In the run-up to November’s midterms, state governments across the U.S. find themselves at the forefront of the national-security debate around safeguarding our elections. It should come as no surprise that many states are struggling to protect their election and other critical systems. After all, cybersecurity remains a key challenge for the federal government as well, despite its massive resources and deep expertise. Budget realities demand that state government find innovative ways to respond to cybersecurity threats. Michigan’s Cyber Civilian Corps (MiC3) is an innovative model that enables the state to call on outside cybersecurity experts during crises to provide a surge capacity of cybersecurity skills in the event of a crisis.
Republican Gov. Rick Snyder announced the effort in 2013, and the state began assembling a group of information-security professionals it could call on in the event of a governor-declared cyber emergency. Today, the MiC3 includes 100 members—all civilians— from local companies, universities, and civil society that work closely with the Michigan Army and Air National Guard and the Michigan State Police, providing a unique suite of skills and capabilities across civilian communities, the military and law enforcement.
MiC3’s mandate was expanded in 2016 beyond declared cyber emergencies to assisting local and regional governments, nonprofits and community health, and educational institutions. MiC3 volunteers are given immunity from liability under the Government Liability for Negligence Act, to facilitate their work on behalf of the state. At the same time, the 2017 Cyber Civilian Corps Act provides for due diligence and oversight of MiC3 volunteers and requires that they undergo background checks and sign confidentiality agreements.
Recruitment and Benefits
MiC3 members must have a minimum of one to two years of direct hands-on-keyboard experience in computer-incident response and/or forensics and commit to at least 10 days of training and team meetings per year on top of potential deployments (which have yet to happen).
These requirements create a challenge for the Corps: recruitment. State governments cannot match private-sector salaries and there will always be competing demands on cybersecurity experts’ time, but the MiC3 offers something that those jobs and other outlets do not: fulfillment of an individual’s sense of duty. Moreover, members receive state-funded cybersecurity training (since 2016, this has come in the form of the highly coveted SANS training), which enhances a participant’s value to their employer and their professional marketability. Perhaps more important, since members are dispersed across the state with many employers, the program increases the level of cyber-related expertise in the state’s workforce. Members also gain access to a broader network of cybersecurity peers, which allows the diffusion of specialized knowledge across the state and increases the overall security culture.
Members’ employers benefit as well. Training in specific subject matter is often a challenge—identifying appropriate training, securing funding, and ensuring that employees actively participate toward obtaining added value can be difficult. The MiC3 takes care of the former. Members are also required to take and pass any associated certification exams, which offers a return on the state’s investment by keeping member’s skills to date while providing added training to members at no additional cost to the their employers. Of course, members do not share proprietary information, but there are often useful “tips and tricks,” that can be gleaned from fellow members. Moreover, the informal network created can provide a useful alerting capability as cybersecurity professionals often say that they hear important information from their respective circles.
For the state, the MiC3 serves as an extended response capability, if and when needed. Its pre-existing incident command structure is critical, as it has a flexible operating-response structure and technical focus by design. Moreover, the active collaboration among the MiC3, the National Guard, and state police lays the channels of communication that may be critical in the event of a serious incident. Additionally, participation of members from across the community triggers a broader increase in cybersecurity awareness and practice that can bleed over to the general public, providing a broader cyber-health benefit. Program Manager Ray Davidson argues that this is one of MiC3’s most important benefits, as “government is unlikely to fund proactive efforts like awareness and professional networking. However, by funding and properly managing a reactive response effort, we get the proactive component for free.”
The MiC3 also aims to develop a standard toolkit for cyber-incident response. Though MiC3 tends to rely heavily on free and open-source software largely due to financial constraints, open-source tools are coincidentally the area where volunteers are, in general, more likely to share familiarity due to their accessibility. In the lead-up to the 2018 elections, the resources available to the MiC3 have multiplied, with technology companies offering free election-security tools.
MiC3’s innovative model of bridging sectoral divides is generating attention both in and outside of the state. Its current roster of 100 volunteers has nearly doubled from last year, reaching the 2018 target of 100 members well before the end of calendar year. The team has written guidelines for the National Governors’ Association and representatives in Washington, Hawaii, Indiana, Georgia, and Montana. More recently, a District of Columbia council member introduced the “Cyber Civilian Collective Act of 2018,” directly referencing the MiC3 as a “public-private partnership program under which volunteers with cybersecurity expertise can provide services to District government agencies and offices in the event of a cyber attack.”
Similar Programs Outside Michigan
Other states and countries have similar programs. The Maryland Defense Force Cyber Security Unit supplements the cyber teams of the Maryland National Guard. Created in 2010, it provides support to the Maryland Military Department and can respond alongside them in case of a cyber emergency. The California Cybersecurity Institute (CCI) is as a multi-agency effort to protect California through enhanced cybercrime forensics and statewide tactical response training. Its partners include the California National Guard and Cal Poly, San Luis Obispo. Affiliated with the CCI, the California Army National Guard’s Cyber Protection Team (CPT), activated in 2017, specializes in cyber defense by creating training opportunities for the state and by expanding the CPT’s ability to engage in the defense of private agencies. Ohio set up the Cyber Collaboration Committee to determine what the state needs to improve cybersecurity and training. Part of the committee’s focus includes the creation of a Cyber Reserve Force, whose description is similar to the MiC3.
Advocating a similar model in a related field, Daniel Byman made the case on Lawfarefor a intelligence reserve corps. Similar to MiC3’s efforts, Byman highlights that the corps could bring in personnel with unique technical knowledge to expand the range of skills available to government and increase private-sector awareness of government needs, while achieving its goal of countering terrorists’ use of the internet.
Other countries have also experimented with this model, such as the Estonian Defence League Cyber Defense Unit (EDL CDU). As I explained in an earlier War on the Rocksarticle, the EDL CDU is a unique extended-response capability tasked with two broad types of activities: capability-building and operations. It is a close network of cybersecurity experts that improve readiness through trainings and exercises and which the Estonian government can call on for specific situations requiring additional help. As part of the Estonian unit’s international cooperation efforts, it has also partnered with the 175th Network Warfare Squadron of the Maryland Air National Guard. – Lawfare