Hearings

Assembly Standing Committee on Emergency Management

August 19, 2025
  • Jacqui Irwin

    Legislator

    Well, good afternoon, everybody, and welcome to the Assembly Select Committee on Cybersecurity, a Joint Committee with the Committee on Emergency Management. I want to thank everybody for joining us in this joint informational hearing. As a reminder, the hearing will be live streamed on the Assembly website and the recording will be posted online.

  • Jacqui Irwin

    Legislator

    All public comments must take place here in Capitol room 447. And I want to start by extending a special thank you to Chair Ransom for partnering with us on this hearing and providing Emergency Management's critical perspective. I would like to now give you an opportunity for some opening remarks, Chair Ransom.

  • Rhodesia Ransom

    Legislator

    Awesome, thank you. All right, good afternoon, everyone. Thank you so much for joining us here at the Capitol on this Joint Hearing. We're here to talk about how we can maximize cybersecurity investment.

  • Rhodesia Ransom

    Legislator

    And you know, we all know that cybersecurity attacks are not typically viewed as emergencies or measured in the same way that we calculate things like a wildfire or the magnitude of an earthquake or property loss. But these attacks target our government institutions and our critical infrastructure, and individuals are impacted through very serious threats.

  • Rhodesia Ransom

    Legislator

    And so it's really, to me, this is a very timely hearing. And so we appreciate the opportunity to join in, in order to have this information put out to the public. And I just look forward to our hearing. Thank you.

  • Jacqui Irwin

    Legislator

    Thank you very much, Chair Ransom. I would like to thank all our panelists for joining us today for our discussion on state IT contracts and how we can best maximize the value of those contracts in these tough budget times.

  • Jacqui Irwin

    Legislator

    California continues to face persistent cybersecurity gaps within state agencies, and this hearing will explore how we may be able to address these with a cost-neutral approach by fully utilizing information security tools already purchased by the state.

  • Jacqui Irwin

    Legislator

    We will also have a short discussion on how federal funding or support for cybersecurity activities has been or may be reduced by the new federal administration. We will have two panels today. Our first panel features perspectives from the vendors contracted with the state. And our second panel will feature representatives from state agencies that oversee California's cybersecurity.

  • Jacqui Irwin

    Legislator

    I will ask a series of questions and in the interest of time, I will ask panelists to keep their remarks for each question within three minutes. Without further ado, we'd like to welcome our first panel, Assembly Member Nguyen or Assembly Member Gonzalez. Do you have any comments before we get started? All right, thank you.

  • Jacqui Irwin

    Legislator

    And so for our first panel, we have Jeff Brown from Microsoft, we have Thomas McClellan from Palo Alto Networks, and we have Drenan Dudley from Zscaler. Thank you so much again for joining. All right. So as I mentioned, I have a series of questions and look forward to the answers.

  • Jacqui Irwin

    Legislator

    So first, can you please introduce yourself and the company you represent. Briefly describe what IT products and services you are currently contracted to provide to the state and what cybersecurity features or tools are included as a part of these contracts. So maybe we can just start with you.

  • Jeff Brown

    Person

    Very good and thank you everybody. I'm Jeff Brown. I'm a Chief Security Officer basically for Microsoft, Cyber Advisor. I actually come from this as a practitioner.

  • Jeff Brown

    Person

    So I used to be the CISO for the State of Connecticut where my optic is really about not only how do we leverage products, but also how do we actually make sure that strategies are in place and that we're having C level conversations with the people who need to actually deploy these products.

  • Jeff Brown

    Person

    Having worked in state government before, I'm very, very in tune with some of the challenges and issues and complexity that we have as well as some of the resource constraints. My role is really making sure that the strategies are clear and in place and that we're actually getting value out of the products that we do use.

  • Jeff Brown

    Person

    Microsoft has a full-stack cybersecurity platform that we have deployed in the state. We have over 250,000 users covered in the State of California with our G5 licensing. This is really something that's our premium security stack that covers things like endpoint detection and response, compliance, and Purview DLP, which is data leakage prevention.

  • Jeff Brown

    Person

    I don't want to get too technical on the details. I know different people have different views on what cybersecurity is, but we really have a platform that leverages everything from cloud and on-prem. We have a Defender for almost every single thing, every single piece of that.

  • Jeff Brown

    Person

    And then really we also have up to about 75% of all of the entitlements that are being used. So we really have very good deployment. And then we also have cloud services which are consumption based. So we have two things.

  • Jeff Brown

    Person

    One is the G5, that's a full-on purchase, and then we also have cloud Azure consumption, which is really, think of it like a water utility. So how much water do we use? And every month we get a bill for it. That's how Azure works, versus G5, which is a straight-out purchase.

  • Jacqui Irwin

    Legislator

    Thank you. Drenan.

  • Drenan Dudley

    Person

    Great. Hello everyone. Thank you for having us. It's really an honor to be here. I certainly appreciate the fact that it's a joint hearing between where we focus on cybersecurity and also emergency management.

  • Drenan Dudley

    Person

    I come from a long career when I worked for the United States Senate on the Appropriations Committee staff, and in my portfolio was the Federal Emergency Management Agency and the Cybersecurity and Information Security Agency.

  • Drenan Dudley

    Person

    We constantly tried to get people in the room together to talk because the fields are so married to each other in a lot of ways and interdependent on each other. So, you know, just really, you know, excited to see you guys leading the way and calling a joint hearing to make sure that we talk about this collectively.

  • Drenan Dudley

    Person

    I work for Zscaler. It's a cybersecurity company that does cloud security through zero trust architecture. I'm the head of state, local, tribal, territorial government partnerships. That is a mouthful, but we wanted to make sure we included everybody because cybersecurity is important everywhere. Thinking about cybersecurity and Zscaler in particular, they really have a modern approach to security.

  • Drenan Dudley

    Person

    We often think of a sort of castle and moat perspective to cybersecurity where you think about what you need to protect the most, build a moat around it because you're treating your castle like the crown jewel that it is. Problem is when somebody gets across the moat, they get in and they go everywhere.

  • Drenan Dudley

    Person

    We saw this as an example when the SolarWinds breach happened and we had a nation state actor in our systems for nine months and we were unaware of it. Zscaler really tackles that from the perspective of flipping security on its head and thinking about security at every step.

  • Drenan Dudley

    Person

    So how do we make sure that every electronic movement that happens on a company or a state agency's network or on the Internet, if they're using the Internet because the Internet is kind of the new network, how do we make sure that action is authenticated, that that person is validated, or the action is approved of?

  • Drenan Dudley

    Person

    So we do that through four main products. And we're proud to say that we serve our home state because we are headquartered in California, we serve 21 state agencies as customers, and really through four main products, do we do that. It's Internet access.

  • Drenan Dudley

    Person

    So this is where it's kind of like the brain of security, where we make sure that between users and the web and software applications, there's a security transaction that's happening as someone moves around from each of those. So that's our Internet access product. We also have private access.

  • Drenan Dudley

    Person

    So this means how can we make it less clear to somebody who wishes to do us harm where you are on the Internet? So if you're approved on your network or on the Internet to move around and do things, you don't necessarily want people who aren't supposed to know that you're doing that, seeing it.

  • Drenan Dudley

    Person

    So we have a way to minimize the attack surface by making sure that that's less visible on any network that people might want to see it on. It also prevents that lateral movement. The SolarWinds example that I just talked about, that the company really focused on when we became public in 2018. We also.

  • Drenan Dudley

    Person

    So those are kind of the user based products that we have and that we use on state networks. We also think about enterprise solutions as well. And there we have digital experience as a product that Zscaler provides.

  • Drenan Dudley

    Person

    And that is where IT teams can sort of see end to end, what's happening and related to security and also look at performance metrics which might be something of interest to the Committee given the topic of the hearing.

  • Drenan Dudley

    Person

    And then we also do data loss prevention, making sure that organizations can really understand what data they have, prioritize where they need to protect it, and make decisions in tight budget times so that they can prioritize where they secure that data.

  • Jacqui Irwin

    Legislator

    Thank you.

  • Thomas McClellan

    Person

    Thank you very much. Excuse me, Chairs Irwin and Ransom, thank you very much for having me here. Members of the Committee, I appreciate the opportunity. My name is Thomas McClellan and I head up government affairs for Palo Alto Networks. Just by way of background, I've worked for about 30 years, 25-30 years, at the national level.

  • Thomas McClellan

    Person

    In my current role at Palo Alto, I head up government affairs for the whole US. So I have the opportunity to literally work with every single state, commonwealth, territory, and city across the greater US, and so I have a very unique perspective on these and other related issues, and I'm glad to be here today.

