Sarah Pawasik

We will answer your call as soon as we can.

Advertisement Voice

Are you still running your business? With one creaky old phone system, missing calls, losing track of messages, and scrambling to keep up with your team? It's time to break up with the past and say hello to Quo. Quo is the number one business phone system with 4.7 stars across 3,000 reviews on G2, Quo brings all your business phone calls and texts into one app for your team. No more juggling devices or being tied to a landline. Quo's built in AI logs calls, creates summaries, automates follow ups, and can even answer and route calls so you never miss an opportunity. Whether you're a solo operator or leading a growing team, Quo keeps you connected and helps you deliver standout customer experiences. Join over 90,000 businesses using Quo and see why it's the one business phone system for customer satisfaction. Level up your workflow with quo. Get started free plus get 20% off your first six months at quo.comtech that's quo spelled q u o.com tech and if you have existing numbers with another service, Quo will port them over for free. No missed calls, no missed customers if you're a maintenance supervisor at a manufacturing facility and your machinery isn't working right, Grainger knows you need to understand what's wrong as soon as possible. So so when a conveyor motor falters, Grainger offers diagnostic tools like calibration kits and multimeters to help you identify and fix the problem. With Grainger, you can be confident you have everything you need to keep your facility running smoothly. Call 1-800-GRAINGER clickgrainger.com or just stop by Granger for the ones who get it done.

Michael Ruzik

State civilians Cyber Corps are very well positioned to handle a lot of different types of incidents, but I think when it comes to ot, it can be more challenging because you may be dealing with industrial control systems, programmable logic controllers, different types of technology that require more specialized security knowledge.

Justin Sherman

It's the Lawfare Podcast. I'm Justin Sherman, Contributing Editor at lawfair and CEO of Global Cyber Strategies, with Sarah Pawasik, Director of the Public Interest Cybersecurity Program at Berkeley's center for Long Term Cybersecurity, and Michael Ruzik, who is a non resident fellow at that same program.

Sarah Pawasik

Every organization can benefit from free cybersecurity assistance. So what it really boils down to and what the bottleneck for this is what does the state care about and how many volunteers do they have?

Justin Sherman

Today we're talking about cyber threats to states. The current environment and how state cyber corps and volunteer programs can be an effective response. Why don't you start? I always start this way. Why don't you start by telling us about yourselves, both your backgrounds for those a little less familiar, as well as what you are each working on currently.

Sarah Pawasik

Sure, I'll kick us off. So I'm Sarah Pawasik. I'm the Program Director of Public Interest Cybersecurity at UC Berkeley center for Long Term Cybersecurity. And our program right now is focused on trying to create a safety net for small under resourced organizations across the US that tend to fall through the cracks when we use a national security lens. So we like to think about it as community cybersecurity. So how are we thinking about critical services that people in different local communities use and how we can protect those services by using cybersecurity as a tool. So for example, think a lot about how to keep kids in school. We need to think about what sort of infrastructure those schools are using and therefore we have a line of effort on K12 Cybersecurity and Educational technology companies. So, so at a high level that's what we're working on. And we have a particular line of effort on cyber volunteering as these programs start up across the country. There are cyber clinics where students are actually volunteering to do cybersecurity risk assessments for local organizations as a part of their schooling. And there are state cyber corps programs that we'll be talking about more today. So that's a little bit about what the public interest cybersecurity team at CLTC is up to lately.

Michael Ruzik

And my name is Michael Razik. I'm a cybersecurity and privacy attorney and I'm also a non resident fellow Public Interest Cybersecurity at UC Berkeley center for Long Term Cybersecurity. And my work with the CLTC has been focused on helping to build out this ecosystem of cyber volunteers that Sarah mentioned. So most recently I published report about MSPs and MSSPs and ways that they can help under resourced organizations because we can only get so far with volunteers and we need other resources to help build out long term resilience for under resourced organizations. And I'm also working with CLTC and others now, including one of the state civilian cyber corps that we'll talk about in a bit to organize a workshop for different types of cyber volunteer organizations so that we can help them to scale and help others to form a.

