corps.
Emergence: Around five U.S. states currently have official C3s, with others considering adoption.
Mission: Address workforce shortages, insecure systems, and lack of funding in smaller orgs as well as in government bodies.
- Quote (Michael Razik, 02:34): “They all generally refer to a group of volunteers who might be students studying cybersecurity, or they might be cybersecurity professionals who provide volunteer services to a group of beneficiaries.”

2. The "Whole of Society" Approach

[05:05 – 07:04]

C3s exemplify “whole of society” cybersecurity—meaning everyone has a role: prevention, education, incident response, and more.
International Example: Estonia’s Cyber Defense Unit is a widely cited model.
U.S. Example: Ohio’s Cyber Reserve provided ransomware response for Cleveland and Columbus.
- Quote (Michael Razik, 07:04): “It’s really something that everyone has to pitch in and play their part to help solve.”

3. What Makes C3s Different From Other Initiatives?

[07:04 – 10:21]

Federal vs. State Action: Despite many federal attempts to build cyber volunteer forces, most progress occurs at the state level.
- Quote (Rep. Mike Gallagher, via Razik, 07:04): “Since 2013, we have tried to address the civilian and military Cyber Workforce Dilemma 45 times, and the country’s collective capabilities and readiness are seemingly no better because of it.”
Flexible Structure: Each state adapts the C3 to its regulatory and civic culture. Some are housed under IT departments, others under the National Guard.

4. How Can Organizations Start Their Own C3?

[11:09 – 13:59]

Models to Follow:
- Cyberpeace Builders (nonprofits)
- DEFCON’s Project Franklin (K-12 and utilities)
- Dragos OT-CERT (industrial sector)
- University Cyber Clinics
- ISACs (sector-wide information sharing)
Advice:
- Tap existing national and local volunteer initiatives to avoid starting from scratch.
- Invest for the long term; value builds over time.

5. Who Can Join & How Are Volunteers Supported?

[13:59 – 16:26]

Skill Levels:
- Most C3s need volunteers with baseline cyber skills.
- University clinics may start with less-experienced students.
- Non-technical roles (communications, training) are available.
  - Quote (Razik, 14:34): “You don’t necessarily need to be an expert in everything… there are a number of different avenues to get into cybersecurity that aren't all fingers on keyboard, that don’t all involve coding.”
Training:
- Most programs offer at least some onboarding; skill requirements vary by role and organization focus.
Getting Involved:
- CISA's High Risk Communities Portal is a useful entry point for both potential volunteers and organizations in need.
  - Quote (Razik, 16:26): “Sometime last year, CISA set up a website called High Risk Communities Portal that has links to different opportunities across different states.”

6. C3s in Action: Left and Right of "Boom"

[16:52 – 20:58]

Left of Boom: Preparation, risk assessments, training.
Right of Boom: Incident response, recovery, crisis support.
- University clinics focus more on prevention; state C3s often handle emergency response.
Speed & Impact: State-level C3s are “rapid response” teams, built to deploy quickly in emergencies.
- Quote (Razik, 19:58): “It’s a rapid response service. It has to be, it’s designed that way… these are all organizations that are used to being able to rapidly respond to emergencies…for them, this is just another type of emergency.”

7. Measuring C3 Success

[20:59 – 23:49]

Cost Savings: State C3s may cost ~$1 million/year—much less than the expense of major attacks.
- NetDiligence 2024 Report: Average cyberattack cost was over $1 million in 2023.
Beyond Dollars: Success should also be measured by:
- Unquantifiable loss prevention (e.g., critical data, community services).
- Stronger community resilience and operational continuity.
- Quote (Razik, 21:44): “I don’t think budget should be the only measurement… being able to share the stories… is just as important to demonstrate what these organizations do on a human level.”

8. Barriers to Scaling and Sustainability

[23:49 – 27:14]

Workforce Shortage: Recruiting, vetting, and retaining skilled volunteers is challenging, especially outside urban centers.
Legal Concerns: Liability remains a major challenge; some states mitigate risks via legislation or contracts.
- E.g., Wisconsin prefers volunteers who’ve passed federal background checks.
Resource Constraints: Smaller and less populous states may struggle to find enough qualified local volunteers.