  • Thomas McClellan

    Person

    So by way of background, Palo Alto is a California-based cybersecurity company. We are the world's leading cybersecurity company. We're leaders in 22 Magic Quadrants and Waves. We invest $1.8 billion a year in research and development, and each day we block about 31 billion attacks by fully utilizing our array of world-class cybersecurity tools.

  • Thomas McClellan

    Person

    In short, we have a very unique vantage point with respect to cybersecurity threats and trends. Here in California, we have a significant footprint. We are working with the vast majority of agencies and departments here in the state and we are proud to be a partner, a cybersecurity partner of choice here in California.

  • Thomas McClellan

    Person

    And we look forward to continuing this, you know, our standing there, as well as continuing the discussion to see how we can do better with California. So I want to touch on a caveat. Without discussing any particular customers, I will provide as much detail to this Committee and publicly as possible.

  • Thomas McClellan

    Person

    We take the confidentiality of our customers very seriously. And so I, I apologize if I can't get to the specifics that you care for, Madam Chairman. So how do we work with California?

  • Thomas McClellan

    Person

    The very first thing that we do is we help protect what's called the attack surface through the use of a tool called Expanse. Expanse trawls across the public-facing Internet and it looks at vulnerabilities and weaknesses that the bad guys can see and use to attack the network. So we actually have that capability deployed here within California.

  • Thomas McClellan

    Person

    We help agencies here in California respond to attacks through our world class incident response team known as Unit 42. So when an attack happens, you've got Palo Alto in your corner through Unit 42 to be able to respond.

  • Thomas McClellan

    Person

    We provide tools here in the state that prevent users from accessing malicious URLs, unattended applications, and protect users that are leveraging AI based applications. We help agencies automate and orchestrate their security operations through our AI empowered, what we call XIM platform. And I'll talk a little bit more about that later on.

  • Thomas McClellan

    Person

    And finally, we also have tools deployed that help agencies ensure the safe use of artificial intelligence. And when you start talking about utilization, you talk about driving innovation. One of the key mantras at Palo Alto is how can you leverage artificial intelligence from an innovative perspective, but safely.

  • Thomas McClellan

    Person

    So in short, we are well positioned to support California's cybersecurity mission. And I look forward to future discussions here.

  • Jacqui Irwin

    Legislator

    All right, thank you very much. And just want to reiterate again because this is just kind of the heart of what we're talking about is all of you are state vendors and what we would really like to know is using general terms, do you think that state departments are underutilizing the included cybersecurity features in your products? And how did you come to that belief? So we'll start with Mr. Brown.

  • Jeff Brown

    Person

    Yeah, thank you very much. Actually, we have a very good story to tell. We have 98% of state departments licensed for G5, which, in state government, 98% of anything is very impressive. I'm actually very impressed with that. We also have, I think, significant growth year over year. So this is something that we track very closely.

  • Jeff Brown

    Person

    We have double-digit growth starting in 2023: 58% up to 67% utilization, up to 75% utilization. So double-digit growth year over year. And we've also started to look at it slightly differently to make sure that day-to-day usage is also very high.

  • Jeff Brown

    Person

    And at that point we have, you know, up to 75% of entitlements being used daily. So that's, I think, very good. So 98% penetration, 75% utilization. And it's something that we continue to work very closely with the state on to make sure that they understand what products are there, that they are trained in them.

  • Jeff Brown

    Person

    We offer a vast majority of free training for people and also making sure that we're partners and that we're, we're handholding and side by side. We work very closely with Conrad Long and CDT and we really work very closely with the actual people in the field. Again, I come from this as a practitioner, 30 years experience.

  • Jeff Brown

    Person

    And what we want to do is really make sure that people are deploying products correctly, that they're configuring them correctly, and that they're safe once they're actually out there.

  • Jacqui Irwin

    Legislator

    All right, thank you. Ms. Dudley.

  • Drenan Dudley

    Person

    So Zscaler comes at security, like I said, with a modern approach, but we're also a best in breed company, which means we don't provide a single platform that provides like a wide range of services. We're really able to tailor very specific solutions to the current environment.

  • Drenan Dudley

    Person

    So we partner with our government customers and the other companies that they're already using to provide pieces of their complete security picture.

  • Drenan Dudley

    Person

    So for that reason we're just a little bit different in that we get a lot of full utilization because we're very tailored to providing a very specific niche product or service to a state agency, you know, in a very dynamic environment, because you do have lots of different players in that situation.

  • Drenan Dudley

    Person

    Zscaler has made sure that we're not, you know, showing up, delivering our product and then saying good luck to the state agency and walking away.

  • Drenan Dudley

    Person

    We have technical service teams that sit next to state agencies and make sure that they're getting adoption and deployment on a timescale that really meets the security urgency that was the reason for choosing the product in the first place. Those meetings are regular. They can be daily if they want to, but they're at least bi-weekly.

  • Drenan Dudley

    Person

    And then there's regularly a quarterly review, sort of looking big picture at how the product is being used. For that reason, and because our products are very focused, utilization has not been something that we've struggled with in working with California agencies. I will say that I think under-utilization is an important question to be thinking about.

  • Drenan Dudley

    Person

    It's an important question to ask, obviously. I mean, when we think about security, we've sort of had to reengineer security from its beginning. We deployed the Internet because we were excited about innovation, and that's great. And then we started thinking about security after its deployment. Same with a lot of networks.

  • Drenan Dudley

    Person

    And so for those reasons, we've layered on security over the years. And I think making sure that we're keeping up with what has happened with that layering, different people at different times making different decisions about security tools.

  • Drenan Dudley

    Person

    It really takes a focus for making sure that we're not, as we're adding new things, we're turning off the things that aren't needed anymore. That's a cost savings that you can apply those savings in the future to new products that you need because the threat action is changing regularly.

  • Drenan Dudley

    Person

    So that sort of iterative process I think can be great for agencies to be thinking about and to be focused on as they're thinking about each next step that they go through. That means a lot of documenting. It means a lot of making sure that you understand how products are being used.

  • Drenan Dudley

    Person

    And so making sure that the staff is available for that kind of activity is going to be really crucial.

  • Jacqui Irwin

    Legislator

    Okay, and then so what I hear you saying is that the utilization rate is high for the departments that are using it and for the people that are specifically requesting it.

  • Drenan Dudley

    Person

    Exactly.

  • Jacqui Irwin

    Legislator

    But it might not be the same. Might not be highly utilized across all departments. You might not be in.

  • Drenan Dudley

    Person

    If it's our product, I'm very confident it's getting full utilization. I can't speak to our partner products.

  • Jacqui Irwin

    Legislator

    And then I guess for Microsoft you have 98% utilization, and that's obviously great. But are all the kind of sub cybersecurity products being used at that same rate?

  • Jeff Brown

    Person

    Let me make sure you are clear on that. So we have 98% deployment, 75% utilization.

  • Jacqui Irwin

    Legislator

    75%. Okay, 75%. But there are a lot of cybersecurity tools within that. And are those. And you're able to measure how much those are being used?

  • Jeff Brown

    Person

    Absolutely, yes.

  • Jacqui Irwin

    Legislator

    Okay. Mr. McClellan.

  • Thomas McClellan

    Person

    So in terms of the utilization. So we offer powerful capabilities to California, and we see this as a strategic opportunity to enhance their comprehensive development and adoption of these capabilities, which will directly accelerate progress toward the advanced security maturity levels outlined in things like Cal-Secure and CISA Zero Trust.

  • Thomas McClellan

    Person

    And since 2001, with the release of Cal-Secure, we have been mapping our capabilities to Cal-Secure and working with agencies and departments to further their cybersecurity capability maturity using the tools that they own. So directly to your point, there is a maturity model out in the state with different agencies.

  • Thomas McClellan

    Person

    Some agencies are further ahead, some are further behind. And again, without getting specific, I think we have some observations that would be, I think, instructive to this Committee. One is we see a large number of cybersecurity tools being procured across various agencies, creating some redundancies and some underutilization.

  • Thomas McClellan

    Person

    It's just, it's the nature of doing a disparate system procurement. The procurement process, while providing options, does not always allow for a comprehensive and cohesive security architecture, which defeats some of the objectives of full consumption of the tools that are being deployed.

  • Thomas McClellan

    Person

    Maximization of tools, the adoption, utilization of the tools that departments have already procured represents another opportunity for improvement. We see departments that are not fully leveraging the features, and this is what I was talking about, and the functionalities of the tools they have.

  • Thomas McClellan

    Person

    And sometimes this is due to a lack of awareness of the full scope of the tool's capabilities beyond their immediate intended use. We also see that sometimes tools are procured solely to address specific findings from an audit. And once those findings are closed, the tool's broader potential is often left unexplored.

