B (4:10)

Very interesting. Yeah, I mean, I can totally see where, you know, particularly underfunded industries or, you know, organizations even in an industry where maybe just for some reason based off of their location or any given circumstances, don't have the same resources that a larger institution has, how something like a civilian cyber corps could really, really help bolster the cyber posture of that organization. So, you know, this is a sentiment that I read in your paper, and I've heard plenty of other cybersecurity leaders out there say this, but it's, you know, this idea we should. Everybody's like a cyber warrior. You know, actually, we had a. We had an episode several months back with Renata Spinks where she. She talked about how everybody is a war fighter in. In cybersecurity. And your report specifically says we must take a who society approach to cybersecurity. Everybody participates in that.

A (5:05)

Right.

B (5:06)

So what are some of the successful C3 initiatives that you've studied? It sounds like there's probably some in the U.S. and some even outside of the U.S. you know, what sets apart the successful ones from the ones that fizzled out? How do they incubate this, like, whole of society approach to cybersecurity that you mentioned in your paper?

A (5:24)

I think you really hit the nail on the head when you said that everyone has A role to play. And that's the, that's effectively what the whole society approach is. And early on, I think a lot of studies around Civilian Cyber Corps tended to focus on Estonia and their Cyber Defense unit, which is a civilian volunteer organization that is set up and provides all the services that I mentioned, preventive and reactive. So you might think about things like vulnerability and risk assessments. You might think about education and training and even incident response services. And it really stems from the idea that this is a large scale societal problem and it's not something that a single government agency or a handful of private sector organizations can solve on their own. It's really something that everyone has to pitch in and play their part to help solve. And so where in the US you've seen this come up recently, just in the past year, there was some press coverage around Ohio's Cyber Reserve, which was deployed to assist in response to ransomware attacks on the city of Cleveland and the city of Columbus. Those were both well reported. But there are a number of other engagements that come up with where civilian Cyber Corps might help at the state level. And it could be something as simple as a nonprofit or local agency or organization looking to conduct a risk assessment or maybe to set up or enhance an incident response plan.

B (7:04)

Something that I've really appreciated about civilian Cyber Corps and learning more about them is just like how they can, you know, have different impacts at different levels within different organizations. There's, it's such a, like, versatile solution that I think, you know, it offers a lot to, to us as a society. So something that your report outlines, this was a quote from Representative Mike Gallagher of Wisconsin in 2023 congressional hearing. He said, Since 2013, we have tried to address the civilian and military Cyber Workforce Dilemma 45 times, and the country's collective capabilities and readiness are seemingly no better because of it. That's a bit of a provocative statement. And so something that I kind of wondered as we were reading a bit more about civilian Cyber Corps is What makes this C3 initiative any different than those 45 initiatives proposed through Congress? Are there legal or liability concerns or specific regulations that organizations need to be aware of if they were trying to deploy something like this?

A (8:08)

So there are definitely some concerns that can be worked through, but I think it's important to note that that statement, I believe, was specifically geared toward federal efforts. And so in a lot of ways, you might think about this like the privacy space where there have been multiple attempts to pass comprehensive federal privacy laws that haven't quite succeeded. But in the meantime, a Large number of states have passed privacy laws. So this is a similar scenario where the federal government authorized funds to be allocated for an assessment of the feasibility of a federal civilian Cyber Corps. A DOD pilot was authorized. As far as I know, not much has been done in terms of action, in terms of bringing the federal efforts to fruition. But in the meantime, several states have taken action on their own because they have the power to, they have the talent within their, within their state to help address some of these issues. So they've been able to do this in different ways. Depending on the state. The civilian Cyber Corps might be set up under a department of IT or Homeland Security, or it might be set up under a state National Guard. And what that setup looks like really depends on the local political culture, the legal culture of the legal frameworks within a state, and even just the civic culture within a state. They all influence the setup of a civilian Cyber Corps. So there isn't one right answer. But you do see common trends and you see common concerns around things like liability, which you mentioned, and how that should be addressed, or being able to properly vet and recruit volunteers, especially if volunteers will be going and doing work within a beneficiary's IT environment, the, whoever the beneficiary organization is will want to know that the volunteers have gone through some sort of a background check or have some base level of training. So, so there are common issues that come up, even despite the slightly different approaches that different states take. Right.

