Courtesy MIRS News
Members of Michigan’s Cyber Civilian Corp are being described as the “volunteer firemen” of the computer security world.
Created in 2013 at the urging of Gov. Rick SNYDER, the Cyber Civilian Corp, or MiC3 as it is called, currently has 52 members who have volunteered to respond when a government agency, municipality, educational institution or business is under “imminent threat” from a hacking attack or other cybersecurity incident, according to David BEHEN, director of Michigan’s Department of Technology, Management and Budget (DTMB).
He hopes MiC3 will have 200 volunteers by 2018, Behen told the House Communications and Technology Committee Tuesday.
Committee members were considering HB 4508, introduced by Rep. Brandt IDEN (R-Oshtemo Twp.), which would bring MiC3 under the DTMB, add background checks for the volunteers and create a new advisory board to oversee its operations. The bill would also put decisions about when and where to deploy the Cyber Civilian Corp into the hands of the DTMB and provide the volunteers with immunity from liability when they are on assignment volunteering in response to a threat.
Currently, MiC3 is operated by the Merit Network, according to Caleb BUHS, spokesperson for the DTMB. Merit is a non-profit organization operated by the state’s universities, which also operates the Michigan Cyber Range, a program where computer security experts can train and practice their response to hacking attacks.
In the event of a cyber attack, DTMB could deploy one or more of its volunteers for up to seven days to assist in securing data and computers against the attack. As the response is done on a volunteer basis, the members would receive only expenses for gas, lodging and food.
Dennis TALLUTO, Strategic Account Manager for the Sequris Group based in Royal Oak, raised concerns about whether the program would compete with private sector firms, many of which provide cybersecurity services. He said response to attacks is among the services they offer.
Iden contended the purpose of the program is not to compete with private sector firms.
“What these people do is come in when there are highly vulnerable situations and they come in and provide additional support,” he said. They’d be called in when users’ credit card information, email accounts, banking information or perhaps even health care information is being treated by a cybersecurity risk.
But companies would still need to contract with private businesses for cybersecurity protection, training and prevention. Rebuilding databases and damage repair after an attack also would be something private sector firms would have to provide.
David WORTHAMS, policy director for the Michigan Bankers Association, spoke in favor of the bill. He said his industry gets hit frequently by cyber attacks, and while larger regional banks already likely have departments that would be able to respond to a cybersecurity incident, smaller banks may operate with only one or two people in their technology department and may need help during a cyber attack to protect customers’ information.
Worthams said Texas has already had 55 major cybersecurity attacks, but security officials there have been able to defeat each one.
Buhs said Michigan has yet to have an attack severe enough to deploy the Cyber Civilian Corp. But many businesses and government agencies have been subject to such attacks. “You hear about it every day,” he said.
Behen said Michigan’s MiC3 program has become a national model and as many as eight other states have reached out to Michigan to learn how to put together a similar volunteer corp.