Lawfare Daily: State Cyber Corps and Volunteer Programs
Published by The Lawfare Institute
in Cooperation With
Sarah Powazek, Director of the Public Interest Cybersecurity Program at UC Berkeley’s Center for Long-Term Cybersecurity, and Michael Razeeq, Nonresident Fellow at the Public Interest Cybersecurity Program, join Lawfare’s Justin Sherman to discuss the cyber threats facing states, what options and resources states currently have to address cybersecurity problems, and how the concept of state cyber corps and volunteer programs fits into the picture. They also discuss how states can stand up a cyber corps or volunteer program, including recruiting and retaining talent; the impact of federal workforce and spending cuts on states’ cybersecurity capacities; and what future state and federal action on cybersecurity could do to improve states’ cyber postures.
For more on this topic, see:
- Sarah Powazek and Grace Menna, “The Roadmap to Community Cyber Defense,” June 2025, UC Berkeley Center for Long-Term Cybersecurity
- Cyber Resilience Corps website
Please note that the transcript was auto-generated and may contain errors.
Transcript
[Intro]
Michael Razeeq: State
civilian cyber corps are very well-positioned to handle a lot of different
types of incidents. But I think when it comes to OT, it can be more challenging
because you may be dealing with industrial control systems, programmable logic
controllers, different types of technology that require more specialized security
knowledge.
Justin Sherman: It's
the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare
and CEO of Global Cyber Strategies with Sarah Powazek, director of the Public
Interest Cybersecurity Program at Berkeley's Center for Long-Term Cybersecurity,
and Michael Razeeq, who is a non-resident fellow at that same program.
Sarah Powazek: Every
organization can benefit from free cybersecurity assistance. So, what it really
boils down to and what the bottleneck for this, is what does the state care
about, and how many volunteers do they have?
Justin Sherman: Today we're talking about cyber threats to states, the current environment, and how state cyber corps and volunteer programs can be an effective response.
[Main episode]
Why don't you start––I always start this way––why don't you
start by telling us about yourselves? Both your backgrounds, for those a little
less familiar, as well as what you are each working on currently.
Sarah Powazek: Sure,
I'll kick us off. So I'm Sarah Powazek. I'm the program director of Public
Interest Cybersecurity at UC Berkeley Center for Long-Term Cybersecurity.
And our program right now is focused on trying to create a
safety net for small, under-resourced organizations across the U.S. that tend
to fall through the cracks when we use a national security lens. So we like to
think about it as community cybersecurity. So, how are we thinking about
critical services that people in different local communities use and how we can
protect those services by using cybersecurity as a tool.
So, for example, think a lot about how to keep kids in school.
We need to think about what sort of infrastructure those schools are using, and
therefore we have a line of effort on K-12 cybersecurity and educational
technology companies. So at a high level, that's what we're working on. And we
have a particular line of effort on cyber volunteering as these programs start up
across the country.
There are cyber clinics or students who are actually
volunteering to do cybersecurity risk assessments for local organizations as a
part of their schooling. And there are state cyber corps programs that we'll be
talking about more today. So that's a little bit about what the Public Interest
Cybersecurity team at CLTC is up to lately.
Michael Razeeq: And
my name is Michael Razeeq. I'm a cybersecurity and privacy attorney, and I'm
also a non-resident fellow at Public Interest Cybersecurity at UC Berkeley
Center for Long-Term Cybersecurity. And my work with the CLTC has been focused
on helping to build out this ecosystem of cyber volunteers that Sarah
mentioned.
So most recently I published a report about MSPs and MSSPs and ways
that they can help under-resourced organizations because we can only get so far
with volunteers. And we need other resources to help build out long-term
resilience for under-resourced organizations. And I'm also working with CLTC
and others now, including one of the state civilian cyber corps that we'll talk
about in a bit, to organize a workshop for different types of cyber volunteer
organizations so that we can help them to scale and help others to form.
Justin Sherman: A lot
of work, which as you noted is relevant to what we're talking about today. So,
we're going to dive in.
