California’s cybersecurity journey is full of setbacks and successes, hard tumbles and tenacious wins. In every sense, it’s a coming-of-age story, where growth is driven as much by loss as achievement. In this evolution, the Golden State is about to take its next big leap.
Earlier this month Gavin Newsom took to the podium to announce Cal-Secure, the state’s first long-term road map to direct and decide cybersecurity strategies across agencies. The plan represents a Herculean effort. It’s the result of extensive collaboration between agencies, beginning in 2019 as an aspiration to establish statewide cybersecurity standards, defense protocols, and consolidate a patchwork of cybersecurity technologies.
Despite its broad aim, Newsom stressed Cal-Secure has teeth, describing it as something more than soft recommendations, but a new standard that would compel agencies to act through implementation deadlines, mandatory reporting, and dedicated resources. He said funding for Cal-Secure will be drawn from the state’s annual budget that allots $40 million per year for IT security.
“Cal-Secure will define a path for state entities to strengthen their cybersecurity measures, so that they may continue to provide critical services without interruption,” Newsom said. “The strategy isn’t going to gather dust on a shelf, we’re going to issue a directive to all state agencies to implement requirements within specific timeframes and to require agencies to report that progress and completion on the implementation.”
Yet this cybersecurity road map has yet to be officially released to the public, and even when it is released later this month, the plan prompts questions. These unknowns include how the plan will roll out, its specific deadlines, impacts on IT staffing, operations, and for the private sector, which cybersecurity vendors will come out winners or losers as California consolidates services.
A culminating effort
While Newsom said Cal-Secure would be released in early October, a spokesman from the California Department of Technology (CDT) confirmed it had been delayed, saying the department expected the road map “to be available soon.”
Still, the state has released some details, with the most recent packaged within Newsom’s 2020-2021 Governor’s Budget proposal. The document contains a brief description that summarizes Cal-Secure by its top three priorities. These include bolstering California’s cybersecurity staff via training and recruitment, unifying security oversight and enforcement, and creating minimum cybersecurity requirements for agencies when contracting or providing services.
Additional details can be found when looking back at Cal-Secure’s development. Officials have been talking about Cal-Secure since its inception in 2019 when Peter Liebert, the state’s former chief information security officer, began collecting input from 40 state departments for the five-year cybersecurity strategy. At the time, Liebert promoted Cal-Secure as California’s first statewide cybersecurity plan.
Vitaliy Panych, California’s current CISO and Liebert’s successor, continued Cal-Secure’s development. In 2020, Panych revealed at an industry event that the plan would be broken down into three essential components. Security governance, security operations, and technology capability.
Panych said security governance would focus heavily on safeguarding the state’s use of cloud services, while security operations guidelines would aim to improve cybersecurity information sharing between departments, and the last component, technology capability would be geared to improve contract requirements for cybersecurity vendors.
In February, Mike Marshall, the agency information security officer for the California Environmental Protection Agency (CalEPA) offered more insights into why the technology contracting component would be so important, at least speaking for his organization. As a collaborator in Cal-Secure’s development, he said for CalEPA it amounted to lower vendor costs through IT consolidation and better equipped IT staff through cross-training.
“The economies of scale work in our favor if we can get all the [CalEPA’s] boards, departments, and offices to come together and buy one [cybersecurity] product and utilize it, and cross-train people and have those backup types of scenarios with staff that understand the products across the agency,” Marshall said.
“…it’s my job to utilize all the available funds that we have and the staff that we have and the technology to stay on top of any-and-all potential vulnerabilities.”
Statewide cybersecurity consolidation
If Cal-Secure acts as a catalyst for statewide cybersecurity consolidation or shared services, there are likely big benefits for agencies. For instance, the National Association of State Chief Information Officers (NASCIO) has been a long-time proponent for IT consolidation in general. A NASCIO report noted the key advantages include improved operational efficiency, optimized service delivery, and lower costs.
