Bolstered IT systems, stepped-up education and training, and new partnerships have improved California’s ability to defend against cyberattacks, state officials charged with preventing and responding to such threats told lawmakers Wednesday.
Leaders across state government — not just IT experts — better understand how cyberattacks could cripple their departments and make personal data vulnerable, and they are taking cyberthreats more seriously.
“We’ve seen a rapid improvement in interagency collaboration to defend our networks,” said Maj. Gen. David Baldwin, the state’s adjutant general.
The report, delivered to a joint hearing of the Privacy and Consumer Protection Committee and the Select Committee on Cybersecurity, showed a transformed government from the last time lawmakers heard from the Brown administration about its cyber-readiness. Two years ago, lawmakers expressed frustration at the state’s disjointed efforts and inability to identify its weakest links.
Today, a team of four “core departments” has created a centralized strategy and is working together to combat what the governor’s homeland security adviser describes as one of the top five threats to California.
“This is an evolving threat,” Mark Ghilarducci, director of the Governor’s Office of Emergency Services (OES), told lawmakers. “It’s changing every day, which means we need to continue to pivot and change with it. That means that we collectively, as a team, need to be very much working closely together to try to anticipate using whatever technology we can to ensure that we can see the threats that are coming forward.”
Key to the effort is the California Cybersecurity Integration Center (CAL-CSIC), an entity embedded at the State Threat Assessment Center where representatives from OES, the Department of Technology, the California Highway Patrol and the California Military Department (the four core partners) sit side-by-side to share classified information and oversee and coordinate the response to cybersecurity threats — and not just against state government.
Since June 2017, the center has responded to more than 325 cyberincidents against educational institutions, state and local government agencies, and private-sector organizations. The attacks have ranged in severity from website defacements to botnet activity, email attacks, ransomware, compromised accounts and stolen network credentials, Keith Tresh, commander of CAL-CSIC, told lawmakers.
California’s process of communicating and reporting cyberincidents is now in a published document, known as the California Joint Cyber Incident Communications and Escalation Framework, for state, local and tribal governments to follow in the event of a cyberincident. It has also created a guide to help both private and public entities identify and report cyberattacks, as well as understand the state’s recovery procedures.
“The efforts of the CAL-CSIC are truly making a difference,” Tresh said. “California continues to mature in the area of cybersecurity, and we are taking a more proactive approach to cybersecurity than we ever have before. We have come a long way, but we still have work to do.”
At the Department of Technology, IT experts scan the state network at a 24-hour, seven-day-a-week Security Operations Center to monitor the Internet traffic of about 100 state agencies, departments and other state entities. It feeds any relevant threat information to the state cybercenter to investigate.
The department is also working to measure how state agencies are doing on cyberdefense — developing metrics that will take existing information and give agencies a score from one to four, state Chief Information Security Officer Peter Liebert told lawmakers. And it hopes this year to roll out a long-term strategy for future steps on cybersecurity.
“The main focus here is to deal with incidents when they come up in a swift way, working with our partners and in between incidents working together to proactively educate and mature state agencies,” state CIO Amy Tong told lawmakers. “That is the strategy of what we’re trying to do in cyberdefense.”
Within state government, the independent technical security assessments of agency systems and networks being carried out by the California Military Department have led to senior leaders focusing on cybersecurity, said Jim Parsons, who sits on the Cyber Network Defense team at the Military Department. That has allowed for more sophisticated testing of networks and systems rather than addressing basic vulnerabilities.
As state employees become more familiar with what to look for, they are also reporting more suspicious incidents to the California Highway Patrol, the state entity charged with investigating cybercrime. But the number of successful malware and ransomware attacks has actually dropped, said the CHP’s chief information officer, Chief Scott Howland.
“Folks are reporting more often … but not falling victim,” Howland said.