  • Thomas McClellan

    Person

    Finally, there's a skills gap, and I'll revisit this in my comments later on. There's a skills gap. The issue of expertise is a significant contributor. There are just not enough qualified cybersecurity workers out there.

  • Thomas McClellan

    Person

    And so when you begin to look at a panoply of different solutions that an agency might procure, that means you need to have somebody who is skilled on each one of those things to make sure that you can deploy them effectively and to their fullest capability. We at Palo Alto, we have tools.

  • Thomas McClellan

    Person

    We have teams that actually work, customer success teams that work directly with the customers to help kind of remediate some of those gaps.

  • Jacqui Irwin

    Legislator

    Okay, so it's. Did you have questions, too? So you listed three different items. Lack of awareness. And I think, interesting, the response to an audit, that's very perturbing. Oh, there's an audit, let's buy a tool and take care of that criticism. And then the skills gap.

  • Jacqui Irwin

    Legislator

    So can you talk a little bit more about what should companies be doing? And I think the other thing you mentioned is purchasing redundant tools. So do each of these departments or agencies have, I guess it's varying levels of expertise, that know how to integrate all these different tools? Is that what you see as one of the issues?

  • Thomas McClellan

    Person

    Yes, and it's not endemic just to California. It is a universal problem right now. In fact, in my next bullet points, we talk about there being about 500,000 missing professionals in the US workforce alone.

  • Thomas McClellan

    Person

    And the reality is you're not really going to be able to train your way out of that skills gap. And so you need to begin to figure out what are the different ways to do it. And I'm in no way, shape or form saying that we should not be working to train the next generation of cybersecurity workers.

  • Thomas McClellan

    Person

    What I'm saying is that the gap is so significant, and the pay disparities between a private sector company and a state agency or organization, notwithstanding local municipal governments, are so massive that it's hard to retain and keep reskilling qualified workers.

  • Jacqui Irwin

    Legislator

    And I guess maybe both of you might have comments on that.

  • Jeff Brown

    Person

    I have a slightly different perspective coming as a practitioner, which was really that I had a small team and it was difficult to attract and retain talent, it was difficult to pay market rate. So we spent a lot of time training people because three years goes by and now they're three years smarter.

  • Jeff Brown

    Person

    So that's something that I think training is really important. I think that it is something that we want to encourage. You know, that said, I mean, I think when we look at under utilization kind of things, there's a lot of reasons for that. First of all, there's so many different things that a security group needs to do.

  • Jeff Brown

    Person

    Some of them are responding to audits very tactically. We bring in new tools and we don't train people, we don't operationalize the tools right, because a lot of times we bring in a tool, we don't operationalize it, we don't have people checking it day to day, things like that.

  • Jeff Brown

    Person

    Because a lot of times you just don't have the right number of people. We typically will try to find people who are interested. We train them up. Microsoft offers a lot of free training. We do free on-site things, we do free online things.

  • Jeff Brown

    Person

    We have one of the biggest course catalogs I've ever seen in IT. So all of those things are important. We also kind of see it sometimes that there's opportunity costs. So you may deploy a tool and then a bigger problem comes by. So now you're focused on different things.

  • Jeff Brown

    Person

    So I think just the sheer amount of problems that a cybersecurity group needs to deal with can definitely explain: we purchased the tool, things changed, and now we have to maybe revisit it in the future.

  • Drenan Dudley

    Person

    And I agree, I think on the skills front there aren't enough people to do cyber jobs. So we've got to figure out a way to make sure that we're not only recruiting people into the cybersecurity space, but also training them for the job that's going to be there when they're in the workforce.

  • Drenan Dudley

    Person

    Because a lot of times we train for what we need right now, and in the cyber world that's just not sufficient because, you know, things are going to change really quickly. So we need to be making sure that we're looking down the road.

  • Drenan Dudley

    Person

    Particularly with the advent, I mean it's a technology hearing, so you got to mention artificial intelligence. Particularly with the advent of artificial intelligence. That's really going to change the dynamic on what our workforce needs to look like.

  • Drenan Dudley

    Person

    And so we need to be thinking about that now and planning for it so that we're ready to be training people in the right way for the right jobs. So I think that's really important and I agree. I think a lot of times it's like what they need to be focused on can be very different.

  • Drenan Dudley

    Person

    I also wanted to add one other comment and in terms of resolving the gap of utilization and I think that means that often we think of like oh, that's an IT job or that's an over there problem that only people who code and implement know how to do. We've seen some of the most successful activity happen.

  • Drenan Dudley

    Person

    And this is, you know, when I worked in the Office of the National Cyber Director, when I was on Appropriations, and at Zscaler. When you involve the whole team, so what does that mean?

  • Drenan Dudley

    Person

    You need to make sure that your budget people and your procurement people are up to speed on what it means to purchase cybersecurity tools in a way that really are going to get implemented and that they're expecting changes.

  • Drenan Dudley

    Person

    I remember when I was on the Appropriations Committee staff, I was like, when are we going to be done paying for this so that we can move on to pay for other things? Well, you're never going to be done paying for cybersecurity. You just need to be smart about it.

  • Drenan Dudley

    Person

    You need to think about ongoing models, you need to think about adoption. And great. This hearing is great because you're thinking really about, like, how are you wringing every single bit of productivity out of the products that you have. And so I think that's really important. So get your budget and procurement teams up to speed.

  • Drenan Dudley

    Person

    Make sure that the IT folks are talking to them regularly. I think also making sure that the user of the product is involved in the process right from top to bottom. So if you're employing something at, be it a health care organization, transportation, if you're thinking about child protective services, having the customer, the person who's using the product, really understand what's at risk for their business.

  • Drenan Dudley

    Person

    A lot of times again, we think, oh, I got to spend IT dollars, which is a dollar taken away from my mission. Well, when you're talking about child protection, of course you want to spend every single dollar that you can on the mission. I don't think anyone questions that.

  • Drenan Dudley

    Person

    But in today's interconnected world, you're not going to be able to deploy the mission without investing in technology and the security of when you're talking about, you know, personal identifiable information or children that are vulnerable, that can be something that really becomes a part of the mission.

  • Drenan Dudley

    Person

    And so making sure your budget and procurement people are read in and bought in, I think, is probably a key. Making sure that the customer knows why they're doing security of their data and how critical it is to their mission. And then I'd be remiss if I didn't mention emergency management, given the hearing and all of your leadership on this.

  • Drenan Dudley

    Person

    I think also knowing that when a bad thing happens, whether it's a technological bad thing or a physical bad thing, you're going to need your IT folks ready to really engage in this, not only in how are we going to respond to this bad thing that happened, but also on the dependencies that exist in advance.

  • Drenan Dudley

    Person

    And so if you're making a business case for cybersecurity, particularly at state agencies, I think one of the things that really resonates for people who are interested in this kind of thing, like you guys, is making sure that we can mitigate the bad thing from them, that you get services on as quickly as possible. And that really takes a fundamental understanding of where the dependencies are.

  • Drenan Dudley

    Person

    So incorporating, we often think of partners in IT deployment as the vendor and the IT team, but there are so many other people that need to be involved in that conversation to really make the full case and to get full utilization that I think finding a way to incorporate all those other elements are going to be really key.

  • Jacqui Irwin

    Legislator

    Like that. And bringing in, I think one of the key things you mentioned is making sure that the person that's going to be using the tools has buy-in from the very beginning.

  • Jacqui Irwin

    Legislator

    And then another point that we've been hearing, whether I'm at NCSL or a hearing here, we're constantly hearing how difficult it is to hire technical employees. And then especially at the state level, I mean, the private sector is hiring, is paying more, and even if somebody has some state experience, I think often they're pulled to the outside.

  • Jacqui Irwin

    Legislator

    So it becomes very critical to train up the employees at the agencies. And so do you think that that is more of a job for these outside groups like you? I mean, it sounds like you all have training programs or is it also up to the agency to keep their skills fresh?

  • Thomas Maclellan

    Person

    I think it's a partnership. And you know, we describe ourselves as a cybersecurity partner of choice.

  • Thomas Maclellan

    Person

    And when you look at training and when you look at how fast the tools are evolving, whether it's through artificial intelligence, whether it's through discovery of different nation state attackers, different threat vectors, keeping your customers up to speed on that has to be job one. You've got to be a partner in this.

  • Thomas Maclellan

    Person

    And so the training has got to be a push me, pull me. We provide training, we do constant work with their agencies to help them understand new functionality and let them understand where and how they can turn those things on to deal with the latest and greatest threat that's out there.

