Community organizations — nonprofits, rural hospitals, schools, local utilities, municipalities, and small businesses — are vital to delivering essential services to the public, but they are often the least prepared to protect themselves from cyberattacks and are often held wholly responsible, leaving them particularly vulnerable to attacks that could disrupt the delivery of essential social and public services.
A new CLTC report from the Center for Long-Term Cybersecurity (CLTC) provides a strategic plan for addressing this challenge in the near- and long-term future. Authored by Sarah Powazek, Director of CLTC’s Public Interest Cybersecurity Program, and Grace Menna, Public Interest Cybersecurity Fellow, the report, “The Roadmap to Community Cyber Defense: A Path Forward from the Cyber Resilience Corps,” is based on findings from the first year of operations of the Cyber Resilience Corps, an initiative co-chaired by CLTC and the CyberPeace Institute that brings together cyber volunteering leaders, private-sector partners, experts, and community leaders.
On June 17, CLTC hosted a webinar in tandem with the report launch where Powazek and Menna presented key insights from the Roadmap report. The webinar also featured a panel discussion between additional members of the Cyber Resilience Corps: Eric Franco, Cybersecurity Preparedness Coordinator at the Wisconsin Department of Emergency Management; Iranga Kahangama, Non-Resident Research Fellow at CLTC; Francesca Lockhart, Cybersecurity Clinic Program Lead at the University of Texas at Austin’s Strauss Center for International Security and Law; and Ann Cleaveland, Executive Director of CLTC as moderator. The panelists discussed the report’s proposed solutions and cyber volunteering groups’ ongoing efforts to support cybersecurity for community organizations across the U.S. The conversation touched on several salient topics:
The need for better metrics on cyber volunteering efforts
Panelists stressed the importance of improving data collection practices among cyber volunteering groups to measure the effectiveness of their services and track outcomes for client organizations after receiving cybersecurity support. Sharing reliable, comparable metrics across organizations could help increase visibility into the impact of cyber volunteering efforts and reveal gaps in service delivery. Some panelists acknowledged the inherent difficulty of quantifying impact in cybersecurity, given that success often involves preventing cyberattacks and breaches that never occur. The preventive nature of many of these services makes it challenging to produce metrics around outcomes.
Academic institutions represent essential pieces of the puzzle in the cyber volunteering ecosystem as they train the next generation of cyber professionals working for public interest organizations
Panelists recommended that state and federal partners continue to explore opportunities to integrate universities and students into ongoing public-sector cyber volunteering initiatives. Student-run Regional Security Operations Centers (RSOCs) hosted at universities were cited as a promising model. Francesa Lockhart, Cybersecurity Clinic Program Lead at the University of Texas at Austin, shared how the university operates an RSOC for students to work with Texas’ Department of Information resources to help secure local government entities from cyber threat actors, exposing students to potential cybersecurity careers in state government. “Our hope is that this model can be replicated and validated more in the future,” Lockhart said.
Demand for cyber volunteering services gets generated through trusted relationships
The conversation later turned to how cyber volunteer groups generate demand for their services. Panelists noted that clients learn of their services via word of mouth, referrals from trusted partner organizations, and proactive relationship-building efforts by cyber volunteering organizations. Iranga Kahangama, CLTC Non-Resident Research Fellow, stressed the importance of establishing client connections early, ideally before cyber incidents occur. “Building relationships and trust with public interest organizations in advance is essential to ensuring organizations are receptive to cyber volunteering help when needed,” he said.