B (10:21)

And I mean, most of the examples we've talked about seem to be like a state sponsored to some extent. And, and of course, you know, public sector organizations can definitely, it seems, benefit from this concept of C3S. Also, you know, smaller businesses or businesses that may just not necessarily have access to the same resources as a, as a larger, more enterprise ready company. Those types of companies can all benefit from this too. So how can an organization like a state and state or local government, small, medium sized business get started informing their own C3? And is there a clear structure for how once a C3 is established, how that coordinates with the kind of like parent organization or the one that initiated it, whether that be the state or the business or what have you?

A (11:09)

Sure. There really are different models that can be taken. And I think taking the definition of a C3 broadly, I don't know if you've read the book the Ransomware Hunting Team by Renee Dudley and Daniel golden, but it talks about a group of, I think five or six individuals who came together online and started coordinating to essentially develop DECRYPTORS to ransomware and distribute them to organizations impacted by ransomware attacks. And, you know, it's hard to think of a better example of, you know, of civilian engagement and helping to improve cyber defense than that. But I think at the organizational level, a couple good models come to mind. So one is Cyberpeace Builders, which is run by the Cyberpeace Institute, and that allows individuals to volunteer. And I believe right now it's mostly geared toward nonprofits, but there's a wide range of nonprofits that provide an even wider range of services, and individuals can volunteer through that organization, or organizations can receive support directly through that program. There are also other initiatives like defcon's Project Franklin, which launched last year and that's focused on K12 education and water and wastewater treatment. They recently, I think they recently partnered with municipal water utility in Waterbury, Vermont to help conduct risk assessments. So there are different initiatives like that that organizations can get involved with. And depending on the industry or sector, there may even be some other opportunities. For example, in the industrial space, the cybersecurity firm Dragos has what they call OT cert, which is meant to bring together different organizations in the industrial sectors for information sharing to help to help them improve. So there are all sorts of different models. And then there are also the ISACs that also bring together different actors and take on roles to varying degrees. So I think, for starters, organizations thinking about starting C3 should look at some of those existing opportunities. And then beyond that, it really depends on the resources that they have internally, both in terms of funding, in terms of focus. I think another important factor is to make sure that whatever they do decide to get involved with that, they're taking a long term view of it because it is something that takes investment and will bear fruit over time.

B (13:59)

And I imagine that these programs that have started so far probably have a mix of people. You correct me if I'm wrong, but my assumption would be they kind of have a mix of people who are existing technologists, who have familiarity with cybersecurity best practices, things like that, and then other people who just want to help and, you know, to better their communities, if you will. One is that assumption kind of true? And if there are those people who maybe not, you know, they don't, they don't have that background in cybersecurity and they need a bit of education, what kind of like training and support do these volunteers get to make sure that they can perform in these roles?

A (14:34)

Sure. So that really depends on the program. And I think for a lot of the civilian cyber corps and for the type of work that they're doing, you need people who have some sort of skills. And you know, you, you don't necessarily need to be an expert in everything. A lot of the programs offer training. But I think you do need to come with a certain skill set to be able to contribute. And what those skills need to be depend on the type will dictate the type of activities that you'll be involved in. For example, if you are focused on, if you are in the GRC space governance, risk and compliance, then maybe you're working on risk assessments, but maybe you're not working on incident response. I think one exception to that might be in the university space. So there are a number of university cybersecurity clinics that fall under the umbrella of the Consortium of Cybersecurity Clinics now across the US and those are geared towards students who are, you know, and I think even, even a lot of students will have some base level of knowledge because they're probably in the field. But there are a number of different avenues to get into cybersecurity that aren't all fingers on keyboard, that don't all involve coding. So there are people that come from different backgrounds and have different skill sets.

B (15:58)

Right. Even probably like, you know, hosting security trainings. I'm sure, you know, somebody with like more of like a, you know, communication kind of background that is, you know, something that's very much not like the technologist skill set. Skill set, yeah, I'm sure plenty of technologists out there, you know, have great communication skills, of course, but you know, that, you know, if somebody wanted to get involved in just helping these communities and maybe they don't have the technology background, that could be a good way for them to get involved.

A (16:26)

And one thing that I'll also make the pitch for is CISA's High Risk Communities portal. So that's one more way to get involved. Sometime last year, CISA set up a website called High Risk Communities Portal that has links to different opportunities across different states. For those who want to find out more about cyber volunteering, whether as a beneficiary or as a volunteer to get involved.