  • Thomas Maclellan

    Person

    Likewise, we also provide training free of charge. We call it the Academy, Cyber Academy, where we provide to higher ed, K-12, post-secondary curricula on helping the new generation of cybersecurity workers know how to use Palo Alto's tools in a way that makes them marketable, so they can walk into a place and know that.

  • Jacqui Irwin

    Legislator

    I wanted to give people a chance to ask some questions. I have some more later, but do you have some?

  • Stephanie Nguyen

    Legislator

    I do worry about the workforce component of things, as you were mentioning, and you're right. I think Madam Chair talked about how at the state level, we do lose them to the private sector. Right. And so, there's got to be a way, we have to ensure - this is an up and coming.

  • Stephanie Nguyen

    Legislator

    You know, cybersecurity is a big, big thing. It's going to impact all of us. And we have to do everything we can to ensure that we have a workforce that is going to be able to take on this as we grow. And so, I appreciate you all being here. Thank you, Madam Chair, for pulling this together.

  • Stephanie Nguyen

    Legislator

    I have to run back. I have another committee I have to sit on, but I have staff watching this at the office as well, too. So, if we have any other questions, we'll get it over to Madam Chair here and then I think we'll get it answered then. Thank you.

  • Jacqui Irwin

    Legislator

    Thank you, Assemblymember Nguyen. I'm sorry, Chair.

  • Rhodesia Ransom

    Legislator

    Again, thank you so much for being here. And I know you've talked kind of vaguely, and I don't know if that's on purpose, in regards to, like, the tools, because, you know, we've definitely talked about the utilization and the need for employment.

  • Rhodesia Ransom

    Legislator

    So, I'm wondering if you can kind of share with us what some of the biggest risks are that we're trying to solve with the tools and products that you provide and what are the, if you can just very briefly, what are the top features, if you're able to do that?

  • Rhodesia Ransom

    Legislator

    I didn't know if you didn't want to like share any big secrets, because we know that when we're talking about governmental institutions, we're talking about information systems, we're talking about financial systems, infrastructure safety. There's so many things that are now in the cyber world that used to be very manual.

  • Rhodesia Ransom

    Legislator

    So, if you can kind of share with us, if there's any information that you have, that would kind of show some of the top risks that you are using these tools for - to protect us from, you know, there's ransomware, things like that. I just think that would be very helpful for us as well.

  • Thomas Maclellan

    Person

    I'll take the first crack at that, if that's all right. And I'll give you two answers. One, our attack surface management tool is called Expanse. So, what Expanse does is trawl across 98-99% of the publicly facing Internet.

  • Thomas Maclellan

    Person

    What the bad guys can see of agencies and organizations to identify vulnerabilities and threat security risks that the bad guys can see. We often will go into different organizations, and we'll do an Expanse scan run and say, "Hey, how many things do you have connected to the Internet that you were aware of?"

  • Thomas Maclellan

    Person

    And they may say, and I'm not going to say the agency, but it's a very large agency, and they said 100 million. And this is not in California; this is another agency. And we went in and did an Expanse run and it was 300 million. You cannot defend what you can't see.

  • Thomas Maclellan

    Person

    And that was a very sophisticated organization. And we often find that kind of two-to-one ratio holds with different organizations. That is a real and evident threat to any organization's cybersecurity.

  • Thomas Maclellan

    Person

    Not knowing what's out there, not knowing that you have an unpatched vulnerability that an actor, a bad actor, can find in minutes and exploit it in minutes. When you - the biggest change, you talk about threats; the biggest change that has taken place in large part because of the role of artificial intelligence is the speed and the scale and the velocity of the attacks going out there. Whereas a couple years ago it was days or weeks to exploit, now it's minutes.

  • Thomas Maclellan

    Person

    And if you don't have a system that can identify something that's been put on the internet that exposes an organization, it is - you just can't keep up. If you can't, we call it mean time to detect, mean time to respond.

  • Thomas Maclellan

    Person

    As policymakers, that's the fundamental question you need to be asking people: what's our mean time to detect? What's our mean time to respond? Nothing else really matters. However you make the sausage, that's the most important thing.

  • Thomas Maclellan

    Person

    The second thing I would say is that when you look at our incident response report, it highlights that in 75% of major breaches, logging data existed that should have alerted defenders to anomalous behavior, and that is the challenge with these disparate systems.

  • Thomas Maclellan

    Person

    It's so hard to see across the different solutions that are out there to get that identification, to find the signal from the noise.

  • Rhodesia Ransom

    Legislator

    Thank you.

  • Drenan Dudley

    Person

    Yeah, and I, you know, doubling down on some of those messages, I mean, California, with the fourth largest economy in the world, congratulations on going from 5 to 4. You've got a ton of data that people are interested in. So, data loss is something that I think is a concern for everybody.

  • Drenan Dudley

    Person

    Not only personally identifiable information that can do harm to citizens, but also information about upcoming decisions that are going to be made that might change and influence what ultimately happens so that California's economy is protected. It is hard sometimes to get real specific about what is the bad thing that could happen.

  • Drenan Dudley

    Person

    And I think data loss is one of the key things there.

  • Drenan Dudley

    Person

    We also know that a lot of nation state actors really want to make sure that they know that their presence is here and they're finding ways to do that in cyberspace because they want to use it as a way to exert control over us in the future.

  • Drenan Dudley

    Person

    And so, I think between data loss and also just being present so that they can use it for whatever means, they want to sort of push their geopolitical power around later are key. So that goes back to, I think, our data loss prevention products that we offer. Also, private access meaning let's shield what people are doing regularly.

  • Drenan Dudley

    Person

    So, the attack surface just gets smaller. That lessens the ability for the bad guys to come in and exfiltrate that data and see what's happening there. And then also as traffic is flowing, right, Zscaler sees 500 billion actions a day.

  • Drenan Dudley

    Person

    That's because each time you're moving your ones and zeros around to figure out where you're going, somebody else might be able to have access to that too. And so, you want to minimize that to the biggest extent possible.

  • Jeff Brown

    Person

    I'll try to give a brief answer. Microsoft fits into almost every single phase of the Cal Secure project. That really means that we have multiple products that do multiple things, not only from the network level, but also from the data level and from the identity level.

  • Jeff Brown

    Person

    So, we really, you know, in a world where people can work from anywhere, in a world where people are traveling all over the place, we don't just see kind of the moat model, we actually see a data model, an identity model. So, who you are gives access to, what you can do, things like that.

  • Jeff Brown

    Person

    So, it's actually very complicated. But we do have a lot of different products across multiple spectrums in compliance, in privacy, and in cybersecurity, both on the network level, on the data level, and just about any other level that you can think about. So that's sort of the short answer.

  • Jacqui Irwin

    Legislator

    Thank you. Assemblymember Gonzalez.

  • Jeff Gonzalez

    Legislator

    Thank you, Madam Chair. You know, one of the things that I look at is utilization and the vulnerability within the utilization, or the vulnerabilities across the board.

  • Jeff Gonzalez

    Legislator

    IoT: when we're looking at all the different products and nodes across the board, you know, a lot of us might think that it's only the computer, right, that you're protecting. Can you talk to - it's been my experience the other products that are not the computer, that are also vulnerable, and what your products do to protect against that?

  • Thomas Maclellan

    Person

    I'll take that first then. So, I'll give you one example, and we've got plenty. First off, we protect the majority of the world's largest utility providers, which include Internet of Things devices and OT, operational technology, devices that turn things on and off. We are working with a number of states right now around departments of transportation.

  • Thomas Maclellan

    Person

    So, when you think about IoT, you drive down the road, there's a red-light camera, there's a camera that's controlled, there's a light, a traffic light that's controlled by something. They're the, I don't know what they call them in California. I'm from Maryland.

  • Thomas Maclellan

    Person

    So, the lights that turn on and off and let people go on the highway, all those things are run by IoT Systems. We are currently working with a state, I can't say the name of the state, but where we ended up replacing, hardening, 30,000 Department of Transportation devices that were easily exploited.

  • Thomas Maclellan

    Person

    Those devices lead directly into the state network. And so, when you begin to think about the whole world of IoT beyond things just like water, think intelligent transportation. We've got FIFA coming up, we've got the World Cup.

  • Thomas Maclellan

    Person

    When you think about all the ancillary systems that are going to be involved, the bad guys are going to be looking for that kind of stuff. And so, we have technologies that work specifically on the IoT connections.

  • Jeff Gonzalez

    Legislator

    Well, that's where I was going to next. Right. We have major events coming up, and my question is not only for military departments, but everyone in between: are we prepared for the eyes of the world looking in on California? Because we want it safe, we want a great event, no issues. Right.

  • Jeff Gonzalez

    Legislator

    And if we're not, where are we? But if we're not, do we have the capability to protect against it within the vendors that we currently have?