We are focused, as we heard in the intro, on this interesting
concept around state cyber corps and volunteer programs. And these are
increasingly coming up in the media, in cyber policy discourse, and so on,
including due to the work you both are doing, as another potential way to
address the pressing cybersecurity problems that we face as a country and that
states around the United States are facing.
And so I say, I want to just shout this out, you know, I
referenced you're doing a lot of work in this area. This includes a report,
Sarah, that you had authored along with your colleague Grace Menna in June with
the Berkeley Center called “The Roadmap to Community Cyber Defense.”
So we will link that below. But I want to start here. To ground
us in this conversation, what does the cyber threat landscape today look like
if you're a small community organization, like a nonprofit or a city or a
school? And related to that, when we talk about cyber threats to states in
quotes, how do we think about that or how do you think about that boundary?
Is that state governments proper? Is that states plus their
critical infrastructure? How do you approach this question?
Sarah Powazek: Yeah.
Thanks for that, Justin. I'll kick us off by sharing a little bit about how
CLTC is approaching this.
I think traditionally when we talk about government
cybersecurity, we're really talking about the security of the specific
government networks, right?
Let's say state of Washington cybersecurity. We're thinking
about Olympia, the capital. How are we protecting the different agencies? How
are we protecting the legislators? That is what cybersecurity means at the
state level. That, I think, is shifting a bit, because when we're starting to
talk about state cybersecurity, we really mean who lives in this state? What
organizations do they rely on and how can we protect all of those
organizations?
And those organizations are in a pretty tough spot. They always
have been. There have been numerous efforts for years to try and help what
we're calling community organizations. So not just the traditional definition
of critical infrastructure, but any sort of organization that provides a
critical service to people.
We like to include some small businesses and nonprofits in that
definition, such as food banks, but also what you might traditionally think of
critical infrastructure: cities, schools, small utilities like water and
electricity. All of these very small organizations, they have different needs,
but they still struggle with the basics and that won't be news to a lot of the
folks listening in.
Just trying to get these organizations to understand basic
cybersecurity controls and give them the resources that they need to implement
them is a huge challenge. It's very, very difficult to scale people. And
people is really what these organizations need at the moment. UC Berkeley ran a
survey just last year with nonprofits in the Bay Area and we found that nearly
half of the nonprofits we surveyed had no full-time IT, let alone cybersecurity
staff whatsoever.
And this is really difficult because you need someone these
days to implement cybersecurity. The tools that exist right now just aren't
created for beginners and non-experts. They're not created for the gym teacher,
right? A gym teacher is not going to be able to use CrowdStrike's Falcon tool.
There really isn't a lot out there for them to do on their own,
and we're really trying to push to get more people there to sort of hold their
hand, guide them through some of those basics that they need. And that is
really the challenge that they're facing right now, is that they don't know
what they don't know. And we can't expect them to without trying to scale some
human assistance for them to sort of guide them through that process.
Justin Sherman: I was
muted, but I'm laughing when you say the gym teacher using the CrowdStrike, you
know, system.
Sarah Powazek: Yeah.
That's what we expect of them.
Justin Sherman:
Right. And I'm glad you say that also because it's so easy to––I mean, I'm
preaching to the choir in this case, you both are much more involved with this
issue than I am––but as you say that, I'm thinking it's so easy, as cyber folks,
to come into a room or a company or something, or a government office and say,
where's the cyber person?
Rather than, as you're saying, what about one step back? Do you
even have IT staff? Or do you even have a person who hooks up your router or
downloads what you're using?
So that's a really important point. So with that in mind, what
is a state cyber corps? Like within this threat landscape, what is, what does
that term mean? And relatedly, what is a state cyber volunteer program? Are
these the same thing or these different concepts? Michael, perhaps if you want
to answer that one.
Michael Razeeq: Sure.
And I think you can think about these as equivalent and you might hear
different terms like state cyber corps, state cyber volunteer, civilian cyber corps,
cyber civil corps. You might hear different terms used interchangeably. But
what they're all getting at are essentially the equivalent of volunteer
firefighters.
