Newmark initiative will bring online a network of civil defense hackers
Nearly 30 years ago, Craigslist brought the digital bazaar to the average person who had little idea how to trade on the net. Now, the founder of the classified ads website is looking to bring cybersecurity to the average person who has little idea how to stop hackers.
At the Aspen Cyber Summit in Washington, D.C. on Wednesday, Craig Newmark Philanthropies will announce a new initiative with the University of California, Berkeley, the Cybersecurity and Infrastructure Security Agency, and the nonprofit CyberPeace Institute that brings together a slew of cyber volunteering programs across the U.S. to help organizations that simply can’t defend themselves from hackers.
Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley, said that the new initiative, called the Volunteer Network for Civil Cyber Defense, will “help amplify the work of all of the different volunteer and state and local grassroots efforts to provide cyber assistance.”
The initiative is driven by a brittle digital ecosystem, where dinner table conversations can cover everything from a ransomware attack on a nearby hospital that shuts down health care services to extortionists residing in Russia and using children’s information as leverage with little fear of retaliation. Meanwhile, criminals and state-backed cyberthreats will likely continue to far outstrip the federal government’s response efforts and victims are left figuring out what’s next with little help, little approachable guidance, and little comfort in stopping the next attack.
Hackers and local governments are not taking the cyber beating sitting down, of course. A host of voluntary initiatives working with the under-resourced are scattered across the states and internationally, but knowing that they exist can be a problem in and of itself — a gap the initiative is hoping to fill.
“Volunteer networks and no-cost cyber services are important parts of cyber civil defense, bringing critical resources into communities that need a hand with cyber protection and resilience,” Craig Newmark said in a statement.
In August, two voluntary cyber initiatives aimed at helping critical infrastructure stand up against hackers were launched during cybersecurity conferences in Las Vegas. Michael Razeeq, a #ShareTheMicInCyber fellow at New America, said at the time that new initiatives have been popping up recently, particularly as technical glitches and bad updates like the CrowdStrike incident have highlighted what could happen in a worst-case scenario.
The foundation is donating $1.2 million in funds, which will also be used to continue existing projects created with previous moneys, such as UC Berkeley’s Consortium of Cybersecurity Clinics, a network of universities that sends trained students to help social organizations like nonprofits that face increased attention from governments, corporations and malicious actors. The funding is part of a larger batch of programs that Newmark’s foundation dubs the Cyber Civil Defense Coalition, which is centered around civilian resilience and cybersecurity.
Cleaveland said Wednesday’s announcement is about “meeting the moment for underserved organizations and underresourced organizations.” Ransomware attacks have gone on long enough that the giants of the corporate world can pay their way to cybersecurity or risk mitigation. But that leaves easy pickings for criminal hackers looking to make money with little thought to the consequences.
“This is about an attack on a local dentist’s office or a middle school that can be devastating in communities,” Cleaveland said.
Stéphane Duguin, CEO of the CyberPeace Institute, said existing initiatives can often be “piecemeal and scattered,” which helps make resources and tools available but lacks a “big strategy.”
“There’s no coordination mechanism. There is nothing to be sure that what is developed by one is going to be helpful to the other,” he said.
An overarching lack of coordination impacts high-risk communities that historically have little resources for basic needs, let alone costly cybersecurity products. Civil society organizations have been considered a high threat of targeting with a low-defense capacity to protect themselves, according to recent guidance from CISA. And it’s not always their fault, according to the guidance, which calls out products that push the burden of security onto the user.
“Low defense capacity is exacerbated, in most cases, by products and services designed in a manner that places the burden of reducing cyber threats on the customer or end user. For example, the customer or end user is required to take specific, sometimes onerous, actions to improve their cyber posture,” the guidance states — a particularly troubling truth given civil society organizations are frequently the target of state-backed threats.
Sarah Powazek, director of the Public Interest Cybersecurity Program at UC Berkeley, said bringing together existing and new volunteers and initiatives would turn off the deluge of noise people hear, transforming warnings of zero-day vulnerabilities leveraged by Fancy Bear into easy listening once cyber volunteers learn to “play off the same sheet.”
Powazek notes that for many organizations, cybersecurity lacks the human experience in the physical world that can explain technical jargon and digital vagueness in easy and — more importantly — actionable terms.
“If you’re a community-serving organization that doesn’t have the money, the knowledge, the talent to afford cybersecurity in any shape or form, you have nowhere to turn. I mean, there’s nothing out there for you. If you can’t afford it, you don’t get the protections,” Powazek said. “I think what you’re seeing is that there are a lot of programs across the country that say that’s not good enough. We need to step up. We need to help these organizations because they’re vital to our community.”