  • Thomas Maclellan

    Person

    I would say yes. I think you do have that capability there. I absolutely think you've got the capability there. There's two challenges and I don't want to take any more of your time. There's two challenges. One is you have disparate systems that don't work well together.

  • Thomas Maclellan

    Person

    You have best-in-breed solutions that just don't give you that single pane of glass. The other is that you have haves, and you have have-nots.

  • Thomas Maclellan

    Person

    You have the City of LA, but you have all of those other little counties, all those other little cities, all those municipalities that feed in together that at some level will have something to do with the World Cup. Any approach that you can take to create a whole-of-state approach is a good thing.

  • Thomas Maclellan

    Person

    It has to become a team sport, because the bad guys are definitely treating it as a team sport.

  • Drenan Dudley

    Person

    I do worry about the seams. You know, when you start getting between jurisdictions and trying to protect a large area for an event where multiple entities have the responsibility for security of that event, you create seams. And so, making sure that there's a way to sew those up, I think is important.

  • Drenan Dudley

    Person

    There are plenty of offerings, I think, you know, again, thinking about just in general internet access and making sure that that's being protected, that's really where you're going to get the bang for your buck and the security on that front, because if you have the Internet access secured, then whoever's on, from whatever part of the network they're on, you're going to sew up those seams.

  • Jeff Gonzalez

    Legislator

    And I would encourage the Chair, and actually both Chairs as we go through the planning of - I know there's another committee on the Olympics that we could get info as well to make sure, just from our eyes, right, that we are supporting them accordingly.

  • Jeff Gonzalez

    Legislator

    I've seen things go bad, and I hate to see things go bad. And if we can get people together to work as a team to make it a flawless event as best as we can, and if we have this committee like this, why not be able to bring the right players to say, "We're all here to help."

  • Jeff Brown

    Person

    If I could just add a little bit. So, we have specifically a product called Defender for IoT. That's great. But we also look at things very holistically, so we don't just want to say there's a Defender for everything, there's a product for everything. Usually, an IoT device is protecting a database in the back end. Right.

  • Jeff Brown

    Person

    So, we have all of that kind of stuff. And then AI being able to talk to all of that, because what happens is people deploy too many tools, they don't talk to each other. And then once we start introducing things like AI, now you can start to get a better picture of things.

  • Jeff Brown

    Person

    And AI helps us to upskill both the junior people in the SOC, as well as making the more senior people in the security operations center a little bit more productive.

  • Jacqui Irwin

    Legislator

    I want to just ask a little bit more about AI. I think if we looked years ago at when we started cybersecurity, everything, you would have a breach, and then somebody might have to patch it manually. And now you're talking about millions of vulnerabilities, and then the bad guys have the same.

  • Jacqui Irwin

    Legislator

    They have the ability to find those vulnerabilities very quickly. But now we're moving into AI with cybersecurity; are we able defensively to stay ahead of the new offense that is made possible with AI?

  • Jeff Brown

    Person

    I'll start with that one. I think the short answer is yes, but CISOs need to embrace it. A lot of times new products like AI tend to get people a little bit nervous. We're actually looking at things. We have a tool called Security Copilot, which is a good example. It actually has agents.

  • Jeff Brown

    Person

    These agents can do simple things like triage a phish. I used to have a single person that could triage a phish. Somebody says, "I have a phishing email. I'm nervous. I shouldn't click on the link." I had one guy who could look at that. Now we have agents that can look at that.

  • Jeff Brown

    Person

    And it does it really well. We have one for phishing, we have one for data loss prevention. We have one for each of these things. And it's going to - we always say human in the loop. So, we don't necessarily say, just turn AI on, everything will be fine.

  • Jeff Brown

    Person

    But what it does do is it tends to make the junior people uplift them and the senior people more productive. So, I think it's something that is really going to help a lot and it's also going to be able to help us respond at speed.

  • Jeff Brown

    Person

    As a CISO, I can tell you I had 1, 2, 3 holidays in a row. Every single one, Friday afternoon. That's when they're attacking. Absolutely. You have to have 24/7 coverage, and the quicker you can respond, the better. I think we've already talked about the time to detect, time to respond.

  • Jeff Brown

    Person

    I mean, it has to be seconds and minutes. It can't be hours and days.

  • Drenan Dudley

    Person

    I think that's right.

  • Drenan Dudley

    Person

    There are a lot of states who are now starting to find, that are serving as good models for how to pull together, an artificial intelligence process so that they're evaluating the tools that are coming in that they need to use and they need to think about and also how to evaluate when AI is a component of the tool.

  • Drenan Dudley

    Person

    So, I would just say that as states continue to figure this part out, there are a lot of good models out there for people who are experimenting with it.

  • Thomas Maclellan

    Person

    So, we're looking at AI in - I cut you off, I apologize if I did. We're looking at AI really kind of in four different buckets. And I do - AI is already here. And in your comments, why are we getting ready for it?

  • Thomas Maclellan

    Person

    First off, AI has been part of the Palo Alto stack for the last dozen or more years. So, there's four ways that AI is changing cybersecurity. One, the attack vectors: just as I said, the size, the scale, the velocity of attacks. Leveraging AI by the bad guys is just doubling. On the defender side,

  • Thomas Maclellan

    Person

    we cannot do what we do as the world's largest cybersecurity company out there without it. Every day we're seeing 60 billion events. 30 of those are actual attacks. We winnow that down, leveraging all our artificial intelligence tools, to a handful.

  • Thomas Maclellan

    Person

    And we have 10 or 12 security operations specialists that are in our SOC, and they work nine to five. They go home at night. We have some coverage, follow-the-sun models; we have a bat phone if something goes wrong.

  • Thomas Maclellan

    Person

    But the only way they're able to defend is by leveraging all the aspects of artificial intelligence from a defender's capability. Third, or excuse me, third: one of the things that we also focus on as a company is protecting artificial intelligence systems themselves. Junk in, junk out.

  • Thomas Maclellan

    Person

    We were able to jailbreak DeepSeek, and we published that. So, the artificial intelligence systems that are being used, are they being used appropriately? Can they be defended? Can we protect the data that goes in and comes out?

  • Thomas Maclellan

    Person

    Finally, the other thing that we're working with customers on, including here in California, is helping agencies understand what their artificial intelligence footprint looks like. I did a panel a couple months ago with a number of state people. Well, we're debating whether or not we can adopt AI in our business day to day.

  • Thomas Maclellan

    Person

    And the answer is, you already are. You just don't know it. You may not know it, but it's already being used. So, you take, you take ChatGPT, you take any, any AI engine you want. People may be uploading PII into that to get answers to help drive efficiency.

  • Thomas Maclellan

    Person

    Our goal at Palo Alto is to help organizations use AI as an innovative tool, but safely.

  • Jacqui Irwin

    Legislator

    All right, and then before we wrap up, I just want to ask, and this is probably for you, Mr. Maclellan, because you did talk about a gap between different state agencies and their utilization of tools; there are some that are very successful and fully utilizing and have good plans in place to protect their data, protect from breaches.

  • Jacqui Irwin

    Legislator

    And then there's some who are slower to adopt. So, what are the characteristics of, like, leadership in those agencies that are adopting and fully utilizing and providing the training for their employees? Is it driven by the CISO, the leader? I mean, what is it that really predicts success?

  • Thomas Maclellan

    Person

    Again, I would say it's a team sport. You definitely need leadership. As a former CIO or CISO in Connecticut, it all starts with leadership. I spent years working with governors on helping them understand what cybersecurity is, what it means, why it's not an IT issue, why it's a business issue.

  • Thomas Maclellan

    Person

    I think the other thing, and I'm beginning to see more and more of this that's making, you can see good organizations versus great organizations, is those that take an unbiased, realistic, callous eye to what their systems are and what their investments are. You're investing in buying down security.

  • Thomas Maclellan

    Person

    You're investing to try to improve your mean time to detect, your mean time to respond. We call it business value consulting, where we sit down with organizations and we say, "What are you investing in? How does that fit within NIST zero trust? How does that fit within Cal Secure?

  • Thomas Maclellan

    Person

    Are you getting the results that you're actually paying for?"

  • Jacqui Irwin

    Legislator

    Do we have any other?

  • Drenan Dudley

    Person

    I just want to say thank you very much for holding this hearing. I think it's just so important.

  • Drenan Dudley

    Person

    One of the key things that I failed to mention earlier about what I think helps solve that gap in utilization is, you know, high levels of government calling attention to the issue and really making sure that everyone at every level knows that people care about this, that it's important, and it gets the focus that it has.

  • Drenan Dudley

    Person

    So, both of your leadership and everyone on the panel's leadership to just make sure that this continues to get the light of day is really important.

