In summary
Governor Newsom has not yet appointed a commander tasked with informing businesses and governments of cybersecurity threats.
You might think the home of Silicon Valley would rush to hire a cybersecurity officer, but you'd be wrong. California's top cybersecurity officer position has remained vacant for nearly two years.
A spokesperson said there is no current timeline for Gov. Gavin Newsom to appoint someone to lead the Cybersecurity Integration Center.
As a state that is a leader in the technology industry, the nation's most populous state, home to one of the world's busiest ports and the world's fifth-largest economy, “we are a target,” Jonathan Nunez, former director of the Cybersecurity Integration Center, said in a video posted on YouTube 2 years ago. He took the helm in June 2020 and was the last commander appointed by Newsom, retiring in June 2022.
State officials say the vacancies do not affect the state's ability to respond to threats, but experts outside the state government are concerned about the small number of acting commanders.
The commander's job includes assisting law enforcement with criminal investigations and protecting California's economy and critical infrastructure. Other duties include maintaining a security operations center that disseminates actionable information to all state organizations, forming public-private partnerships, and developing the state's cybersecurity strategy. Commanders are paid up to $187,000 annually.
Dan Schnur, a former spokesman for Gov. Pete Wilson who now teaches political communications at the University of Southern California and the University of California, Berkeley, said the challenge of a position like cybersecurity commander is that until something goes wrong, it is not a concern for the public or the media. There is no set timeline for an appointment, and it depends almost entirely on the urgency of the job and the quality of the applicant, but in his experience more than a year is an unusually long time for an appointment.
“Either they go through a painstaking process to select the right people, or they slip through the cracks, and there's no way to know which.” “Unless we find a unicorn company that will waive such financial compensation in exchange for public services, we are already starting with a compromise.”
There were four full-time commanders before the current acting commander.
Keith Tresh was appointed by former Governor Jerry Brown and served as commander from 2016 to 2018. He currently serves as chief information security officer at consulting firm AMEG. Mario Garcia served as Acting Commander from 2018 to 2020 and currently serves as the State Coordinator for the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Jonathan Nunez was appointed by Governor Newsom in 2020 and currently works as an analyst at the consulting firm Gartner. David Lane served as acting commander for an unspecified period in 2022. Tom Osborne, deputy secretary of the Department of Homeland Security, is also acting commander.
Mr. Tresh previously served as chief information security officer for the states of California and Idaho and served as the first commander of the Cybersecurity Integration Center. He said he jumped at the opportunity because the job serves as a second set of eyes not only for the state of California, but also for public agencies such as city and county governments.
“We assisted school districts and local transportation authorities with violations,” he said. “That’s why I think this is absolutely the best position to continue.”
Cyberattacks against public institutions such as local governments, hospitals, and school districts are on the rise. Hospitals and health care providers are still recovering from a ransomware attack that affected payment processing at Change Healthcare, which processes about half of all health insurance claims and payments nationwide.
The Cybersecurity Integration Center receives reports when a school district, state agency, or private company experiences a data breach. The center also receives threat reports from federal agencies such as the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Homeland Security.
Former Gov. Jerry Brown established the Office of Cybersecurity in 2015, which operates within the Governor's Office of Emergency Services. It works with the Department of Technology to investigate and report incidents and assist in restoring operations following an attack. Director Liana Bailey-Crimmins told CalMatters in a February interview that her agency is working closely with the Office of Emergency Services to meet the state's needs in critical positions and to ensure it never misses a beat.
A spokesperson for the Governor's Office of Emergency Services said Osborne will serve as acting commander while the governor conducts a national search for qualified candidates.
Over the past month, CalMatters has repeatedly asked for details about data breach reporting and compliance with additional duties assigned to commanders and cybersecurity integration centers by the five-year cybersecurity plan approved in 2021, but received no comment.
The last time the state compiled a report detailing the types of data breaches, the number of records compromised, and the number of Californians affected by cyberattacks was before the Cybersecurity Integration Center existed. It was 2016.
CalMatters reached out to Attorney General Rob Bonta's office regarding the latest data breach report. The attorney general's office referred CalMatters to the Center for Cyber Security, which did not share any new information but said it would release new data “later this spring.”
After an audit found state agencies woefully unprepared for cyberattacks, California state Rep. Jackie Irwin, D-Thousand Oaks, called for the Cybersecurity Integration Center to become a permanent state agency. She co-authored a 2018 law requiring the state to develop a cybersecurity strategy. Irwin, who is also chairman of the Congressional Cybersecurity Committee, told CalMatters in a statement that finding a new commander will not be easy.
“Like many businesses, states are struggling to recruit and retain cybersecurity professionals, and those skills are in high demand,” she said.
Competition with the private sector
Former state cybersecurity officials told CalMatters they believe the cybersecurity center will have a hard time retaining commanders because the salaries are low compared to similar jobs in the private sector. State officials may treat acting commanders who serve on a temporary basis differently than Newsom-appointed commanders.
A former Cyber Security Center employee who spoke to CalMatters on background for fear of professional retaliation said the biggest problem with the job was the lack of real authority. There are limits to a commander's ability to act and hold people accountable.
Stephen Ward, a cybersecurity researcher at the R Street Institute, a center-right think tank, and a former digital forensics examiner for law enforcement in Sacramento, said public agencies in California have become a prime target for cybercriminals seeking sensitive information or simply looking to cause panic.
Ward said the vacancies reflect a variety of trends. First, while the cybersecurity threat landscape is changing rapidly, public authorities are moving slowly. Second, it reflects a growing shortage of cybersecurity talent. California ranks second in the U.S., according to a 2022 report from the nonprofit International Information Systems Security Certification Consortium.
Third, public organizations cannot match the pay and benefits offered by private companies. Another study in 2022 found that salaries in the private sector were 14% higher than in government. Pay disparities have created a situation where entry-level employees are responsible for protecting sensitive systems. It's difficult to say what impact the vacancy will have, but the center is developing the state's cybersecurity strategy and is also a hub for sharing threat intelligence and how to patch vulnerabilities. Ward said he was concerned that the acting director's role would be too fragmented.
“It definitely needs to be filled,” he said. “It is important that this type of work continues without interruption.”