News / March 2025

Cyber Resilience Corps Plenary Session #2: Evaluating Immediate Measures and Sustainable Strategies for Enhancing Community Cybersecurity

On March 19, 2025, the Center for Long-Term Cybersecurity (CLTC) and the CyberPeace Institute hosted the second of three plenary sessions as part of the Cyber Resilience Corps, a groundbreaking initiative focused on uniting cyber volunteer efforts from different sectors.

Adrien Ogée, Chief Operating Officer of the CyberPeace Institute, welcomed the group and touched on the recent changes in cyber defense since the previous plenary session. Then, Jessica Walton, U.S. Regional Officer of the CyberPeace Institute, previewed the forthcoming Cyber Resilience Corps’ Platform and Threat Tracer, including a searchable heat map of all cyber volunteer groups and a breakdown of who, what, and where they serve. 

Sarah Powazek, Program Director of Public Interest Cybersecurity at UC Berkeley, then gave an overview of how the group discussions would inform the development of the Cyber Resilience Corps’ forthcoming report, National Roadmap for Community Cyber Defense, describing the roadmap as “a redefinition of the shared responsibility model for community infrastructure, with actionable recommendations for providing short-term assistance and long-term resilience.” 

Following introductions, the session’s participants — including representatives from university cyber clinics, for-profit and nonprofit organizations, nonprofit-focused managed service providers (MSPs) and managed security service providers (MSSPs), and government-led civilian cyber corps — were divided into two breakout groups. The first group focused on recommendations for immediate action, specifically on actions that would help build a cyber safety net for community organizations. The second group focused on recommendations for the future of community cybersecurity in the US, informing a shared responsibility model.

Key Takeaways

Throughout the discussions, several key takeaways emerged:

1. Liability concerns and risk management remain significant barriers to the deployability of cyber volunteering groups.

  • Legal templates have been developed and successfully utilized for specific use cases and groups, but have not seen widespread adoption. 
  • Prioritizing government-run volunteering groups in incident response protects volunteers the most from liability concerns.

2. Referrals to satisfy continuous service engagement needs are challenging and complex to scale.

  • Once the volunteer timeframe is complete, methods for offboarding and handing off community organizations between service providers are non-standardized and challenging to scale. Volunteer groups are hesitant to refer community organizations to continuous service providers in the private sector because they do not want to be seen endorsing or favoring a for-profit company. 
  • Not all continuous service providers are created equal, and it can be challenging to identify and differentiate the highly reliable from less reliable providers without first-hand experience.
  • Trust between community organizations and volunteer groups takes time and effort to build. The reputational risk to volunteering groups during the hand-off to a continuous service provider disincentivizes them from making referrals.

3. Responsibility for cybersecurity and cyber hygiene should be a shared effort for organizations of all sizes.

  • It is key to frame shared responsibility as “information security” and ensure that it is implemented from the top down, even in the smallest organizations.
  • Centralized support might be necessary for resource-limited organizations. Relying solely on free tools can create a false sense of security.
  • Larger enterprise vendors can do more to protect community organizations than simply supplying products and platforms. These vendors are better positioned to understand attack and threat trends across their own infrastructure.

4. Considering the most economically efficient way to improve security is vital for long-term resilience.

  • We need more consensus and analysis on where it is appropriate to promote free volunteering services and products, and where to increase the burden on suppliers.
  • Federally supported or subsidized security solutions for interconnected critical infrastructure providers, such as water and electricity, may be the best defense strategy because attacks on these types of providers pose a threat to national security.

5. Information security standards and best practices need to be more widely communicated.

  • Hyper-local approaches to communication have been successful and impactful thus far, including volunteering groups conducting outreach and education through churches and local school districts.
  • The media is an underutilized tool to spread awareness. While one-off articles have been published highlighting best practices for individuals and small businesses, the frequency is insufficient to reach the public.

6. Working cybersecurity groups for community organizations have shown initial promise.

  • Community information-sharing groups can be effective ongoing support mechanisms. By providing a space for organizations in the same industry to collaborate, organizations with more mature cybersecurity postures can effectively mentor less mature organizations and build resilience across the broader sector.

7. Partnerships with MSPs/MSSPs, particularly sector-specific MSSPs, help streamline processes for community organizations.

  • Individual sectors have unique security needs, which can make scaling MSSPs challenging. Optimizing MSSPs to focus on particular sectors may help limit risk and onboarding time. 
  • Successful partnerships may include economic incentives, such as tax breaks or grants, to reduce organizations’ service costs.

8. A public-private solution may be the best approach for incident response.

  • Government staffing capacity and funding can be unpredictable and volatile. 
  • Relying solely on volunteers for incident response is neither sustainable nor realistic. 
  • Public-private partnerships that are bottom-up and locally based may be the most potent approach for incident response.

Ann Cleaveland, CLTC Executive Director, wrapped up the session by highlighting the group’s potential for collaboration and coordination. 

The final plenary session will focus on refining recommendations to proactively improve high-risk organizations’ cyber hygiene and integrate resources and existing networks into a structured system.
