When Gov. Jerry Brown created a cybersecurity task force, he positioned California at the forefront of state efforts to protect sensitive information and critical infrastructure.
Three years later, California has earned praise for its work — bringing together government, academia, technology experts and the private sector to identify vulnerabilities statewide and to require that state workers undergo cybertraining.
But the Brown administration also has garnered criticism for its fragmented approach, lack of accountability, and slowness to identify and assess vulnerabilities.
In 2015, a blistering state auditor report questioned California’s cyber-readiness and faulted the Department of Technology for failing to ensure that state entities had complied with mandated security protocols. State agencies reported that the security rules were confusing and they had little help from the state’s top IT department.
Earlier this year, the state chief information security officer, Michele Robinson, stepped down after tough questioning by lawmakers, and Department of Technology Director Carlos Ramos resigned to pursue a career in the private sector.
“We were definitely not where we needed to be,” said Assemblymember Jacqui Irwin, D-Thousand Oaks, who serves as chair of the Assembly Select Committee on Cybersecurity. “I don’t think it had really been prioritized in California.”
Irwin and other lawmakers have called on the Brown administration to account for cybersecurity spending and deliver a blueprint for how it plans to protect the state’s critical infrastructure and respond should there be an attack. In response, Brown’s staff has met with lawmakers and provided tours of a new cybersecurity integration center — part of a concerted effort to educate lawmakers about the work being done.
Both the legislative and executive branches have expressed mutual concern that a security breach in California, the nation’s most populous state and seventh-largest economy in the world, could expose confidential information or disrupt essential services like the water supply or electric power. Breaches at the Pentagon, the White House, California hospitals, universities, retailers and the Democratic National Committee have underscored California’s vulnerability.
“There is no 100 percent guarantee to cyberprotection,” said Mark Ghilarducci, director of the Governor’s Office of Emergency Services (Cal OES). “It’s an evolving and complex threat that is going to continue to proliferate.”
By far, the biggest structural change in cybersecurity defense this year was the launch of the California Cybersecurity Integration Center (Cal-CSIC), an entity embedded at the State Threat Assessment Center that is intended to foster collaboration among the various state agencies that oversee cybersecurity.
Representatives from Cal OES, the Department of Technology, the California Highway Patrol, the state Attorney General and the California Military Department now work side by side at the center, in a secure room at OES headquarters outside of Sacramento, where they share classified information about potential threats and gaps, and collaborate on cyberstrategy.
“They were all doing a good job, but they were doing it under their own authorities,” said Ghilarducci, who as California’s homeland security adviser has overseen the launch of the center. “Now it’s a much more cohesive way. Everybody is under one roof.”
Modeled after the National Cybersecurity and Communications Integration Center, Cal-CSIC was created after Brown last year issued an executive order declaring that the increasing number and complexity of cyberattacks demanded “heightened levels of coordination,” not just within state government but also across local and tribal governments, private companies and academic institutions.
His order came a week after the critical state auditor report, which found California had weaknesses that “leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure or disruption.”
Earlier this year, state lawmakers pointed to the report as evidence that the state’s cybersecurity was in disarray, with one member accusing the Department of Technology of “falling down on the job.” Others were frustrated at the lack of a plan should any of California’s critical infrastructure be hijacked by hackers.
Ramos, who served as the Department of Technology chief at the time, defended the administration in a recent interview, calling the report “incomplete” and one that “didn’t paint an adequate picture of all the efforts that have gone on.” He added that the auditor did not share the surveys or methodologies that supported her findings.
Lawmakers also held a cybersecurity legislative hearing six months after the report, leading several key administration officials to complain that lawmakers were simply out to get headlines or, as Ghilarducci described, conduct “political theater.”
For example, administration officials say, work was already underway to launch the Cal-CSIC in hopes of providing leadership, coordination and information. Whether the work was already underway, or as Irwin believes, moved forward after legislative scrutiny, the progress has been welcomed by lawmakers.
“I’ve seen a big change,” Irwin said. “We don’t want an environment of the Legislature versus the administration. We want to make sure we work together to get things really going for the state.”
Despite the growing pains in California’s cybersecurity mission, its recent efforts, coupled with its first-in-the-nation data breach identification law passed in the early 2000s, have positioned California ahead other states, said Francesca Spidalieri, a senior fellow for Cyber Leadership at the Pell Center for International Relations and Public Policy at Salve Regina University.
“When you compare California to the other states and how immature and unprepared they are, that’s when you can give California a better score,” said Spidalieri, who wrote a November 2015 report titled State of the States on Cybersecurity. “California is the example everybody looks at.”
There’s still room for improvement, however, she found. In her report, Spidalieri said California’s cybersecurity efforts remain decentralized and lack a clear leader to coordinate the many cyberefforts across state government.
With the formation of Cal-CSIC, Ghilarducci has emerged as the key public face for state cybersecurity efforts. He’s testified before Congress, and he reviewed agency cybersecurity budget requests — like equipment upgrades or security assessments — submitted this year to the Department of Finance. As a rule, departments were instructed to first spend their money on security assessments, he said.
In spite of Ghilarducci’s more prominent role, administration officials have been careful to describe the state’s cybermission as a collaboration and partnership across government. Duties for cybersecurity remain spread throughout state government, and each of California’s 151 agencies, departments and commissions is responsible for implementing the required security policies, upgrading equipment and reporting any hacked systems.
To help them, the Department of Technology has increased its consultation with agencies and departments to prioritize and implement security improvements, said Amy Tong, California’s state CIO and Department of Technology director.
“The administration has given us great support,” said Tong, who was appointed to the role in June. “It is a priority of the administration to have a highlighted focus on that.”
In addition, the Department of Technology and Cal OES are working with the California Military Department to perform independent network security assessments of at least 35 state agencies per year — a mandate the Legislature imposed last year with the passage of AB 670.
Meanwhile, work is underway at Cal-CSIC to complete an assessment by this fall of California’s vulnerabilities, and technological and infrastructure needs so that lawmakers and policymakers are better informed about what it will take to “make a more resilient and capable California,” said Danjel Bout, assistant director for response at Cal OES.
“One of the early efforts we’ve identified is to address the scope of threats that face us,” Bout said. “We’re trying to do a careful assessment because one of the dangers is to ask for something without understanding the full scope.”
This story is published in the fall 2016 issue of Techwire magazine.
