Members of the Cyber Response Team participate in quarterly training in Madison. Courtesy: WEM

MADISON, Wis. – A Wisconsin resource that protects information technology (IT) systems and critical infrastructure across the state is seeing an uptick in volunteers who are ready to defend against cyber attacks.

Over the past two years, the Cyber Response Team (CRT) has grown from 119 voluntary members to more than 400. A majority of those are considered general members, which allows people working in the public and private sectors to share information and get plugged into what threat indicators are occurring around the state. About 140 members also volunteer to be called in to assist when an entity is the victim of a cyber attack.

In early March, dozens of CRT members attended training in Madison designed to expand their knowledge and potentially become incident responders. Some participants were there to help understaffed schools, municipalities, tribes, and counties improve their level of protection, while others wanted to share their knowledge so the state can build stronger cyber spaces.

“I wanted more training, and I am new to cyber security,” said Brody Carroll, who works for Northwestern Mutual. “I want to better myself and my team back home, while helping where I can.”

“I am fairly new to the IT world, and this foundations course is a great way to help my school district and others,” said Tracee Gleichner, who is employed by the Menasha Joint School District.

A cyber response team member is working on a computer exercise during quarterly training in Madison. Courtesy: WEM

While Carroll and Gleichner are newer members, the CRT has been a resource in Wisconsin since 2015. The team was formerly administered by the Department of Administration’s Division of Enterprise Technology (DET), but oversight was recently transferred to Wisconsin Emergency Management (WEM), a division of the Wisconsin Department of Military Affairs. WEM manages and supports the CRT as one of several specialized teams that can respond statewide to different kinds of emergencies.

“Cyber security and response are part of WEM’s all-hazards mission, but it takes a group effort,” said WEM Administrator Greg Engle. “It takes a coordinated response from all the cyber response team partners supported by WEM, DET, and the Wisconsin National Guard, to assist in both preventing and responding effectively to cyber emergencies.”

“Cyber security is part of the National Guard’s mission set with defense cyberspace operations,” said Lt. Col. Sarah Frater, Director of Cybersecurity Operations for the Wisconsin National Guard. “Cyber security is a team game, and not only is the CRT a collaboration between the National Guard and WEM, it is a partnership among several agencies as well as the private and public sectors.”

LTC Sarah Frater assists a Cyber Response Team member during a computer exercise. Courtesy: WEM

The team includes responders from the Wisconsin Departments of Administration, Justice, Natural Resources, and Public Instruction. The Wisconsin Cybersecurity and Infrastructure Security Agency advisor is also available as a resource for the team.

“By building coalitions like the cyber response team, we have increased confidence there is a pool of people to respond if there should ever be a statewide cyber response,” said Eric Franco, WEM cybersecurity preparedness coordinator. “All of this knowledge and experience in the CRT fills a capability gap that no single agency has on its own.”

The cybersecurity preparedness coordinator is a new position at WEM. Part of Franco’s role is to join emergency management all-hazards practices with the ever-changing cyber threat landscape.

WEM Cybersecurity Preparedness Coordinator Eric Franco gives a presentation to the Cyber Response Team. Courtesy: WEM

When an organization suspects an unusual occurrence on their computers or network, they first report the incident to WEM’s 24-hour emergency hotline. There, Cyber Response Team leaders assess and analyze the situation, then assign team members based on the type of response and needs of the emergency.

One of the team’s leads is Jay Schaefer, whose full-time job is working as the cyber security architect for Winnebago County. Schaefer has responded to several cyber incidents since 2017. He says a CRT response can include anywhere from one or two people on a small response to a dozen people for a larger incident.

“As a team lead, you deal with the customer one-on-one so there is a coordinated response instead of a dozen separate voices,” said Schaefer. “How much the CRT is involved in an incident is based on how much they need us. Those factors include whether that organization has IT staff that can rebuild once we step in or if they have a cyber insurance company also working on an incident.”

Response teams can be utilized whenever there is suspicious activity on a computer. Smaller incidents can include someone clicking on a phishing link in an email, giving bad actors the credentials need to remotely access a network. Larger incidents could involve ransomware, where the information held on a server is held hostage until the organization pays for the material to be released.

Jay Schaefer leads a computer exercise for Cyber Response Team training. Courtesy: WEM

 In 2022, the CRT responded to 22 incidents across the state. However, another aspect of the team’s mission is to protect critical infrastructure through planning and mitigation.

“Response is only one part of the cyber response team’s mission,” said Franco. “It’s a volunteer network to help develop technical skills to assist governments, organizations, and businesses with prevention, protection, and efforts to reduce the impacts of a cyber attack.”

CRT members hone their own skills at quarterly training sessions, where they learn how to assess computer network security, the latest protection tools and techniques, and practice responding to when a threat is detected.

LTC Frater hopes the team continues to gain traction in the state to create long-lasting cyber support for governments and organizations across Wisconsin.

“I want the CRT to have continuity, so as people come and go, the team is still here,” said Frater. “If there is someone who is an IT professional, who wants to build relationships and share cybersecurity knowledge, join the CRT. Even if you already have a staff member on the CRT, consider having other workers join to help create cyber security consistency.”

People interested in becoming a member of the Cyber Response Team can find more information at