
Analyst Urges More Openness in State's IT Security Spending

The Legislative Analyst's Office issued a report Tuesday with three key IT security recommendations to the governor and the Legislature.

The state Legislative Analyst’s Office on Tuesday scrutinized the funding of information security in state government — a topic whose details are so sensitive that legislators themselves can’t be fully briefed on what they’re buying.

Opening that process up is one of three key recommendations to the Legislature that the Legislative Analyst’s Office (LAO) makes in its new report, part of the office's ongoing examination of the governor’s proposed budget.

Gov. Gavin Newsom, in his proposed spending plan for fiscal year 2020-2021, includes 20 requests for resources to improve information security in various state departments and agencies. Three of those 20 requests would enhance security across all agencies; the others are more narrowly tailored.

This is the second time in a week that LAO has examined Newsom’s spending plans. Last week, the office made recommendations on Newsom’s overall proposed IT spend. The latest report addresses only the security aspect of state IT.

In the report’s introduction, the LAO addresses the Catch-22 of budget requests for information security measures: the details of those measures, by their nature, shouldn’t be widely shared, because that knowledge could tip off those who would try to get around the protections.

The LAO wants state IT leaders to be more open with the legislators who fund their operations, or at least to give them more to go on.

“These constraints relate to the significant amount of information in support of these requests that is kept confidential by the administration and not made available to the Legislature,” the report says.

And that leads to the first of the report’s three key recommendations, which is directed at the California Department of Technology (CDT), one of four state entities that represent the administration in the state’s IT governance structure:

“We recommend the Legislature consider requiring CDT to determine what type of information the administration could feasibly share with the Legislature (both confidentially and publicly),” the LAO writes, “and present several options for the Legislature to consider in a format specified through supplemental report language (SRL).” In short, the LAO wants CDT to rank the governor’s budget requests by priority, even if it can’t reveal many details about them, and to provide metrics showing whether the agencies can justify their security spending by demonstrating results.

CDT told Techwire in an email Tuesday afternoon that it would weigh the LAO recommendations.

“The California Department of Technology welcomes the Budget and Policy Post on information security from the Legislative Analyst’s Office,” said CDT spokesperson Bob Andosca. “The Department will take the time to thoughtfully review its findings and recommendations.”

The “maturity” of a given department or agency’s security has been a key focus of CDT’s Office of Information Security (OIS) for the better part of two years. In March 2018, the state’s then-Chief Information Security Officer, Peter Liebert, implemented an assessment of state agencies’ maturity metrics, a way to assess and grade their cybersecurity defenses, before leaving his CISO position last May. Oversight of OIS now falls under the jurisdiction of Liebert’s successor, acting state CISO Vitaliy Panych.

LAO’s second recommendation to the Legislature centers on funding security improvements for the departments and agencies that need them, using money that until now has been designated to pay for the security audits themselves.

“We recommend the Legislature adopt revisions … (that) would ensure this funding will be used to improve the maturity of entities’ IS programs, which we find has merit,” LAO says.

The third recommendation says the several state entities whose IT isn’t subject to CDT’s oversight or governance should nonetheless be held to the same information security standards as the agencies that do fall under CDT’s authority.

“Without common IS standards that every entity follows and a common oversight governance structure to enforce the standards, the administration and Legislature cannot be confident that entities not under CDT’s authority are effectively mitigating their IS risks,” the LAO report says. “Limited visibility into the IS programs of these entities also means attacks and/or threats could occur without a coordinated response within the administration. We therefore recommend the Legislature consider statutory language that would require these state entities to follow state IS standards (or comparable standards) and be subject to a similar IS oversight governance structure.”

The single largest funding request in Newsom’s budget is for the four entities that make up the state’s cybersecurity operation: CDT, the California Highway Patrol (CHP), the California Governor’s Office of Emergency Services (Cal OES), and the California Military Department (CMD). Newsom’s request, which would go toward the California Cybersecurity Integration Center (Cal-CSIC), totals $11.06 million for fiscal 2020-2021.

The next-largest IS funding requests from Newsom are for the California Department of Food and Agriculture, for which he seeks $5.37 million for its “IT Workload Growth and Sustainability,” and CDT, for which he seeks $5.06 million for a statewide endpoint-to-endpoint platform. The LAO notes that in some cases these figures represent only a portion of the security-related costs.

Dennis Noone is Executive Editor of Industry Insider. He is a career journalist, having worked at small-town newspapers and major metropolitan dailies including USA Today in Washington, D.C.