To defend “target rich, resource poor” critical infrastructure from cyberattacks, the U.S. must expand its patchwork volunteer system, a new report concludes.
Listen to this article
0:00
Learn more.
This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
The United States should move toward a new model where “target rich, resource-poor” community organizations like hospitals, schools, utilities and municipal governments share their cybersecurity responsibilities with “other, more capable actors” in the government and private sectors.
That is the primary conclusion of a new report released Tuesday by the Cyber Resilience Corps, a volunteer organization led by the University of California Berkeley Center for Long Term Cybersecurity (CLTC) and the CyberPeace Institute.
For years, policymakers have struggled to help these vital cogs of U.S. critical infrastructure level up their cybersecurity defenses in the face of rampant attacks from ransomware groups, nation-states and digital scammers.
Many of the insights in the paper are drawn from conversations the authors had with grantees from the Craig Newmark Philanthropies in the Cyber Civil Defense Initiative and the Cybersecurity and Infrastructure Security Agency, the federal government’s primary contact with states and localities on cyber defense.
“Emerging from both of these groups was one core theme: community organizations as a whole are falling through the cracks, and current efforts are not enough to help them protect themselves online,” wrote authors Sarah Powazek and Grace Menna.
These community organizations are “highly interdependent; just as hospitals need water, small businesses need childcare, and utilities need city governments, which in turn need nonprofits, and so on,” the report states.
While numbers vary according to the source, experts have long identified these types of organizations as the soft underbelly of America’s cybersecurity problem: important enough that their disruption could cause real world harms — making them attractive targets for profit-minded hackers or foreign intelligence services — but too small and under-resourced to do anything meaningful about it. The CyberPeace Institute has tracked approximately 43,000 cyber incidents targeting 121 civil society organizations between 2023 and 2025.
While community organizations rely on digital technologies, very few have the human or technical resources to fully secure them. IT and cybersecurity specialists are in demand across the public and private sector, with many going to larger companies or governments that can offer higher salaries than your average rural hospital or municipality.
But the authors argue that, much like how people and organizations can safely rely on automobiles without understanding how an internal combustion engine works, these organizations should be able to operate essential technologies without having to hire and staff full-time security operations centers.
To meet these challenges, the authors recommend maturing and expanding existing cyber volunteer programs to increase the number of organizations they can assist.
The report identifies three potential ways for outside groups to help these organizations secure their IT. First, private companies can make simpler, more secure products that do not place the burden for security on their customers. That echoes a similar effort that federal agencies like CISA have undertaken to push cyber risk up from individual organizations to the (much more resourced) manufacturers they rely on.
Second, states can create new shared services for smaller and rural organizations while taking over much of the responsibility for security. Again, this mirrors an approach the federal government has taken in recent years, charging the Department of Homeland Security and other departments with developing shared IT resources for smaller and less resourced agencies.
“When you get to the small regional level, where you have [organizations] with maybe an IT team of 10 or less people, that’s when cyber hygiene, cyber basics are most useful,” said Powazek, program director of public interest cybersecurity at CLTC.
Finally, existing volunteer cyber organizations help fill critical gaps, but they need to expand, use resources more effectively, and build lasting cyber expertise into local communities that can endure beyond a one-time engagement.
The items in the report include significant logistical and organizational challenges, such as finding a way to attract disparate groups of volunteers to defend IT infrastructure they don’t own or operate. The CLTC has set up a new website, cybervolunteeers.us, that is meant to build off existing efforts by CISA and others to organize the nation’s piecemeal cyber volunteer population.
Ann Cleaveland, executive director of CLTC, said the effort to better coordinate and organize cyber volunteers was an attempt to “take our own medicine” when it comes to implementing the report’s recommendations.
“One of the first things our volunteer community asked for [in interviews] was visibility,” she said. “We don’t even know who else is out there; organizations in need don’t know how to find us.”
But Powazek said it’s also an effort to acknowledge that “the status quo is unacceptable” for many smaller and rural organizations.
“We are, by doing nothing, leaving them to face these state actors by themselves,” she said, “and unless we have some sort of coordinated effort across all the folks who work these issues, work with these communities, it’s never going to change.”