B (16:52)

Yes, that is a great recommendation. We'll definitely include that in the show notes for anybody who's listening too, just, you know, check those out and get involved if you'd like to. Awesome. So that's a great recommendation. And you know, going into how these organizations kind of operate, you've kind of described to me how C3s help support organizations in both left and Right of boom, which was, you know, a term you taught me. I, I really was interested in that one. So where do you see, tend to see that C3s are most effective in organizations that they work for? Is it in that preparation and education phase? Is it during the actual incident response? Is it in those, you know, GRC audits and things like that? Or is it kind of a mixture.

A (17:38)

Of all of us?

B (17:38)

What's your opinion there?

A (17:39)

Sure, sure. And if it makes you feel better, I learned left of boom, right of boom as I was doing this research, so it was new to me too. But it's essentially looking at the preventive services before there's an incident, so making sure that the cyber house is in order and then right of boom being after an incident, working on incident response recovery, the services that the cyber, that the cyber volunteers provide can really run that gamut. And I think rather than saying civilian cyber corps as a whole are better at one side of the boom than the other, I think that different types of volunteer organizations might be structured more appropriately for one or the other. So, for example, I think a lot of the university cybersecurity clinics tend to do more left of boom activities. And you can think about, you know, I mean, maybe something as simple as the fact that, you know, schools have summer break and so you'll probably, you might have less students over, over the summer. Right. And so if you're a state civilian cyber corps and you have cybersecurity professionals that are staffed or volunteering year round, and that gives you a bit more flexibility to do incident response work. And so I think it's still early on. So a lot of organizations are trying different things. And I think over the next several years, we'll start to see a bit more specialization as organizations come together and say maybe university cyber clinics are best place for X services and state civilian cyber corps are best place for Y services, I think we'll see a lot more of that collaboration and a lot more distribution of work along those lines based on who is most, who is best able to provide the services.

B (19:41)

And out of curiosity, for those organizations that are a bit more specialized in the right of boom kind of category, how quickly for an organization that is deploying a C3 mobilized during a major cybersecurity incident, what does that look like on the ground?

A (19:58)

Sure. And so from the interviews that I've had from the, from the discussions with people who are actively involved in some of the different civilian cyber corps, it's, it's, it's, it's a rapid Response service. It has to be, it's designed that way. And at least at the state level, we were talking about organizations that are formed under departments of it, Departments of Emergency Management under the National Guard. So these are all organizations that are used to being able to rapidly respond to emergencies. And so for them, this is just another type of emergency and in some cases the same type of emergency. Right. Because the National Guard and state IT departments may already provide some of these services. And so it sits well within what they're used to doing and they're able to quickly respond to organizations and get them the support that they need. Right, right.

B (20:54)

That's great. That's great. They're literally like cyber firefighters. Exactly.

A (20:58)

I love it.

B (20:59)

Awesome. So, I mean, looking at how you measure the success of a C3 program, one of the things you had in your report was, or your paper was that state C3s can cost around 1 million annually. So only a few deployments can offset the costs of these organizations or entities would otherwise, you know, spend on a third party service. Um, what kind of level of savings can organizations expect, you know, by leveraging something like a C3? And is that the best measurement for the success of a C3 program? Is that, is it budget? Is it mitigated risk? Is it something else? How, how are you, how do you recommend measuring that? Or how have you, as you've spoken to the people who are participating in leading these, how do people measure the success of these programs?

A (21:44)

Sure. So there was a report from Netdiligence that comes out annually and 20 their from their 2024 report, that was a look back at 2023. The average cost of a cyber attack was over a million dollars. And so you might, you can go from there to look at any of the reports that different states put out at the number of cyber attacks and say, okay, well you know, if there were X number of cyber attacks and the average is around over a million dollars, here, here's the subcategory of services that the volunteers tend to provide. And it can offset these costs over a certain amount of time. And I think that's especially true if you look at the state level because the state has the resources to continue to support these over a long time horizon. I don't think that's the best measure necessary or at least should be the only measurement of success. Right. Because you might have a small business or a small nonprofit that is victim, that falls victim to a cyber attack. And in terms of dollars, maybe the savings isn't, isn't necessarily high. But maybe in terms of preventing critical data from being lost. Right. How do you. How do you. How do you value that? Or in terms of making sure that that business that serves a community is able to continue to operate? Right. There's some intangible value. So I think the quantitative measures of success are definitely important, but I think this is also a space where capturing the qualitative measures are just as important. And being able to share the stories like the one I mentioned about the Ohio Cyber Reserve helping to respond to ransomware attacks in cities in that state are just as important to demonstrate this is what these organizations do on a human level, and this is how they impact communities. Right.

