Why 2015 Was a Wake-Up Call for State Cybersecurity

State leaders have scrambled to create a more centralized and accountable cybersecurity system, recognizing that the systems, agencies and departments responsible for safeguarding critical state services and the personal information of Californians aren’t immune from potentially catastrophic attacks.

The massive security breaches that struck U.S. health-care companies, universities, retailers and banks this year have triggered an aggressive effort in California to get a handle on how state government detects, thwarts and responds to cyberattacks.

“When you think about how broad the threat is, and the multiple layers and levels of where that threat could come from, it is overwhelming because there is no silver bullet,” state Office of Emergency Services (OES) Director Mark Ghilarducci said in October.

The task is monumental in a state with nearly 39 million people, where government operates or oversees nuclear power plants, electric grids, wastewater treatment facilities, defense and 911 dispatch, automated transportation, and information systems containing personal data.

“It’s not a fair fight,” said California Office of Information Security Director Michele Robinson.

“We are battling a well-advantaged adversary,” Robinson told the Assembly Select Committee on Cybersecurity in April. “They are well-funded, well-organized. They don’t have to follow the rules we have to follow when dealing with technology and information sharing.”

The state government is target-rich. California has more than 100 agencies and departments within the executive branch alone, each with a mission to deliver critical public services, mostly through IT services and the Internet.

Gov. Jerry Brown, Ghilarducci, Robinson and a growing army of concerned public agencies and private companies have moved quickly to reduce California’s vulnerabilities. A flurry of legislation, hearings and executive orders in the past year aimed to shore up cybersecurity. The efforts focus on centralizing operations and enhancing accountability through increased oversight and coordination.

It started in February with the formation of an Assembly Select Committee on Cybersecurity led by Assemblymember Jacqui Irwin, D-Thousand Oaks. The committee is tasked with examining the state’s vulnerabilities, assessing resources, educating leaders and developing partnerships to manage and respond to threats. After the committee completes an investigation into cyberthreats, it will issue a report to state agencies, private businesses and other relevant entities.

In a separate move to centralize cybersecurity management, Brown signed an executive order in August directing OES to establish the California Cybersecurity Integration Center to serve as the organizing hub for state cybersecurity efforts.

The center will create a Cyber Incident Response Team to coordinate with private and public stakeholders and law enforcement in the event of an incident.

Ghilarducci, who also serves as the governor’s homeland security adviser, said that historically agencies like the Department of Technology, Highway Patrol, state attorney general’s office and the California Military Department each have taken on specific aspects of cybersecurity but with little centralized oversight or coordination.

Ghilarducci said OES is the best choice to ensure all the pieces work together, and he downplayed suggestions that there was duplication of effort among the various agencies working on the problem.

“Our role is to take all of these organizations and pull them into a coordinated center to make sure we are all moving on the same path,” he said. “My role is to ensure we’re all using the same strategy and standardized approach, and working effectively with private entities, academia and local governments to make sure we are working on a common set of objectives. This is important because, if you are disjointed, you are vulnerable to attack. There is never a dull moment.”

In an email to Techwire, the California Department of Technology said collaborating across agencies will “identify and best leverage existing capabilities, and can eliminate duplication and overlap.” (The involvement of OES also should help build capacity atop the resources and expertise already provided at the Office of Information Security, Ghilarducci added.)

For its own part, the Office of Information Security said it led several efforts designed to improve state security.

Ghilarducci also emphasized the important role of the state’s Cybersecurity Task Force, created three years ago with the public and private sectors. Assemblyman Ed Chau, D-Monterey Park, had pushed a bill to codify the task force but pulled the bill after the governor issued his executive order creating the Cybersecurity Integration Center. The task force most recently met in San Diego in November.

“We need to be all working together, looking at everything — from public cyber hygiene to building resiliency to threats and ensuring that we are on the same page in terms of detection and deterrence. It is a full life cycle, and it takes a community to do it,” Ghilarducci said.

To strengthen its enforcement capabilities, the Department of Technology in August began requiring state agencies and departments to develop and report a “plan of action and milestones” process to address security program deficiencies, a tool to be updated quarterly.

The department’s readiness to battle cyberthreats had been called into question in a sweeping state audit released just a week earlier, which cited the department’s failure to provide oversight of and guidance to the departments charged with safeguarding the state’s information systems. The audit found that only four of the 77 reporting agencies and departments that maintain confidential and sensitive data had fully complied with security standards.

Legislation signed by Brown in October further ramps up demands on the Department of Technology to pressure departments and agencies to improve their cybersecurity systems — and gives OES additional oversight authority.

Assembly Bill 670, by Irwin, requires the Office of Information Security, in consultation with OES, to perform IT audits of at least 35 state agencies per year. It also specifies that the Military Department can perform independent security assessments of any state entity and charge that entity for the work. In the past, the Office of Information Security was authorized to conduct security assessments, but not required to do so, and agencies were required to conduct their own IT risk assessments once every two years.

The Office of Information Security is now required to notify OES, Highway Patrol and the state Department of Justice about any criminal cyberactivity that affects a state entity or aspect of the state’s critical infrastructure. And the Office of Information Security must report any state entity that doesn’t comply with security requirements.

Ghilarducci remains circumspect about the state of California’s cybersecurity.

“We are not where we need to be because it is such a broad threat, but we are getting there,” he said.

This story appears in the Winter 2015 issue of Techwire magazine.