Justin Sherman

Lot of work which as you noted, is relevant to what we're talking about today. So we're going to dive in. We are focused, as we heard in the intro, on this interesting concept around state cyber corps and volunteer programs. And these are increasingly coming up in the media and cyber policy discourse and so on, including, due to the work you both are doing, as another potential way to address the pressing cybersecurity problems that we face as a country and that states around the United States are facing. And so I say, I want to just shout this out. You know, I reference, you're doing a lot of work in this area. This includes a report, Sarah, that you had authored along with your colleague Grace Mena in June with the Berkeley center, called the Roadmap to Community Cyber Defense. So we will link that below, but I want to start here. So to ground us in this conversation, what does the cyber threat landscape today look like if you're a small community organization, like a nonprofit or a city or a school? And related to that, when we talk about cyber threats to states in quotes, how do we think about that? Or how do you think about that boundary? Is that state governments proper? Is that states plus their critical infrastructure? How do you approach this question?

Sarah Pawasik

Yeah, thanks for that, Justin. I'll kick us off by sharing a little bit about how CLTC is approaching this. I think traditionally when we talk about government cybersecurity, we're really talking about the security of the specific government networks, right? So let's say state of Washington cybersecurity, we're thinking about Olympia, the Capitol. How are we protecting the different agencies? How are we protecting the legislators? That is what cybersecurity means at the state level. That, I think, is shifting a bit because when we're starting to talk about state cybersecurity, we really mean, like, who lives in this state, what organizations do they rely on, and how can we protect all of those organizations? And those organizations are in a pretty tough spot. They always have been. There have been numerous efforts for years to try and help what we're calling community organizations. So not just the traditional definition of critical infrastructure, but any sort of organization that provides a critical service to people. So we like to include some small businesses and nonprofits in that definition, such as food banks, but also what you might traditionally think of critical infrastructure. So cities, schools, small utilities like water and electricity. So all of these very, very small organizations, they have different needs, but they still struggle with the basics. And that won't be, to a lot of the folks listening in, just trying to get these organizations to understand basic cybersecurity controls and give them the Resources that they need to implement them is a huge challenge. It's very, very difficult to scale people, and people is really what these organizations need at the moment. UC Berkeley ran a survey just last year with nonprofits in the Bay Area, and we found that nearly half of of the nonprofits we surveyed had no full time it, let alone cybersecurity staff whatsoever. And this is really difficult because you need someone these days to implement cybersecurity. The tools that exist right now just aren't created for beginners and non experts. They're not created for the gym teacher. Right. A gym teacher is not going to be able to use CrowdStrike's Falcon tool. There really isn't a lot out there for them to do on their own. And, and we're really trying to push to get more people there to sort of hold their hand, guide them through some of those basics that they need. And that is really the challenge that they're facing right now is that they don't know what they don't know, and we can't expect them to without trying to scale some human assistance for them to sort of guide them through that process.

Justin Sherman

I was muted, but I'm laughing when you say the gym teacher using the Kratztrika system.

Sarah Pawasik

That's what we expect of them.

Justin Sherman

Right? And I'm glad you say that also, because it's so easy to. I mean, I'm preaching to the choir in this case. You both are much more involved with this issue than I am. But as you say that, I'm thinking it's so easy as cyber folks to come into a room or a company or something or a government office and say, where's the cyber person? Rather than, as you're saying, what about one step back, do you even have IT staff, right. Or do you even have a person who hooks up your router or downloads what you're using? So that's a really important point. So with that in mind, what is a state cyber core like within this threat landscape? What does that term mean? And relatedly, what is a state cyber volunteer program? Are these the same thing? Are these different concepts? Michael? Perhaps, if you want to answer that one.

Sarah Pawasik

Sure.

Michael Ruzik

And I think you can think about these as equivalent. And you might hear different terms like state cyber corps, state cyber volunteer, civilian cyber corps, cyber civil corps. You might hear different terms used interchangeably. But what they're all getting at are essentially the equivalent of volunteer firefighters. These are groups of volunteer cybersecurity professionals that are led by a state agency. So maybe it's a department of it. Maybe it's emergency management, and in some cases, maybe it's the National Guard or another state agency or department that organizes this group of professionals because they may not be able to hire enough staff to help these under resourced or community organizations that Sarah was talking about. But they do have plenty of talented people that live in the state and that are more than willing to contribute and to help out when needed. And so that's, that's at its core what it is. It's a, it's a group of volunteer professionals that provide different preventive and reactive services to a defined group of beneficiaries.

