How Key State Agencies Are Collaborating to Fight Against Cyberthreats

California has much to lose at the hands of cybercriminals bent on crippling critical infrastructure, shutting down essential services or stealing the private data of millions of people. State information security officials are designing and implementing systems and policies to meet a landscape of growing and ever-changing demands.

As the most populous state with the nation’s largest economy, California also has the most to lose at the hands of cybercriminals bent on crippling critical infrastructure, shutting down essential services or stealing the private data of millions of people.

In an effort to prevent and respond to these threats, state information security officials are designing and implementing systems and policies to meet the growing and ever-changing demands.

“This is an ongoing and evolving threat,” said Danjel Bout, assistant director for response at the California Office of Emergency Services (Cal OES). “If the expectation is we are going to solve it, I wouldn’t be optimistic, but I am certain we are going to put in place the best practices in the world to address cyberthreats.”

Prodded by anxious lawmakers and guided by legislative and executive mandates and federal initiatives, state agencies and departments across a range of disciplines are gradually building California’s cybersecurity systems.

The focus: threat monitoring and incident response, as well as prevention and education.

Leading the threat monitoring and incident response is the California Cybersecurity Integration Center, or Cal-CSIC for short, which joins several state government agencies including Cal OES, the California Highway Patrol (CHP) and the Department of Technology (CDT), together with federal agencies such as the FBI and the Department of Homeland Security. California is a volunteer partner with the National Cybersecurity Communications Integration Center’s Cyber Hygiene Program, for example, with a goal to get a broader picture of the state’s cybervulnerabilities, measure performance of cyberdefense and help develop long-term strategies.

Cal-CSIC, which launched a few months ago, also engages academic institutions, tribal governments, utilities and key private companies like Verizon Communications Inc., which puts together a Data Breach Investigations Report that provides state information security officials with insights into national trends and risks.

Set up through an executive order in 2015 to be the “central organizing hub” of the state’s cybersecurity activities, Cal-CSIC has the potential to be a cybersecurity game changer for California, said Keith Tresh, CIO of the state High Speed Rail Authority and former chief information security officer at CDT.

“Cal-CSIC is going to be something the state agencies can tap into and ... be the gel to help the state move in the right direction,” he said.

Cal-CSIC is co-located with the California State Threat Assessment System, an arrangement made to better connect law enforcement, the intelligence community and the state’s fusion centers, which, Bout said, “help our local and federal partners by looking at the threat environment and ensuring coordination and information sharing to increase the overall security of California.”

Also at the table are representatives from the CHP, which is closely aligned with the FBI on many cybercrime investigations.

“When state departments make a notification about a crime, my unit collects evidence and does follow-up to track down the bad guys and hold them accountable,” said Scott Howland, the CHP’s CIO and chief of its Information Management Division.

Each member of Howland’s nine-person investigations team is federally sworn, allowing them to partner with federal law enforcement to investigate and solve cases.

“While my computer crimes investigation unit is in Sacramento, we are statewide, and I can reach out for additional assistance,” he said. “We use personnel across the state and tap into the FBI and other law enforcement agencies across the nation to solve these crimes.”

The greatest challenge for law enforcement, Howland said, is that while California may be the target of cybercrime, the attacks can come from anywhere.

“With a property crime, the suspects show up at a physical location, you collect evidence from there and the suspect starts in your geographic proximity,” he said. “With cybercrime, a suspect can commit a crime in California from China or Arizona. They could be anywhere, and that adds to the challenge of tracking them down.”

Meanwhile, the state Attorney General’s Office collects information about data breaches involving more than 500 people from businesses and governmental bodies. The office issues an annual breach report, enforces state data breach laws, and recommends policies and procedures that entities can use to enhance protections against data theft.

On the prevention and education side, the California Military Department, which had previously conducted state department cybersecurity assessments as part of a pilot program, is following a legislative mandate to conduct assessments of at least 35 state agencies annually.

Assessors use the National Institute of Standards and Technology’s Cybersecurity Framework to evaluate different areas at each agency, such as their protection of communications and website functions, to find gaps and recommend fixes, said Col. Darrin L. Bender, director of external affairs at the department. They also can draw upon the Department of Defense resources to assess state vulnerabilities and help individual agencies reduce their risk of cyberattacks.

As of mid-July, the department had conducted five of the mandated 35 assessments, he said. “We are at the very beginning, the starting line,” said Bender. “We have the remaining assessments scheduled, and we are on track to get them done before the end of the year.”

For its part, the CDT works internally through its Office of Information Security to conduct audits of each department to determine compliance with state requirements and policies like use of passwords and handling of records.

“We are working to educate the departments on what they need to do to step up their efforts on cybersecurity,” said Amy Tong, CDT’s director. Taken together with the Military Department’s assessments, she said, it’s a way to help departments be more ready — not only from the technological perspective, but also from a people and process perspective.

Playing a key advisory role over all of California’s cyberdefense activities is Gov. Jerry Brown’s Cybersecurity Task Force, first convened in 2013 under OES and CDT. The task force pulls together security experts from government, universities and laboratories, and major corporations and technology companies to advise senior administration officials on all cybersecurity issues.

The High Speed Rail Authority’s Tresh said the state’s responsiveness has come full circle in the past few years to focus on building a solid cybersecurity response system.

“Government as a whole is very aware and very concerned about today, tomorrow and the future,” he said. “We have made some great strides. It’s like guerrilla warfare. It’s hard to catch up, but we are trying to get ahead of the game.”


This story is published in the fall 2016 issue of Techwire magazine.