These are groups of volunteer cybersecurity professionals that
are led by a state agency. So maybe it's a department of IT, maybe it's
emergency management. And in some cases maybe it's the National Guard or
another state agency or department that organizes this group of professionals, because
they may not be able to hire enough staff to help these under-resourced or
community organizations that Sarah was talking about.
But they do have plenty of talented people that live in the
state and that are more than willing to contribute and to help out when needed.
And so, that's a, that's at its core what it is. It's a group of volunteer
professionals that provide different preventive and reactive services to a
defined group of beneficiaries.
Justin Sherman: How
do these differ from the other resources? Just to really put a fine point on
this, from the other resources that a state might currently have at its
disposal or bring to bear on cyber problems, like what does that status quo of
alternatives look like?
Are states––we're going to talk in a minute about the programs
you're mentioning, Michael, but are states well-equipped otherwise with other
ways to deal with cybersecurity issues? What does that look like?
Michael Razeeq:
Generally? I'll say no. A lot of states aren't well-equipped. And you might
think about some of the numbers that you see for private sector companies where
you see shortages of cybersecurity personnel and it's no different in the
public sector.
And Sarah gave the example of K-12 schools where a lot of them
don't have, don't even have an IT person. Let's not even talk about
cybersecurity; they don't even have an IT person.
And so when you look at the municipal level, when you look at
smaller nonprofits, they all have similar issues. So they just don't have
enough people to help solve the problem.
But states do have some resources on hand. So, states have the
National Guard. A lot of National Guard, state National Guard have cyber units.
And some may have more cyber personnel than others, depending on the state. You
could imagine a state like Maryland where you have the NSA, where you have
people that may work for a lot of other cyber agencies or departments within
government, that may be involved in this type of organization.
So they may just have a larger pool to draw from. That's not
going to be the case for every state. Also, some states can work with the FBI.
Depending on which state it is, different FBI field offices may have more
expertise in cybersecurity and may be able to provide more assistance.
And then the state has their own agencies, their own CISO
(chief information security officer), their own personnel that can help with
some of these issues. But generally it's not enough when you look at the scale
of the problem. And maybe we'll come back to this, but you could look at some
of the recent incidents like the cyberattack on St. Paul in Minnesota or maybe
in Las Vegas, that the amount of resources that have to get pulled in to
respond to a cyberattack in just one city.
Sarah Powazek: Yeah,
and I think another way to think about this is that states are traditionally better-equipped
to handle natural disasters when they think about emergency management, and
most states have a department of emergency management.
Again, they're thinking about landslides, earthquakes. How do
you deploy a team of people to respond to an emergency very quickly? That has
not traditionally extended to things like cyberattacks, even though they can
have similarly devastating consequences. For example, cyberattack hits a water
utility and suddenly the hospital doesn't have fresh water. They're not able to
take care of patients within a couple hours.
So I think states have started realizing, one, that the impact
of cyberattacks can be just as destructive, and two, that nobody is coming to
help. Right? The federal government is focused on national security, even more
so in the current administration.
Those resources do not really extend to states as far as having
a team that can actually land on the ground and help someone recover from a
cyber incident. So states are starting to step up. And you'll see that actually
many states have integrated these programs into their emergency management
departments and functions, because it already fits so well with what those
departments’ missions are.
Justin Sherman:
That's really interesting. We're going to circle back to some of these
resources questions in the context of the current environment, but I appreciate
you both––that's useful to flesh out, right? What those differences and
alternatives look like.
So I want to talk about these programs next, but one more
question first, which is, is it that states face different cyber threats than
at the federal level per se, or is it more so a question of what you were both
just explaining, with states may have fewer resources, or they may have
different capacity or different structures to deal with issues than, say, the
federal level of government?
Michael Razeeq: I
wouldn't say that the threats are necessarily different, but the targets are. So,
I don't know of any––although there may be some––I don't know of any federally
owned water utilities, but there are municipally owned water utilities and
electric plants and health clinics and things like that are attractive targets
for cyber attacks that you don't necessarily have at the federal level.
