Grassroots Collaboration

How hobby clubs become first responders in the Cyber Resilience Alliance.

Mansfeld-Südharz, Germany - November 7, 2025

Turning Sunday tinkerers and ham-radio crews into the county’s early-warning fabric—without asking them to become mini-SOCs

The email arrived at 22:41 on a rainy Thursday. The sender used a vintage pirate-radio address, the subject line was written in all-caps Morse shorthand, and the attachment was a five-megabyte packet capture showing an unusual spike of SMB traffic on the repeater network that links the amateur-radio masts between Oranienbaum and Wolfen. What looked like nostalgic nerd trivia was, in fact, the first civilian tip-off that a ransomware affiliate was probing the industrial park’s edge network. Because the packet capture carried the GPS coordinates of the repeater, the Alliance’s ingestion engine could correlate the traffic with a sudden rise in failed VPN authentications logged by the county’s waste-water SCADA system. Forty-three minutes later, a playbook originally written for multi-nationals was executed by a twenty-three-year-old electrical apprentice who happens to run the local Chaos Computer Club chapter and who had spent his afternoon aligning a forty-year-old Yagi antenna instead of scanning dashboards. That is the kind of serendipity the Alliance is designed to amplify: the moment when civic hobby turns into civic defence without anyone swapping their fleece vest for a security hoodie.

The insight began with a simple cartographic exercise. We overlaid two maps: one showing every club, society or registered association in the county—model-railway circles, botanical societies, volunteer fire brigades, pipe-organ restorers—and the other showing every internet-exposed interface we could find with a passive scan. The correlation was lopsided. More than sixty small networks—repeaters, weather stations, 3-D-printer clubs, observatory webcams—sat on public IPs that were technically part of the county’s attack surface, yet none of those networks appeared on any asset register because they are run by citizens who never think of themselves as critical infrastructure. Instead of issuing cease-and-desist letters, we asked a different question: what if these accidental operators became voluntary sensors? The answer became the Grassroots Node Programme, a lightweight affiliation layer that gives hobby clubs read-only access to a threat-feed and, in return, asks them to forward anything that feels “weird” using whatever channel they already trust—SMS, LoRa, Morse, or simply a phone call to the county emergency line that mentions the keyword “Packet-Orange,” the Alliance’s open sesame.

Joining is intentionally low-friction. A club downloads a single-page memorandum that reads like a neighbourhood-watch pledge rather than a vendor contract: promise not to probe third parties, promise to anonymise any personal data you accidentally collect, promise to report within four hours if you see signs of lateral movement. In exchange, the Alliance provides a Raspberry-Pi image pre-loaded with Suricata in tap-only mode, a Yagi antenna if the group lacks one, and a GPG key-ring that lets the Pi upload PCAP snippets over an onion service. No one is asked to become a mini-SOC; the device is a diary, not a deputy. Its logs are time-stamped and hashed, so if the county SOC later needs to reconstruct an incident sequence, the grassroots node becomes a silent witness rather than a self-appointed sheriff. The first cohort—eleven clubs—was bootstrapped with hardware costs covered by a 50 000-euro micro-grant from the county’s youth-innovation fund, a line item so small it never needed state-level approval, yet large enough to seed a mesh that now covers ninety kilometres of Elbe riverfront without purchasing a single additional commercial sensor licence.
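An added illustration of the time-stamped, hashed log described above; this is not the Alliance's code. The page does not say how the node's logs are hashed, so the chaining scheme, the field names and the sample events are all assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain


def _digest(prev_hash, ts, event):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps({"prev": prev_hash, "ts": ts, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(log, ts, event):
    """Append a time-stamped record whose hash covers the previous record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"ts": ts, "event": event, "prev": prev_hash,
             "hash": _digest(prev_hash, ts, event)}
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first inconsistent record, or None if intact."""
    prev_hash, prev_ts = GENESIS, ""
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return i  # a record was removed, inserted or reordered
        if entry["hash"] != _digest(entry["prev"], entry["ts"], entry["event"]):
            return i  # record content was edited after the fact
        if entry["ts"] < prev_ts:
            return i  # same-format UTC timestamps must not run backwards
        prev_hash, prev_ts = entry["hash"], entry["ts"]
    return None


def build_sample_log():
    # Constructed sample events, not real sensor output.
    log = []
    append_entry(log, "2025-11-06T22:10:03Z", "suricata alert: SMB burst on repeater link")
    append_entry(log, "2025-11-06T22:17:41Z", "pcap snippet written: 5 MB")
    append_entry(log, "2025-11-06T22:41:00Z", "snippet uploaded to collection endpoint")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    sample[1]["event"] = "pcap snippet written: 1 MB"  # simulate a later edit
    print("first inconsistent record:", verify_log(sample))
```

A chain like this is tamper-evident only against someone who cannot recompute it from the start, so the latest hash has to be held somewhere off the device, for instance sent along with each upload.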

Training follows the same philosophy of additive competence rather than credential conversion. Once a quarter, the Alliance runs a Saturday-morning field exercise called “Funktag,” borrowing the German ham-radio term for a day of open airwaves. Participants bring whatever gear they love—hand-held radios, drone trackers, home-made spectrum analysers—and spend four hours in a loose scenario: a simulated blackout of the county’s LTE backbone after a notional storm, followed by a low-rate ransomware beacon that hops across unlicensed spectrum. The goal is not to defeat the beacon but to notice it, log it, and relay the coordinates using any path that still works. At the end of the day, the logs are merged into a single timeline that is published under Creative Commons, so every club can see how its tiny fragment fits the mosaic. Over time, the exercise has become a social tournament: the botanical society prides itself on sending the first LoRa packet from the greenhouse roof, while the model-railway group competes on who can hide a sensor inside a miniature freight wagon that still couples magnetically. Gamification without gamification: pride does the heavy lifting that KPIs normally do.

"The network was already there; we just gave it something worth hearing."

Legal air-cover is provided by a clause inserted into the county’s civil-protection ordinance that recognises “voluntary telemetry contribution” as a form of auxiliary emergency service, on par with volunteer fire brigades or water-rescue units. The wording was copied almost verbatim from existing regulations for amateur-radio storm spotting, so no new legislation was required; the county simply issued an administrative notice that extends the same liability shield to cyber incidents. Clubs are therefore covered by the county’s blanket insurance when they act in good faith, and the four-hour reporting window aligns with the federal Kritis regulation, ensuring that any data they forward enters the official escalation chain without exposing them to follow-up liability. The elegance is that the mechanism scales down as well as up: a single citizen running a Wi-Fi scanner in a garden shed is equally protected, provided the traffic dump is uploaded through the same onion end-point. The state interior ministry has since indicated it will copy the clause into a model ordinance for other counties, turning local improvisation into transferable statute.

Perhaps the most surprising outcome is cultural rather than technical. By giving hobbyists access to the same threat-feed that professionals watch, the programme dissolves the mystique that normally surrounds cyber security. When a retired chemistry teacher sees the identical IoC that a tier-one analyst sees, the subject stops being black magic and becomes another flavour of observable nature, like cloud cover or soil acidity. That shift has already produced unexpected dividends: the county’s botanical garden now hosts an annual “packet forest” art installation where LED strips visualise live firewall logs among the tomato beds, and local high-school teachers use the anonymised feed to teach statistics classes about entropy and randomness. Security becomes scenery, something you walk through rather than avoid. The longer-term bet is that this normalisation will feed the professional pipeline without the usual recruitment campaigns: teenagers who once built weather balloons now ask how to write Suricata rules, and the Alliance simply points them to the apprenticeship scheme run jointly with Anhalt University. No brochures required—only data they have already helped collect.

We are still cautious about scale. The psychology of volunteering is fragile; the moment a grassroots node is asked to shoulder commercial SLAs, the magic dies. The Alliance therefore keeps the ask constant: notice, record, relay. Anything beyond that—triage, containment, forensics—is handled by the county SOC, which is staffed and paid to carry those burdens. The separation is enforced by architecture, not by policy: the sensors operate in tap-only mode, the onion service rejects any inbound connection that carries a write payload, and the GPG key-ring is encryption-only, so no remote command can ever be issued. Even if a well-meaning volunteer wanted to intervene, the hardware cannot physically transmit. That hard limitation protects both the volunteer and the integrity of the evidence chain, because it eliminates any allegation that amateur action altered the crime scene. In legal terms, the grassroots node is a camera, not a drone.

The next frontier is cross-border federation. Because the technical interface is nothing more than signed STIX bundles over HTTPS, any European region can stand up its own collection endpoint without installing custom software. South-Tyrol has already begun mapping its hiking clubs and amateur astronomers using the same one-page memorandum translated into Italian and German, and the Bavarian Red Cross wants to equip its mountain rescue teams with portable sensors that upload once teams descend to valley GSM coverage. The only additional requirement is a reciprocity clause: any region that consumes the feed must contribute back at least one verified observation per quarter, ensuring that the commons does not become a free fire-hose for vendors. That rule keeps the network honest and prevents the Alliance from evolving into yet another threat-intelligence vendor with a community sticker on the box. So far, the ratio holds: for every hundred IoCs we ship outward, we receive ninety-five back, a surplus that is close enough to parity to call the loop sustainable.

Ultimately, the programme proves that resilience is not a product you buy but a neighbourhood you organise. The same antenna that once relayed ham-radio jokes now carries evidence of hostile packets, and the same club that scheduled flower exhibitions now publishes SHA-256 hashes. The technology is trivial; the sociology is not. By leaving pride, autonomy and local language untouched, the Alliance gains an early-warning fabric that costs less than a single enterprise licence and stretches across every parish that possesses a curious mind and a scrap of copper wire. If that sounds romantic, remember that the email which started this story arrived in Morse shorthand and was signed with a call-sign older than the internet itself. The network was already there; we just gave it something worth hearing.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
