While California cybersecurity officials agree that speaking out after an incident can be a disheartening experience, they also agreed that it is essential to communicating a potentially active threat and coordinating an appropriate response.
At this point in the cybersecurity game, there are almost as many theories and strategies as there are attack vectors. While symposiums and supposition often start the conversation, they often do little to implement real change within organizations.
During the California Public Sector CIO Academy held March 2 in Sacramento, a panel of state experts talked about the strides they are making to better secure state systems. While many similarly themed panels focus on preventing cyberattacks, this six-member public/private panel, recognizing that impenetrable security is impossible, focused their attention on coordinating response and communication following a cyberincident.
One of the more prevalent points of conversation among the cybersecurity colleagues to improve communications throughout the state’s many agencies and departments following an incident.
“If something occurs within your network, the common question I would get was ‘Who do I call and what happens when I do call?’” said Peter Liebert, chief information security officer for the California Department of Technology.
To improve the not only the initial communication but the response that follows, the CISO said a multiagency framework will soon be released, detailing the response and chain of notification.
While the panelists all agreed that speaking out after an incident can be a disheartening experience, they also agreed it is essential to communicating a potentially active threat and coordinating an appropriate response.
“What this means is, yes, you will get increased attention when an incident occurs within your networks, but also, you get a whole host of capabilities that you can roll in to help you resolve your issue,” Liebert said, adding that he hopes agencies will allow the California Cyber Security Integration Center (Cal-CSIC) to handle large-scale incidents, while day-to-day operations and minor incidents would remain in the hands of federated response teams.
As with much of IT, cybersecurity is misunderstood by outsiders as to its importance in the larger operational picture. Where many might brush off the importance of secure networks, the panel said a state as large as California cannot afford to allow vulnerabilities to persist.
Liebert said even disruptions to revenue intake and payment systems could have a far-reaching impact on the rest of state services.
“That means we can’t pay our folks, which means we don’t have policemen on the corner, we don’t have your fire services, your educational system. Everything digresses from there and that’s just for the payment system,” he said. “What’s at stake? Well, everything, I would say."
As California Highway Patrol (CHP) CIO Scott Howland points out, cyberincidents are no longer relegated to convenience; rather they are now directly tied to whether an organization is able to complete its mission. For the CHP, a targeted attack on the agency's call centers would have widespread implications for public safety.
Whereas Howland said cost, reputation and public trust would have historically been at the forefront of a CIO’s mind in the wake of an attack, now he said the concern is about being able to deliver services at all. “The game has changed," he said. "What we have to worry about now is our ability to do our mission.”
Col. Keith Tresh with the California Office of Emergency Services Cyber Integration Center said the size and wealth of the state makes it an attractive target for attacks. As the owner of a wealth of voter and constituent data, Tresh said protecting it is not only a matter of data security, but also constituent confidence.
Tresh, Howland and Liebert have been partnering with the military department to outline a more accessible and understandable program for response and recovery. He calls the partnership the “Four Amigos.”
Whatever the incident, Tresh said it is vital that the target of the attack be a willing participant in the events that follow.
“The big thing for us is that we want to make sure that everyone understands that we are there to help, not to embarrass anybody," he said, "and we want to learn from all these things so that other entities don’t necessarily have to go through the pain that they had to go through.”
Though the words “audit and assessment” are not popular in the IT/cybersecurity vernacular, Howland said IT shops need to be more willing to look holistically at their systems to identify potential issues.
And cybersecurity teams, he added, should embrace a more positive view of the proactive assessments as part of a cultural “mind shift.”
“But when it comes to security," he said, "we really need to see that as a helpful road map to address the problems that we have."