And states don't necessarily have the resources or even the
legal capability to respond in the same way that the federal government can,
for example, through diplomacy or through the military, even. States just don't
have that, those same options available to them.
Justin Sherman: I
figured as much but wanted your thoughts there. So back to state cyber corps
and volunteer programs. How many states have programs like this? Are we at more
of a proof-of-idea stage? Are we at the point by which there are some models
for these programs up and running? What does that landscape look like today?
Michael Razeeq: We
definitely have some proofs of concept, and we know that this works. So the
only question now is how do we get more of these up and running? We have around
seven states that have some form of civilian cyber corps today spread out
geographically. Different states, red states, blue states. And it's been
working for, in some cases, several years in a few states.
We also have evidence that this works from some countries in
Europe. If you look at countries like Estonia or maybe even Switzerland or a
couple others, and in fact, the EU is looking to launch an EU-wide––a slightly
modified version of this, but an EU-wide version toward the end of the year.
Justin Sherman: Just
briefly on that, is the EU one roughly similar to the way the conversation has
gone here?
Or is it quite a different––from what you can tell so far, is
it quite a different approach?
Michael Razeeq: I
don't think the approach––it's still early, so it hasn't launched yet, so I
think we'll see. But from what I can tell so far, it doesn't seem like it's
that different from what we're talking about here.
Sarah Powazek: Yeah,
and I'll say I think that we're right at the precipice of this model becoming
very, very popular. I think the National Governors Association really kicked
off this work by doing three case studies of a handful of states in the Midwest
a number of years ago, and how they had just started up these programs.
And now, 2025, we have seven fully functioning state cyber
corps, and we have meetings with different states across the country pretty
regularly because CLTC runs a program called the Cyber Resilience Corps, where
we're trying to build connective tissue between cyber volunteering
organizations and programs of all types––including in academia, in state
government like we're talking about today, and also in nonprofits.
And we have these conversations with states and they're all
starting to come back to cyber volunteering. I know Washington and Arkansas
have some version of strike teams with cybersecurity where they similarly go in
and do incident response, and Michael mentioned that seven states already have
programs.
I'll just list them: Louisiana, Maryland, Michigan, Ohio, Texas,
Wisconsin, and I think one more. Michael, you said seven and that was six.
Michael Razeeq: Yes.
Virginia State Defense Force has a cyber unit.
Sarah Powazek: Yes.
Awesome. So it really is, this is not a pilot. This is a program that has
successfully expanded to seven states in the U.S. And many many other states
are starting to take notice and to try and outline ways that they can replicate
this in a way that makes sense for their state.
Justin Sherman: And
we'll link it. I like the map that you––I’m always big on visuals, I like the
map you have as well on the CLTC site of the country showing dots of where
these different cyber resilience corps volunteers are located. So it's
interesting, as you're saying, I'm seeing dots in Texas and California and
Idaho and, you know, all sorts of places.
So what are these programs––we're hearing about the structure.
Clearly there's a need for states to have alternative means of boosting
capacity, dealing with specific issues. What do these programs actually look
like? Like if you're, you know, how do you recruit, how do states, or how
should states recruit and retain people into these programs?
Is there a process for that? Are people tested? Is there a
qualification training? Like, what, what does that actually look like from the
standpoint of a state looking to bring people from interested parties in their
state, individuals into such an effort?
Michael Razeeq: So,
so at a minimum there should be some sort of qualifications and training, and
the states that we mentioned do have that.
I know that's a concern, an initial concern that comes up from
time to time when people hear about volunteer hackers or cybersecurity
professionals coming to the rescue. You know, they might ask, where are these
people coming from? How do we know they know what they're doing? And it's
because they have been vetted by a state organization.
They have gone through some minimum level of training. They
meet some minimum level of qualifications. And that may be through
certifications––it may be even relying on federal background checks. So, some
of the state civilian cyber corps are able to fast-track applications where the
individuals have already gone through a federal background check, right. So
there are options like that that can help.
