The Lawfare Podcast – Lawfare Daily: State Cyber Corps and Volunteer Programs

Date: October 28, 2025
Host: Justin Sherman (Contributing Editor at Lawfare, CEO of Global Cyber Strategies)
Guests: Sarah Pawasik (Director, Public Interest Cybersecurity Program, UC Berkeley’s Center for Long-Term Cybersecurity), Michael Ruzik (Cybersecurity & Privacy Attorney, Non-resident Fellow, UC Berkeley CLTC)

Overview

This episode investigates the rise and operation of state-level Cyber Corps and volunteer cyber defense programs in the U.S., exploring how states are responding to increasing cyber threats, resource shortfalls, and federal cutbacks by leveraging local volunteers. The discussion covers the threat landscape for small and under-resourced organizations, explains the structure and operation of state cyber volunteer programs, and offers practical insights about their challenges, successes, and policy implications at both state and federal levels.

Key Discussion Points & Insights

1. Defining the Problem: Cyber Threats to States and Communities (06:41–09:11)

• Expansion of "state cybersecurity":
  Traditionally, state cybersecurity referred to protecting state government networks, but the focus is widening to include all critical organizations relied upon by state residents, including municipalities, schools, nonprofits, small utilities, and even food banks.

  "We’re starting to talk about state cybersecurity [as] who lives in this state, what organizations do they rely on, and how can we protect all those organizations?" — Sarah Pawasik (06:41)

• Primary challenge:
  Small organizations often lack even basic IT staff, making implementation of security controls nearly impossible.

  "Nearly half of the nonprofits we surveyed had no full-time IT, let alone cybersecurity staff whatsoever." — Sarah Pawasik (08:15)

• Volunteer gap:
  Even the best tools can’t substitute for qualified personnel, and scaling human assistance is prohibitively difficult for resource-constrained organizations.

2. Understanding State Cyber Corps & Volunteer Programs (10:13–11:23)

• Core concept:
  State Cyber Corps and similar programs are described as the "volunteer firefighters" of cybersecurity—professional volunteers, led by a state agency, providing both preventive and reactive services to public or critical organizations:

  "What they're all getting at are essentially the equivalent of volunteer firefighters. These are groups of volunteer cybersecurity professionals led by a state agency." — Michael Ruzik (10:13)

• Alternatives and limitations:
  Traditional resources are insufficient; National Guard units, FBI partners, and state CISOs are spread thin and can't meet the scale of the problem.

  "A lot of states aren’t well equipped... They just don’t have enough people to help solve the problem." — Michael Ruzik (11:51)

• Emergency management parallel:
  Cyber is becoming accepted as another form of disaster that should be met with similar rapid, organized response.

  "Most states have a Department of Emergency Management... That has not traditionally extended to things like cyber attacks, even though they can have similarly devastating consequences." — Sarah Pawasik (13:52)

3. The Current State of State Cyber Volunteer Programs (17:03–19:42)

• Adoption status:
  At least seven states have fully functional civilian Cyber Corps: Louisiana, Maryland, Michigan, Ohio, Texas, Wisconsin, and Virginia.

• Growth and models:
  The concept is proven and spreading, with national and international analogues (e.g., EU pilot).

  "We have around seven states that have some form of a civilian cyber corps today... And it’s been working for, in some cases, several years." — Michael Ruzik (17:03) "This is not a pilot. This is a program that has successfully expanded to seven states." — Sarah Pawasik (19:25)

4. How Programs Operate: Recruitment, Training, and Engagement (20:42–22:54)

• Recruitment and vetting:
  Volunteers are vetted and typically must meet minimum technical and background qualifications, sometimes via federal background checks.

• Retention challenges:
  Maintaining engagement over time is essential. Strategies include regular trainings, networking, and civic engagement opportunities.

  "Wisconsin now has, I believe, over 400 members..." — Michael Ruzik (21:43) "Retention can be difficult... but one helpful thing is having some sort of frequent engagement." — Michael Ruzik (22:17)

5. Case Study: The Wisconsin Cyber Response Team (22:54–26:35)

• Example response:
  Wisconsin's Cyber Response Team rapidly deployed after a ransomware attack destroyed a county's network and backups, handled forensic analysis, migrated accounts to new environments, and supported post-incident reviews and resilience planning.

  "They responded under the Wisconsin Department of Emergency Management... to assess the situation... and did forensic analysis ...implementing multi-factor authentication... helped [rebuild] their Microsoft 365 environment..." — Sarah Pawasik (24:16)

• Long-term resilience:
  The team didn’t just remediate the attack but also conducted a two-week penetration test and built plans for future incident response.