9. The Future of Civilian Cyber Corps

[27:34 – 29:18]

Collaboration & Consolidation: Expect more partnerships between C3 organizations for greater efficiency and reach.
- Cyber Resilience Corps: An emerging network uniting different C3s, sponsored by CyberPeace Institute and UC Berkeley.
- Quote (Razik, 28:23): “They’ll be able to more efficiently distribute services, partner with each other, and help each other to scale…that’s what I think we’ll see going forward.”

Notable Quotes & Memorable Moments

On “Whole of Society” in Cybersecurity (07:04):
“It’s really something that everyone has to pitch in and play their part to help solve.”
— Michael Razik
On the Urgency and Uniqueness of C3s (07:04):
“Since 2013, we have tried to address the civilian and military Cyber Workforce Dilemma 45 times, and the country’s collective capabilities and readiness are seemingly no better because of it.”
— Rep. Mike Gallagher, quoted by Razik
On C3s as “Cyber Firefighters” (20:54):
“They’re literally like cyber firefighters.”
— Caleb Tolan
On the Value of Impact Stories (21:44):
“Being able to share the stories… is just as important to demonstrate what these organizations do on a human level.”
— Michael Razik

Timestamps for Key Segments

00:00 – Defining Civilian Cyber Corps, current landscape
05:05 – The “Whole of Society” model, real-world examples
07:04 – What sets C3s apart from previous cyber initiatives
11:09 – How to start or join a C3; practical models in the field
13:59 – Who volunteers, what training/support looks like
16:52 – C3 roles: prevention vs. incident response (“left/right of boom”)
20:59 – Measuring success: cost savings, risk mitigation, human impact
23:49 – Key challenges: scaling, legal issues, workforce
27:34 – Future outlook: expansion, collaboration, and C3 networks

Final Takeaways

Civilian Cyber Corps are a promising grassroots solution for plugging gaps in cybersecurity, especially for under-resourced entities.
Varied models (state, nonprofit, university) allow for flexibility and adaptation.
Success depends on strategic investment, volunteer recruitment, thoughtful legal frameworks, and cross-sector collaboration.
The future points toward a more unified network of C3s, scaling reach, expertise, and impact.

For more resources and to get involved:

CISA’s High Risk Communities Portal (find volunteer and beneficiary opportunities)
Relevant reports: NetDiligence 2024, Rubrik Zero Labs' data risk report

This episode provides both strategic and practical insights for policymakers, IT leaders, and cybersecurity professionals looking to bolster digital resilience in their communities.

wavePod

Civilian Cyber Corps: Protecting Underfunded Organizations

Powered by Wave AI

Summary

Podcast Summary: Data Security Decoded

Episode: Civilian Cyber Corps: Protecting Underfunded Organizations

Overview

Key Discussion Points & Insights

1. What Are Civilian Cyber Corps?

2. The "Whole of Society" Approach

3. What Makes C3s Different From Other Initiatives?

4. How Can Organizations Start Their Own C3?

5. Who Can Join & How Are Volunteers Supported?

6. C3s in Action: Left and Right of "Boom"

7. Measuring C3 Success

8. Barriers to Scaling and Sustainability

9. The Future of Civilian Cyber Corps

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Final Takeaways

Summary

Podcast Summary: Data Security Decoded

Episode: Civilian Cyber Corps: Protecting Underfunded Organizations

Overview

Key Discussion Points & Insights

1. What Are Civilian Cyber Corps?

2. The "Whole of Society" Approach

3. What Makes C3s Different From Other Initiatives?

4. How Can Organizations Start Their Own C3?

5. Who Can Join & How Are Volunteers Supported?

6. C3s in Action: Left and Right of "Boom"

7. Measuring C3 Success

8. Barriers to Scaling and Sustainability

9. The Future of Civilian Cyber Corps

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Final Takeaways