In terms of recruiting, I think that can be difficult. And
that's something that some of the states that we've spoken with have identified
as a challenge, but I think they're also figuring it out. Wisconsin now has, I
believe, over 400 members. And their cyber response team in Ohio, there are I
believe over 160 volunteers in the Ohio Cyber Reserve. So it is––it has been a
challenge, but I think they are figuring it out, and it's one of the things
that we hope to help other states to be able to learn from and be able to
replicate in the upcoming workshop.
In terms of retention, retention can be difficult as well, because
you can imagine that depending on the criteria for deploying the civilian cyber
corps, if they aren't deployed frequently, then people might lose interest or
people might drop out. And so one of the things that we've heard that is
helpful for retention is having some sort of frequent engagement.
So whether that's training, whether it's networking events––because
that's also a benefit of this, is the civic engagement. You have people in the
private sector engaging with the public sector helping their local communities.
And that's a big part of retention: just being able to give back, being able to
meet other people in your community.
Sarah Powazek: I
think it's really helpful to hear how one of these groups in action is actually
helping sort of state and local entities that otherwise would really not have
the resources to get assistance. So, one of the case studies, and we also
detail this in a report that we recently put out called “The Roadmap to
Community Cyber Defense,” where we detail a lot of these programs that build
regional connective tissue for these small organizations and provide them this
assistance.
So, the Wisconsin Cyber Response Team is one of the premier
cyber corps programs. We're actually co-hosting an event with them next month.
They are fantastic. They have great support from leadership in their government.
And they responded to a ransomware attack that hit a Wisconsin county
government and actually destroyed a lot of the network infrastructure and all
of their data backups.
And so the Wisconsin Cyber Response Team was able to respond,
to get on the ground very very quickly to help them remediate this. So what
they did was they responded under the Wisconsin Department of Emergency
Management and sent a small group of volunteers onsite immediately to assess
the situation before we really knew what was going on.
They then worked hand-in-hand with the county government team to do
containment for the attack. They took disk images, they captured as many logs
and forensic data as they could, and then did forensic analysis on that data on-site
to try and understand what was happening: who is in the network, what is the
extent of the damage, and what can they do to contain it?
They then helped the network owner by implementing multifactor
authentication. They completely helped them set up a defederated Microsoft 365
environment, and they migrated all of the users to a new domain controller.
They did a bunch of hands-on activity with this to move all of the users from
an instance that was less secure, that had been impacted by the ransomware
attack to a completely fresh instance.
They did a bunch of other stuff with that organization to try
and help them recover. And then they didn't just leave. I think a really
important part of this engagement was that they stuck around. They actually
helped the county government do a postmortem analysis. They helped––they did a
couple assessments of them to try and understand how they could have better
responded to this incident in the future. They did like an after-action review.
And then they continue to engage with the director of that
county's emergency management department and their IT director to create an
incident response plan. So they're actually building resilience into this
county government post-engagement, to say next time this happens, here's what
your staff should do. Here's who you need to call. Here's how we can mitigate
the impact of such an event if it were to occur again.
So not only is the county government recovered from that
incident, but they now have tools to help them better in the future. And that's
sort of using incident response as a way of building in long-term resilience to
an organization.
You know, people don't usually invest in cybersecurity unless
something bad happens. And so I really appreciate how folks like the Wisconsin
CRT were able to come and use this as an opportunity to actually improve this
county's defenses in the future. And in fact, they actually conducted a two-week
penetration test after the engagement to identify additional vulnerabilities
and help protect that system.
Maybe a helpful distinction as well is that these organizations,
the cyber corps typically are mostly doing incident response. But a handful of
them have started doing more proactive assistance, like doing risk assessments
and doing cyber awareness training. So that is becoming more commonplace,
although many of them did start up just to serve that incident response
function.
Justin Sherman: What
kinds of issues––you mentioned some of them in your instructive case study.
What kinds of issues are state cyber corps and volunteer programs best designed
to address?
Michael Razeeq: The
biggest thing that I've found so far that can be challenging would be OT or
operational technology. I think in terms of IT, state civilian cyber corps are
very well positioned to handle a lot of different types of incidents.
