Key Issues Presented by Existing C3 Laws
There is no one-size-fits-all model for C3 statutes because of the different legal, political, and cultural environments across states. Nevertheless, several key issues should be addressed in each state C3 statute regardless of the differing factors between states (with modifications made to suit a particular state). This section sets out the key challenges presented by some of the legal provisions in existing C3 statutes, as well as issues that existing statutes do not address.[1] Without adequately addressing these key legal issues, C3s will not be able to achieve their potential, or they might see only limited utilization, which will in turn make it difficult to recruit and retain volunteers.
A foundational step will be establishing the C3’s authority to operate, which must be taken while carefully considering a particular state’s legal, political, and cultural environments. On the one hand, a C3 can be established under a state civilian department responsible for technology—as in the cases of Michigan and Texas—or for homeland security or emergency management, as is the case in Wisconsin. This structure can help to ensure cyber volunteers are closely connected with other state IT or emergency management personnel and processes. It also keeps cybersecurity in the civilian domain and could mean the C3’s leadership are more likely to have IT or cybersecurity experience; a dilemma currently facing the U.S. armed services is that cybersecurity experience is generally not required to lead cybersecurity personnel.[2] On the other hand, 18 states and Puerto Rico have active state defense forces under 32 U.S.C. § 109, and a C3 can operate under the authority of the state defense force, as in the cases of Maryland and Ohio.[3] For states that have an active defense force, a C3 under that structure can take advantage of existing funding, regulations, and operational processes intended for volunteers. In either case, providing authority to operate is the cornerstone of establishing an effective C3. This issue is addressed in Section 3 of Appendix 3.
Next, clearly defining the purpose of the C3 and the criteria for its deployment is a key issue because these provisions determine the potential beneficiaries and the circumstances under which the C3 is utilized. For instance, the Ohio Cyber Reserve’s mission expressly includes support for small- and medium-sized businesses (SMBs), while the Texas Volunteer Incident Response Team’s mission is expressly limited to state, local, tribal, and territorial government entities (SLTTs). Because SMBs might operate critical infrastructure, like water utilities or healthcare facilities, a C3 with no authority to provide services to SMBs could not assist a privately owned water utility impacted by a cybersecurity incident. However, determining which SMBs are eligible for assistance and under what circumstances, while also avoiding creating a moral hazard where SMBs underinvest in cybersecurity, can be difficult. The same moral hazard problem can arise with respect to SLTT entities. The statement of purpose should also help to distinguish the scope of the C3’s activities from those of other stakeholders involved in cybersecurity incident response, such as the National Guard, FBI, CISA, or state police. These issues can be further clarified in MOUs but are addressed in Sections 3 and 4 of Appendix 3.
C3 laws must also define the criteria for deploying volunteers. If the process to deploy the C3 is too restrictive, the C3 will not be effectively utilized. If the process to deploy the C3 is too permissive, it could lead beneficiaries to underinvest in cybersecurity because of an overreliance on the C3 (the moral hazard problem), or it could strain the resources of the C3. When Michigan’s C3 was initially formed, members could only be deployed during a state of emergency and could only provide services to SLTT entities. The state recognized those criteria were too restrictive and limited use of the C3 as a resource, so when Michigan later codified the C3, the legislature loosened the deployment criteria so that the State Chief Information Security Officer could deploy volunteers to assist SLTT and SMB entities.[4] In contrast, under the Texas C3 law, the Texas Volunteer Incident Response Team can be activated only at the request of a participating entity if: (1) the Governor declares a state of disaster caused by a cybersecurity event; or (2) a cybersecurity event impacts multiple participating entities.[5] As a consequence, the Texas Volunteer Incident Response Team is far less likely to be deployed for incident response—even during cybersecurity events where the Volunteer Incident Response Team’s assistance may have proved useful—than other state C3s with more permissive deployment criteria. Section 10 of Appendix 3 addresses this issue, drawing on lessons learned from cases like those of Michigan and Texas.
The interaction between C3 laws and state procurement laws is also an important issue to be addressed. The funding and procurement challenges faced by U.S. Cyber Command—which largely relies on the Army, Air Force, Navy, and Marines to meet those needs—demonstrate the importance of agile procurement (and sufficient funding) for cyber forces.[6] C3s that are part of an existing state defense force, like the Maryland Cyber Unit and the Ohio Cyber Reserve, can take advantage of existing equipment, facilities, and procurement processes designed for the military, providing adequate resourcing to equip and train the C3.[7] While those processes may or may not be optimal for the C3, they provide useful procurement infrastructure that is already used to support cyber defense. Additionally, defense forces likely already have access to at least some cybersecurity tools, like network scanners and application testing software. C3s established under information technology or emergency management organizations are less likely to have adequate processes to procure equipment and supplies. The responsibilities of IT and emergency management entities may not encompass statewide cybersecurity incident response, and their funding is more likely to vary as a result of political changes. As a consequence, if C3 laws do not appropriately address procurement, obtaining equipment and supplies may require navigating complex bureaucratic processes that prevent or delay C3s from obtaining the tools they require. C3 laws must provide flexibility for C3s to obtain appropriate software, equipment, and facilities to provide services to beneficiaries (as shown in Section 13 of Appendix 3), which could even include exceptions to existing state procurement laws.
