
Congratulations. You have made it to day three. So look, look to your left, look to your right. Not everybody has done what you have been able to do. So we're super excited. Um, this is it. This is really the culmination of three days. So, we're going to build on day one and on day two and day three and we're going to bring it all home at 11. But before we get to 11, we're going to hear from M. Grace Mena and she's going to tell us about the following. Volunteers are the backbone of cyber civil defense. If you are ready to join the community, the cyber defense fight, but don't know where to start, this talk is for you.
And I can see right now there's a bunch of people who this talk is for in this room. We'll map the current volunteering efforts, pinpoint the crucial coordinated strategic actions still needed to scale their services, and introduce the Cyber Resilience Corps, your one-stop shop to identify which volunteering groups you are eligible to join. So, please put your hands together and welcome Miss Grace Mena. Woo. [applause]
>> Okay, let's see if this thing's on. Sounds like it's working. Can you all hear me? Can I get a thumbs up? Amazing. Um, well, good morning everybody. Happy last day of BSides Las Vegas. I'm really thrilled to be here with you all today. Um, and I'm going to be talking
about cyber civil defense. For a quick show of hands, how many of you have heard this term before? Okay, a decent amount of you. Well, if you haven't, um, cyber civil defense is essentially the fight to protect under-resourced organizations across the US from cyber attacks, um, by a coalition of people, mostly government, local universities, and individuals like yourselves, to help bring them above the cyber poverty line. And one of the groups that is a key component of cyber civil defense is volunteers. And so, um, in today's talk, you're going to hear me lay out a series of short-term and long-term recommendations to build a safety net for these vulnerable organizations, and volunteers are a key part of that. Um, so my name
is Grace Mena. I'm a fellow at the UC Berkeley Center for Long-Term Cybersecurity, which we lovingly call the CLTC. And there I, um, conduct public interest cyber security research on policy, and I also help co-lead a new initiative called the Cyber Resilience Corps, which is a joint partnership with the CyberPeace Institute out of Geneva. So, quick show of hands, how many of you saw this headline last week? Okay, a fair amount of you. Um, so if you didn't see the headline, the city of St. Paul was hit with a major attack. Um, and it forced the Minnesota governor to, for the first time ever, call in the National Guard to respond to the incident. Um,
13 individuals from the cyber reserve unit were called in to respond to the attack. And this is happening everywhere, and it's been happening for a long time. Um, this is an example that I like to point to from two years ago. Um, in my home state of Arizona, the city of Tucson, which is the second largest metropolitan area in Arizona, was hit with a massive attack, um, that ended up taking the school district down for two full weeks, leaving kids not able to go to school, parents scrambling to find, um, child care, and also putting students two weeks behind, right? But this has been happening and is happening across the US, um, in
municipalities and community organizations alike. So, um, you're going to hear me use the words community organizations in the course of this talk. And when I say community organizations, I'm referring to any organization that provides essential services to the public. So, this includes municipalities, hospitals, school districts, nonprofits, and sometimes even small and medium-sized businesses. Um, and they're all vulnerable, and the status quo is unsustainable, right? These community organizations that provide essential services to the public are the least prepared to handle cyber security threats themselves. And they often cannot afford cyber security and lack the in-house expertise to implement these safeguards. And to make matters worse, the attacks actually disproportionately harm, um, the most vulnerable in our population. So
especially for those living in poverty or in rural areas, we cannot accept the risks of inaction. And so out of that concept, we formed the Cyber Resilience Corps. Um, and as part of the Cyber Resilience Corps, we set out on a journey to map what currently exists to help community organizations and to understand what steps still need to be taken, um, to help bring them above the cyber poverty line. And so from January until June of this year, we brought together a group of 30 experts spanning cyber volunteering programs currently in the US, cyber insurance providers, um, consultants, academics, MSSPs, MSPs, and industry leaders and investors, um, to better understand what exists and
where we still need to go. And out of that six-month journey, we ended up creating a road map. And this road map lays out a strategic plan for addressing this challenge in the near term and the long-term future. Right? And I think it's important to state that we're in a unique moment right now. Um, the future of cyber security defense is at the state and local level. That's what we believe. More and more is being asked of states and regional leaders. Um, and so banding together local universities, nonprofits, and state governments, we believe, is the most pragmatic way forward to help build a safety net for these organizations. And so we're
