Cybersecurity: Let’s work together to turn the tide

When you read the news headlines, it’s not hard to get the impression that cybersecurity – or rather the lack of cybersecurity – is a bad problem getting worse. Consider a few recent headlines:

  • 500 new cyber threats emerge every minute
  • Ransomware attacks doubled
  • Businesses fear cyberattacks

Make no mistake, cybersecurity is a big, big issue. It has a far-reaching impact on the lives of all Oregonians, costing companies millions in out-of-pocket costs while causing long-term erosion to reputation and consumer confidence online. Compounding the problem, companies struggle to find enough qualified cybersecurity professionals to help them maintain a strong posture online.

The best way we can turn the tide on cybercrime is through public, private, academic and government stakeholders working together to raise awareness, educate, prepare for, and respond to cybersecurity threats in a coordinated way. At the Oregon Cybersecurity Advisory Council (OCAC), we believe that cybersecurity is a shared responsibility and must be accessible to all. And, as we saw at the recent Oregon Cyber Summit, a lot has already been done to move cybersecurity initiatives forward in Oregon in a short amount of time.

Statewide coordination

In 2014, Technology Association of Oregon (TAO) published a report that called for the creation of an Oregon Center of Cyber Excellence. In 2015, TAO sponsored a bill, HB 2996, which called for the establishment of an Oregon Center of Cyber Excellence to bring public-private-academic stakeholders together to coordinate a range of cyber activities. At the time, Oregon was one of only five states that did not have such a center, and the lack of statewide coordination made it difficult for universities to obtain cybersecurity grants for research and education.

When Oregon Governor Kate Brown came into office in 2015, she mandated that the state develop a bill (later to become SB 90) to unify IT security within the executive branch and bring all IT security functions, personnel, and associated property under the authority of the State CIO.

SB 90 became effective last September, establishing Oregon’s Cybersecurity Advisory Council (OCAC) as a public/private partnership. As part of this, SB 90 established a Cybersecurity Center of Excellence (CCoE) as a public-private state-civilian interface for information sharing, coordination of cyber incident response, developing a statewide cyber strategy, identifying best practices, and encouraging the development of the cybersecurity workforce.

Here is a rundown on some of the progress we’ve made to date as part of OCAC’s role to coordinate cybersecurity across the state:

  • Serve as the statewide advisory body to the state CIO on cybersecurity: In the past six months, we have created work groups to incorporate additional practitioners and experts into the advisory body.
  • Provide a statewide forum for discussing and resolving cybersecurity issues: We are continuing to discuss issues through additional policy summits.
  • Provide information and recommend best practices concerning cybersecurity and resilience measures to public and private entities: Established this website and a presence on social media.
  • Coordinate cybersecurity information sharing and promote shared and real-time situational awareness between the public and private sectors in this state: We have created a specific work group dedicated to information-sharing practices.
  • Encourage the development of the cybersecurity workforce through measures including competitions aimed at building workforce skills, disseminating best practices, facilitating cybersecurity research and encouraging industry investment and partnership with post-secondary institutions of education and other career readiness programs: We are excited to work in partnership with higher education entities to be part of educational summits and other workforce development programs and partnerships. There are several upcoming cybersecurity events and summits:

CCoE moves forward

One of the primary initial tasks for the council is to provide a plan for the development of the Cybersecurity Center of Excellence. This will include:

  • Coordinate information sharing related to cybersecurity risks, warnings, and incidents.
  • Provide support regarding cybersecurity incident response and cybercrime investigation.
  • Serve as an information sharing and analysis organization and as a liaison with the National Cybersecurity and Communications Integration Center within the US Department of Homeland Security, other federal agencies, and other public and private sector entities on issues relating to cybersecurity.
  • Identify and participate in appropriate federal, multi-state, or private sector programs and efforts that support or complement the center’s cybersecurity mission.
  • Receive and appropriately disseminate relevant cybersecurity threat information from appropriate sources including the federal government, law enforcement agencies, public utilities, and private industry.
  • Draft and biennially update an Oregon cybersecurity strategy and cyber disruption response plan.

For this year, the OCAC has created two primary committees: One to develop the framework and one to analyze and evaluate the service offerings called out in SB 90. Workforce development was a key component in both committees. In March 2018, the council established work groups with an initial legislative concept of the CCoE. The CCoE will include:

  • Tech services: Focus on incident response and recovery and active monitoring components
  • Education and workforce development
  • Information sharing
  • Public outreach: Events, resources and economic development
  • Policy and legal: Procurement, administrative and legal structure, NDAs, etc.

When we conducted our first council meeting in August 2017, we began working on the needs assessment research with Portland State University Center for Public Service. The research includes a statewide survey and focus groups, as well as additional insight through research in comparative policy analysis from other states. The final report, A Cross-Sector Capabilities, Resources, and Needs Assessment: Research to Support the Drafting of the Oregon Cybersecurity Center of Excellence Proposal, provides extensive research analysis on the cybersecurity capabilities, resources and needs of Oregonians. Download the executive summary and overview to learn more about the findings.

As the chair of the Oregon Cybersecurity Advisory Council, I encourage you to share in the statewide cybersecurity responsibility. The council is seeking additional resources, especially cybersecurity practitioners. If you are interested, please send email to [email protected].