Liability is another key legal issue that arises from the use of a C3. Some existing state C3 laws address the liability of the state, and all address the liability of volunteers, but those provisions do not need to reinvent the wheel. The Volunteer Protection Act of 1997, a federal law designed to provide liability protection to volunteers—including those volunteering on behalf of a state—provides, in part, that no volunteer performing services for a nonprofit or a government entity will be liable for harm caused by their act or omission if: (1) the volunteer was acting within the scope of his or her duties; (2) the volunteer was authorized by the entity to perform the services; and (3) the harm was not caused by willful or criminal misconduct, gross negligence, reckless misconduct, or a conscious, flagrant indifference to the rights or safety of the individual harmed.[8] That means that, even in Wisconsin, which does not have a C3 law, volunteers are afforded some liability protections while performing services for the state’s Cyber Response Team. Existing state C3 laws do not address the Volunteer Protection Act but should incorporate and build on the existing federal law to further address concerns with respect to the potential liability of volunteers. Liability is addressed in Section 9 of Appendix 3.
Further, C3 laws should address the confidentiality of volunteers’ personal information. Given the nature of their work, it is possible that volunteers or their employers could themselves become targets of malicious actors because of their service. To mitigate that risk, C3 laws should expressly provide for the confidentiality of volunteers’ personal information and exempt that information from disclosure under state freedom of information or public records laws. That protection should be provided to all cyber volunteers, who can then determine whether they want to make their volunteer work known publicly. Currently, only the Texas C3 law expressly provides for the confidentiality of volunteers’ personal information, while Wisconsin provides an exemption for the personal information of applicants to the program.[9] Providing that protection can assist states with recruiting and retaining volunteers who may be concerned about disclosure of their participation and personal identifying information. Section 11 of Appendix 3 provides model provisions to protect the confidentiality of volunteers’ personal information.
Lastly, a streamlined approach to data collection and metrics reporting would be useful to demonstrate the value of C3s and identify opportunities for improvement. Existing C3 laws, however, fail to adequately address requirements for data collection and reporting in their frameworks. Just as corporate cybersecurity departments typically report metrics to management to demonstrate the maturity of the cybersecurity program and its value to the organization, C3s should report metrics for similar reasons. A data collection and metrics reporting provision could direct the department overseeing the C3 to collect data demonstrating the program’s utilization, effectiveness, and areas for improvement. Existing state C3s collect data on their operations, but the data collected often vary by state; they are not standardized or centralized in a way that would facilitate comparison and information sharing across state C3s. Standardizing C3 data and sharing it with relevant stakeholders will allow for better decision making when determining which activities are best suited to the scope of duties of state C3s and which might be better suited to other organizations in the cyber volunteer ecosystem. Performance metrics will also help provide benchmarking across state C3s and make the case for additional funding by clearly demonstrating the C3’s value. This issue does not need to be completely resolved by statute but should be addressed as shown in Section 15 of Appendix 3.
Citations
1. Appendix 2 sets out a complete list of key legal provisions to be included in C3 statutes to address the challenges identified in this section.
2. See Dr. Erica Lonergan & RADM (Ret.) Mark Montgomery, “United States Cyber Force: A Defensive Imperative,” Foundation for Defense of Democracies, March 2024, source.
3. In addition to Puerto Rico, the 18 states that have active state defense forces are Alaska, California, Georgia, Indiana, Louisiana, Maryland, Michigan, Mississippi, New Mexico, New York, Ohio, Oregon, South Carolina, Tennessee, Texas, Vermont, Virginia, and Washington (Florida has a civilian defense force that is not authorized under 32 U.S.C. § 109). See “Join the State Defense Force,” StateDefenseForce.com, accessed August 14, 2024, source.
4. Jenni Bergal, “Michigan Governor Signs Volunteer Cyber Corps Bill,” Government Technology, October 31, 2017, source.
5. Texas Government Code Annotated § 2054.52005(a), source.
6. See Lonergan and Montgomery, “United States Cyber Force,” source.
7. See Ohio Rev. Code § 5922.03, source.
8. See 42 U.S.C. § 14503, source.
9. Texas Government Code Annotated § 2054.52010, source. Other laws may apply in Texas or other states to further limit the potential disclosure of volunteers’ personal information.