Could a corps of civilian cybersecurity volunteers save state networks?
A volunteer group for cybersecurity experts and enthusiasts in Michigan could go nationwide if other states follow suit.
Paul Groll, Michigan’s deputy chief security officer and the executive department sponsor of the Michigan Cyber Civilian Corps, or MiC3, said Tuesday that the model established in Michigan could help underprepared state and local governments to handle cyberthreats. While state CIOs reported last year that cybersecurity was now “part of the fabric of state government,” only a quarter of state chief information security officers expressed confidence in their states’ cyber-defenses.
“We would love to see this blossom into a national model where we could do interstate cooperation and maybe even large-scale training conferences and exercises,” Groll said at the National Association of State Technology Directors’ Southern Region conference. “As far as I know, this is the only thing of its kind in the country so far.”
Despite being around for nearly half a decade, MiC3 has undergone some changes to gear up for a future of helping the state react to immediate incidents like distributed denial of service (DDoS) attacks, as well as threats with long dwell times, like ransomware.
“The mean time to find those [advanced threats] in your network is over 250 days in the U.S.,” Groll said. “We want to have a skill set on board that knows how to find that stuff hiding in our network.”
Convincing the state legislature to fund a budget for a volunteer corps could be a solution to information technology and workforce funding troubles across the country. Instead of funding the salaries of the entire corps as cybersecurity staff, the state would primarily invest in training for those volunteers. In previous years, MiC3 members have participated in exercises in Michigan’s Cyber Range and attended SANS Institute cybersecurity training, and they will do so in future years.
“The biggest perk is probably that we will send them to SANS training,” Groll said. “All they have to do is show up, and the class is free for our members.”
Last year, MiC3 sent 30 members through a 6-day SANS class. At the conclusion of the class, members participated in a challenge. The MiC3 members completed the challenge and broke the national record at SANS for completion time, Groll said.
Looking ahead, Groll said he and his team are working with the legislature to pass a law enabling members to work with their local communities to give cybersecurity aid to local government. The group is also working on legislation to protect members if something goes wrong during an exercise and the team causes damage in a system.
To apply for the Michigan corps — which Gov. Rick Snyder formed about four years ago — members must have at least two years of information security, incident response or digital or network forensics experience, along with a basic security certification. Applicants must also have a signed letter of agreement from their employer, showing that they support their employee’s work in the space.
In addition, members need to pass a full FBI background check, sign a confidentiality agreement and disclose any potential conflicts of interest.
“They’ve told us it helps them fulfill their sense of civic duty to give back a little bit,” Groll said about the MiC3 members.