Assemblymember Ed Chau has proposed "bug bounties" to discover unknown security vulnerabilities in California's computer systems. Photo courtesy of CalChannel

Frustrated that California’s cybersecurity readiness suffers from “underlying systemic issues,” two Assembly lawmakers have urged Gov. Jerry Brown to rethink how the state prepares for a potential cyberattack.

The request by Assemblymembers Ed Chau, D-Arcadia, and Jacqui Irwin, D-Thousand Oaks, came just weeks after California’s chief information security officer (CISO) struggled to defend the Department of Technology’s cybersecurity readiness before two Assembly committees.

At issue is a state auditor report released last summer that revealed California’s dismal compliance with its own security standards to protect sensitive information.

“If we do not take substantial action now, we are concerned that the unaddressed weaknesses will lead to similar problems — with similar unfortunate results,” the lawmakers wrote in their March 16 letter to Brown.

Among the questions raised in the letter is whether the Department of Technology’s CISO would be more effective and autonomous at the Office of Emergency Services, the Department of Finance or the governor’s office.

“There is some question [of] whether CISO should really be under the department,” Irwin told Techwire in a sit-down interview. “Should that be more of somebody functioning independently as opposed to reporting directly to the head of Technology?”

That office is currently vacant after Michele Robinson resigned in March, just two weeks after lawmakers pointedly questioned her at a joint hearing held by the Privacy and Consumer Protection Committee and the Select Committee on Cybersecurity. A week and a half later, Department of Technology head Carlos Ramos announced his resignation.

In their letter sent the day of Ramos’ announcement, lawmakers suggested Brown consider designating a single individual to coordinate cybersecurity across the executive branch. Currently cybersecurity oversight falls to a handful of entities, including the Technology Department, the California Highway Patrol, the state Attorney General, and the Office of Emergency Services.

That’s problematic to lawmakers who say they want better coordination, oversight and accountability.

“We want to see how a response is going to be structured and who is in charge,” Irwin said. “Whether it is OES or Department of Technology, I don’t think that’s necessarily our role to define who that is.”

Lawmakers also want to know exactly how much the state spends each year on cybersecurity, a fact Robinson was unable to provide lawmakers at last month’s hearing. They also urged Brown to direct state agencies to complete emergency response plans for cybersecurity within the next 12 months, which mirrors a bill Irwin is shepherding through the Assembly.

Other recommendations in the letter include:

  • Ensuring the timely implementation of independent security assessments as required by Irwin’s AB 670 passed in 2015.
  • Establishing a process to inform lawmakers of sensitive information related to cybersecurity so resources can be allocated appropriately.
  • Requiring all state agencies to comply with any future state audits related to cybersecurity. (Twenty state agencies did not respond to the state auditor’s survey last year.)
  • Directing the Department of Technology and OES to work with lawmakers and other stakeholders to develop a comprehensive set of performance metrics that would provide greater transparency and accountability.