looking to create ecosystems of cyber support. So, okay, what exists right now? If you're not already familiar with cyber volunteering programs, actually, quick show of hands. How many of you have heard of any existing cyber volunteering programs? Okay, about half of the room. Um, well, if you're not already familiar, um, there are a series of different programs that I'll lay out in a moment, but essentially it's where skilled volunteers volunteer in their free time pro bono services to some combination of, um, SLT governments, critical infrastructure, nonprofits, and small and medium-sized businesses. And there are essentially three major buckets of these types of programs. The first is state civilian cyber corps. Um, right now there are six of them in the
US. Um, and these are state-run volunteer operations, depending on where they're based, maybe under the Department of Emergency Management or the Department of Information Technology. Uh, the second is university clinics. So, right now there are over 30 in the US. Um, and they primarily serve critical infrastructure and nonprofits at the moment. Um, but may potentially expand outwards. And then the final is nonprofit-led groups, including I Am The Cavalry, which I'm sure you're going to hear more about a little later, which is doing amazing research and policy work, um, particularly in regards to critical infrastructure. So these groups, depending on how they're set up and where they're located, provide some combination of the following services: incident response,
vulnerability or risk assessments, education and training, and threat intel sharing. And they're doing amazing work, but we identified six critical gaps when we were mapping these organizations. The first is that these services are not equally accessible. The second is that organizations who need help don't know where to go. Like I said, some of you didn't even know that these programs existed. Um, do you think that a nonprofit CEO is going to know that these services exist? Most likely not. Um, and so organizations who need help need a more streamlined way to know what services are available to them and by whom. And, uh, third, legal and liability
challenges continue to create barriers for volunteering services. Um, right now there need to be separate legal agreements, um, on the individual basis and for the actual volunteer program itself, to protect both the volunteers that are volunteering their services and the companies that they work for in their primary capacity. Fourth, um, after volunteering services are rendered, there are very few pathways of support to continue the cyber hygiene paradigm for these organizations. So we need to build more off-ramps. Fifth, um, funding for these programs is incredibly volatile, which means that the programs often struggle to mature and expand despite the increase in demand for these services. And sixth, um, programs face major
difficulty collecting standardized metrics on impact. A lot of these programs are relatively new. They're run by volunteers, um, and they're also set up incredibly differently from each other. And so it can be very challenging to not only just compare metrics from program to program, but even from year to year within the same program. And so our work is not done here. We still have a lot of work to do to scale these programs and meet demand. So what can we do? We identified in this road map three actions that would help immediately build a short-term, um, safety net for community organizations. And there are essentially three different buckets of types of recommendations. So the first
is to expand cyber volunteering programs. Um, I mentioned earlier that accessibility is a huge issue. Um, right now there are at least 22 states in the US that do not have any existing volunteering programs that are regionally based. So that's no state civilian cyber corps and no local university clinics. Um, and then on top of that, only eight states, or only eight of these programs, offer any sort of incident response services, which means that if you live in a state that doesn't have a state civilian cyber corps and you're a community organization in need of incident response services and you don't meet the threshold for the National Guard to come in and help, then
you're out of luck. Um, and so building off of that, expanding cyber volunteering programs, um, we had three subrecommendations. The first is to prioritize the most threatened organizations. At the end of the day, we need to make sure that resources are being allocated where they're needed most, particularly to critical infrastructure. The second is that we need to continue to invest in the interconnectivity among these programs. They can do more together when they're collaborating, sharing resources and best practices, and handing off, um, community organizations after an engagement to continue services. And finally, we need to continue investing in cyber volunteering, um, whether that be through government funding or private, uh, donors or through foundations that