Justin Sherman

How do these differ from the other resources, just to really put a fine point on this, from the other resources that a state might currently have at its disposal or bring to bear on cyber problems? Like, what does that status quo of alternatives look like? Are states. We're going to talk in a minute about the programs you're mentioning, Michael, but are states well equipped otherwise with other ways to deal with cybersecurity issues? What does that look like?

Michael Ruzik

Generally, I'll say no. A lot of states aren't well equipped. And you might think about some of the numbers that you see for private sector companies where you see shortages of cybersecurity personnel. And it's no different in the public sector. And Sarah gave the example of K through 12 schools where a lot of them don't even have an IT person. Let's not even talk about cybersecurity. They don't even have an IT person. And so when you look at the municipal level, when you look at smaller nonprofits, they all have similar issues. So they just don't have enough people to help solve the problem. But states do have some resources on hand. So states have the National Guard, a lot of National Guard, state National Guard have cyber units. And some may have more cyber personnel than other, depending on the state. So you could imagine a state like Maryland where you have the nsa, where you have people that may work for a lot of other cyber agencies or departments within government that may be involved in this type of organization. So they may just have a larger pool to draw from. That's not going to be the case for every state. Also, some states, states can work with the FBI, depending on which state it is, different FBI field offices may have more expertise in cybersecurity and may be able to provide more assistance. And then the state has their own agencies, their own ciso, their own personnel that can help with some of these issues. But generally it's not enough when you look at the scale of the problem, and maybe we'll come back to this, but you could look at some of the recent incidents like the Cyber attack on St. Paul in Minnesota and or maybe in Las Vegas, that the amount of resources that have to get pulled in to respond to a cyber attack in just one city.

Sarah Pawasik

Yeah. And I think another way to think about this is that states are traditionally better equipped to handle natural disasters when they think about emergency management. And most states have a Department of Emergency Management. Again, they're thinking about landslides, earthquakes. How do you deploy a team of people to respond to an emergency very quickly? That has not traditionally extended to things like cyber attacks, even though they can have similarly devastating consequences. For example, cyber attack hits a water utility and suddenly the hospital doesn't have fresh water. They're not able to take care of patients within a couple hours. So I think states have started realizing one, that the impact of cyber attacks can be just as destructive and two, that nobody is coming to help. Right. The federal government is focused on national security even more so in the current administration. Those resources do not really extend to states as far as having a team that can actually land on the ground and help someone recover from a cyber incident. So states are starting to step up and you'll see that actually many states have integrated these programs into their emergency management departments and functions because it already fits so well with what those departments missions are.

Justin Sherman

That's really interesting. We're going to circle back to some of these resources questions in the context of the current environment. But I appreciate you both that that's useful to flesh out. Right. What those differences and alternatives look like. So I want to talk about these programs next. But, but one more question first, which is is it that states face different cyber threats than at the federal level per se, or is it more so a question of what you were both just explaining with states may have fewer resources or they may have different capacity or different structures to deal with issues than say, the federal level of government.

Michael Ruzik

I wouldn't say that the threats are necessarily different, but the targets are. So I don't know of any, although there may be some. I don't know of any federally owned water utilities, but there are municipally owned water utilities and electric plants and health clinics and things like that that are attractive targets for cyber attacks that you don't necessarily have at the federal level. And states don't necessarily have the resources or even the legal capability to respond in the same way that the federal government can, for example, through diplomacy or through, through the military even. They just don't have those same options available to them.

Justin Sherman

I figured as much, but, but wanted your, your thoughts there. So back to state cyber Corps and volunteer programs. How many states have programs like this? Are we at more of a proof of idea stage? Are we at the point by which there are some models for these programs up and running? What does that landscape look like today?

Michael Ruzik

We definitely have some proofs of concept and we know that this works. So the only question now is how do we get more of these up and running? We have around seven states that have some form of a civilian cyber corps today, spread out geographically, different states, red states, blue states. And it's been working for, in some cases several years in a few states. We also have evidence that this works from some countries in Europe, if you look at countries like Estonia or maybe even Switzerland or a couple others. And in fact, the EU is looking to launch an EU wide, slightly modified version of this, but an EU wide version toward the end of the year.