  • Jeff Brown

    Person

    Yeah, I might just add to that that part of working with state government is that it takes time. So, you know, we're working very closely with the State of California. We've seen double-digit growth year over year. There's still some room to grow; we're still growing. A lot of that takes partnership.

  • Jeff Brown

    Person

    It takes sitting at the table. It takes understanding what the issues are. It takes understanding what some of the other challenges are of getting there. And in a lot of cases, it also takes people's focus. Right. There's just so many things that we have to do as cybersecurity professionals, and it really is about focus, learning, and growth.

  • Jacqui Irwin

    Legislator

    Agree with all that. And you were talking about investment, and we have been really, our office has always been pushing on cybersecurity investment and unfortunately, it's, you know, this is all defense and it's not the, it is very difficult to get people interested in that area until there's a big breach.

  • Jacqui Irwin

    Legislator

    And so, I think it's so important to continue to elevate the conversation and make sure that we are explaining the costs, the potential costs to state agencies of or infrastructure or cities or counties of big breaches. So, hope that all of you continue to preach. And we really appreciate you joining us this afternoon.

  • Jacqui Irwin

    Legislator

    Do you have any final words, Assemblymember?

  • Rhodesia Ransom

    Legislator

    Not much to add. Just thank you for your attention to the needs of the state and what we need to do. As you know, clearly folks get more sophisticated in their approach. I appreciate hearing that you all are matching the same ability to expand what you're doing.

  • Rhodesia Ransom

    Legislator

    So, we're just here to be able to educate the community a little bit more, educate ourselves a little bit more about not only what's happening, but what's needed. So, thank you very much for being here.

  • Jacqui Irwin

    Legislator

    Right. Okay. All right. Thank you very much for joining us this afternoon. All right, we are going to move on to our second panel, and as they come forward, I will start the introductions.

  • Jacqui Irwin

    Legislator

    We are pleased to be joined by Lt. Col. Mikael Magnuson, the Chief of the Cyber Defense Network Team, Jared Johnson, the Chief Deputy Director of the Department of Technology, Douglas Novak, the Chief State - the Deputy Chief State...Chief Information Security Officer with the Department of Technology. Sorry about that.

  • Jacqui Irwin

    Legislator

    And Jonathan Snow, Deputy Director of Homeland Security with Cal OES. So, thank you again for joining us. And our first question is for CDT. CDT conducts information security audits for state agencies and departments. These audits evaluate compliance with state security and privacy policies by validating that security systems, procedures and practices are in place and working as intended.

  • Jacqui Irwin

    Legislator

    Can you discuss generally if trends from audits support the conclusion that cybersecurity features and vendor products are being underutilized?

  • Jared Johnson

    Person

    Good afternoon, Chair Irwin, Chair Ransom, members of the committee. I do have prepared opening remarks that might be helpful in setting some context.

  • Jacqui Irwin

    Legislator

    Yeah, why don't we start with that? If everybody would like to give their opening remarks. I probably should have started with that.

  • Jared Johnson

    Person

    That's okay. Thank you. I wanted to follow your lead on this. Good afternoon. Thank you for the opportunity to speak with you today about cybersecurity in the State of California. My name is Jared Johnson, and I am the Deputy State Chief Information Officer and Chief Deputy Director for the California Department of Technology.

  • Jared Johnson

    Person

    Also joining me today is Mr. Doug Novak, the Deputy State Chief Information Security Officer. The California Department of Technology is responsible for the oversight and maturity of cybersecurity for the State of California's Executive Branch.

  • Jared Johnson

    Person

    The work that is done within CDT's Office of Information Security is critical to the state's protection and overall approach to enhancing the state's cybersecurity capabilities. CDT accomplishes this by setting statewide security policies and standards, conducting audits and assessments and independent security assessments, and supporting departments in strengthening their cybersecurity posture through shared services, guidance, and workforce development.

  • Jared Johnson

    Person

    We take a balanced approach that addresses people, process, and technology with an emphasis on maturing cybersecurity capabilities. This approach is reflected in Cal Secure, the state cybersecurity maturity roadmap, and Envision 2026, California's statewide technology strategic plan.

  • Jared Johnson

    Person

    Both are foundational components of the state's overall approach to cybersecurity and represent our deep commitment to preserving public trust by protecting the state's technology assets and, most importantly, our residents' data.

  • Jared Johnson

    Person

    CDT also maintains strong relationships with industry experts, local governments, schools, and the broader vendor community to share knowledge, stay abreast of the latest adversarial tactics, and develop strategies for mitigating risks.

  • Jared Johnson

    Person

    This collective knowledge and expertise helps CDT provide tailored support where it is needed most to help departments close gaps that may exist and reduce the overall risk to the state.

  • Jared Johnson

    Person

    CDT's oversight also includes close coordination with our core partners in the California Cybersecurity Integration Center, including the California Governor's Office of Emergency Services, California Highway Patrol, and the California Military Department. This coordination provides a broad and unified approach to cybersecurity and incident response across the state.

  • Jared Johnson

    Person

    At the core of California's cybersecurity strategy is a robust and evolving framework of statewide IT security standards and policies. These standards and policies, documented in the State Administrative Manual and the Statewide Information Management Manual, provide the foundation for consistent, measurable, risk-informed cybersecurity practices across all executive branch entities.

  • Jared Johnson

    Person

    These policies and standards form the backbone of the state cybersecurity governance framework, providing clear and evolving expectations, capabilities, and outcomes. They also allow the state to take a threat-based approach to protecting California's public sector systems and data, highlighting relevant priorities as the threat landscape evolves. These standards do more than set requirements.

  • Jared Johnson

    Person

    They serve as a roadmap for building cybersecurity maturity. By establishing clear expectations, providing meaningful support, CDT statewide standards not only improve individual agency resilience, but they also help raise the bar for cybersecurity across the entire state ecosystem, protecting Californians and the services they rely on every day.

  • Jared Johnson

    Person

    As cyber threats evolve and grow more sophisticated, CDT must not only measure compliance but also enable the departments to adapt and mature. We have made significant strides in measuring state entity resiliency, completing an additional 48 high risk audits covering all state entities.

  • Jared Johnson

    Person

    Additionally, CDT has updated Statewide Information Management Manual standards to address emerging threats, such as phishing and endpoint vulnerabilities, ensuring alignment with federal guidelines. CDT also provides shared services that are infused with security, technical, and workforce development standards and best practices.

  • Jared Johnson

    Person

    These services strengthen and advance cybersecurity maturity across state entities, resulting in measurable, safe, secure and resilient services delivered to all. Lastly, CDT remains committed to developing a world class cybersecurity workforce, recognizing that people are the cornerstone to effective cybersecurity in California.

  • Jared Johnson

    Person

    Through the Information Security Leadership Academy, over 200 information security officers and professionals have received hands on training in risk management, incident response and compliance. Many graduates now serve as Chief Information Security Officers, Chief Information Officers, and Cyber Advisors.

  • Jared Johnson

    Person

    Beyond this academy, CDT also hosts the annual California Cybersecurity Education Summit with Cal OES, California Highway Patrol, and the California Military Department, bringing together public and private sector leaders to share best practices, discuss emerging threats, and foster workforce development. In 2024, the summit attracted hundreds of attendees including top national security experts and advisors.

  • Jared Johnson

    Person

    This concludes my opening remarks, and I would like to turn it over to Mr. Doug Novak.

  • Douglas Novak

    Person

    Thank you, Deputy Director. Good afternoon, Chair Irwin and Chair Ransom and members. My name is Doug Novak. I am the Deputy State Chief Information Security Officer for California Department of Technology.

  • Unidentified Speaker

    Person

    I would like to provide more detail on the state's cybersecurity efforts, namely how we measure risk and promote security. CDT employs a robust framework to baseline and measure cybersecurity risk across state entities, primarily through California Cybersecurity Maturity Metrics Program. This program provides an objective evaluation of each entity's information security program effectiveness across the state.

  • Unidentified Speaker

    Person

    It assesses entities against standards and metrics aligned with the National Institute of Standards and Technology frameworks, as well as how effectively they govern their information security programs. These metrics enable CDT to identify gaps in security postures, prioritize high risk entities, and track progress over time.

  • Unidentified Speaker

    Person

    The California Cybersecurity Maturity Metrics Program underwent a major update on July 1, 2025, transitioning to NIST's newly released Cybersecurity Framework 2.0. Starting in fiscal year 2025-26, independent security assessments and audits conducted by CDT and the California Military Department will align with this updated framework, incorporating modern security controls and adaptive best practices.