But I think when it comes to OT, it can be more challenging
because you may be dealing with industrial control systems, programmable logic
controllers, different types of technology that require more specialized
security knowledge, even within the realm of security professionals. So that
can be more challenging because there may be fewer people within the cyber corps
that have that capability.
But apart from that, I think they're very well positioned to
handle a lot of different types of incidents.
Sarah Powazek: And
maybe some less tangible things that cyber corps are good at: one, cost
reduction. The idea of a state hiring an entire staff of full-time folks whose
only job it is to respond to incidents in the state, we're just not in that
space yet.
So, being a program that only takes a few full-time staff to
manage, and then a group of volunteers who donate their time, you're able to
start a program relatively cheaply, where you can get that hands-on assistance
at scale to folks across the state. And that's a really difficult thing to do
without contracting with a very large managed service provider on retainer. Very
very expensive.
So they're good. They're relatively cost-efficient. They're
good at doing that. Another thing is having folks being able to do community
engagement and civic engagement on cybersecurity around the state. There are
programs like Illinois Cyber Navigators program where you have folks going
around county to county helping answer questions and just sort of steering folks
in the right direction.
And I know that sounds sort of basic, but actually having
someone to ask questions to can be a huge boost to organizations like we were
talking about that don't have anyone in IT. If you've ever tried to Google ‘what
should I do with cybersecurity,’ I don't recommend it. It's just impossible to
find the right guidance and to interpret it.
And having someone actually stand with you, hold your hand,
explain things to you and tell you, you know, what are the top five things that
you actually need to do that will make a difference? That goes a long way for
some of these organizations.
Justin Sherman:
That's on the incident side specifically. Obviously, another component of this
is not just what kind of incident or issue as you're saying, impacts an
organization per se, but which organization are we talking about, right?
And so are there some entities, given your work, that you found––and
this might be public-private, this might be sector-by-sector, I don't know––are
there some entities that state cyber corps and volunteer programs are best
suited to help, versus others that maybe are not, for whatever reason, as equal
a target for that kind of support?
Sarah Powazek: I
think what Michael mentioned is right, that most small, under-resourced
organizations are really well-served by cyber corps programs. Maybe not OT as
much because that expertise is a lot harder to find, especially in volunteers.
But every organization can benefit from free cybersecurity
assistance. So what it really boils down to, and what the bottleneck for this
is, what does the state care about, and how many volunteers do they have?
So one of the issues I will say that happens with cyber corps
programs is that they often have limited mandates, right? So maybe a cyber corps
program can only help cities or county governments. Maybe a cyber corps program
can only help school districts.
And that is useful, but ideally we'd see as a first step, you
know, all public entities, schools, cities, counties, having access to it. And
then someday our dream is, you know, nonprofits, utilities, small hospitals,
folks in rural areas. There are a lot of organizations that I would expand that
definition to, that are really in need of assistance.
But right now, not all of them can get assistance under the
state cyber corps programs because of rules they have around what they limit
engagements to.
Justin Sherman: On
the flip side then, are there types of incidents that these initiatives are not
particularly well positioned to address? And same with organizations. Are there
specific types of organizations that these volunteer programs are not going to
be the best option, especially if you have others to deal with a particular
cybersecurity problem?
Sarah Powazek: That's
a great question. Michael, correct me if you feel differently, but I think, in
general, responding to APTs and other nations' attacks, I don't think that these
groups will be the best option for that.
Especially if we're talking about espionage or spyware, I think
that cyber corps are really meant to respond to commercial attacks from, you
know, commercial actors, ransomware, fraud, business email compromise, really
financially motivated cyberattacks.
Michael Razeeq: I
think that's generally right, unless it, it happens that, you know, the APT
maybe stumbled on this organization by accident and wasn't specifically
targeting them and there's a quick fix, like a patch or something like that can
help get the organization back up and running.
And then I also think there are specific parts of incidents
that the state cyber corps are not necessarily well-suited to or where other
organizations might be better placed to step in. So with things like breach
notification, when it comes to that's typically not something that the state cyber
corps would do.
