How volunteers could help local governments deal with cyberattacks

While federal agencies search endlessly to hire people skilled in cybersecurity, local government might have a different way. How about enlisting volunteers to ...

While federal agencies search endlessly to hire people skilled in cybersecurity, local government might have a different way. How about enlisting volunteers to help protect critical infrastructure from cyber attacks. That’s the idea behind a detailed set of recommendations from the law firm McDermott Will & Emery. For more, Federal Drive with Tom Temin spoke with McDermott Will & Emery attorney Mark Schreiber.

Interview transcript:

Tom Temin My first question is what would cause a big and well-known law firm like MWE to undertake a report on helping state and local and municipal, county, whatever government with enlisting volunteers in cybersecurity of all things?

Mark Schreiber We identified a deficit because we know how difficult it is to respond to data breaches and do cyber assessments and try to implement all the terrific steps CISA has alerted us to. So from a number of sources, we became aware that even smaller entities would have even more difficulties in doing this. So we decided to try to canvass the area. We thought it would be pretty simple to identify the nonprofits, state or other entities or universities that are doing this. It turned out to be a major task, in part because things were siloed, places didn’t know about each other and it took a lot more work than we thought.

Tom Temin And interestingly, I mean, at the federal level, they may not accept volunteer help or volunteer or services for no consideration. It’s not legal at the federal level except under very certain circumstances. Is it easier to do from a legal standpoint for, say, I’m a small town and I don’t want to be held up for $10 million in Bitcoin from some Russian schnook and therefore I need some help that I don’t have in town. And the local college down the street might be able to help. Can they do that?

Mark Schreiber Yeah. There are a number of resources now at the state level. They may have to jump through some other hoops, but it may be that there’s a nonprofit available that will help out or provide volunteer services. And there are some university clinics that are now doing this. There are a variety of sources out there. The point you raise is a good one. Currently trying to do volunteer services or cyber services where the federal government has lots of limitations. And that was part of the reason to look at the other resources or entities out there doing that. But several states on their own have come up with programs. And then as I mentioned, there are a variety of nonprofits either being formed or that exist that are doing this.

Tom Temin And we should point out that the danger at the state, local, municipal level is very real. And we’ve seen some serious breaches both for governments at that level and also for nonprofit organizations like health care groups.

Mark Schreiber Nobody is immune. It doesn’t matter whether you’re big or small. The hits keep coming. And we know from our experience how difficult and imposing it is, for example, to respond to a ransomware attack or if it locks up certain data that’s critical. And that was part of the concern. How do we better marshal these existing resources? And that got us to some of the basics of how do you even identify what resources are there for cyber volunteering?

Tom Temin We’re speaking with Mark Schreiber. He’s senior counsel with McDermott, Will and Emery. And so you’ve developed a framework that has a number of actions that a entity should take to be able to ingest volunteers in cyber. Maybe briefly review what those steps are.

Mark Schreiber Sure. Well, the first item was where do you go? I mean, if you want to volunteer, where’s the platform, the dashboard, the website where you could sign up. And we found that those were essentially missing in the U.S. So one of the recommendations, the CISA or others, was to produce a national website listing all these resources. A second piece of it was to have a dashboard that connects needy recipients with willing volunteers or companies that would be donating services of their employees. So just the matchmaking service needed to be orchestrated and develop more fully. And that may be done on a state by state basis, could be done by some non-profits operating nationally. And as I mentioned, there are a couple of university clinics, M.I.T., UC Berkeley, that are doing that already with the hope of expanding it further. And then, of course, you got the legal issues. You know, what’s the agreement amongst the parties? The volunteers, the recipient entities. What about indemnities or scope of services? The kind of things that when we engage forensic firms, we deal with every day. But it may be that nonprofits or others aren’t used to that. Maybe they need a model. So we created a model legal framework, or at least model template agreements for that.

Tom Temin Interesting. And getting back to that idea of donation of services, even by profit making organizations, you know, law firms have a pro-bono unit usually or devote a certain number of hours per year, I guess divided among the attorneys to do pro-bono. Can you envision where cybersecurity companies that offer services could maybe set aside a certain portion of their workforce for pro-bono in the public interest?

Mark Schreiber Precisely so. And a number of large consulting and forensic companies already are doing that or are willing to do it. So a couple of the major forensic companies have donated. They’ve indicated they’d be willing to do more. But again, where do they go? Where’s the hub? How is that all connected? And one of the major incentives to corporate CSR is a platform to make their donations or to allow their employees to volunteer themselves or self-volunteer because they want to do this activity. So it is really an organizational task or structure that we identified that needed more work and coordination. Similarly, like our law firm, this entire cyber volunteer project was a pro-bono one.

Tom Temin All right. Well, we thank you for that one. And what types of organizations do you feel are most ripe for using volunteer help? Because if you are a, I don’t know, mid-sized city, say, of 40 or 50,000 people, you’ve also got a contracting operation and possibly even a grantmaking operation that might originate with federal funds. You got to stay out of conflict of interest situations, both for your own people and for the entity that is volunteering the service. So who’s eligible? I mean, what are the types of entities best suited to take in volunteer work?

Mark Schreiber Yeah, that’s a good question, because the range of need is constant and enormous. So how local cities or towns navigate through that process or the procurement process or the limitations is one set of issues. But some hospitals or other regional entities may not be connected with a city government. They may operate on their own or individually. And so those may not be quite as restricted in recipient services. But let’s keep in mind what the goal here is. The goal is to better insulate small, rural and other critical infrastructure from cyber attacks. And there’s got to be a way to cut through some of the red tape to do that. The threat actors trying to pull out ransomware, extortion demands don’t care about your conflicts. They want your money. So I’m confident that with enough attention and thought process given to this, there will be structural alternatives to allow cyber volunteering. And a number of the nonprofits are doing this already. So given the range of need, there’s got to be a way to restructure or better marshal our resources for cyber volunteering.

Tom Temin And how are you promulgating this work, this piece of work with the frameworks that you have and and the advice for those entities to set up volunteer networks?

Mark Schreiber Well, our recommendations including holding a national cyber volunteer conference, someone to decide they want to do a national website on this, somebody else to help identify what the appropriate metrics ought to be. Somebody, or other agencies will pick up the ball, I suspect, because this need is so demanding.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories