IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Does Oregon Need a Cybersecurity Center of Excellence?

The proposed center would provide public entities with cyber solutions, develop the cyber workforce and deliver training and awareness across sectors. Efforts to pass this measure in 2022 ran out of time; a new House bill revives the question.

The entrance to the Oregon capitol building.
Dawn Russ is city recorder for Glendale, Ore., a small 875-person city that is only now recovering from a 2016 ransomware attack.

“The ransomware was terrible,” Russ told Government Technology.

Russ had only been on the job for six months when she returned from a meeting to find her computer encrypted. Later examination suggested that malware was already lurking on the computer and was triggered by some activity she took while working on the budget, she said.

At the time, ransomware was “fairly new,” and the city didn’t have public or private partners to help, she said.

The extortionists, whose identity the city never learned, “wanted more money than what our budget was.” Perpetrators demanded the bitcoin equivalent of nearly $3 million; the city’s budget, meanwhile, was only $1.4 million.

The city’s backups were also infected, giving Glendale no option but to “rebuild the whole system by hand.” Getting running again involved manually re-entering invoices into the computer and spending two months issuing payroll by handwritten check. The city also shifted to cloud backups and hired “two audit firms and an independent certified public accountant (CPA) to help build back all the information,” Russ said. Recovery costs totaled about $400,000.

Today, the city still minimizes using automatic transfers or online bill payments that require bank account information, instead hewing paper checks when possible, out of a sense of caution.

Having experts to turn to for help preventing or coping with a cyber attack and financial support for recovery “would be really huge” for small cities, Russ said.

It’s no secret that local governments — especially small ones — need help with cybersecurity, and Russ is among those who believe a state Cybersecurity Center of Excellence could be part of the answer for Oregon.

A House bill introduced this month would establish such a center, charging it with “coordinating, funding or providing” cybersecurity awareness and training across all sectors, cyber workforce development and cyber services and tools for public-sector entities, with an emphasis on local government. Separate funds would be established to support each of those three goals, as well as a fund supporting overall operations.

Under the proposal, Portland State University would house the center and operate it in collaboration with Oregon State University and the University of Oregon.

The measure would also see the state’s Cybersecurity Advisory Council housed at the center. Under the bill, the Council would comprise “geographically diverse” stakeholders, including representatives of various levels of government, education, the private sector and critical infrastructure.

Oregon officials have heard such ideas before: the proposal picks up after a similar 2022 bill failed to clear committee before the Legislature adjourned last year.

“I think what ultimately killed it is just that they ran out of time,” League of Oregon Cities (LOC) lobbyist Nolan Pleše told GovTech. The LOC had supported the bill.

The 2022 version had received praise from several state officials. During a February 2022 virtual public hearing and work session, CIO Terrence Woods said such a center created opportunities for collaboration, offering support to cyber attack victims and training up cyber skills.

“I’m certainly supportive of this bill,” Woods said.

One goal for the proposed center would be to provide “education, awareness and training” to all sectors, a concern spotlighted by a 2023 survey from data recovery company Secure Data Recovery. That study’s ranking of states found Oregon to be the second-most vulnerable to data loss and second-most vulnerable to stolen passwords based on respondents’ reported digital habits.

Former CISO Gary Johnson spoke similarly to Woods during the February hearing, saying the bill could lead to more coordinated cyber defense.

“Collaboration with local governments and public higher education is really critical in managing our increasingly complex cyber risk,” Johnson said. “What these criminals are doing right now is dividing and conquering. And there’s an opportunity for us, through a collaborative approach … we can take considerable advantages in terms of efficiencies and better cyber hygiene and creating a broader cyber culture, and really improve security for everyone’s data and likely reduce downtime and disruption to our services.”

Both years’ bills also take aim at cyber talent shortages, with public entities likely to feel the effect whether professionals go directly into government or into private companies with which government contracts, Pleše said. Cyber workforce data tool Cyberseek found 7,557 unfilled cyber job openings in Oregon, of which 464 are in the public sector.

The latest bill would direct the state to establish distinct funds for supporting the center and its core initiatives, with money coming from sources like general fund appropriations, donations or other deposits. It does not mention charging fees for services, but says one of the funds — the Cybersecurity Grant Program Fund — could support providing government entities with cyber services and tools “on a competitive basis.”

Affordability has long been a hurdle to local government’s cyber improvements.

“Being able to do cyber protection on a mass scale is kind of difficult, because we do not have the funds for a lot of it,” Russ said.

Pleše spoke similarly, noting, “in the past, sometimes smaller cities are hesitant to hire a firm or outside help on cybersecurity due to the costs.”

The center would also be operated by universities, and Pleše said that having students participate as part of their education could help lower expenses.

The legislation comes as Oregon is pursuing funding through the State and Local Cybersecurity Grant Program (SLCGP).

CISO Ben Gherezgiher’s office has no official stance on the Cybersecurity Center of Excellence bill. But he told GovTech that while the SLCGP will drive important cyber improvements, Oregon needs another way to maintain cybersecurity long-term, after the grants end, and a center of excellence could be one method.

“Grants are a one-time opportunity — they’re not sustainable. … Living on grants for cybersecurity is risky,” Gherezgiher said. “A grant by itself is not going to be able to do long-term solutioning in terms of cybersecurity services and also maintaining the cybersecurity posture the state might have achieved through grant funding. It needs to be sustained through those kinds of channels, like a security center for excellence or even other engagements that states may have.”

Another way the efforts align: both the SLCGP and the Center of Excellence bill call for creating a cyber group with diverse membership from various levels of government. The makeup of the proposed advisory council is broader: unlike the grant’s Planning Committee, the council also specifically includes representation from a Native American tribe, public higher education and private-sector IT or telecoms.

SLCGP objectives “will probably coincide” with the Center of Excellence’s proposed work, Gherezgiher said, and the statewide cyber plan Oregon is creating for the grant program could inform any forthcoming Center of Excellence efforts.

“That’s going to be a very complete plan that will include local governments, city, county, special districts, and state agencies. So, it kind of gives them a good starting point,” Gherezgiher said.

As for the bill, proponents are currently working to schedule a public hearing, Pleše said.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.