On May 13, California government officials and private-sector leaders met behind closed doors to discuss a comprehensive cybersecurity plan for the state -- it was the beginning of the California Cybersecurity Task Force, the first state-led collaboration of its kind.
Because of the interconnectedness of government and private-sector IT assets, collaboration has become crucial, said Michele Robinson, acting director for the Office of Information Security.
“Those working relationships need to be strong in order to really affect this area,” she said. “We all own a piece of that infrastructure, so it’s a shared responsibility."
And the ultimate goal, she said is to collaborate and work together to improve cybersecurity for the state.
The meeting allowed discussion on several topics, all with the goal of establishing a framework and overall plan for statewide cybersecurity. Among the topics discussed were information sharing between governments and the private sector; challenges to industry, such as the need for improved laws and regulations; and the need for increased cybersecurity research and education.
Among the meetings participants were officials from the National Fusion Center Association (NFCA), the FBI, the Sacramento Utility District, CyberWatch West (CWW), and private companies such as Verizon, Bank of America and Symantec.
State CIO Carlos Ramos, pictured above, said one of the California Technology Agency’s biggest goals with respect to this effort will be improving the awareness of the importance of focusing on cybersecurity. Whether it’s hactivists, state-sponsored cyberattacks, cyber-terrorism, espionage or just opportunistic hackers, he said, attacks on government are on the rise -- which a 2013 report released by Verizon also found.
Protecting the state’s infrastructure, while also leading the way for the nation makes this task force an important effort, Ramos said, adding that private industry, local government, state government, financial organizations and even the federal government stand to benefit from the collaboration that will take place in California. By being proactive, he says the state will have a better chance at staying ahead of the curve in the never-ending battle of network security.
David DeWalt, CEO of cybersecurity firm FireEye, said he sees the state as trying to get more proactive in dealing with cyber security, and creating this task force is a step in the right direction -- not just for California, but the nation as a whole.
“This sort of a council would be a precedent setting event for the entire country," DeWalt said, "and California likes to take a leadership position, so I would encourage them to take advantage of this type of thinking.”
Ramos agreed that the development of a state-wide cybersecurity task force, something not yet undertaken in any other state, is a proactive advancement. “I’m very optimistic because [of] the level of expertise and commitment we have from the participants from the task force,” Ramos said. “These are the kinds of folks who know what they’re talking about and know how to get things done.”
No definite timeline has been established, but Ramos indicated the state was interested in pursuing this project with an aggressive time frame, and that new initiatives will be implemented piecemeal as they are discussed by the task force. For instance, discussions on how best to implement an education and awareness campaign around cybersecurity may be rolled out while longer-term efforts around information sharing could take longer to establish.
“California really is out in front of other states,” Ramos said. “We’ve seen a number of areas, particularly in technology, where governments tend to follow our lead. I am quite hopeful, from that perspective -- the framework and the work that we do here -- that other states will take and emulate and put in place across the country.”
California has been a leader in the past when it came to technology projects, said Mark Ghilarducci, secretary of the California Emergency Management Agency, and the state will continue to be a leader with this project.
In 1995, California implemented the Standardized Emergency Management System, which brought together disparate agencies in the state to work on a common platform, Ghilarducci said, and that program eventually became the template for the National Incident Management System. There have been other examples, too, he said, but the point is that California will again be a laboratory that creates and tests a path for other states and federal government to follow.
Specific examples of changes that could improve cybersecurity efforts in the state include things like whitelisting certain software in the wake of a bring-your-own-device trend that has introduced an unprecedented amount of applications onto the state’s networks. Another tactic would be to require more rapid patching of operating systems and applications to cut down on vulnerabilities and security holes. Another tactic is to limit the number of users with admin privileges on any given network.
“These are things that help harden our networks, and a lot of this, just like any kind of security -- it’s always about layers of security,” Ghilarducci said. “The cybersecurity situation is no different. We want to make sure we incorporate as many of the things thread into our cybersecurity work environment. It may seem very intuitive and basic, but across the board, it’s not consistent.”