Justin Sherman

Just briefly on that. Is the EU one roughly similar to the way the conversation has gone here, or is it, is it quite a different from what you can tell so far? Is it quite a different approach?

Michael Ruzik

I don't think the approach, it's still early, so it hasn't launched yet. So I think we'll, we'll see. But from what I can tell so far, it doesn't seem like it's that different from what we're talking about here.

Sarah Pawasik

Yeah, and I'll say, I think that we're right at the precipice of this model becoming very, very popular. I think the National Governors association really kicked off this work by doing three case studies of a handful of states in the Midwest a number of years ago and how they had just started up these programs. And now 2025, we have seven fully functioning state cyber corps and we have meetings with different states across the country pretty regularly because CLTC runs a program called the Cyber Resilience Corps where we're trying to build connective tissue between cyber volunteering organizations and programs of all types, including in academia, in state government, like we're talking about today, and also in nonprofits. And we have these conversations with states and they're all starting to come back to cyber volunteering. I know Washington and Arkansas have some version of strike teams with cybersecurity where they similarly go in and do incident response. And Michael mentioned that seven states already have programs. I'll just list them. Louisiana, Maryland, Michigan, Ohio, Texas, Wisconsin, and I think one more Michael, you said seven and that was six. Yes.

Michael Ruzik

Virginia State Defense Force has a cyber unit.

Sarah Pawasik

Yes. Awesome. So it really is. This is not a pilot. This is a program that has successfully expanded to seven states in the US and many, many other states are starting to take notice and to try and outline ways that they can replicate this in a way that makes sense for their state.

Justin Sherman

And we'll link it. I like the map that you. I'm always big on visuals. I like the map you have as well on the CLTC site of the country showing dots of, of where these different Cyber Resilience Corps volunteers are located. So it's, it's interesting. As you're saying, I'm seeing dots in Texas and California and Idah and all sorts of places. So what do these programs we're hearing about the structure? Clearly there's a need for states to have alternative means of boosting capacity, dealing with specific issues. What do these programs actually look like? How do you recruit, how do states or how should states recruit and retain people into these programs? Is there a process for that? Are people tested? Is there a qualification, training? What does that actually look like from, from the standpoint of a state looking to bring people from interested parties in their state individuals into such an effort.

Michael Ruzik

So at a minimum, there should be some sort of qualifications and training. And the states that we mentioned do have that. I know that that's a concern, an initial concern that comes up from time to time. When people hear about volunteer hackers or cybersecurity professionals coming to the rescue, they might ask, where are these people coming from? How do we know they know what they're doing and it's because they have been vetted by a state organization, they have gone through some minimum level of training, they meet some minimum level of qualifications and that may be through certifications, it may be even relying on federal background checks. Some of the state civilian cyber corps are able to fast track applications where the individuals have already gone through a federal background check. There are options like that that can help. In terms of recruiting, I think that can be difficult. And that's something that some of the states that we've spoken with have identified as a challenge. But I think they're also figuring it out. Wisconsin now has, I believe, over 400 members and their Cyber Response team. In Ohio, there are, I believe, over 160 volunteers in the Ohio Cyber Reserve. So it has been a challenge, but I think they are figuring it out. And it's one of the things that we hope to help other states to be able to learn from and be able to replicate in the upcoming workshop. In terms of retention, retention can be difficult as well because you can imagine that depending on the criteria for deploying the civilian Cyber Corps, if they aren't deployed frequently, then people might lose interest or people might drop out. And so one of the things that we've heard that is helpful for retention is having some sort of frequent engagement. So whether that's training, whether it's networking events, because that's also a benefit of this is the civic engagement. You have people in the private sector engaging with the public sector, helping their local communities. And that's a big part of retention, just being able to give back, being able to meet other people in your community.

