Vigilance, Staffing Crucial to Cybersecurity Readiness

At the third edition of a cybersecurity event in Sacramento, state technology leaders said that while many threat types are well-known, governments should continue to be on guard against them.

Maintaining one’s online guard, remaining vigilant and replenishing a key area of the gov tech workforce were among the issues covered Wednesday during the third edition of a state cybersecurity conference in Sacramento.

At the State of California Cybersecurity Education Summit 2019, officials from the California Department of Technology (CDT), the Government Operations Agency (GovOps) and the California Governor’s Office of Emergency Services (CalOES) compared Pacific Gas & Electric Co.’s electricity shutoff, which affected more than 1 million residents around the state and was intended to mitigate wildfire danger, to a large-scale incident or breach. But they also highlighted its learning potential.

“What we’re seeing, sort of, with the power outage, [is that] it gives us a better idea of what kind of impacts things that could happen should we have a cyberattack that impacts our utilities, our critical infrastructure, that would result in something like a black sky event where we would lose all of our power throughout the state,” said CalOES Director Mark Ghilarducci. Among the takeaways:

• The state is following “four key goals” in cybersecurity, the director said. It continues to identify ways for stakeholders to improve coordination, information and intelligence sharing, to identify threats. That’s the concept behind the California Cybersecurity Integration Center (Cal-CSIC), which examines classified and unclassified data. The state also wants to assist departments and other governments in developing “threat detection, prevention, remediation and response, and recovery strategies.” Officials want to review “areas where coordination will enhance security” and emergency response and focus on building education and workforce development in cybersecurity.

“And we want to really continue to review our state cybersecurity strategy in coordination with our state’s homeland security strategy, so that we can be as resilient as possible,” Ghilarducci said, joking that “… hopefully, we can keep the lights on for the rest of your session.” On Sept. 26, former Gov. Jerry Brown signed Assembly Bill 2813, charging Cal-CSIC with developing a “statewide cybersecurity strategy.”

In an interview with Techwire, state CIO Amy Tong — whose agency and CalOES are two of Cal-CSIC’s four core partners — said officials are working on a cybersecurity strategy known as Cal Secure, which is “under continuous improvement” and refinement to ensure it aligns with California homeland security and Vision 2020, the strategic plan for IT. That statewide strategy, Tong said, could arrive as soon as year’s end.

• The state’s online network still receives “200 million-plus probes” daily from bad actors, Tong said in her opening remarks, pointing out that California led the nation last year with 35,000 cybersecurity job openings — a fraction of the estimated 3.5 million cybersecurity jobs believed to go unfilled by 2021. In an interview, she counseled agencies and governments to remain watchful for phishing and ransomware, noting “although those seem basic and fundamental, the fact that they’re still not being done, that of itself is an epidemic.”

She counseled “prioritization” of services that must be secured but said state and local are “all part of the government,” which informs their parameter of taking a holistic view of government. The fact that it’s often smaller organizations, not the big ones, that are breached means the state wants to “make sure that there is an equal focus to the haves and the not-haves — the smaller entities — and help them to be maturing their services,” Tong said.

• In an interview, Lorenzo Smith, dean of the College of Engineering and Computer Science at California State University, Sacramento, said the event’s educational partner can’t produce what Ghilarducci called “the cyberwarriors of the future” fast enough, while ensuring students learn the technical skills they need — and receive practical training from mentors like Tong.

“I think it’s a given that our students are going to be well-prepared from a technical standpoint, but are they creative? It’s the soft skills and the ability to grapple with the quickly changing environment, that’s the sort of warrior that we want to put in front of us to protect us from cybersecurity threats,” Smith said.

• CDT and DMV officials are coming to the Oct. 17 DMV Vendor Day, and the pitch day that will likely follow in November, with open minds. Asked whether Newsom’s RFI2 “flexible approach to procurement” was an inspiration for the event, Tong said the state’s “evolution of the past couple of years” — taking up Agile and using its 6611 contract negotiation ability, along with the Project Approval Lifecycle’s emphasis on market research — all played a part.

“I think it’s a culmination of all of that, really [leading] to: You just need to talk to people, you just need to put the problem out there,” Tong said, indicating there’s little in the way of preconceptions about whether the event could lead to small or large solutions, or the selection of a single vendor or a team. “All options are on the table,” she added.

Theo Douglas is Assistant Managing Editor of Industry Insider — California.