Striking Back Against Cyberattacks

California takes collaborative step to stop cyber threats, but is it enough?

Back Web Only Dec 16, 2015 By Russell Nichols

From small businesses to big chains and state agencies, no system is 100-percent hacker-proof. But in September, Gov. Jerry Brown took another step to prevent cyberattacks that cause data breaches with an order to create the California Cybersecurity Integration Center (Cal-CSIC).

As the central hub for the state’s online community, Cal-CSIC will coordinate with state departments, federal agencies and local governments, in addition to service providers, academic institutions and non-governmental organizations. Through a multi-agency incident response team, the state also aims to find cyber threats sooner and shut them down faster.

But the executive order does have one critical hole, says Zuk Avraham, founder, chairman and CTO of Zimperium, a mobile security startup based in San Francisco.

“One foreseeable issue is the center’s lack of attention to mobile security threats, which are not addressed in Governor Brown’s executive order,” Avraham says. “Between mobile payments and the growing number of individuals who use a smartphone for work, mobile devices are becoming increasingly appealing to hackers. We would like to see more concrete terms around mobile security to ensure employees’ devices are better protected from cyber espionage.”

Finding security holes and trying to fill them has been part of California’s ongoing cyber battle. For more than a decade, state officials have been passing new laws and enacting protocols to safeguard data. But the fact is, California is a prime target for cyberattacks. In 2014, the state was ranked the world’s eighth-largest economy. The state’s Department of Technology reported that hackers try to breach the state’s data centers thousands of times every month. However, efforts to prevent attacks might be useless because many agencies don’t comply with California’s information technology standards, according to the state auditor’s report.

The report, which came out just before Brown’s order, showed that many agencies had no solid plan in place for online interruptions or disasters. Auditor Elaine Howle also found that the Department of Technology, which was supposed to ensure agencies complied with IT standards, hadn’t been doing its job. By not complying, these agencies are vulnerable to a major security breach of sensitive data (Social Security numbers, health information, tax returns).

Compliance isn’t the only area of weakness. There’s also the issue of personnel. State governments across the country struggle to find and hire qualified cybersecurity experts with the skills to defend against cyber criminals, according to a report by the National Association of State Chief Information Officers. Reasons range from uncompetitive pay to a shortage of qualified candidates and slow hiring processes. In the survey, 86 percent of states reported having difficulty recruiting new employees to fill vacant IT positions. But even among the baby boomers postponing retirement, the technology is evolving so fast, many are struggling to keep up.

“The most common ways states are being affected are through outsourcing, consolidation, staff reorganization and increased use of cloud services,” the report notes. “Respondents also noted that they continue to experience a growing skills gap between more experienced, closer-to-retirement, legacy-system-knowledged staff and entry level staff members.”

It may be too early to tell how Brown’s initiative will impact the private sector. Partnerships and strong leadership play a crucial role in solving issues of cyberattacks. But for the agency to be efficient, the team needs to find the right balance between transparency and privacy, and also be more proactive, says Tony Vargas, co-founder and CEO of Security Together, a cybersecurity company based in Roseville.

“The cybersecurity industry overall is a heavily reactive industry,” Vargas says. “If the agency can be proactive and strategic in dealing with cyber threats and also protect the privacy of individuals, then I can see it being effective.”