Cybersecurity requires constant updates and reviews, experts say — and a group of Michigan volunteers that provides rapid response to attacks on government data just got one of its own.
The state’s auditor general recently reported that 35 of the 99 volunteers of the Michigan Cyber Civilian Corps failed to undergo background checks. Two volunteers failed the checks and had their status revoked in April.
The program was created in 2013 and privately managed until 2017 when it was transferred to the Department of Technology, Management and Budget.
Volunteers who passed assessment tests but not background checks previously were allowed to participate in networking calls and training, the report said.
Assessment tests determine a cybersecurity professional’s skill level; the background checks look for history of a criminal record.
The budget agency agreed to revise its volunteer agreement and initiate a more thorough vetting process in response to the report.
Officials said that while they did not adequately evaluate training effectiveness, volunteers frequently discussed it.
Cybersecurity experts can volunteer to respond to cyberattacks with the Michigan Cyber Civilian Corps if they follow the certification and background check procedures.
Michigan’s program is the first of its kind. New America, a public policy think tank, recently called for a 25,000-member national version modeled after Michigan’s program.
The Michigan effort is expected to grow from 99 to 120 members within the next two months, said Chris DeRusha, who manages it as a part of the cybersecurity and infrastructure unit within the budget agency.
Cybersecurity experts who volunteer to respond to critical infrastructure attacks and data breaches receive networking, training and certification opportunities.
The corps responded to three attacks on local governments in 2019, DeRusha said. He declined to reveal the nature of the attacks, the victims or whether they were successfully repelled, citing confidentiality agreements between the corps and the governments involved.
Depending on the cyberattack’s circumstance, disclosure of information could compromise a victim’s security or hinder the criminal investigation, said Caleb Buhs, Department of Technology, Management and Budget communications director.
Laws vary across states, and without a clear guideline from national law, many attacks are not reported, DeRusha said.
“That’s why there’s not as high a level of awareness across the country as there could be for how many cyberattacks are happening every day,” he said.
He encourages clear reporting requirements to allow police to investigate with confidentiality to ensure the perpetrators are swiftly found.
Many attacks fall under the category of “ransomware” in which a downloaded attachment locks users away from data until a ransom is paid to the hacker, said Alan Rea, a professor of business information systems at Western Michigan University. Malware attacks also are common, which can steal or destroy files from the start on an attack.
“It might be an email attachment. Someone opens it, that’s all it takes,” Rea said.
The moment a local government plugs its systems into the internet, it’s at risk, Rea said.
Resources to repel such attacks vary among local governments, Rea said. Some can afford a contract with an information security professional, but others are forced to pay the ransom upfront.
Local governments can’t assume because they’re small and rural that they’re safe, he said.
“We can’t have security through obscurity anymore,” Rea said.
Indeed, there were 394 cyberattacks nationwide in August 2019 alone, with attacks increasing in quantity each month over two years, according to researchers at the cybersecurity firm Recorded Future.
The volunteer civilian corps focuses on governments rather than private businesses because the training is taxpayer-funded, DeRusha said. But that doesn’t rule out a deployment to private organizations providing public services like a utility company.
Businesses face risks similar to those governments face.
“Don’t assume because you’re small that you’re not a target,” said Scott Lyon, the senior vice president of the Small Business Association of Michigan.
Lyon may have an answer: The association rolled out a tool in August that assesses the risk of a cyberattack and identifies computer system vulnerabilities so that business owners can patch holes in security.
The level of awareness is higher today than it was a year or two ago, but it’s a constant process, he said.
“As the good guys figure out a way to close the door, the bad guys are figuring out a new way to open it,” Lyon said.