Civilian cyber reserves gaining steam at the US federal and state levels

Most states have established working group structures that cooperate with local governments and other related organizations, such as state-level cyber commands, the National Guard, and military reserve organizations. Most operate under state-level organizations, with Michigan operating under the Department of Technology, Management and Budget, Wisconsin operating under the state’s Emergency Management Department, and Ohio operating under the Adjutant General’s Department.

Most states usually operate with no more than two full-time personnel to manage the reserve recruiting and operating process and purchase equipment and technology for the volunteers. The modest budgets range from an estimated $250,000 to $750,00 per year, according to 2022 to 2023 levels.

So far, the coordinators for the state-level programs count them as successes. “It’s been fantastic to the point now I’m starting to figure out exactly what this would cost versus what we’re saving people,” Craig Baker, program administrator for the Ohio Cyber Reserve, tells CSO. “When I came in, there was a little under 50 personnel. We’re now at 144. I’ve got another 15-plus people working through the process to join us. So, it’s been fantastic.”

One particularly successful initiative the Ohio Cyber Reserve has run involved three-hour seminars for a dozen school districts across the state on strengthening their networks. Ohio volunteers have also conducted three to four dozen assist missions for local governments to conduct audits based on NIST 800-53 to tell them where they stand regarding their security and privacy controls.

As is true for all public and private organizations, the challenge is finding enough qualified cybersecurity personnel to meet the tasks. In Ohio, volunteers must have five years of relevant experience, undergo a background check, and pass a SANS test, although no educational degree or certifications are required. “We’ve got a wide variety of people, everything you can think of, some super experienced that do international IR jobs,” Baker says. “We’ve got people high up in their companies, CISOs and all that. We’ve got academics that are very well-known in their field. We’ve got PhDs, people with master’s degrees, people that work for the state, people that work for the government, people that work in different industries across the spectrum while working in cybersecurity or a strong IT field with some cybersecurity knowledge.”

Still, Ohio faces competitive headwinds when it comes to attracting talent. “There are a lot of challenges,” Baker says. “The people that you’re looking for are people that have been doing this for 10, 15-plus years. But then you do the common-sense check on those people. They’re going to be in their thirties and generally have families, so it’s tougher for them to provide that volunteer time. So, we’re constantly looking.”