The California Department of Corrections and Rehabilitation (CDCR) is proposing, through the 2017-18 budget, to spend at least $2.6 million to stand up and staff its own Security Operations Center.
The center would proactively monitor CDCR's network and firewall for penetration attacks, watch for insider threats, and protect key integration points with other agencies and departments.
"As we sit here today, CDCR suffers about 2,000 [cyber]attacks a day against our systems that we are successfully fighting against," Russ Nichols, CDCR's chief information officer, told a State Senate budget subcommittee on Thursday.
Nichols noted that CDCR stores an "immense amount" of personally identifiable information of current offenders and former offenders, parolees, and probationers, as well as visitors, staff and volunteers who come into the department's institutions.
The department also maintains law enforcement data, Health Insurance Portability and Accountability Act (HIPAA) medical information, and criminal offender record information (CORI) data about offenses themselves.
Nichols previously told Techwire that the department's security operations center would be connected to the Department of Technology and the state-level California Cybersecurity Integration Center (CalSIC) under a "first-layer and second-layer approach."
Based on discussion during Thursday's hearing, lawmakers appear to still be grappling with this layered approach.
State Sen. Nancy Skinner, D-Berkeley, said she isn't doubting the need for CDCR's security proposal, but she said it does concern her "if we start to put security personnel in every department of the state because, clearly Department of Corrections has sensitive information, [but] so do many, many, many other state departments. So we could be facing unlimited budget requests if we start doing that in every department."
Nichols explained that there has been a lot of conversation with the state and Department of Technology about how to design and connect the Security Operations Center.
"I completely agree we don't want independent departments out there doing all of our own thing," he said.
The Legislative Analyst's Office said that CDCR is among a dozen departments that are each proposing cybersecurity improvements through the budget process. In total, those 12 departments are requesting $14 million and 58 new staff positions in 2017-18. Skinner said a larger conversation about all these budget proposals would be forthcoming.
The Department of Finance said CDCR's proposal has been vetted by the Department of Technology's Information Security Office, and was found to be in alignment with California's statewide security strategy.