support these organizations. They cannot continue to scale, um, without continued sustainable funding. So the second recommendation is to mature cyber volunteering programs. All community organizations deserve a consistent high level of service, and right now there are a number of community organizations that go to cyber volunteering programs, um, that are just off the ground and haven't quite figured out their methodology yet. And so, um, we think that we can mature cyber volunteering programs three ways. First is by expanding the collection of metrics of volunteering groups' impact. So right now, um, there are actually a couple of really, really great examples out there that cyber volunteering programs can look to. Um, Indiana's Cyber Track program has a really, really great
methodology for tracking, um, the success of the recommendations that they provide to community organizations. So, second, um, we need to clarify liability protections for cyber volunteering. It's great to have these programs, but if volunteers can't be protected from liability when actually rendering their services, then that's going to limit the amount of people that we have that are actually able to help community organizations. And third, we need to improve volunteer and client matching. Making sure that the right client organization, community organization, is matched with the right type of volunteer is essential to high levels of service and continued engagement and trust building. Right? So improving, expanding, maturing, um, these programs is great. Um, but the end goal is to get these
community organizations to be able to stand up on their own. Um, and so we think that we can do that three ways. One, by centralizing common handoff resources. So, like I mentioned earlier, the off-ramps for these community organizations are very limited. And so giving them resources that they can use after the service engagement ends will be immensely helpful. Whether that's incident response plans, um, business disaster recovery plans, um, a list of different types of groups they are able to contact based off of different types of incidents or situations that they're dealing with, it is really, really helpful, um, because we want to keep the appetite for cyber hygiene ongoing with these organizations after services are
rendered. And so building off of that, we want to bolster handoff procedures after engagements. So sometimes that means passing the baton. So, if you're a state civilian cyber corps, passing the baton to a local university clinic who can help provide proactive services continues that spectrum of, um, cyber hygiene after the incident response services are rendered. And finally, uh, help organizations find full-time support. Um, right now, it is incredibly hard for the majority of community organizations to obtain MSSP or MSP services. Um, not only is it incredibly expensive, but a lot of these organizations don't know what to look for when going through the contracting process. And so creating some sort of guidance for these community
organizations to use when they're going out and trying to build relationships with MSPs and MSSPs will be immensely helpful to getting them to be able to have that full-time support. So those three recommendations were for the short term, right? We believe that those will help create a safety net immediately. And we recognize this is not a long-term solution, right? Cyber volunteering programs are doing a lot of amazing work, and they are incredibly important for the current, um, moment, and we want to get to a place where hopefully community organizations are not relying entirely on cyber volunteering organizations to help patch the gap. And so we identified three long-term solutions that we
believe will help. So the first is that companies must simplify cyber security for non-experts. I'm sure you've heard that a lot during the course of this BSides, right. Um, this is everything from, um, encouraging secure-by-design and secure-by-default practices, um, pushing more vulnerability liability onto the actual software providers themselves, um, but also encouraging businesses to see that secure by design and secure by default is a competitive advantage, particularly when working with community organizations. Community organizations may be more likely to go with a particular vendor if they believe that a vendor has secure-by-design products. Um, and so we believe that's one way. The second is, um, venture capital should
continue to invest in products and technologies that simplify cyber security and automate a lot of these tools for community organizations, because most community organizations do not have the time or expertise to execute these controls by themselves. And if an MSP or an MSSP is out of reach for them, they're out of luck. Um, so that's the first recommendation. The second is that states have a role to play here, particularly when it comes to pooling services. Um, so right now, like I mentioned, it's very difficult for a lot of organizations to, um, be able to contract with MSPs and MSSPs. And so we've seen other successful models of these shared pooled services. Um, the UN has one for
their international computing program. Um, and they provide shared services at cost for all UN affiliates, and we believe that states particularly should be doing this for, um, utilities that are important for critical infrastructure. So water utilities, electric utilities, other things where it's important to have a high level of functioning, and to be able to provide these at cost. And finally, we need to embed cyber knowledge in our communities, right? And this is done in a two-pronged way. The first is that we're finding boots on the ground. It is incredibly hard to educate the general public about cyber security principles, right? Um, and continue to upskill as security evolves. And so we've found that the most effective way
