The key to making the US cyber strategy work: boots on the ground
We have seen more federal resources, action and coordinated strategies around improving nationwide cybersecurity in the past four years than in the last 40 combined. The FBI and the Department of Justice are prosecuting cybercriminals, disrupting criminal networks and seizing stolen funds. The Cybersecurity and Infrastructure Security Agency, handed the mighty mission to defend and secure cyberspace just four years ago, is set to receive more than $3 billion in funding for 2024.
Most recently, the Office of the National Cyber Director, a two-year-old office leading the Biden Administration’s cyber agenda, released the much-anticipated National Cybersecurity Strategy, an astonishing document with a vision of securing “the full benefits of a safe and secure digital ecosystem for all Americans.” This strategy, built on the recent cyber executive orders out of the Biden administration, is an ambitious move by the White House to stay ahead of the curve on cyberdefense, seeking to both prevent cybercrime and actively disrupt criminal operations.
The strategy could not have come at a better time. Despite years of growing political willpower and resources at the federal level, critical local organizations are still regularly getting hit with common cyberattacks such as ransomware. Municipalities, food banks, hospitals, school districts and other local organizations are at risk of becoming incapacitated within minutes of a ransomware attack, affecting the critical services that entire populations rely on. Tribal territories are often included in the umbrella of the “SLTT” acronym but rarely receive similar resources and attention as their municipal counterparts and are also at risk for debilitating cyberattacks.
At the community level, the impacts of ransomware are often felt immediately and can last from weeks to months after the attack. In one of the worst incidents of recent memory, the Vermont Medical Center was forced to delay cancer treatments after losing access to electronic health records of chemotherapy medications. Attacks such as ransomware are challenging to recover from, and delaying critical services creates long-term consequences for an entire community.
And while U.S. agencies have been allocating more resources toward countering cybercrime in recent years, these funds and advice often do not reach smaller, local organizations, which are still left to their own defenses.
Ultimately, federal intervention will never be enough, on its own, to address all cybercrime in every locality. It will take a whole-of-nation effort to protect local communities from cyberattacks, and local organizations can provide critical “boots on the ground” services and support directly to the organizations at risk of cybercrime. And in the current challenging economic climate, it will take out-of-the-box thinking by nontraditional groups to provide these resources to those in need.
There are three major groups that we’ve seen move the needle for local cybersecurity efforts in innovative ways: academia, local government, and volunteer cyber experts. Though each program serves a small population with specific resources, together they paint a picture of collaborative cyberdefense.
Academics and educational organizations are uniquely positioned to serve as hubs of cyber defense; they train the next generation of cybersecurity professionals and are preoccupied with cybersecurity as frequent targets of cybercrime. Higher-ed institutions have created dual training and service programs called Cybersecurity Clinics, in which students learn core cyber skills and provide free cyber assessments to local organizations in need.
Many higher-ed institutions like the University of Georgia, MIT, The University of Texas at San Antonio, UC Berkeley and the University of Alabama are running Cybersecurity Clinic programs, training students to perform cybersecurity maturity assessments pro-bono and give recommendations for local cities and nonprofits, much like law school and medical school clinics have for decades. In just a few years, less than a dozen programs have trained more than 730 students and bolstered the defenses of more than 120 organizations.
Other programs at schools like Oregon State and Bridgewater State University are training students to perform security operations center incident detection services for vulnerable organizations.
Higher-ed institutions have deep community partnerships, commitments to public service, and the talent and energy of hundreds of thousands of young people. Academia is a formidable and growing ally in the fight to protect local organizations from cyberattacks.
State and local governments are another group making sizable contributions to community cyberdefense by piloting innovative ways to provide state cyber aid. For example, the County of San Francisco developed the Bay Area UASI to promote resource sharing and cyber mutual aid programs across the county. The State of Massachusetts formed the MassCyberCenter, an innovative department that assists municipalities with cybersecurity. States such as Ohio, Wisconsin, Michigan, North Carolina and Wyoming have created state-led cyber response corps to help local organizations with cyber incident response and recovery.
These regional governments are often discussed only in the context of cyber victimhood, as they have suffered some of the most high-profile attacks in recent years. But regional governments are vital stewards for community cyberdefense; cities, counties, and states can provide cyber mutual aid to surrounding areas, promote federal cyber resources, send on-site assistance quickly, and ultimately act as trusted advisors for struggling organizations.
Cyber experts as volunteers
The last actors stepping up to protect local organizations from cyberattacks are local volunteers. Nonprofit organizations like the CTI League, I am the Cavalry and other formal and informal groups of cyber professionals harness the insight of industry experts to act as a last line of defense. These groups share threat information and even attempt to notify potential ransomware victims before their data becomes encrypted.
Some individuals also join state-led programs like the Michigan Cyber Corps, mentioned above, which certifies industry volunteers to step in as incident responders when local organizations suffer a cyberattack. Others offer a few hours of their week pro-bono through programs such as the CyberPeace Builders, which matches experts with bite-sized tasks like helping an organization set up its firewall.
Cyber volunteers are quickly becoming an indispensable backbone of cyberdefense for organizations that cannot afford long-term professional assistance.
Call to action: making local cyber collaboration a priority
Local cyberdefense programs share a common goal, despite having roots in different sectors and across the continent; with cyberattacks, no one gets left behind.
Strengthening local cyber programs will act as a force multiplier for all the progress made at the federal level; local leaders can disseminate advice between trusted local partners, arrive at the scene of an attack faster, and stick around for longer to ensure a ransomware victim has the support they need to recover. Indeed, these programs can be beacons through which resources that often remain concentrated at the federal level can reach those who need them most.
The White House ONCD acknowledges this unlevel playing field in the National Cybersecurity Strategy by stating: “Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.” The strategy notably requires buy-in and resources from states. For example, its goal of harmonizing regulation would necessitate working with states to align numerous state breach disclosure and other cybersecurity laws.
Other proposed projects in the strategy have local impacts, like increasing the speed of victim notification and intelligence sharing, supporting a digital identity ecosystem, and strengthening the cyber workforce. These projects’ success and longevity will depend on engagement with government, academia, and industry members.
Local organizations like academic institutions, regional governments and groups of volunteers are among those best-positioned to serve their communities’ cyberdefense needs; they have the trust and drive to alleviate burdens for critical local organizations. Only by prioritizing collaboration with local institutions and harmonizing strategies among government agencies can we move the needle on cyberdefense for all.
Sarah Powazek is the program director of public interest cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity.
Marc Rogers is a longtime cybersecurity professional, senior technical adviser at the Institute for Technology and Security, a member of the Ransomware Task Force and co-founder of the CTI League.