During testimony to the California State Senate, cyber-security expert Dr. Tony Coulson outlined the concerns that California must contend with in order to protect its critical infrastructure sectors. “California needs the ability to coordinate effectively for cyber-attack responses. A cyber-attack is not just a possibility, but a probability, stated Dr. Coulson, outlining why the state needs to enhance it cyber-attack preparedness. After input from security experts, I am carrying Senate bill SB 265, which directs the California Office of Emergency Services (Cal-OES) and the California Cybersecurity Integration Center (Cal-CSIC) to prepare a multi-year outreach plan to assist critical infrastructure sectors specifically in efforts to improve cybersecurity.

Despite the advanced age of some critical infrastructure components in California, there is remote accessibility that allows an intentionally wide spaced system like the State Water Project (SWP) to operate in a manner efficient for the unique environmental circumstances of each particular component. It is what allows Shasta Dam to maximize rainwater capture while Oroville focuses on snowmelt, all part of the same water management network. This same accessibility also makes these systems vulnerable to a cyberattack, and it is why California must prepare for the inevitable.

Infrastructure modernization is needed across the board ranging from our state’s highway system to the water conveyance systems that make California the nation’s agricultural leader. A key component of this effort will be the integration of advanced technology into pre-existing structures. However, as operational technologies converge with information technologies to bring California’s infrastructure into the 21^st century, our exposure to cyber-attacks increases as previously inaccessible systems go online or are subject to remote commands.

A cyber-attack on a public institution is a disruptive event with the potential to affect thousands. When hackers targeted LA Unified School District over Labor Day weekend in 2022, the attack was described as a significant disruption to the district’s systems infrastructure.[1] The security climate that presaged this attack may be analogous at the state level according to a recent report by the State Auditor’s office, which noted that the California Department of Technology has yet to identify the systems statewide that are outdated or obsolete and require modernization to protect against cyber-attacks, outage or failure.[2] Without an expansive, state-level security review and comprehensive preparedness plan, the next cyber-attack could take a critical system offline and leave investigators uncertain whether sensitive information was stolen, an experience San Bernardino law enforcement contended with during a ransomware attack costing the County and insurers $1.1 million in ransom money.[3]

A state-level approach to cybersecurity will enable California to balance infrastructure modernization efforts with security concerns requiring proactive preparedness. The security-needs landscape is evolving, and to protect critical infrastructure, California’s security must evolve at an even faster pace to stay a step ahead of the next cyber-attack.

Op-ed appeared in GV Wire, May 23, 2023 https://gvwire.com/2023/05/23/state-level-cybersecurity-preparedness-needed-to-protect-critical-ca-infrastructure/

[1] Hackers infiltrate second-largest US School district in growing trend, the Guardian, Sept. 6, 2022 https://www.theguardian.com/us-news/2022/sep/06/los-angeles-unified-school-district-cyber-attack

[2] Weaknesses in Strategic Planning, Information Security, and Project Oversight Limit the State's Management of Information Technology, CA State Auditor’s office report, April 20, 2023 https://www.auditor.ca.gov/reports/2022-114/index.html

[3] San Bernardino County paid $1.1 million ransom to hacker of Sheriff’s Department computers, The Sun, May 8, 2023 https://www.sbsun.com/2023/05/04/san-bernardino-county-paid-1-1-million-ransom-to-hacker-of-sheriffs-department-computers/