to do this is through trusted community messengers. So, a lot of these community organizations already work with other organizations that they trust, whether that be their local credit union or their business association. Um, and so we want to tap into those networks of people to help be catalysts for this culture of cyber security. Um, but second to that, um, we also need to start early, right? Um, if we start embedding cyber security principles and skills in the school system, we will end up with a population that has at least a base level of cyber security fundamentals, um, that then will translate into the community organization workforce. And so this is a much longer term goal, but we believe
that this should be the way that we're moving, in a similar way that, um, going and doing typing classes in school was important, right? How do we teach students the basics of cyber security and security mindsets? So, right, key takeaways from this are that cyber volunteering programs are doing a lot of good. They're helping catch organizations that are falling beneath the cyber poverty line. Um, but there's still a lot of work to be done to scale them and make them more effective. And they're not enough. We need more long-term effective solutions. So, how can you help be part of the solution, right? Um, I have a few recommendations. The first is to
read our road map. Um, it's linked up here on the slide. Um, we go into a lot more depth about the actual ins and outs of how to execute these recommendations, but we also map the different cyber volunteering groups, and we also quantify the risk to these organizations. Um, but at the very end of this road map report, um, you can find a state guidebook, which is essentially a clearinghouse of actions that states can take to help build this local ecosystem of support. Um, and in it we outline the different types of cyber volunteering programs, how they weave together, and how you can set them up. We even link to model bills that states can use to establish their
own state civilian cyber corps. We also outline effective funding strategies for local, um, education initiatives, and we also, um, outline different ways that private sector companies can help partner with nonprofits to set up private volunteering programs. Um, but the most helpful thing that you all can do is to go back to your policy makers and help start up more of these state-run and state-endorsed volunteering programs. We just need more boots on the ground. We need more students at universities offering services. We need more volunteers on the state level who are able to come in, particularly in local and rural locations, to help boots-on-the-ground organizations. Um, and so please go knock
on your policy makers' door and tell them about the amazing work that these types of volunteering organizations are doing. And of course join us, um, on our platform. It's cybervolunteers.us, um, and check us out. We're doing a mainstage talk at DEF CON at 10:00 a.m. on Sunday, where we're going to outline the different types of volunteering groups in much more depth, um, share some more stories from boots on the ground, um, and also tell you a little bit more about the current volunteer distribution networks. And you can reach out to me here. Um, and I'm going to open the floor up for questions. Thank you. [applause]
>> [applause]
>> Thank you, Grace. That was a lot of words in 20 minutes. That is fabulous. So, if you've got questions, come on around here and ask them, please.
>> Here we go.
>> Grace, I've known you for a while, kind of indirectly. So, um, I started off as a community college student, right? And I'm pretty much self-taught in cyber. Um, I attended George Washington University thanks to, you know, uh, programs like Women in Cyber Security, and during my time at, uh, George Washington University, I started Women in Cyber Security at GW, which is the most popular cyber club in the DC-Maryland-Virginia area, and we helped George Mason and, uh, Georgetown start their Women in Cyber clubs. Right. So
these little seeds that you're talking about, I've seen it in real time because it helped me grow as a person. And then from there, I, you know, had my internship at Intel Corporation in Government Affairs, met I Am The Cavalry through some pretty cool people, did Hackers on the Hill, and then full circle, right? Now I'm a community college professor after being DOGE'd. Uh, but the good news is I joined one of the best, uh, you know, community college districts in California, the North Orange County Community College District. And so now that I'm kind of like full circle, the wheels are spinning, right? Like, it's turning, right? We have a community college cyber
center, and it's actually doing well, but I think it could, like, go up a notch. And my dean is also into cyber policy. He's getting his PhD at, uh, UCLA in policy. And so I'm kind of like wondering, for community college professors, how do we take what's pre-existing and take it up a notch? Right? Because I've been there. A lot of us in this room have been there before in their own journey. So, like, how can we kind of, like, level up? And I know the work CLTC is doing. I mean, I've followed them throughout grad school. So, yeah, I'm here to pick your brain.