Sarah Pawasik

I think it's really helpful to hear how one of these groups in action is actually helping state and local entities that otherwise would really not have the resources to get assistance. One of the case studies, and we also detail this in a report that we recently put out called the Roadmap to Community Cyber Defense where we detail a lot of these programs that build regional connective tissue for these small organizations and provide them this assistance. So the Wisconsin Cyber Response Team is one of the premier Cyber Corps programs. We're actually co hosting an event with them next month. They are fantastic. They have great support from leadership in their government and they responded to a ransomware attack that hit a Wisconsin county government and actually destroyed a lot of the network infrastructure and all of their data backups. And so the Wisconsin Cyber Response Team was able to respond to get on the ground very, very quickly to help them remediate this. So what they did was they responded under the Wisconsin Department of Emergency Management and sent a small group of volunteers on site immediately to assess the situation before we really knew what was going on. They then worked hand in hand with county government team to do containment for the attack. They took disk images, they captured as much logs and forensic data as they could and then did forensic analysis on that data on site to try and understand what was happening, who's in the network, what is the extent of the damage and what can they do to contain it. They then helped the network owner by implementing multi factor authentication. They completely helped them set up a defederated Microsoft 365 environment and they migrated all of the users to a new domain controller. They did a bunch of hands on activity with this to move all of the users from an instance that was less secure, that had been impacted by the ransomware attack to a completely fresh instance. They did a bunch of other stuff with that organization to try and help them recover. And then they didn't just leave. I think a really important part of this engagement was that they stuck around. They actually helped the county government do a postmortem analysis. They helped, they did a couple assessments of them, try and understand how they could have better responded to this incident in the future. They did like an after action review. And then they continue to engage with a director of that county's emergency management department and their IT director to create an incident response plan. So they're actually building resilience into this county government post engagement to say, next time this happens, here's what your staff should do, here's who you need to call, here's how we can mitigate the impact of such an event if it were to occur again. So not only is the county government recovered from that incident, but they now have tools to help them better in the future. And that's sort of using incident response as a way of building in long term resilience to an organization. You know, people don't usually invest in cybersecurity unless something bad happens. And so I really appreciate how folks like the Wisconsin CRT were able to come and use this as an opportunity to actually improve this county's defenses in the future. And in fact, they actually conducted a two week penetration test after the engagement to identify additional vulnerabilities and help protect that system. Maybe a helpful distinction as well is that these organizations, the Cyber Corps, typically are mostly doing incident response, but a handful of them have started doing more proactive assistance like doing risk assessments and doing cyber awareness training. So that is becoming more commonplace. Although many of them did start up just to serve that incident response function.

Advertisement Voice

Hey, folks, I want to tell you about an absolute disaster I recently had in the payroll department. You know, I have this little substack. It now has an employee, and that employee, you know, I have to do withholding for him. I got to do multiple jurisdictions, unemployment, and I did it all myself because I'm an idiot. And it took months. I just wish I had known about Gusto. You know, let's be honest about this. Nobody starts a business for the joy of handling their own tax withholdings. And that's where gusto comes in to take the stress out of payroll, benefits and HR so that you can focus on why you started your business in the first place. And in my case, that's because I like writing stuff. I like doing, you know, my morning live streams. I don't want to know about D.C. versus Maryland withholding rules. And how to sign up for the kind of thing Gusto is online payroll and benefits software built for small businesses. It's all in one remote, friendly and incredibly easy to use so you can pay, hire onboard and support your team from anywhere. Unlimited payroll runs for one monthly price. There are no hidden fees, no surprises. So if I had like a second employee, it would just be like enter the name, enter the Social Security number, you're done. Get direct access to certified HR experts if you need them to help support you through any tough HR situation. It's the number one payroll software according to G2 for fall 2025 and it's trusted by more and 400,000 small businesses. If only I had known. So try Gusto today@gusto.com LawFair and get three months free when you run your first payroll. That's three months of free payroll@gusto.com Lawfair one more time Gusto.com LawFair.

You'Ve worked hard to build your business. SimpliSafe helps you protect it with SimpliSafe for Business, AI powered cameras watch over your entry points and instantly alert live monitoring agents. They can deter intruders before they get inside. It's protection built for growing companies.

Justin Sherman

24.

Advertisement Voice

7 monitoring, no contracts and a 60 day money back guarantee. To get 50% off your new system, go to SimpliSafe.com podcast. That's SimpliSafe.com podcast for 50% off. There's no safe like SimpliSafe 1.3%. It's a small number, but in the right context it's a powerful one. Stripe processed just over $1.4 trillion last year. That figure works out to about 1.3% of global GDP. And powering that figure are millions of businesses finding new ways to grow on stripe like Salesforce, OpenAI and Pepsi. Learn how to build the next era of your growth@swepe.com Enterprise thank you for.

