The California Department of Technology on Wednesday acknowledged the state’s cybersecurity has fallen short and vowed to work with lawmakers to make needed changes.
During a joint legislative hearing at the Capitol six months after the state auditor released a scathing report on California’s cybersecurity readiness, state Chief Information Security Officer Michele Robinson said the department had either partially completed or completed all of the auditor’s recommendations. For example, she reported that the department has directed state agencies in the use of standardized self-assessments, and plans of action are currently being reviewed.
“Protecting state information, assets and data entrusted to our care is a top priority for us. We take it very seriously,” said Robinson, who thanked the auditor for the report.
Robinson reminded lawmakers of the $1.6 million that Gov. Jerry Brown has requested in his state budget for the department to conduct more frequent risk-based audits and fill 11 new positions.
Lawmakers at Wednesday’s hearing said the Department of Technology has not equipped state agencies with the proper tools and training to deter cyberattacks. Massive amounts of sensitive data held by government need to be better secured, committee members said.
“It sounds like D-Tech has fallen down on the job,” Assemblymember Jim Cooper, D-Elk Grove, said of the Department of Technology.
In her report, State Auditor Elaine Howle revealed just four of the 77 agencies that responded to her survey had reported that they fully complied with security standards. At the hearing Wednesday, Howle told lawmakers that many state agencies want to protect the data they store, but they just don’t know how.
“I do think that Department of Technology really needs to step up in its leadership role in reaching out to agencies … because many agencies are small and they don’t have the in-house expertise,” Howle told lawmakers.
Concerned about security breaches across government, lawmakers on Wednesday convened the joint hearing of the Privacy and Consumer Protection Committee and the Select Committee on Cybersecurity to discuss the auditor’s findings.
The Technology Department is just one of several entities charged with overseeing cybersecurity in California. All cyberincidents are reported to the California Highway Patrol, which is charged with investigating crimes on state property. The state Attorney General prosecutes cybercrimes, and the Office of Emergency Services provides intelligence about cyberthreats and cybercrimes.
Lawmakers praised Gov. Jerry Brown for signing an executive order last year that created the California Cybersecurity Integration Center, but they said the state needed to do more to coordinate efforts.
“The governing structure around California’s cybersecurity is disjointed and accountability seems to be falling through the cracks,” said Assemblymember Jacqui Irwin, D-Thousand Oaks, chair of the Select Committee on Cybersecurity.
She suggested lawmakers consider creating a cybersecurity czar, ensuring the state has the talented employees it needs, and developing a better way for the executive branch to communicate to the Legislature about its cyberefforts.