Michigan’s volunteer cyber corps expands despite critical audit report

Mark Maki, senior counsel and a member of the cybersecurity/data privacy group and the intellectual property group at Miller Canfield.

Michigan has a first-of-its-kind cybersecurity program that Mark Maki thinks is a critical component to businesses and local governments staying safe in the cyber world.

Mark Maki, senior counsel and a member of the cybersecurity/data privacy group and the intellectual property group at Miller Canfield.

The Michigan Cyber Civilian Corps, a 99-volunteer group created in 2013, was designed to allow experts to respond to cyberattacks. And, by and large, Maki and others believe the group is doing well.

Maki is senior counsel and a member of the cybersecurity/data privacy group and the intellectual property group at Detroit-based law firm Miller Canfield. He said the Michigan Cyber Civilian Corps is a “critical component to addressing the continuing threat of cyber hackers” he said “continue to attack government and private businesses.

“It’s a critical need … for many enterprises it’s difficult enough to come up with a budget for cyber security,” Maki said. “It’s even more difficult for municipalities … they’re on more of a fixed budget because they’re working within a millage, so they can’t just raise prices.”

But, like many industries and programs, experts say cybersecurity requires constant updates and reviews. And the Michigan Cyber Civilian Corps just got one of its own.

Background checks
The state’s auditor general recently reported that 35 of the 99 volunteers of the Michigan Cyber Civilian Corps failed to undergo background checks. Two volunteers failed the checks and had their status revoked in April.

The program was privately managed until 2017, when it was transferred to the Department of Technology, Management and Budget.

Volunteers who passed assessment tests, but not background checks were previously allowed to participate in networking calls and training, the report said.

Assessment tests determine a cybersecurity professional’s skill level, the background checks look for history of a criminal record.

The budget agency agreed to revise its volunteer agreement and initiate a more thorough vetting process in response to the report. 

Officials said that while they did not adequately evaluate training effectiveness, volunteers frequently discussed it.

Growing pains
Cyber security experts can volunteer to respond to cyberattacks with the Michigan Cyber Civilian Corps if they follow the certification and background check procedures.

Maki thinks the review is just a sign that the program, like any new venture, is going through “growing pains.

“It’s the first in the country, so it’s a model for other states and the federal (government),” Maki said. “Any growing pains they might have now are just a function of working through implementation of something that’s never really been done before.”

While Michigan’s program is the first of its kind, the New American, a public policy think tank, recently called for a 25,000-member national version modeled after Michigan’s program. 

The Michigan effort is expected to grow from 99 to 120 members within the next two months, said Chris DeRusha, who manages it as a part of the cybersecurity and infrastructure unit within the budget agency. 

Training opportunities
Cybersecurity experts who volunteer to respond to critical infrastructure attacks and data breaches receive networking, training and certification opportunities. 

The corps responded to three attacks on local governments in 2019, DeRusha said. He declined to reveal the nature of the attacks, the victims or whether they were successfully repelled, citing confidentiality agreements between the corps and the governments involved.

Depending on the cyberattack’s circumstance, disclosure of information could compromise a victim’s security or hinder the criminal investigation, said Caleb Buhs, the Department of Technology, Management and Budget communications director.

Laws vary across states, and without a clear guideline from national law, many attacks are not reported, DeRusha said.

“That’s why there’s not as high a level of awareness across the country as there could be for how many cyber attacks are happening every day,” he said.

He encourages clear reporting requirements to allow police to investigate with confidentiality to ensure the perpetrators are swiftly found.

Common attacks
Many attacks fall under the category of “ransomware” in which a downloaded attachment locks users away from data until a ransom is paid to the hacker, said Alan Rea, a professor of business information systems at Western Michigan University. Malware attacks are also common, which can steal or destroy files from the start on an attack.

“It might be an email attachment. Someone opens it, that’s all it takes,” Rea said

The moment a local government plugs its systems into the internet, it’s at risk, Rea said. 

Resources to repel such attacks vary among local governments, Rea said. Some can afford a contract with an information security professional, others pay the ransom up front.

Local governments can’t assume because they’re small and rural that they’re safe, he said. 

“We can’t have security through obscurity anymore.”

Indeed, there were 394 cyber attacks nationwide in August 2019 alone, with attacks increasing in quantity each month over two years, according to researchers at the cybersecurity firm Recorded Future.

“The Michigan initiative provides value because the risks are increasing,” Miller Canfield’s Maki said. “They’re not going away.”

The volunteer civilian corps focuses on governments rather than private businesses because the training is taxpayer-funded, DeRusha said. But that doesn’t rule out a deployment to private organizations providing public services like a utility company.

Businesses face risks similar to those governments face.

“Don’t assume because you’re small that you’re not a target,” said Scott Lyon, the senior vice president of the Small Business Association of Michigan.

Lyon may have an answer: The association rolled out a tool in August that assesses the risk of a cyber attack and identifies computer system vulnerabilities so that business owners can patch holes in security.

The level of awareness is definitely higher today than it was a year or two ago, but it’s a constant process, he said. 

“As the good guys figure out a way to close the door, the bad guys are figuring out a new way to open it,” Lyon said.

That’s why Maki thinks the ransomware problem isn’t going away any time soon.

“It’s going to increase because it’s become a way to monetize these breaches,” he said. “It’s become very profitable for many of these crews.”

Evan Jones of Capital News Service contributed to this report. His full story can be found at http://news.jrn.msu.edu/2019/09/michigans-volunteer-cyber-corps-expands-despite-critical-audit-report/