Cybersecurity Leader: Plan, Connect with Partners Before a Breach

State agencies, local governments, private-sector businesses and even residents should follow time-honored strategies in guarding against cybercrime, a state official said recently, explaining how his agency is part of that process.

Relationships are key to surviving incidents and breaches, and a crucial connection for California agencies and local governments is with the state cybersecurity center, a state official said recently.

The California Cybersecurity Integration Center (Cal-CSIC) may have a much wider engagement area than many in IT are aware of — but its focus, where incidents are concerned, isn’t all-encompassing, Mario Garcia, Cal-CSIC’s acting commander, said Oct. 9 in remarks explaining the agency’s mission at the State of California Cybersecurity Education Summit 2019. Among the takeaways:

• Cal-CSIC’s mission centers on information sharing, Garcia said during remarks that opened a discussion on “Trust Relationships: Mitigating the Inherent Risk.” That includes intelligence analysis, using classified and unclassified tools, and dissemination to partners in state and local government and the private sector. The scope covers national threats that could affect California businesses and residents, public-sector incident response, and even engagement with critical private-sector facilities such as the Port of San Diego.

“If you’re within the boundaries of California, the Cybersecurity Integration Center is responsible for doing everything that we can to try to protect you from cyberattack, or at least minimize the impacts of cyberattacks when they do happen,” he said.

Partner agencies include the California Highway Patrol cybercrimes investigation unit, the California Department of Technology, the California Governor’s Office of Emergency Services and the California Military Department (CMD), as well as representatives of the FBI and the Department of Homeland Security. When a cybersecurity incident happens, though, Cal-CSIC’s initial response may come through one of five regional “fusion centers.”

• The agency’s response is limited in scope, though: it won’t help a government or business reimage “5,000 computers.” Rather, once the agency decides to get involved, officials will deploy a team to “do some hunting, see if the bad guys are still in there, see if the malware is still working on your network,” the acting commander said. Once on-scene, they’ll kill that malware as quickly as possible and work to ferret out any other network issues. “And then we’re going to strategize with you on, ‘OK, how did they get in?’ Let’s make sure that we close that up,” Garcia said.

That involvement, though, should dovetail with the deployment of other local resources, Garcia cautioned. State and local agencies should be sure to work first with any vendors they have on retainer for incident response — and understand how Cal-CSIC’s presence could interact with any cyberinsurance policy that requires the retained vendor be called first.

• Cal-CSIC’s visibility is enhanced, Garcia said, through vulnerability assessments performed on state agencies every other year by CMD, a process that includes penetration testing. “And they deliver to that agency confidential results so that agency can then turn around and patch or scan or reconfigure whatever the vulnerability is that’s presenting itself,” he told Techwire in an interview. Cal-CSIC and other state agencies with access are also able to view “some of the high-level metrics that come from that,” to track the progress and use of resources pushed out to departments.

• Asked what trends his agency is seeing in cybercrime, Garcia said ransomware and phishing remain prevalent, and counseled departments to get back to basic protections. Large monetary investments, he said, don’t make for “the most effective cybersecurity defensive activity.” Rather, agencies should focus on “patching and scanning” and “life cycle replacements — doing the basics that we’ve all supposed to have been doing for decades.” That includes knowing your inventory, so you can learn whether firmware updates are available for what you actually have. Doing so, he said, can significantly reduce potential threats.

So can user training — giving staff enough time to “learn how best to utilize that tool”; and, as employees leave, fully training their replacements.

“A misconfigured security device can be just as bad as not having one at all,” he added.

Theo Douglas is Assistant Managing Editor of Industry Insider — California.