The Mercury News

Top cybersecurity job has been vacant for nearly 2 years

- By Khari Johnson

You might think the home of Silicon Valley would rush to hire a cybersecurity chief, but you'd be wrong: California has left its top cybersecurity post vacant for nearly two years.

A spokesperson said there is no current timeline for Gov. Gavin Newsom to appoint anyone for the position, commander for the Cybersecurity Integration Center.

“We are a target,” as a tech industry leader, the most populous state in the country, one of the busiest ports in the world and the fifth largest economy in the world, former cybersecurity integration center commander Jonathan Nunez said in a video posted to YouTube two years ago. He took the helm in June 2020 and was the last commander appointed by Newsom, leaving the position in June 2022.

State officials say the vacancy hasn't hampered the state's ability to respond to threats, but experts outside the state government are concerned that an acting commander is spread thin.

The commander job entails assisting law enforcement agencies with criminal investigations and safeguarding California's economy and critical infrastructure. Other job duties include maintaining a security operation center that disseminates actionable information to all state entities, forming public and private partnerships and developing state cybersecurity strategy. The commander is paid a salary of up to $187,000 a year.

The challenge of a position like cybersecurity commander is it's not a matter of public or media interest until something goes wrong, said Dan Schnur, a former spokesperson for Gov. Pete Wilson who now teaches political communication at USC and UC Berkeley. There's no set timeline for appointments; timing depends almost entirely upon the urgency to fill the job and the quality of applicants, but in his experience, taking more than a year to appoint is an unusually long amount of time.

“Either they're going through a painstaking process to pick the right person or it slipped through the cracks and there's no way to know which of the two it is,” he said. “Unless you find a unicorn who's willing to forego that kind of financial compensation in exchange for public service, you're already starting out with a compromise.”

There have been four full-time commanders prior to the current acting commander.

Keith Tresh was appointed by former Gov. Jerry Brown and acted as commander from 2016 to 2018. He is now chief information security officer at consultancy firm AMEG. Mario Garcia served as acting commander from 2018 to 2020 and now works as state coordinator for the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Nunez was appointed by Newsom in 2020 and now works as an analyst at consultancy firm Gartner. David Lane served as acting commander for an unspecified period of time in 2022. Deputy Director of homeland security Tom Osborne also is the acting commander.

Tresh previously served as chief information security officer for California and Idaho and was the first Cybersecurity Integration Center commander. He said he jumped at the opportunity because the job acts as a second set of eyes for public institutions like city and county governments, not just the state of California.

“We helped school districts and regional transit authorities when they had breaches,” he said. “That's why I think it's absolutely a perfect position to continue on.”

Cyber attacks on public institutions like local governments, hospitals, and school districts are on the rise. Hospitals and health care providers still are recovering from a ransomware attack that affected payment processing for Change Healthcare, which processes roughly half of all health care claims and payments nationwide.

The Cybersecurity Integration Center receives reports when a school district, state agency or private company experiences a data breach. The center also receives threat reports from federal agencies such as the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security.

Brown created the cybersecurity agency in 2015 to operate within the governor's Office of Emergency Services. It works with the Department of Technology to investigate and report incidents and helps restore operations after an attack. Director Liana Bailey-Crimmins said in an interview in February that her agency works closely with the office of emergency services to address the needs of the state as they fill key positions so they never miss a step.

A spokesperson for the governor's Office of Emergency Services said Osborne is serving as acting commander while the governor carries out a nationwide search for a qualified candidate.

Over the course of the past month CalMatters repeatedly asked for details about data breach reports and compliance with additional duties assigned to the commander and cybersecurity integration center by a five-year cybersecurity plan approved in 2021, but received no comment.

The last time the state compiled a report detailing the kinds of data breaches, number of records compromised, and number of Californians affected in cyber attacks was in 2016, before the cybersecurity integration center existed.

CalMatters reached out to the office of Attorney General Rob Bonta for the latest data breach report. The attorney general's office referred CalMatters to the cybersecurity center, which did not share new information but said it would post new data publicly later “this spring.”

After audits found that state agencies were woefully unprepared for cyberattacks, California Assemblymember Jacqui Irwin, a Democrat from Thousand Oaks, coauthored a 2018 law that made the Cybersecurity Integration Center a permanent state agency and required development of a state cybersecurity strategy. Irwin, who is also chairperson of the Assembly cybersecurity committee, said in a statement that finding a new commander has not been easy.

“The state has struggled to recruit and retain cybersecurity specialists, just as many businesses have, with their skill set in high-demand,” she said.

Competition with private sector

Former state cybersecurity employees said they think it's difficult for the cybersecurity center to keep commanders because the pay is less than for similar jobs in the private sector. State employees may treat an acting commander, who will be in the job temporarily, differently than a commander appointed by Newsom.

A former cybersecurity center employee who spoke on background for fear of professional reprisals said the biggest issue with the position is lack of real authority; the commander has limited capacity to act and hold people accountable.

Public agencies, especially in California, are major targets for cybercriminals seeking confidential information or just wanting to cause panic, said Steven Ward, a cybersecurity fellow at center-right think tank R Street Institute and former digital forensics examiner for law enforcement agencies in Sacramento.

Ward said the vacancy is reflective of a number of trends: First, the cybersecurity threat landscape moves quickly, and public agencies move slowly. Second, it mirrors a larger cybersecurity workforce shortage. California has the second-highest in the U.S., according to a 2022 report by the nonprofit International Information System Security Certification Consortium.

Third, public agencies can't compete with pay and benefits offered by private companies. Another 2022 study found that the private sector pays 14% more than government agencies. The pay gap creates a situation in which entry-level employees are responsible for guarding highly sensitive systems.

“It definitely needs to be filled,” he said. “It's important that this type of work continues without interruptions.”
