Executive Summary

Several states have established volunteer civilian cyber corps (C3s) to fill critical cybersecurity workforce gaps, strengthen the defenses of state and local government agencies, and enhance cyber emergency response capabilities. This report (1) explores the growing need for C3s in response to today’s escalating cybersecurity threats; (2) examines the development of C3s in the United States, as well as in Estonia, which serves as a more mature example; (3) analyzes key legal provisions and challenges in existing state C3 laws; and (4) offers a list of key legal provisions and a Model C3 Law to guide states in forming their own C3s.1

Using volunteers for cybersecurity services is necessary but raises certain legal issues. This report provides ways to address those issues by law so that states can focus on operational concerns related to developing and maintaining C3s.

Insecure software and a significant workforce shortage have contributed to a state of cyber insecurity across the public and private sectors in the U.S. In 2023, nearly 29,000 common vulnerabilities and exploits (CVEs)—weaknesses in software that a malicious actor can exploit—were recorded.2 Meanwhile, there aren’t enough cybersecurity professionals to help mitigate the risks posed by those CVEs. As of early 2024, around 470,000 cybersecurity job openings remain unfilled.3 The consequences of this problem are especially significant for state, local, tribal, and territorial governments (SLTTs) and small- and medium-sized businesses (SMBs), which operate critical infrastructure and provide essential services, such as electricity, sewerage and water treatment, healthcare, and education.4 SLTTs and SMBs require much more support than they currently receive to improve their cybersecurity posture and resilience.

Following the examples of countries such as Estonia, Sweden, and Switzerland, the U.S. must take a whole-of-society approach to cybersecurity. An ecosystem of public and private organizations is emerging to support such an approach. It includes university cybersecurity clinics like the UC Berkeley Cybersecurity Clinic; volunteer efforts coordinated by nonprofits like the CyberPeace Institute; and volunteer civilian cyber corps (C3s) formed by governments to augment their cyber workforce and bolster emergency response capabilities.5 The U.S. relies on the support of volunteers in other domains, such as the Civil Air Patrol, the Coast Guard Auxiliary, the Medical Reserve Corps, and Volunteer Firefighters, and the U.S. needs the support of volunteer C3s in the cyber domain.

Of those cyber volunteer initiatives, state government-led C3s present the best option for long-term, replicable, and scalable services to support SLTTs and SMBs through education and training, vulnerability and risk assessments, and post-incident recovery. State C3s can cost around $1 million annually, so only a few deployments can offset costs that SLTT and SMB entities would otherwise spend on third-party services. Although the U.S. government has explored the idea of a federal C3, several U.S. states have already led the way and established C3s over the past few years. Each state has developed its own legal framework—including statutes, contracts, memoranda of understanding (“MOUs”), and rules or guidance—to govern the C3. These frameworks help address and clarify issues such as the authority to operate, volunteer eligibility, funding, volunteer deployment, liability protections for volunteers, confidentiality obligations, and more. With legal issues addressed, states can shift their focus to operational issues, ensuring the delivery of cybersecurity services to those in need.

Citations
  1. Together with a model contract published in a recent C3 report by the law firm McDermott, Will, and Emery, LLP, states now have the foundations to establish a legal framework to govern C3s. See Mark E. Schreiber et al., Creating a Cyber Volunteer Force: Strategy and Options (Boston, MA: McDermott, Will, and Emery, LLP, 2023), 54–64, source.
  2. “Metrics: Published CVE Records,” CVE, accessed August 31, 2024, source.
  3. “Cybersecurity Supply/Demand Heat Map,” Cyber Seek, accessed June 16, 2024, source.
  4. See Cyrus R. Vance, Elizabeth Roper, and Justine Phillips, “Cybercriminals Have Small Town, USA, in Their Crosshairs: How to Fight Back,” The Hill, February 15, 2024, source.
  5. See UC Berkeley Cybersecurity Clinic, UC Berkeley Center for Long-Term Cybersecurity, accessed August 25, 2024, source; IU Cybersecurity Clinic, Indiana University, accessed August 25, 2024, source; “Cybersecurity for Social Impact,” CyberPeace Builders, accessed August 16, 2024, source; Casey Dolen, “Re-Envisioning State Cyber Response Capabilities: The Role of Volunteers in Strengthening our Systems,” National Governors Association (Washington, DC: June 16, 2022), source.
