California Gov. Jerry Brown spent considerable time this year forging ties with China — seeking economic partnerships for the state during a weeklong trip there in April, then signing a non-binding climate change pact with the emerging superpower in September.
But agreements on paper only go so far amid the ever-changing dynamics of foreign relations. As Brown was touring China in search of trade opportunities, China’s military likely was continuing what it has reportedly done for years: methodically probing for vulnerabilities in critical computer systems maintained by California government agencies and the state’s biggest companies.
The fact that foreign actors are engaged in sophisticated hacking against California and its businesses certainly isn’t lost on the Brown administration and the governor’s homeland security adviser. "There could be a win-win out of it for the state’s economy, but we also need to understand the threat that exists and put in processes here in California to mitigate," said Mark Ghilarducci, director of the Governor’s Office of Emergency Services.
The state is taking action. Ghilarducci’s office is partnering with the California Department of Technology and state CIO Carlos Ramos to convene what’s called the California Cybersecurity Task Force. The first-of-its-kind advisory workgroup is composed of high-level security experts from state and local government, universities and laboratories, and major corporations and technology companies that call California home. "From a homeland security standpoint, we really needed to develop a platform to bring these stakeholders together," Ghilarducci said.
The group, which had its first closed-door meeting in May, is working on a range of issues, such as enhancing cybersecurity products, improving coordination and information sharing between the public and private sector, securing funding, developing breach remediation guidelines, and creating cybersecurity education programs for the work force and California’s schools and universities.
The initial goal, Ghilarducci added, is to make it more difficult for hackers to infiltrate the electrical grid and other key systems, or to steal companies’ intellectual property and the public’s personal information — realizing along the way that it’s impossible to eliminate all incidents and breaches. Threats are coming in from all directions, whether from individual "hacktivists" or large nation-states that are conducting cyber espionage, so eliminating all cyber threat is unrealistic.
"But by putting in some basic awareness, some training and auditIng and basic security procedures — to start off with — I think that will go a long way. But we all have to be one the same page, and that’s part of the initial set of objectives," Ghilarducci said.
"We could get all the stakeholders, no matter what sector they’re in, going through their networks and putting in something as simple as two-form authentication or making sure passwords are changed routinely, or having auditing so that they could determine if they’re being hacked or not," Ghilarducci continued. Patching applications more frequently and taking a harder look at who has system administrative rights are other ideas.
In the few months since the task force formed, approximately 50 entities have joined the effort, including representatives from the National Fusion Center Association (NFCA), the FBI, the Sacramento Utility District, Cyber Watch West (CWW), and private companies such as Verizon, Bank of America and Symantec. Ghilarducci initially feared the group’s size would hinder its effectiveness, but he said it quickly became clear that everyone brought a different perspective and all are essential.
The task force has split into seven subcommittees organized under key topic areas such as emergency preparedness and risk mitigation; each group is beginning to formulate a work plan. Meetings will occur at least quarterly, rotating among various locations. The Office of Emergency Services hosted the Sept. 30 meeting in Sacramento. The task force is writing its charter and sometime in 2014 could finalize a document detailing California’s official cybersecurity strategy. Officials expect the group to take on other tasks and projects in the future as need arises.
Those involved believe the California Cybersecurity Task Force is unique among the states due to the wide range of stakeholders that are coming together at the table. Shortly after the new effort was announced, Ramos said it was yet another example of California leading on an important technology issue. Eventually the task force is something other states could emulate, he said.
Meanwhile, the federal government already has found results from a similarly inclusive approach. For example, the National Infrastructure Advisory Council — a Department of Homeland Security body that includes utilities, chemical makers, state and local organizations and law enforcement — is giving recommendations for new information-sharing systems.
Consequently, Ghilarducci is hopeful that federal homeland security dollars will be sent to California in support of the state’s effort. But he won’t wait on funding. All sectors are realizing that investments in security are a necessity, he said, and the work must start now and can’t be put off. Since the task force met for the first time in the spring, Ghilarducci says what he has learned in a few short months through the task force has only strengthened his belief that California is making a wise move bringing together stakeholders from across the state.
"I’m blown away by the level of intrusiveness that has occurred — literally how vulnerable we are, without getting into too much detail or our vulnerability," Ghilarducci said. "It’s safe to say that we, as a nation, it’s our culture; we are very open and this threat has raised up very rapidly, and as a result I think people are seeing it but not necessarily knowing what to do about it. I’m really amazed how vulnerable we are and how much a lack of knowledge there is in this particular area."
The stakes are high, and the potential losses to California’s economy are great. With more than 38 million citizens living here, there’s a rich trove of credit card numbers and personal information that can be targeted. And with high-tech companies Google, Facebook, Twitter, and many others with headquarters in Silicon Valley, California is likely target No. 1 on a hacker’s wish list.
"Let’s not make it easy for them," Ghilarducci said.
This article was originally published in Techwire Magazine.