That's something that the organization would do. Or something
like long-term, long-term recovery. So, going back to the firefighter analogy,
thinking about after the fire has been put out, the volunteer firefighters
aren't the ones that are there to rebuild that structure. So those are some
parts of incidents that I think other organizations might be better suited to.
Like I mentioned, the MSPs and MSPs earlier: when you think about longer-term
resilience and recovery and building up different practices, that's where those
organizations, for example, might be a better place to step in.
Justin Sherman: APTs
in nation states is a great example of one of those potential gap areas.
So I want to shift now––we've gotten a fairly good coverage of
how, what these programs are, how they sit in the landscape, I want to look
forward now and think about future actions and policy steps and so forth to
really continue bringing these ideas you all have been discussing to further
fruition. So first, at the state level, if you're a state, I mean, I'm sure you
quite literally have this all the time, right? A state coming to you both
saying, we want to stand up one of these programs.
What are the first steps you tell them to take? And then for
those that already have them but want to grow the program further, what are the
first steps that they should take to level up a state cyber corps or volunteer
program?
Michael Razeeq:
Typically when this comes up, one of the first things that I'll do is––and I
think the same might be true for Sarah as well––is connect some of the people
with officials in other states that are already operating civilian cyber corps,
because that way they can get boots on the ground advice and understand what
some of the challenges were and how they were able to overcome the challenges
from someone who has already gone through it.
We also send them some of the resources from the CRC, like the
roadmap that we talked about. There was a report that I wrote last year when I
was with New America, there was the report from NGA that Sarah mentioned, and
one from a law firm, McDermott Will and Emery, that cover a lot of different
aspects of civilian cyber corps.
So, more and more people are taking an interest in the area and
there's more material that we can share, but I think having that firsthand
knowledge is really crucial.
Sarah Powazek: Yeah,
I think that's right. And just shouting out that Michael's paper for New
America actually includes a model bill.
We see that one of the biggest hurdles to folks starting up
these programs is actually getting the authority to run it in the first place. And
so thankfully, Michael's written a model bill that folks can take, that the
state can pass, that will grant the authorities necessary to start up a state
cyber corps program.
Which is the first, but not the only hurdle to getting one of
these programs in the air. Like Michael mentioned, all of the liability issues:
how do you train volunteers? How do you recruit them? How do you retain them?
That is information that we're working to centralize and that is always best
heard from the horse's mouth. Which is why it's so important to connect them to
the folks in other states that are doing this work as well.
Justin Sherman: I want
to look, then, federally.
Interesting moment to be looking federally. We've of course
seen a tremendous cutback––which, really, that word doesn't even fully capture
it, but a cutback of resources at the federal level under the current
administration when it comes to cybersecurity, including cuts, among many other
things, to CISA, the Cybersecurity and Infrastructure Security Agency at DHS.
So how have––and maybe they haven't, I don't know, but I
imagine they have––how have federal cuts, if at all, impacted these kinds of
efforts, including potentially creating further need for state-level programs
like these in the first place?
Sarah Powazek: Yeah,
I think you hit the nail on the head. We've been advocating for really regional-based
cyber defense programs for a number of years now, including cybersecurity
clinics.
And we've always seen the need for them, right? The national
government has a national security focus. They're rightly focused on very very
large entities, systemically important entities, and not all of the little
organizations that sort of make up most of your and my daily life.
So we've been pushing them for a while, and they've only become
more important because the limited resources that were available at the federal
level. And I'll name drop, you know: CISA’s free resources through their
partnership with CIS and MS-ISAC; their free network and vulnerability scanning
program; the Cybersecurity Performance Goals Checklist, which is a fantastic
resource for folks who do have an IT team to do a self-assessment; and, most
importantly, the State and Local Cybersecurity Grant Program (SLCGP), which is
now up in the air.
Those resources are starting to get pulled significantly back.
We heard recently that the partnership with CIS has officially ended. The
reauthorization for the SLCGP is up in the air, even though it has great
bipartisan support, so we hear.
