In June, the City of Cleveland was the victim of a ransomware attack, requiring services to be taken offline and the closure of City Hall. In response, Cleveland engaged the volunteer Ohio Cyber Reserve—a group of volunteer cybersecurity professionals, analogous to the Coast Guard or the Medical Reserve Corps—for assistance. The next month, a ransomware attack on the City of Columbus resulted in the theft of personal information of thousands of residents and forced the city to disconnect from the internet, disrupting services including 311 and email. The Ohio Cyber Reserve again assisted with incident response efforts and provided recommendations to help mitigate the risk of future attacks. In fact, in the past three years, the Ohio Cyber Reserve has assisted over 30 municipal governments, schools, and critical infrastructure entities.
Not all states that fall victim to cyberattacks are so lucky. In neighboring Indiana, around the same time as the Cleveland ransomware attack, a separate incident impacted the municipal government of Clay County and hindered the delivery of critical services. Indiana, unlike Ohio, does not have a civilian cyber corps (C3). Consequently, Clay County was forced to issue a disaster declaration, and most county functions remained offline nearly a month after the incident. Recognizing the benefits of C3s, Indiana had already begun the assessment process for forming a state C3, so that municipalities like Clay County will have a cavalry to call to assist with recovery from such cyber incidents.
While C3s may not prevent cyberattacks, they can avoid disaster in the case of one: In Indiana, for example, more resources would have been available to assist with containment and recovery. This article explains the current state of C3s, the key legal issues that can arise from the use of volunteers for cyber defense, and the need for a model C3 law to assist states in adequately addressing those key legal issues so that they can focus on effective operation of C3s.
An Overview of State C3s
Indiana is one of the most recent states to consider establishing a C3, but given the impacts and costs of cybersecurity incidents, it is unlikely to be the last. The total estimate of losses resulting from the 880,418 cybercrimes across the U.S. that were reported to the FBI in 2023 is $12.5 billion. According to another report from the cybersecurity company Emsisoft, ransomware attacks alone resulted in the encryption or theft of sensitive data, disruption of operations, and other impacts to 2,207 hospitals, schools, and government entities across the U.S. in 2023. Those estimates almost certainly underestimate the scope of the problem because of the number of cybercrimes that go unreported. A combination of factors has led to cyber insecurity nationally, including insecure software and technology and a significant cybersecurity workforce shortage.
State, local, tribal, and territorial governments (SLTTs) and small and medium-sized businesses (SMBs) are particularly vulnerable to cybercrime. Many SLTTs and SMBs are target rich but cyber poor. They manage sensitive information, operate critical infrastructure, and provide essential services but do so with far fewer resources than the federal government and large corporations. Despite increasing bipartisan cybersecurity measures, such as the recent Streamlining Federal Cybersecurity Regulations Act and the Healthcare Cybersecurity Act, the federal government has not taken sufficient action to date to support and improve the cyber resilience of SLTTs and SMBs.
Civilian cyber corps, or C3s, are an attractive option for states hoping to fill the cyber workforce gap and to augment their existing cybersecurity capabilities to support SLTT entities and SMBs. A C3 is a group of volunteer cybersecurity professionals who provide preventive and reactive cybersecurity assistance to individuals or organizations. Utilizing volunteers allows states to draw on the expertise of cybersecurity professionals whom they might not otherwise be able to hire. The volunteers’ services are similar to those of volunteers in other domains, such as the Medical Reserve Corps, the Civil Air Patrol, the Coast Guard Auxiliary, and volunteer firefighters. Civilian cyber corps volunteers generally engage in education, training, and outreach; vulnerability assessments and testing; and on-call expertise and emergency response. Over the past several years, various cyber policy experts have proposed C3s as a replicable, scalable solution to a large-scale societal problem.
The U.S. government has considered establishing a federal C3—although, to date, few concrete measures seem to have been taken to do so. The National Defense Authorization Act (NDAA) for Fiscal Year 2023 required the secretary of defense to assess the feasibility of creating and maintaining a federal civilian cybersecurity reserve corps to support the response to significant cybersecurity incidents and to assist in solving other cyber workforce-related challenges. That assessment has not been completed. More recently, the NDAA for Fiscal Year 2024 provided authority for the secretary of the Army to establish a civilian cybersecurity reserve pilot program, but the Army has not yet utilized that authority.
However, the U.S. Marine Corps has established its own cyber auxiliary program to help train, educate, assist, and mentor Marines. In addition, anticipating that the number of state C3s will continue to increase in the U.S., the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency launched a Cyber Volunteer Resource Center in 2024 to provide a centralized resource with opportunities for potential volunteers and beneficiaries to learn about and engage with C3s across the U.S.