6. Strengths and Limits of Volunteer Cyber Corps (30:25–35:57)

• Best fits:
  Well-suited for IT security incidents, especially for small, under-resourced entities (cities, non-profit orgs, K-12, etc.).

• Limitations:

  • Less adept at handling operational technology (OT) incidents due to required specialized knowledge.

    "When it comes to OT, it can be more challenging because you may be dealing with industrial control systems... that require more specialized knowledge." — Michael Ruzik (30:38)

  • Not intended for responding to nation-state attacks, APTs, or espionage—these are better handled by federal or specialized actors.

    "I don’t think that these groups will be the best option for that, especially if we're talking about espionage or spyware." — Sarah Pawasik (35:21)

• Coverage gaps:
  Some state programs limit which sectors or organizations they serve, often due to statutory or funding boundaries.

7. Practical Steps for States (38:00–39:42)

• Starting a program:

  • Connect with officials in states already running programs.
  • Use existing resources like model legislation (see Ruzik's New America report for a model bill).

  "We connect some of the people with officials in other states... [and] send them resources like the roadmap..." — Michael Ruzik (38:00)

  • Address legal authority and liability issues up front.

• Scaling and sustaining:
  Overcome hurdles in volunteer authorities, training, liability, and retention.

8. Federal Policy Landscape & State Challenges (39:42–46:23)

• Federal cutbacks:
  Recent federal resource reductions (notably at CISA) and a shift of cybersecurity burden to states make these programs even more critical.

  "...the federal government has signaled... this is state’s responsibility... They really... are not really prepared to take on [it]..." — Sarah Pawasik (41:09)

• Program sustainability:
  Reauthorization of state/local cybersecurity grants is uncertain but essential; Secure by Design initiatives at CISA are promising for improving ecosystem-wide security for under-resourced entities.

• Policy recommendations:

  • Renew and expand federal state-and-local cyber grants (SLCGP).
  • Continue federal support through Secure by Design/default initiatives.
  • Encourage pilot programs and information sharing at all government layers.

Notable Quotes & Memorable Moments

• On the challenge for small orgs:

  "The tools that exist right now just aren't created for beginners and non-experts. They're not created for the gym teacher. Right. A gym teacher is not going to be able to use CrowdStrike's Falcon tool." — Sarah Pawasik (08:41)

• On why state-level response matters:

  "Nobody is coming to help. The federal government is focused on national security... Those resources do not really extend to states as far as having a team that can actually land on the ground and help..." — Sarah Pawasik (14:18)

• On volunteers as a force multiplier:

  "The idea of a state hiring an entire staff of full time [cyber] folks... we're just not in that space yet. So being a program that only takes a few full time staff to manage and then a group of volunteers who donate their time, you're able to start a program relatively cheaply..." — Sarah Pawasik (31:31)

• On program limits:

  "Responding to APTs and other nations’ attacks... these groups will [not] be the best option for that, especially if we're talking about espionage or spyware... [They’re better for] commercially motivated cyber attacks." — Sarah Pawasik (35:21)

• On federal funding uncertainty:

  "The SLCGP... is now up in the air, even though it has great bipartisan support, so we hear. So those resources are drying up. I desperately hope that the SLCGP gets reauthorized. It has been absolutely transformational for states..." — Sarah Pawasik (41:10)

Timestamps for Key Segments

• Defining the threat landscape & small orgs: 06:41–09:17
• What is a state cyber corps/volunteer program? 10:13–13:52
• Current program landscape/adoption: 17:03–19:42
• Program operations, recruitment, retention: 20:42–22:54
• Wisconsin Cyber Response Team case study: 22:54–26:35
• Strengths/limits: OT & organization types: 30:25–35:57
• Starting/scaling a program: 38:00–39:42
• Federal support and policy context: 39:42–46:23

Conclusion

The episode underscores the urgent need for state-based, volunteer-driven cyber response programs as cyber threats multiply and federal support wanes. These programs offer an agile, cost-effective force multiplier for defending the small organizations that form the backbone of critical services. While not a panacea—especially for OT environments or advanced nation-state threats—they fill a crucial, growing gap in U.S. cyber defense, combining technical volunteerism with local knowledge and community engagement. As more states look to build or expand such efforts, shared resources, model legislation, and continued advocacy for federal support are essential for future resilience.