And so those resources are drying up. I desperately hope that
the SLCGP gets reauthorized. It has been absolutely transformational for
states, and it can be really great for them to start up programs like this that
can sustain themselves through multiple administrations. But I think what we're
really seeing, the federal government has signaled through the White House
Executive Order that basically said, you know, this is states’ responsibility,
right?
Cybersecurity needs to be the responsibility of states. They've
always had some amount of responsibility, and now what we're seeing is that a
ton is being pushed on them all at once. And they really––I think states do a
wonderful job, but they're not really prepared to take on the responsibility of
protecting every single organization within their borders the way that they're
now expected to.
So I feel like these regional defense programs that lean on
volunteers, that lean on homegrown talent within that state, are really
effective and modeled way for them to take on some of these responsibilities.
I won't pretend that cyber corps are going to solve all of
their problems, but I think starting to build that connective tissue that they
own, that they can take care of and that can outlast any administration, is going
to be really critical for states.
Justin Sherman: I'm
obviously nothing even close to anything resembling an expert in disaster
response or anything like that. But as you're, you mentioned earlier that point
about other state capacity, how states address cyber, within that, I thought of
some of the things you just mentioned of, oh, that must also then be part of
this impact picture with federal cuts.
So given the current landscape and some of the impacts, Sarah,
you were just describing, in the current administration, do either of you––I
mean, I'd love both of you to answer this, you know––do you see any likelihood
of movement on federal policy or federal support for state cyber protections,
for state cyber corps and volunteer programs, anything like that?
And regardless of your answer to that, you know, what do you
think, whichever administration does work in this area next, you know, what are
some things at the federal level that either of you have been calling for that
you think would be helpful to bolster? You alluded to some of this just now,
but steps to bolster these programs into the future.
Michael Razeeq: So
the lawyer's answer is always, ‘it depends.’ Or ‘maybe,’ or, ‘we'll see.’ So I
think that's definitely the case here, I think, with the executive order
that came out earlier in the year asking states to take on more responsibility
for emergency preparedness. This cybersecurity falls under that bucket.
So I think we definitely will see a lot of movement at the
state level. We are seeing a lot of movement at the state level. I think at the
federal level, it's been a bit slower, but there has been some movement in the
last couple years. There were provisions in the last couple NDAAs that would've
allowed the Army to conduct a pilot program.
I don't know if that was actually completed, but I wouldn't be
surprised to see that come back up under any administration. And some of the
other federal agencies or departments might conduct their own pilots
regardless.
So, for example, the Marines have their own cyber auxiliary
that they run, and so we might see more of those initiatives pop up.
Sarah Powazek: I'm
not a lawyer. So I can, I can try and read the tea leaves. I think that there's
some signal of support for pieces of regional cyber defense at the federal
level. Like I mentioned, the SLCGP does have great bipartisan support. I know
the reauthorization is a bit in limbo, but I'm very very hopeful that that will
go through and provide some funding for states to continue trying to take up
this mantle of responsibility.
I also think that CISA has signaled some continuing interest in
the Secure by Design initiative, which can seem a bit unrelated to this work.
But when we're thinking of the smallest organizations that don't have any IT
staff, even small changes to default settings of large enterprise software can
make a huge difference for them because they're not going to know to turn on
multifactor authentication for administrators, for example.
So having them continue to push enterprise businesses to make
their products secure by design and secure by default will have a measured
impact on these small organizations at the state level.
Justin Sherman:
That's all the time we have.
Sarah, Michael, thanks very much for joining us.
Sarah Powazek: Thanks
for having us, Justin.
Justin Sherman: Thank
you.
The Lawfare Podcast is produced in cooperation with the
Brookings Institution. You can get ad-free versions of this and other Lawfare
podcasts by becoming a Lawfare material supporter through our website,
lawfaremedia.org/support. You'll also get access to special events and other
content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look
out for our other podcasts, including Rational Security, Allies, The
Aftermath, and Escalation, our latest Lawfare Presents
podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org.
The podcast is edited by Jen Patja and our audio engineer this
episode was Goat Rodeo. Our theme song is from ALIBI Music. As always, thank
you for listening.