Sarah Pawasik

Calling the Bombas Comfort line. Bombas make socks, slippers, tees and underwear made with the highest quality materials. Press 1 for comfort, 2 for style, 3 for donation. You chose Style Bombas styles for whatever you enjoy. You can run in Bombas, lounge in Bombas, dress them up, dress them down, but always give back in Bombas because with every item purchased, another is donated. Bombas Comfort Worth calling for. Go to bombas.com and use code audio for 20% off your first purchase. That's B O M b-s.com and use code audio.

Justin Sherman

What kinds of issues? You mentioned some of them in your instructive case study. What kinds of issues are state Cyber Corps and volunteer programs best designed to address?

Michael Ruzik

The biggest thing that I found so far that can be challenging would be OT or operational technology. I think in terms of it, states of Ill and Cyber Corps are very well positioned to handle a lot of different types of incidents. But I think when it comes to ot, it can be more challenging because you may be dealing with industrial control systems, programmable logic controllers, different types of technology that require more specialized security knowledge, even within the realm of security professionals. So that can be more challenging because there may be fewer people within the Cyber Corps that have that capability. But apart from that, I think they're very well positioned to handle a lot of different types of incidents and maybe.

Sarah Pawasik

Some less tangible things that Cyber Corps are good at.1 cost reduction. The idea of a state hiring an entire staff of full time folks whose only job it is to respond respond to incidents in the state, we're just not in that space yet. So being a program that only takes a few full time staff to manage and then a group of volunteers who donate their time, you're able to start a program relatively cheaply where you can get that hands on assistance at scale to folks across the state. And that's a really difficult thing to do without contracting with a very large managed service provider on retainer, very, very expensive. So they're good, they're relatively cost efficient, they're good at doing that. Another thing is having folks being able to do community engagement and civic engagement on cybersecurity around the state. There are programs like Illinois Cyber Navigators program where you have folks going around county to county helping answer questions and just sort of steering folks in the right direction. And I know that sounds sort of basic, but actually having someone to ask questions to can be a huge boost to organizations like we were talking about that don't have anyone in it. If you've ever tried to Google what should I do with cybersecurity? I don't recommend it. It's just impossible to find the right guidance and to interpret it. And having someone actually stand with you, hold your hand, explain things to you and tell you, you know, what are the top five things that you actually need to do that will make a difference. That goes a long way for some of these organizations.

Justin Sherman

That's on the incident side specifically. Obviously another component of this is not just what kind of incident or issue, as you're saying, impacts an organization per se, but which organization are we talking about. Right. And so are there some entities, given your work that you found and this might be public, private, this might be sector by sector, I don't know. Are there some entities that state Cyber Corps and volunteer programs are best suited to help versus others that maybe are not, for whatever reason as equal a target for that kind of support?

Sarah Pawasik

I think what Michael mentioned is right, that most small under resourced organizations are really well served by Cyber Corps programs. Maybe not ot as much because that expertise is a lot harder to find, especially in volunteers. But every organization can benefit from free cybersecurity assistance. So what it really boils down to and what the bottleneck for this is, what does the state care about and how many volunteers do they have? So one of the issues I will say that happens with Cyber Corps programs is that they often have limited mandates, right? So maybe a Cyber Corps program can only help cities or county governments. Maybe a Cyber Corps program can only help school districts. And that is useful. But ideally we'd see as a first step all public entities, schools, cities, counties, having access to it. And then someday our dream is nonprofits, utilities, small hospitals, folks in rural areas. There are a lot of organizations that I would expand that definition to that are really in need of assistance. But right now not all of them can get assistance under the state Cyber Corps programs because of rules they have around what they limit engagements to.

Justin Sherman

On the flip side then, are there types of incidents that these initiatives are not particularly well positioned to address? And same with organizations. Are there specific types of organizations that these volunteer programs are not going to be the best option, especially if you have others to deal with a particular cybersecurity problem?