As with other emerging areas at the intersection of law and technology, like privacy and artificial intelligence, states have not waited for the federal government to act. Several states, including Maryland, Michigan, Wisconsin, Ohio, and Texas, have established state government-led C3s, while others, including Oklahoma, Indiana, and Virginia, have considered them.
The C3 Legal Framework
As existing state C3s mature and other states establish C3s, the legal frameworks that govern these C3s can either lay the foundation for or impede their success. This is an important but understudied aspect of C3s, especially given the legal questions raised by the use of volunteers to provide cybersecurity assistance. C3 legal frameworks generally include a statute to establish and govern the C3; implementing rules and regulations; contracts for services or memoranda of understanding (MOUs) between the state, volunteers, and beneficiaries; and guidance for volunteers to address operational matters. While some work has been done to establish model contracts, similar publicly available research has not been completed regarding the C3 statutes and no model C3 law has yet been drafted.
Just as state governments have benefited from access to model laws to assist with development of other privacy and cybersecurity legislation, they would benefit from a model law or key legal provisions to help draft C3 laws. This resource would prove essential in ensuring C3s are a replicable, scalable, and data-driven solution to a large-scale problem. It would also enable states to expend less time and resources researching and developing legislation, while ensuring key issues are similarly addressed across various states. For example, under what authority will the C3 operate, and how will potential conflicts with other agencies be managed? Who can qualify to become a volunteer or a beneficiary? Who can activate the volunteers and under what circumstances? Who will bear the risk if data is accidentally deleted or destroyed during a recovery operation? And will information relating to volunteers’ activities be subject to disclosure under states’ freedom of information laws? In fact, Virginia’s governor vetoed a proposal to assess the feasibility of a state C3, citing other legal issues that would need to be addressed first, and Oklahoma has slowed the development of its C3, at least in part to further assess potential legal issues absent a C3 statute.
Some of the questions raised by the use of cyber volunteers can be addressed in contracts or MOUs; others are better addressed by statute. With the exception of Wisconsin, the states with active C3s have enacted laws to govern them. Not all of those laws address the exact same issues or address them in the same way, but generally, they address matters such as the establishment and authority of the C3 to operate, its purpose, the scope of volunteers’ services, the status of volunteers under state employment law, requirements for contracts with the volunteers and beneficiaries, the qualifications required of volunteers and the training to be provided to them, confidentiality of beneficiaries’ and volunteers’ information, liability with respect to services rendered, equipment and supplies to be used by volunteers, the method of calling volunteers to action, reimbursement of volunteers’ expenses, and additional rulemaking authority.
C3 statutes can either help or hinder C3s’ effectiveness. For example, a C3 statute that limits a C3’s services to SLTT entities would limit the ability of a C3 to provide support to a privately owned water utility that falls victim to a ransomware attack. Likewise, a C3 statute that restricts the deployment of C3 volunteers to situations where the governor orders the deployment will likely result in the underutilization of the C3. Because Wisconsin does not have a C3 law, and therefore has no such restrictions, Wisconsin’s C3 is utilized more frequently for incident response than C3s in other states. The absence of a C3 statute has allowed Wisconsin’s C3 to be more agile and responsive to beneficiaries’ needs compared with some other states. However, that does not mean states should avoid enacting laws to govern C3s. Instead, it means policymakers must carefully consider key legal issues when creating C3 laws, drafting them in a way that will allow for the flexibility C3s need to operate efficiently in response to shifting challenges.
***
To maximize the potential of C3s to help address the increasing cyber threats to SLTTs and SMBs, a model law and key legal provisions are needed to help ensure relevant issues are appropriately addressed as new C3 laws are enacted. The experiences of states enacting data protection and cybersecurity laws in the absence of federal legislation provides precedent for this approach. Uniformity among various state C3 laws will also allow state C3s to better collaborate, benchmark against, and learn from peers to continue to improve and operate more effectively.
Given the ongoing reliance on volunteers in cyber and other domains, it should be no surprise that states will continue to establish C3s. As more states do so, it is important that they consider the ways in which the law might help or hinder C3s’ effectiveness. It is also important that states are supported in their efforts through the development of a model law and key legal provisions for them to draw on based on the experiences of the existing state C3s and those in other countries. As cyberattacks become increasingly common, C3s could prove a vital tool in combating their effects—but only if lawmakers and legal experts lay a strong foundation.
– Michael Razeeq, Published courtesy of Lawfare.