B (23:49)

I mean, yeah, that totally makes sense. I mean, mitigating risk, like, how do you measure that? Is definitely something that's a big topic of conversation. I mean, just last year, Rubrik zero Labs, I mean, we released a report last year all about measuring your data's risk and how you go about that. So if you know, anyone listening hasn't already checked that out, you definitely should. But, yeah, I know that's. It's challenging. It's challenging, but a worthwhile conversation for sure. So what are some of the major challenges in scaling C3s across states and ensuring that this is like a sustainable model? And then kind of as a secondary part, too, how can these challenges be addressed and expand the reach and the impact of C3 so that more organizations can adopt this kind of model?

A (24:36)

There are a few challenges that I think are common across the different types of C3. So whether it's the university cyber clinic or a nonprofit, or if it's a state, civilian cyber corps, and one is recruiting and vetting. Right. So especially given the cybersecurity workforce shortage that we talked about, it may be difficult to bring people in. It may be difficult to bring qualified people in. And then it may be difficult to establish a process of background checks to make sure that you have the security that you need when you're deploying volunteers for something like incident response. So that's one challenge. And it also takes time. It takes time and resources to be able to do that as well. And then if you're in a smaller state or a less populated state or region, then it becomes even more difficult because maybe you don't have the same number of professionals within the state who can help. And so then there are questions about, you know, should. Should you open it up to people outside of the state? So. So those are some of the initial concerns. Liability is also a big one. Potential liability for Volunteers that are providing these services that can be addressed through contracts. So contracts between the volunteer organization and beneficiaries, contracts between the hosting organization and the volunteers, it can be addressed by law. So some of the state civilian Cyber corps, and this is what I had mentioned earlier as a benefit of some of the state civilian Cyber Corps is states can pass laws. States can issue executive orders that provide some sort of legal protection outside of just having a contract. So that's one, that's one benefit to that model. And in terms of how those issues are addressed, they are addressed in those ways. So some states have passed laws to address liability. Some states and the private organizations use contracts to address different issues in terms of workforce vetting and recruiting. I've seen different creative solutions there. For example, Wisconsin tends to favor applicants that have gone through or that are part of the federal government's infra guard program because those individuals will have already gone through a background check for the federal government.

B (27:14)

Yeah, I mean, it's, you know, definitely doesn't seem like a super necessarily clear path forward, but yeah, this is such a fascinating thing that I think can really help progress the conversation of how everybody can be involved in improving.

A (27:34)

Our.

B (27:35)

Country'S cyber posture, which is so, so important as we rely so much on critical infrastructure and that world is intertangling with cyber. So so much. Well, Michael, this has been awesome. This has been a fantastic conversation. And before you go, I do have one more question for you. And it's, you know, looking forward you've mentioned, I mean, I can't even begin to count how many different examples of civilian cyber corps that you've mentioned so far just here in the US alone. And I know there's more outside of the US too. How do you see, like the role of these volunteer cybersecurity forces evolving here in the US broadly. And like, you know, looking ahead, what do you see is the future for this model and for, for these types of organizations?

A (28:23)

Sure. I think these organizations will come together and I think they'll be able to more efficiently distribute services, partner with each other and help each other to scale. And I think one or one, one initiative that is bringing together a lot of those organizations is the Cyber Resilience Corps, which is a partnership between the Cyberpeace Institute that I mentioned and UC Berkeley center for Long Term Cybersecurity. And that's sponsored by Craig and Mark Philanthropies. So I think that's one effort that will bring a lot of the organizations together. And that's what I think we'll see going forward is more collaboration, more scaling, and more efficient delivery of services.

B (29:18)

That sounds like a great future and one that I think all of us would like to see come to fruition very, very soon. So I love it. I love an optimistic outlook. And Michael, thank you so much for spending some time with us today. I know this is a really interesting concept. I know it was new to me before we got to know each other a little bit more. I think our audience is going to get a ton of value out of this. So thank you so much for sharing your insights and hopefully we can have another conversation about this very soon.

A (29:46)

Thanks for having me.