California officials charged with securing state IT systems and combating cybersecurity threats will face lawmakers Wednesday at a hearing intended to show successful collaboration across state government.
It’s a strikingly different tone from the last joint legislative hearing held two years ago by the Privacy and Consumer Protection Committee and the Select Committee on Cybersecurity, when lawmakers complained about state efforts and the state auditor questioned California’s cyber-readiness.
“There’s been a sea change in the last few years,” Assemblywoman Jacqui Irwin, D-Thousand Oaks, chair of the Select Committee on Cybersecurity, told Techwire in a telephone interview. “This hearing is about letting the public know about the progress departments have been making.”
Lawmakers and state IT experts say a security breach in California, the nation’s most populous state and sixth-largest economy in the world, could expose troves of confidential information or disrupt essential services such as water supply or electric power.
Since the February 2016 hearing, the administration has allocated new staff and resources to the mission of a cyber-ready state. It launched the California Cybersecurity Integration Center, an entity embedded at the State Threat Assessment Center where representatives from various state agencies sit side by side to share classified information and oversee and coordinate the response to cybersecurity threats against California.
And the California Department of Technology (CDT) last year opened a 24-hour, seven-day-a-week Security Operations Center to monitor the Internet traffic of about 100 state agencies, departments and other state entities — an effort to prevent malicious hackers from targeting the state. Gov. Jerry Brown’s proposed budget — now under review by lawmakers — asks the Legislature to allocate $4.7 million for five positions in the Security Solutions Unit, which will support the security center.
Meanwhile, lawmakers have enacted a handful of cyber-related bills including mandates that state agencies report their annual spending on cybersecurity, craft statewide incident response standards, and provide the CDT with a confidential inventory of their critical infrastructure controls and assets.
And there are new leaders in the CDT who, Irwin says, have made cybersecurity a priority, crafting a plan and centralized strategy for the state.
“I really think California is getting to the place where it is now leading,” said Irwin, once a fierce critic of the administration’s lack of strategic planning on cybersecurity.
The committees will hear from Mark Ghilarducci, director of the Governor’s Office of Emergency Services, and Amy Tong, state CIO and director of the CDT — two of the state’s key leaders on cyber-readiness and prevention. Neither Ghilarducci nor Tong agreed to be interviewed before the hearing.
One area Irwin said she hopes the administration will emphasize going forward is state employee training, and it’s one for which she said she would ask her colleagues to set aside more money in the budget should the administration request it.
“The weakest link is still the employees themselves. We are always the weakest link,” Irwin said. “It’s very important every department focus on employee training and make sure they are not clicking on links or putting their password on a sticky note on their screen.”
Other officials scheduled to testify include Maj. Gen. Matthew Beevers with the California Military Department; CHP Commissioner Warren Stanley; Keith Tresh, commander of CAL-CSIC; Peter Liebert, the state chief information security officer; Jim Parsons, on the cybernetwork defense team at the Military Department; and Chief Scott Howland, the CHP's chief information officer.