It also should be noted that most state CIOs are in favor of IT consolidation where it makes sense. A NASCIO poll showed IT consolidation was one of the top 10 priorities for state CIOs in 2021, ranked seventh, while cybersecurity was ranked number one.
Outside of research, there are prominent use cases that support statewide cybersecurity. For example, in Louisiana the state saved $75 million in its first year after it consolidated its services in 2015. The consolidation helped departments eliminate redundant security IT services while also expanding protections to department and offices that had cybersecurity gaps.
After the consolidation, Dustin Glover, Louisiana’s former chief information security officer told The Advocate that change had improved the state’s defenses considerably.
“Right now, I think the state is in its best posture ever, and we’re continuing to improve upon that,” said Dustin Glover, Louisiana’s former chief information security officer to The Advocate.
Other instances of state cybersecurity consolidation have happened in Virginia, where in 2012, its former CIO Sam Nixon said the move had led to more efficient threat detection and defense technologies. He compared the consolidation to Virginia departments receiving services through the same “pipes.”
“In Virginia, at least we’re fortunate to have a unified, consistent, reliable, and secure infrastructure that everyone is connected to,” Nixon said. “We have a single set of pipes that are shared by all agencies, but through that we’re able to place more sophisticated shared services and 24-7 security monitoring. So, we’re seeing the threats…and we can take pretty immediate action.”
Yet Nixon said the work to consolidate services didn’t come without challenges. Teaching agency administrators to use new technologies and convincing departments to see the value in new cybersecurity tasks had been an ongoing obstacle.
“We’re not always sure the agency leadership is aware of the threat, and it embraces some of the things that we have to do — or ask them to do — which are inconvenient to them, require more resources, and require them to reorder priorities,” Nixon said.
A moving target (California momentum)
Once Cal-Secure’s road map is published and agencies begin to apply its strategies it will represent another cybersecurity milestone for California. Likewise, its adoption may serve as a guidepost to prevent severe data breaches and attacks on systems.
Recently, state agencies have been the victims to number of cyberattacks. These include a ransomware attack on California’s Department of Motor last February where millions of records were compromised in a data breach. During the height of the pandemic in 2020, the California Employment Development Department also suffered from more than 30,000 false unemployment claims. This agency’s vulnerabilities were brought to light when district attorneys showed that claims had been filed by incarcerated state residents.
Newsom said that in recent years California has spent more than $260 million in its battle against cyberattacks, and that Cal-Secure will complement an array of cybersecurity initiatives that are already underway. In 2017 California launched the state’s first Security Operations Center (SOC), that continuously monitors and responds to cyber threats on the California Government Enterprise Network (CGEN), California primary enterprise network. And within the governor’s budget, funding has been allocated for a range of ongoing cybersecurity initiatives that include everything from IT security performance metrics to resources for state organizations to increase or improve their cybersecurity programs.
In a statement, the California Department of Technology (CDT) said that one of the biggest differentiators in Newsom’s 2021-2022 budget is direct funding for the CDT to provide cybersecurity service to all state agencies—as opposed to charging agencies individually for cybersecurity services. It’s unconfirmed if this move is tied to Cal-Secure or a statewide cybersecurity consolidation plan, but CDT said it will expand its reach.
“The new centralized funding model ensures SOC and Statewide Information Security Oversight benefits for all state entities and supports maturing the statewide information security infrastructure as a default and a built-in function across state government,” the CDT stated.
In his announcement of Cal-Secure, part of the state’s celebration of Cybersecurity Awareness Month, Newsom stressed his administration’s commitment to protect the state through cybersecurity and pledged continued support.
“Hackers steal our time, money, and they also steal our peace of mind. So protecting our data, and more importantly, other people’s data, is among the most important things we can do to prevent disruption in our daily lives,” Newsom said.
Image: YouTube: Gov. Gavin Newsom kicks off Cybersecurity Education Summit on October 6, 2021.