Two governors, on opposite sides of the country, took executive action to beef up cybersecurity in their respective states on Monday, Aug. 31. California Gov. Jerry Brown and Virginia Gov. Terry McAuliffe both instituted aggressive cybersecurity orders to prepare for and defend against potentially damaging cyberattacks in their states.
While both mandates are geared toward the implementation of better cyberprotection protocols, Brown’s order outlined the need for a multi-stakeholder California Cybersecurity Integration Center (Cal-CSIC) under the state’s Office of Emergency Services (OES).
Brad Alexander, spokesperson for the OES, said the newly announced center will serve as a single location for cyberthreat reporting and will help to ensure best practices are adopted across the state’s public and private sectors.
“The governor’s order will strengthen the integration between cyberintelligence and law enforcement communities in California and will increase our ability to effectively prepare for, prevent and respond to cyberattacks. Such attacks are a very real threat to Californians and this order is the next step to increase the state’s security and decrease our vulnerabilities.” he said.
As part of the order, a Cyber Incident Response Team will also be created to coordinate with private and public stakeholders and law enforcement in the event of an incident.
According to the text of Executive Order B-34-15
, “The Integration Center's primary mission will be to reduce the likelihood and severity of cyberincidents that could damage California's economy, its critical infrastructure or public- and private-sector computer networks in our state.”
Center stakeholders will include representatives from state information technology, education, health-care and law enforcement agencies, as well as representatives from federal agencies, like the FBI, the Department of Homeland Security and the U.S. Coast Guard.
Other members can be designated at the discretion of OES Director Mark S. Ghilarducci.
In Virginia, McAuliffe’s executive directive
took a less extensive, but no less focused, approach to the state’s technology-based security and set a hard timeline for the Virginia Information Technologies Agency (VITA) to fully review the state's cybersecurity risk management stance.
The IT agency will be responsible for taking a comprehensive inventory and reporting on data and computer systems to the governor’s office no later than Oct. 15, 2015. In addition to the general inventory, the agency is expected to prioritize risks and determine the sensitivity of the state data systems.
Virginia Secretary of Technology Karen Jackson and VITA are also obligated to make recommendations on statewide strategies to strengthen and modernize agencies’ cybersecurity profiles by Oct. 15, 2015. This is expected to include the completion of cybersecurity audits, risk mitigation and resilience plans and remediation plans with defined end dates.
“A key ingredient to building a new Virginia economy is a solid cyberinfrastructure,” said Gov. McAuliffe in a press release. “That is why it’s vital that the Commonwealth take the proper precautions to protect and safeguard the information entrusted to our care. I am proud to sign this directive, which initiates enhanced risk management processes that will increase our ability to mitigate the ever increasing flow of cyberthreats.”
According to the text of McAuliffe’s directive, VITA will also be held accountable for reporting the progress of statewide strategy implementation by Oct. 1, 2016.
“Cybersecurity is a responsibility shared by every level of government,” said Secretary Jackson in the release. “These risk mitigation steps will allow the Commonwealth to take a more strategic approach to securing our systems and data.”
Officials from the Virginia Office of the Governor and the Office of the Secretary of Technology were not immediately available to comment on this directive as of press time Tuesday.