The state of California recently showcased its updated plans for its statewide Cal-Secure cybersecurity strategy. These details included Cal-Secure’s current impacts, how the state hopes it will protect agencies, and the plan’s ambitious expansion goals for 2023.
The new insights surfaced in Cal-Secure’s nomination for the National Association of State Chief Information Officers (NASCIO) 2022 State IT Recognition Awards. In the nomination, officials from the California Cybersecurity Integration Center further outlined their reasons behind Cal-Secure’s launch, detailed the collaboration process behind it, and laid out ongoing efforts to implement the strategy throughout California’s vast set of offices, agencies, and departments.
“The Cal-Secure Plan is an exemplary illustration in providing a vision that brings the State to a common security framework for policy effectuation as well as alignment with the criticality of solidifying the pillars of people and process to deliver a sound platform of technology capable solutions,” said Chris Cruz, Tanium Public Sector CIO and former Deputy State CIO for California.
Referencing Gov. Gavin Newsom’s message at Cal-Secure’s launch in 2021, officials underscored the dangers of cyberattacks on residents’ data and rallied “to safeguard the state’s critical infrastructure, intellectual property, and [California’s] status as one of the world’s leading economies.”
Cyberattacks and cybersecurity risks in California
The state also didn’t hesitate to acknowledge its vulnerability and recent attacks that led to Cal-Secure’s development.
Examples of notable cyberattacks in recent years include a 2018 ransomware attack that disrupted administrative operations at the Port of San Diego, a 2022 ransomware attack at the University of California, San Francisco School of Medicine that extorted $1.1 million, and an attack in 2021 where an employee at the State Controller’s Office accidentally clicked a malicious email link and provided confidential reports with residents’ names, addresses, Social Security numbers, and birth dates to attackers. That same year, a hacker also tried to poison local drinking water by erasing critical treatment programs at a San Francisco Bay Area water treatment plant.
Then there was COVID-19. The state said that with the pandemic came a “cyber pandemic,” where hackers tried to take advantage of work-from-home employees and fluctuating operations. The hackers’ potential victims spanned more than 75 percent, or 190,000, of California’s government workforce.
“As many employers turned to remote work, thousands of government institutions became low-hanging fruit for cybercriminals. In fact, 70 percent of all ransomware attacks in the United States continue to target state and local governments,” officials said.
In light of these attacks and vulnerabilities, the state said a comprehensive, “universal” cybersecurity strategy became essential, so much so that Cal-Secure initiatives will draw direct funding from the state’s $38.8 million annual IT security budget.
Implementation and impact of Cal-Secure
Since work began on Cal-Secure, agencies have invested months into planning, collaboration, and interagency partnerships to design a cybersecurity framework that can be applied across the state. All said, the process called for 20 workshop sessions and required 450 hours of development from 40 different organizations.
That new strategy, officials said, is based on three pillars that support a strong cybersecurity workforce and modern technology and establish clear processes to implement and oversee operations. The unified vision, officials confirmed, could also lead to IT consolidation and potentially save the state money when buying services and technology.
Yet, if Cal-Secure does one thing well, it’s setting expectations. The strategy is more than general guidelines. It carves out specific, minimum technical cybersecurity capabilities every agency must follow and holds agencies accountable with regular inspections from the California Department of Technology (CDT). Because of this, the CDT plans to measure Cal-Secure’s impacts on agencies based on adoption.
Before Cal-Secure, it was the responsibility of individual entities within California’s state government to make sure their security procedures were up to date and adhered to policy. Yet officials said this self-assurance wasn’t always effective. Some departments struggled with applying critical software updates, performing security audits, and shielding themselves from security gaps.
“While the baseline capabilities are already required by state policy, the roadmap removes any ambiguity by establishing specific, prioritized milestones that clearly define roles and responsibilities,” officials said. “Cal-Secure’s specific, prioritized roadmap depicts a five-year horizon. Success is measured on a yearly basis, according to CDT’s Office of Information Security Foundational Framework, the California Cybersecurity Maturity Metric, and the California Homeland Security Strategy.”
It’s expected that all state agencies will adopt Cal-Secure by the end of 2023. However, the state said many agencies are already adopting the framework into their operations, and even state IT contractors and vendors are using it in their services and technologies.