Sarah Pawasik

That's a great question, Michael. Correct me if you feel differently, but I think in general responding to APTS and other nations attacks, I don't think that these groups will be the best option for that, especially if we're talking about espionage or spyware. I think that Cyber Core are really meant to respond to commercial attacks from, you know, commercial actors, ransomware fraud, business, email compromise, really financially motivated cyber attacks.

Michael Ruzik

I think that's generally right. Unless it happens that, you know, the apt maybe stumbled on this organization by accident and wasn't specifically targeting them and there's a quick fix like a patch or something like that that can help get the organization back up and running. And then I also think there are specific parts of Inc Sense that the state Cyber Corps are not necessarily well suited to or where other organizations might be better placed to step in. So with things like breach notification when it comes to that, that's typically not something that the state Cyber Corps would do, that's something that the organization would do or something like long term recovery. So going back to the firefighter analogy, thinking about after the fire has been put out, the volunteer firefighters aren't the ones that are there to rebuild that structure. Those are some parts of incidents that I think other organizations might be better suited to. Like I mentioned the MSPS and MSSPs earlier. When you think about longer term resilience and recovery and building up different practices, that's where those organizations, for example, might be better place to step in.

Justin Sherman

APTS in nation states is a great example of one of those potential gap areas. So I want to shift now. We've gotten a fairly good coverage of what these programs are, how they sit in the landscape. I want to look forward now and think about future actions and policy steps and so forth to really continue bringing these ideas you all have been discussing to further fruition. So first, at the state level, if you're a state, I mean, I'm sure you quite literally have this all the time, right? A state coming to you both saying, we want to stand up one of these programs. What are the first steps you tell them to take? And then for those that already have them but want to grow the program further, what are the first steps that they should take to level up a state cyber corps or volunteer program?

Michael Ruzik

Typically, when this comes up, one of the first things that I'll do is, and I think the same might be true for Sarah as well, is connect some of the people with officials in other states that are already operating civilian cybercore, because that way they can get boots on the ground advice and understand what some of the challenges were and how they were able to overcome the challenges from someone who has already gone through it. We also send them some of the resources from the crc, like the roadmap that we talked about. There was a report that I wrote last year when I was with New America. There was the report from GA that Sarah mentioned and one from a law firm, McDermott, Will & Emory, that cover a lot of different aspects of civilian cyber Corps. So more and more people are taking an interest in the area and there's more material that we can share. But I think having that firsthand knowledge is really crucial.

Sarah Pawasik

Yeah, I think that's right. And just shouting out that Michael's paper for New America actually includes a model bill, we see that one of the biggest hurdles to folks starting up these programs is actually getting the authority to run it in the first place. And so thankfully, Michael's written a model bill that folks can take, that the state can pass, that will grant the authorities necessary to start up a state Cyber Corps program, which is the first but not the only hurdle to getting one of these programs in the air. Like Michael mentioned, all of the liability issues. How do you train volunteers, how do you recruit them, how do you retain them? That is information that we're working to centralize and that is always best heard from the horse's mouth, which is why it's so important to connect them to the folks in other states that are doing this work as well.

Justin Sherman

I want to look then federally. Interesting moment to be looking federally. We've of course seen a tremendous cutback, which really that word doesn't even fully capture it, but a cutback of resources at the federal level under the current administration when it comes to cybersecurity, including cuts, among many other things, to cisa, the cybersecurity and infrastructure security agency at dhs. So how have, and maybe they haven't, I don't know, but I imagine they have. How have federal cuts if at all impacted these kinds of efforts, including potentially creating further need for state level programs like these in the first place?

