Short Reflections on attending the California CyberSecurity Task Force
On May 13, I was pleased to represent Symantec at the inaugural California CyberSecurity Task Force meeting. California government officials and private-sector leaders met to discuss a comprehensive CyberSecurity plan for the state.
Attendees included officials of many state agencies, academia, the National Fusion Center Association (NFCA), the FBI, the Sacramento Utility District, Cyber Watch West (CWW), and private companies such as Verizon, Bank of America and Symantec.
“Because of the interconnectedness of government and private-sector IT assets, collaboration has become crucial,” said Michele Robinson, acting director for the Office of Information Security. “The ultimate goal,” she added, “is to collaborate and work together to improve CyberSecurity for the state.”
The Task Force's stated strategic role is to act in an advisory capacity in the following areas:
- Identify areas where stakeholders can improve statewide collaboration and information sharing to identify potential threats.
- Review areas where coordination will enhance security and emergency response.
- Develop and review a statewide CyberSecurity strategy.
The meeting allowed discussion on several topics, all with the goal of establishing a framework and overall plan for statewide CyberSecurity. Among the topics discussed were information sharing between governments and the private sector, challenges to industry, such as the need for improved laws and regulations, and the need for increased CyberSecurity research and education.
The keynote speaker was Mark Weatherford of The Chertoff Group, former Deputy Undersecretary at DHS. He addressed many interesting points, including calling out 3 types of outside attackers:
- Cyber criminals (Russian gangs and organizations leading the pack)
- Espionage (currently 90% from China)
Mark pointed out that cyber issues are the top concern for all organizations regardless of size. He said, “If interest is at the CIO/CISO level, we have an issue!! It needs to be at the CEO, COO, CFO level.” He quoted Baker’s Law – “Yeah, our Security Sucks but so does theirs”.
He then focused on an area that is widely recognized but does not get the attention it requires: the lack of cyber talent, which, in his words, means we are getting our lunches handed to us in the USA. I think this is exciting for Symantec as we launch the beta of our new Academic Alliance program!! Discussion covered how this could be addressed at the K-12 and community college levels as well as at universities. It then moved on to immigration issues (we have some of the best and brightest coming to be educated in California, as well as in the rest of the USA, and then, after they are trained, we force them back to their home countries). The discussion was highly engaged and very enlightening. This lack of talent puts our cyber security world at a crossroads.
The Presidential Executive Order on Cybersecurity was the focal point of the agenda for this initial task force meeting. Much of the discussion centered on how this task force could influence the directive to NIST. One of Mark’s comments was that almost 40% of the cybersecurity-focused companies in the US are California based (including, of course, Symantec).
This kicked off a major discussion, returned to repeatedly throughout the day, about how California, as the largest state, is in a unique position to have the desired influence on NIST. For the rest of the afternoon there were panels discussing information sharing, challenges to industry, and research and education.
Concluding the day were State CIO Carlos Ramos and Mark Ghilarducci, secretary of the California Emergency Management Agency. They gave specific examples of changes that could improve CyberSecurity efforts in the state, such as whitelisting certain software in the wake of a bring-your-own-device trend that has introduced an unprecedented number of applications onto the state’s networks. Another tactic would be to require more rapid patching of operating systems and applications to cut down on vulnerabilities and security holes. A third is to limit the number of users with admin privileges on any given network.
“These are things that help harden our networks, and a lot of this, just like any kind of security -- it’s always about layers of security,” Ghilarducci said. “The CyberSecurity situation is no different. We want to make sure we incorporate as many of the things thread into our CyberSecurity work environment. It may seem very intuitive and basic, but across the board, it’s not consistent.”