  • Unidentified Speaker

    Person

    The NIST Cybersecurity Framework 2.0 reflects a stronger emphasis on governance, measurable outcomes, and maturity. By adopting this new framework, CDT has demonstrated an ongoing commitment to continuous improvement and reinforced our expectations that departments implement current, effective cybersecurity strategies and capabilities.

  • Unidentified Speaker

    Person

    CDT's independent security assessments, also known as ISAs, have evolved as well and remain an important aspect of our risk identification strategy. ISAs provide an external, objective evaluation of an entity's implementation of technical security controls and performance, identifying vulnerabilities and gaps that may not be detected through internal audits.

  • Unidentified Speaker

    Person

    For example, ISAs conducted by our third party assessors have been instrumental in measuring effectiveness and security control adoption, particularly in the areas of network security, endpoint protection, and incident response capabilities. These assessments complement CDT's internal audits, which focus on compliance with the state's security policies, such as requirements for security awareness training or governance of vulnerability management programs and plans.

  • Unidentified Speaker

    Person

    CDT also baselines and measures risk through quarterly updates to departments' plans of action and milestones, which document identified risk, remediation plans and resource constraints provided by the entity, and system security plans collected through the California Compliance and Security Incident Reporting System, which document the implemented security controls around the state's critical systems.

  • Unidentified Speaker

    Person

    These metrics allow CDT to aggregate and correlate data to paint a holistic picture of the state's cyber landscape. CDT also conducts 24/7 continuous internal monitoring for nearly 110 departments and programs via our Security Operations Center as a Service, also known as the State SOC.

  • Unidentified Speaker

    Person

    This continuous monitoring approach has shifted from a point in time review to real time scanning of networks, reducing exposure to threats by enabling early detection of anomalies and faster response times. This proactive approach significantly improves the state's ability to contain incidents before they escalate and produce objective metrics and threat intelligence.

  • Unidentified Speaker

    Person

    Continuous monitoring is essential for maintaining real time visibility into threats and vulnerabilities, especially during off hours when threat actors are the most active, to immediately detect and respond to anomalous activity. The State SOC program monitors the State's primary enterprise network 24/7/365, detecting and responding to threats in real time.

  • Unidentified Speaker

    Person

    The program capabilities have expanded significantly, now covering over a thousand adversarial attacks and techniques compared to 110 in earlier iterations, addressing 90% of commonly observed attack methods. The program sees a monthly volume of approximately 35,000 threat alerts processed, with 85% remediated in real time. This capability ensures robust protection for state entities and their critical systems.

  • Unidentified Speaker

    Person

    CDT has operationalized comprehensive advisory services to provide meaningful support to help entities close the gaps by assisting with remediation and risk treatment. Our advisory program assists our statewide risk program and provides tailored guidance to departments, helping them implement corrective actions and strengthen their security postures, attaining maximum risk reduction from their security investments.

  • Unidentified Speaker

    Person

    These services include technical assistance for configuring security controls, developing incident response plans and governance frameworks to align with the state's and federal standards. CDT offers step by step recommendations for remediation. This hands on support is particularly critical for smaller entities with limited resources, enabling them to prioritize high impact fixes without incurring prohibitive cost.

  • Unidentified Speaker

    Person

    By fostering this collaborative approach, CDT ensures that these remediation efforts are practical and sustainable, reducing the likelihood of recurring vulnerabilities. Recent efforts have resulted in a 15% increase in maturity scores in audits and assessments. These advisory services are pivotal in helping entities navigate complex compliance requirements and build resilience against cyber threats.

  • Unidentified Speaker

    Person

    We have conducted over 190 engagements within an 18-month period to help drive better security tool adoption. CDT has developed a transformative program to strengthen the protection of California systems through its Vulnerability Disclosure Program. This program. Excuse me. This proactive initiative engages independent security researchers to identify and report vulnerabilities before they can be exploited by malicious actors.

  • Unidentified Speaker

    Person

    The Vulnerability Disclosure Program adds an important layer of defense, enabling state entities to address weaknesses, implement security controls and patch systems that might otherwise go undetected. California's Vulnerability Disclosure Program is the largest of its kind in the state, covering ca.gov domains and serving approximately 150 public sector entities.

  • Unidentified Speaker

    Person

    While it began with a focus on Executive branch departments, it has since expanded to include Non Executive entities such as cities and local governments. Its broad scope ensures timely identification and remediation of risk across a wide range of public systems, which is why it has become a vital part of California's cybersecurity efforts.

  • Unidentified Speaker

    Person

    The effectiveness of the Vulnerability Disclosure Program is reflected in its strong performance metrics. In 2023 it received 2,729 vulnerability reports, including 236 identified as critical. In 2024 over 1,072 reports were submitted and more than 400 were remediated.

  • Unidentified Speaker

    Person

    These results are likely to save the state millions in cost avoidance, highlighting its effectiveness and importance in enhancing security for California. CDT is committed to protecting California's public sector through robust oversight, risk assessment and innovative services. Our work with ISAs, audits and the California Cybersecurity Maturity Metrics ensures that we identify and address gaps effectively.

  • Unidentified Speaker

    Person

    Our advisory service empowers the state entities to remediate vulnerabilities, while our collaboration with the Cal-CSIC strengthens statewide security operations. Through initiatives like the Information Security Leadership Academy and the Cybersecurity Education Summit, we are building a skilled workforce to meet future challenges. The State SOC signifies our commitment to cost effective, scalable solutions that uplift cybersecurity for all public entities.

  • Unidentified Speaker

    Person

    CDT looks forward to continuing our mission to ensure California remains a national leader in cybersecurity, protecting our residents and critical services from evolving threats. Thank you for your time, and we're happy to answer any questions.

  • Jacqui Irwin

    Legislator

    All right, thank you. And I always enjoy hearing about how far the Department has come in the last decade. And I also love when you're talking about independent security assessments because, of course, that was our bill AB 670, and you are fully utilizing it and complying, and we'd love to see that.

  • Jacqui Irwin

    Legislator

    Gentlemen, would you like to open and introduce yourselves?

  • Jonathan Snow

    Person

    Good afternoon, Madam Chair Irwin and Madam Chair Ransom and Members of the Committee. Thank you for the invitation to speak today. My name is Jonathan Snow and I'm the Deputy Director of Homeland Security within the Governor's Office of Emergency Services, which includes the California Cybersecurity Integration Center, or the Cal-CSIC, and the State Threat Assessment Center.

  • Jonathan Snow

    Person

    Since our codification by Assemblymember Irwin in 2018, the Cal-CSIC has become a thriving integration center that contributes to the cybersecurity posture of California.

  • Jonathan Snow

    Person

    The Cal-CSIC safeguards California's economy, critical infrastructure and public trust by reducing the likelihood and impact of cyber incidents. As the state's central hub for cybersecurity, we bring together government, private sector and critical partners to coordinate responses, strengthen defense and enhance resilience against evolving threats.

  • Jonathan Snow

    Person

    The Cal-CSIC is a clear demonstration of the value of interagency and private sector collaboration and the need for continuous learning due to the changing threat landscape. As you know, the Cal-CSIC is made up of the Core Four, CDT, CHP, CMD and Cal OES, which allows the Cal-CSIC to be a force multiplier for cybersecurity in California.

  • Jonathan Snow

    Person

    In 2021, Governor Newsom announced the development of Cal Secure, a multi year cybersecurity roadmap for California. Leveraging the expertise of the Cal-CSIC and its Core Four partners, Cal Secure enables the state to mitigate existing and future threats more effectively. At the Cal-CSIC, these growing capabilities include training, cyber intelligence, advisory services, digital forensics and incident response.

  • Jonathan Snow

    Person

    To support this collaboration, the Cal-CSIC facilitates and manages cybersecurity trainings. Each year since 2024, the Cal-CSIC has facilitated and managed at least 54 trainings. Beyond in class trainings, the Cal-CSIC offers educational opportunities which include advisories. These advisories share valuable cyber information with partners to enhance their preparation and cyber defense postures.

  • Jonathan Snow

    Person

    Since 2024, the Cal-CSIC has issued more than 200 advisories. Another capability of the Cal-CSIC is the recent development of our Cyber Advisory Team. This forward leaning team identifies achievable actions that outside organizations may take to improve the organization's cybersecurity posture.

  • Jonathan Snow

    Person

    These actions include enhancements to user network configurations, which can often be costly but are essential to cybersecurity posture. These are just a few of the examples of how the Cal-CSIC serves California and strengthens our resilience.

  • Jonathan Snow

    Person

    Just a bit ago we heard from our vendors who provided additional support to the State of California and this expanding cybersecurity landscape. Keep in mind the flexibility and innovation that Cal Secure provides in the growing cybersecurity maturity of the state agencies.