Sarah Pawasik

Yeah, I think you hit the nail on the head. We've been advocating for really regional based cyber defense programs for a number of years now, including cybersecurity clinics. And we've always seen the need for them. Right. The national government has a national security focus. They are rightly focused on very, very large entities, systemically important entities, and not all of the little organizations that sort of make up most of you and my daily life. So we've been pushing for them for a while and they've only become more important because the limited resources that were available at the federal level, and I'll name drop CISA's free resources through their partnership with CIS and Ms. Isaac, their free network and vulnerability scanning program, the cybersecurity Performance goals checklist, which is a fantastic resource for folks who do have an IT team to do a self assessment and most importantly the state and local cybersecurity grant program, which is now up in the air. Those resources are starting to get pulled significantly back. We heard recently that the partnership with CIS has officially ended. The reauthorization for the SLC GP is up in the air, even though it has great bipartisan support, so we hear. And so there's resources are drying up. I desperately hope that the SLC GP gets reauthorized. It has been absolutely transformational for states and it can be really great for them to start up Programs like this that can sustain themselves through multiple administrations. But I think what we're really seeing in the federal government has signaled through the White House executive order that basically said, you know, this is state's responsibility. Right? Cybersecurity needs to be the responsibility of states. They've always had some amount of responsibility, and now what we're seeing is that a ton is being pushed on them all at once. And they really, I think states do a wonderful job, but they're not really prepared to take on the responsibility of protecting every single organization within their borders the way that they're now expected to. So I feel like these regional defense programs that lean on volunteers, that lean on homegrown talent within that state, a really effective and modeled way for them to take on some of these responsibilities. I won't pretend that Cyber Corps are going to solve all of their problems, but I think starting to build that connective tissue that they own, that they can take care of and that can outlast any administration is going to be really critical for states.

Justin Sherman

I am obviously nothing even close to anything resembling an expert in disaster response or anything like that. But as you're. You mentioned earlier, that point about other state capacity, how states address cyber within that, I thought of some of the things you just mentioned of that must also then be part of this impact picture with. With federal cuts. So given the current landscape and some of the impacts, Sarah, you were just describing in the current administration to either of you, I mean, I'd love both of you to answer this. You know, do you see any likelihood of movement on federal policy or federal support for state cyber protections for state cyber corps and volunteer programs, anything like that? And regardless of your answer to that, what do you think whichever administration does work in this area next, what are some things at the federal level that either of you have been calling for that you think would be helpful to bolster? You alluded to some of this just now, but steps to bolster these programs into the the future.

Michael Ruzik

So the lawyer's answer is always, it depends or maybe or we'll see. So I think that's definitely the case here. I think with the executive order that came out earlier in the year asking states to take on more responsibility for emergency preparedness, this cybersecurity falls under that bucket. So I think we definitely will see a lot of movement at the state level. We are seeing a lot of movement at the state level. I think at the federal level, it's been a bit slower, but there has been some movement in the last couple years. There were provisions in the last couple NDAAs that would have allowed the army to conduct a pilot program. I don't know if that was actually completed, but I wouldn't be surprised to see that come back up under any administration. And some of the other federal agencies or departments might conduct their own pilots regardless. So for example, the Marines have their own cyber auxiliary that they run, and so we might see more of those initiatives pop up.

Sarah Pawasik

I'm not a lawyer, so I can try and read the tea leaves. I think that there is some signal of support for pieces of regional cyber defense at the federal level. Like I mentioned, the SLC GP does have great bipartisan support. I know the reauthorization is a bit in limbo, but I'm very, very hopeful that that will go through and provide some funding for states to continue trying to take up this mantle of responsibility. I also think that CISA has signaled some continuing interest in the Secure by Design initiative, which can seem a bit unrelated to this work. But when we're thinking of the smallest organizations that don't have any IT staff, even small changes to default settings of large enterprise software can make a huge difference for them, because they're not going to know to turn on multi factor authentication for administrators, for example. So having them continue to push enterprise businesses to make their products secure by design and secure by default will have a measured impact on these small organizations at the state level.

Justin Sherman

That's all the time we have. Sarah Michael, thanks very much for joining us.

Sarah Pawasik

Thanks for having us, Justin.

Michael Ruzik

Thank you.

Justin Sherman

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supplier through our website, lawfairmedia.org support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, the Aftermath and Escalation. Our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work@lawfaremedia.org the podcast is edited by Jen Patia and our audio engineer. This episode was Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.

Advertisement Voice

If you're a maintenance supervisor at a manufacturing facility and your machinery isn't working right, Grainger knows you need to understand what's wrong as soon as possible. So when to comes it when a conveyor motor falters, Grainger offers diagnostic tools like calibration kits and multimeters to help you identify and fix the problem. With Grainger, you can be confident you have everything you need to keep your facility running smoothly. Call 1-800-GRAINGER click granger.com or just stop by Grainger for the ones who get it done.