A bill presented to the Texas governor earlier this month would set up a volunteer team to respond to cyber incidents. It comes at a time when high-profile ransomware attacks have put the national focus on cybersecurity – as well as governments’ struggle to recruit talent.
In the latest study of the state and local workforce in 2021, about 60 percent of local jurisdictions said they have more IT positions open than applicants. Homeland Security Minister Alejandro Mayorkas has recognized the severity of the problem and made cybersecurity staff the focus of his second sprint.
Texas legislation is just one of the most recent state efforts to add ad hoc resident assistance to the public sector workforce. Experience from other such attempts indicates the challenges each similar program must face and the best practices to consider.
LESSONS IN CYBERSECURITY VOLUNTEERING
The Michigan Cyber Civilian Corps (MiC3) has encountered various pitfalls and opportunities since its announcement in 2013 and its official creation in 2014.
The program was originally designed to mobilize volunteers in cases where the governor declared a state of emergency, Ray Davidson, MiC3 program manager, told Government Technology. However, that meant the team would only act in the event of a “really major disruption, like a nation state taking action that threatens life and limb, which is the state’s highest state of emergency,” Davidson said.
Like this first version of MiC3, the Texas program would set a high bar for volunteer activation. State or local authorities affected by a cyber incident could seek voluntary assistance if the attack either causes the governor to declare a “disaster condition” or is severe enough to affect multiple entities. A federal bill tabled by members of the US House of Representatives in April that provides for a voluntary civilian cybersecurity reserve to provide emergency aid to the US defense and homeland security departments in “times of greatest need” also goes in this direction.
But MiC3 found that its pool of volunteer volunteers had been ready and waiting for years without a sufficiently catastrophic event causing their deployment.
Taking up the idea that volunteers can be of help at high level outside of a crisis, Texas passed a new law in 2018 that eases the activation criteria. This law enables providers of critical infrastructure, educational institutions, community facilities and non-profit organizations to request the assistance of MiC3.
Since then, members have been deployed “a couple of times” to help local and regional governments respond to issues such as ransomware and the compromise of business email, Davidson said. The program also encourages its members to help with cybersecurity education in high schools, such as: B. looking after students and participating in hacking competitions.
Strictly limited application criteria are not the only force that breaks down in these programs. A lack of liability coverage for well-meaning volunteers can also prevent teams from mobilizing – something Michigan had to correct with its 2018 overhauls of MiC3. The new guidelines ensured that volunteers passed certain qualifications before becoming members and then gave them legal protection for actions they took when trying to help, similar to the rules of the Good Samaritan. Texas is taking a similar approach with its bill that extends civil liability protection to volunteers.
FIND FUNDING
Finding funding opportunities for any program can make it or break it – an issue on the Del. Virginia Bumped Suhas Subramanyam with his 2020 bill that would have created a volunteer path for cybersecurity and IT professionals to support schools and local governments.
“There are many stories of local governments across the country being hit by cyberattacks [and] need expensive consultants to help them with safety, ”Subramanyam said. And schools often want to use more technology but need advice on how to use it, he added.
Subramanyam also told Government Technology that funds commitment concerns ultimately undone its bill, which likely would have required a website that connects volunteers with opportunities and possibly an administrator. Other volunteer programs may incur additional costs, with Texas billing for travel expenses, while Davidson said volunteer training is the largest expense of his program.
The Texas bill, meanwhile, attempted to resolve the funding issue by allowing the State Department of Information Resources to ask agencies to contribute to the cost of running the program if they want assistance. Neither Senator Jane Nelson nor Rep. Giovanni Capriglione, both sponsors of the bill, were able to make further comments.
Programs organized – and funded – by the state government aren’t the only source of cybersecurity volunteers government agencies can support. But government-controlled programs bring certain benefits, Subramanyam said.
Some nonprofits also provide technical services, Subramanyam added, but there are limits to what the government can expect from donor-funded organizations, as contributions to support community service can have limitations.
WHY VOLUNTEERS?
The ability to attend expensive training is often what leads cybersecurity professionals to volunteer first, while networking opportunities and a sense of civic duty tend to keep them long-term, Davidson said of recent conversations with members of his program .
Networking, Davidson says, means “You get a feel for who is using which tools and who can help you with a problem such as a problematic location. B. ‘Have you done this before? Did you do that? ‘”
“This is invaluable in our industry,” he added.
Program managers are also better at recruiting and retaining members by not being over-prescriptive, Davidson said.
“My special advice would be to make sure you are in contact with the information security hacking community in your state,” he said. “Because there are many people who like to know how things work and who like to help other people. They obviously don’t like obeying rules. Give them the chance to be flexible and don’t make too many rules. ”
source https://collegeeducationnewsllc.com/what-makes-a-state-volunteer-cybersecurity-program-work/
No comments:
Post a Comment