>> Yeah. Are you asking how we can scale up
the existing volunteering organizations at the community colleges?
>> Yes. Yes.
>> Okay. Um, so, right, so there are amazing resources out there. Um, if the community college is not already a part of the Consortium of Cybersecurity Clinics, um, I highly encourage the community college to check out, um, the consortium website. There's a series of different resources that are available to everybody, right, to use to set up and mature, um, different cyber security clinics. But I also think, right, um, we've found that clinics benefit the most when they are in direct contact with other clinics and other places to share knowledge and to also just, um, kind of point out potential, um, pitfalls that you
may have in the first year or two years in setting up. Um, but I think that what we're seeing is that, um, there are a couple of challenges, right, like getting, um, buy-in from the admin of a particular university can be hard, um, and so increasing funding for that is really important, um, but I think that the best recommendation that I'd give to a community college hoping to scale their service offerings, um, would be to find another community college or university that's doing similar work and partner with them to sort of tag team the problem and see where you can learn from each other. Um, we're finding amazing success with that
and the Consortium of Cybersecurity Clinics. Um, and if you're interested, I can give you a list of different people from the consortium that I think could potentially be a good fit for your university.
>> Dope, dope. Thank you so much.
>> Yeah, of course.
>> Hi, Grace. Thank you so much. Uh, longtime fan. Uh, hi. I'm curious as to, um, whether you could talk more about the liability side. Um, is it a, for hackers specifically looking to do this sort of work, is it a lack of resourcing, like the volunteering corps doesn't necessarily have a series of template contracts or waivers, or is it that the companies or public sector or, uh, SLT organizations
are unwilling to sign such things?
>> This is a great question, um, and an incredibly complicated question as well. Um, so there are a couple of things happening here, right. Um, the different governance structures of these different types of cyber volunteering groups, um, have different built-in thresholds for liability built into them, right? So if you're a state civilian cyber corps, um, and you're a volunteer that is volunteering for a state civilian cyber corps, you are protected at a base level from liability more than you would be from a different organization, just by the virtue of the fact that you're working for the state. Um, and so when folks are going in on the state
level and doing some of this incident response work, they have much more peace of mind. Um, that being said, other nonprofit volunteering groups have developed really great templates like you mentioned, um, that they're using. So, the CyberPeace Builders program that the CyberPeace Institute is running, um, has a really, really great template they've been using, and has, um, put the confidence of a lot of really big private sector companies, um, at ease. And so they've actually volunteered a bunch of their own cyber security analysts to go and do this work through CyberPeace Builders. And so I think, um, there are promising solutions to the problem. But the problem is that, um, all of these
programs are set up differently and have different needs. And so you essentially need different customizable templates for every different type of program based off of the governance structure. And on top of that, some volunteers, depending on who their employer is, might have different needs on liability. And so having, um, customizable templates and also the help of pro bono legal services is huge. So, um, one of the things that we're hoping to do in the next phase of CRC potentially is to explore partnerships for cyber volunteering programs with, um, legal clinics across the US, um, to help essentially provide some of these free services to volunteers and to the volunteering programs themselves, to help bridge that gap and increase the number
of volunteers that can be scaled.
>> Awesome. Thank you.
>> Thanks, Vona. Okay. Last chance for questions. Any more questions? Oh, Mr. Ray has a very important question. We do not want to miss this.
>> I really just want to foot stomp what Grace is doing. I was, uh, the leader of one of these, uh, state-sponsored cyber, uh, civilian organizations for about six years, and we learned a lot of lessons. We ran into some roadblocks, and those roadblocks are what the, uh, Cyber Resilience Corps is going to try to take into account and teach you how to solve. So if you are in any way thinking of doing something like this, now is the
time. There's people that have the arrows in their backs and the blood. So we're around. If you need advice on what to avoid, come talk to us. We have, uh, Michigan had legislation that you can copy. Texas did. So, uh, we're around.
>> Yes. Thank you, Ray. Thank you so much, Ray. Yeah, to foot stomp that. Um, community cyber security is national security. So, um, yeah, please get involved, and thank you all so much. [applause]