  • Jonathan Snow

    Person

    The choice to utilize private sector contracts is one that requires an examination of the needs and existing capabilities of our organizations. Within the Cal-CSIC, we strive to strike a balance between providing the necessary functionality for users and ensuring the security of systems across the state and their data.

  • Jonathan Snow

    Person

    Thus, it's not a lack of awareness that resulted in limited usage of some contracts or systems. Sometimes it's due to the duplicative nature of some of the tools within various systems. Other times it's due to the technical issues within system features. As private sector industries continue to implement cybersecurity to protect their architecture, users and applications and infrastructure.

  • Jonathan Snow

    Person

    There are lessons to be learned applying to our conversation here today. We at the State need to discern what option is the best for our current and future landscape. In some instances, limited functionality of a particular system is due to the lack of a state agency cyber maturity.

  • Jonathan Snow

    Person

    Yet currently there are reasons to limit software features for security purposes. One is reducing cyber attack surface. Every enabled feature in a software system presents a potential entry point or target for cyber incidents encompassing both digital and physical attacks.

  • Jonathan Snow

    Person

    This is because each feature introduces code and functionalities that can potentially contain vulnerabilities that the attackers could exploit. Thus, by disabling or restricting unused or non essential features, we can then reduce our overall attack surface and limit opportunities for bad actors to exploit vulnerabilities and gain unauthorized access to our systems and data.

  • Jonathan Snow

    Person

    Another reason state agencies and institutions may limit system features may be to minimize the complexity of the system and enhance user experience. More features often mean more complexity, making it harder to identify and manage security risks effectively, and limiting user functionality.

  • Jonathan Snow

    Person

    Despite the limited use of capabilities within some systems, the Cal-CSIC continues to respond to any agency or organization that requests our assistance to provide vulnerability assessments and incident response. One significant area to increase cyber education in California is the full-scale exercise called Cyber Dawn.

  • Jonathan Snow

    Person

    Through these events, the Cal-CSIC and its partners continually learn, develop and engage private and public sector partners on advanced cybersecurity issues. Cyber Dawn is a multi state, multi service cyber incident response exercise facilitated by the Cal-CSIC and the California Military Department.

  • Jonathan Snow

    Person

    This year was its sixth iteration of the exercise, the largest to date, bringing nearly 400 participants from 52 organizations together. This included 21 military units, 16 government agencies, four educational institutions, and 11 private sector infrastructure companies. 2026 will include additional state agencies.

  • Jonathan Snow

    Person

    Opportunities for collaboration among these experts are unique and highly sought after to best serve the people of California. The Cal-CSIC and its Core Four team continue to place an emphasis on personnel and system development, more importantly in these uncertain times. Thank you for your time, and I am available to answer any questions afterwards. Thank you.

  • Jacqui Irwin

    Legislator

    Thank you very much. Lt. Col.

  • Michael Magnuson

    Person

    Good afternoon, Madam Chair Irwin, Madam Chair Ransom. Thanks for inviting me to speak today. My name is Lieutenant Colonel Michael Magnuson. I am the Chief of the Cyber Network Defense Team. The California Military Department currently has over 60 service Members working full time in cybersecurity throughout the state, 27 of which are on my team.

  • Michael Magnuson

    Person

    34 work at Cal OES and 6 work at the Department of Technology. My team conducts independent cybersecurity assessments. As you know, ma'am, we conduct approximately 50 of those per year and have been doing them since 2017. In just the last four years, we've seen nearly a 50% increase in scores across agencies and departments.

  • Michael Magnuson

    Person

    And I just want to say we greatly appreciate your leadership in this space. To both of you. And that concludes my opening comments.

  • Jacqui Irwin

    Legislator

    Okay. Well, we had arranged questions, and a lot of your comments did answer them, but I will ask the questions that we had about underutilization. I think Mr.

  • Jacqui Irwin

    Legislator

    Snow went deeply into that issue, but I was wondering if anybody else had comments on these, on vendor software underutilization of cybersecurity features and what we might be able to do to improve utilization, if you haven't commented on it already.

  • Unidentified Speaker

    Person

    I'll take the question. Thank you, Madam Chair. I think we approach this not as a single set of tools that can address the state's deficiencies in cybersecurity. We have to take this from the perspective of evaluating the capabilities and the risks of individual entities and then, as I mentioned in my remarks, taking that balanced approach.

  • Unidentified Speaker

    Person

    So there are tools that can assist in an entity's cybersecurity maturity, but it also falls on process and people to make it a complete holistic solution. So oftentimes, training and awareness for employees of an organization can help address the gaps we find through our assessments.

  • Unidentified Speaker

    Person

    Oftentimes it can be process changes on how certain types of data are handled, how incidents are reported, and then it can be a tool solution. But CDT does not prescribe individual tools that should be used. We recommend to entities types of tools that might be helpful in improving their overall maturity.

  • Unidentified Speaker

    Person

    So our approach is less about looking at tools as the blanket solution for this problem and again, taking that balanced approach.

  • Jacqui Irwin

    Legislator

    And are you getting feedback from different departments, organizations on how those tools are working? Is there some way that across all these different state departments that there could be a repository of information on how tools are working?

  • Unidentified Speaker

    Person

    There are two things we do. We work with the individual vendors. Those are very important relationships for us, to look at and evaluate how tools can be an important part of the equation for addressing cybersecurity. And then, to my colleagues at Cal OES and the California Military Department talking about the increase in maturity scores.

  • Unidentified Speaker

    Person

    Oftentimes we can attribute that to the people, process and technology. And we'll find that departments do benefit and can share with us the benefits of certain tools to address certain gaps.

  • Jacqui Irwin

    Legislator

    Do you have any comments there?

  • Unidentified Speaker

    Person

    Yeah, I can speak to our SOC as a service. When we do onboarding for a Department, we're identifying their whole landscape and all their technology stacks, regardless of whether security related or not. And a lot of the vendors' products have a bit of overlap. So it could be a competing product or coverage.

  • Unidentified Speaker

    Person

    So if you turn everything on, it would be conflicting. And in the interest of not breaking business, we are very careful in what we recommend as far as what we turn on or what the Department turns on, and understanding their landscape, as far as most of the time they may not know everything in their environment.

  • Unidentified Speaker

    Person

    So when we do our process for onboarding, we do that discovery process and we do identify some of those competing areas, so we have to be very cautious about that.

  • Michael Magnuson

    Person

    I would just add two things. One is I do think that the increase in scores, specifically over the last four or five years, has really shown that agencies and departments are busy implementing solutions to the problems that they have. And I think it takes time.

  • Michael Magnuson

    Person

    Networks are complex and unique and so anytime that there's a solution at hand for a problem that you're having, it takes time to figure out how to implement it. And also protect the confidentiality, integrity and availability triad that's so important for data. So that's one thing.

  • Michael Magnuson

    Person

    And then I would say that for sharing of information across the different agencies and departments, I think Department of Technology has done a great job of setting up monthly meetings with agency ISOs or CISOs and quarterly meetings with all of the CISOs of all the departments so that they can share information and technologies and what's working and what's not working.

  • Michael Magnuson

    Person

    So we see wide adoption in some products and not so much in others. We stay product agnostic in our recommendations. But overall I would say that the increase in scores just shows that people are hard at work doing this work.

  • Jacqui Irwin

    Legislator

    And then we had talked a lot with the vendors about training of employees and how difficult it is to. I should start with how difficult it is to hire people with technical expertise and keep them, you know, they have to have a real passion for public service.

  • Jacqui Irwin

    Legislator

    Are you finding in, you know, these overlapping areas, issues with hiring people? And if so, do you have training programs in place? And I know some of you have mentioned it already, but I just wanted to pull it out because it is a concern.

  • Michael Magnuson

    Person

    Yeah, I can start with that on my team. Over the course of my five years of state service, my retention has been near 100%, which is outstanding. Very proud to say that. And I think that it has to do with dedication to service. I think that also we do provide an outstanding level of ability to train.

  • Michael Magnuson

    Person

    We do provide a lot of training to our Members and we need to because our salaries are obviously capped at Military Department salaries, which is what everybody expects. So we provide training and that adds a benefit.

  • Michael Magnuson

    Person

    And yeah, and I would also say that I think across the industry, more commercial industry companies are hiring people with more experience. And you know, at least on my team, we're willing to hire people that have a lot of experience, passion and dedication, but not so much experience and then train them up to it.

  • Michael Magnuson

    Person

    And so in that way, I don't think we have any trouble finding candidates. There's a lot of applicants for every position that we post. Mr. Snow.

  • Jonathan Snow

    Person

    So we are growing our staff and we put our staff through a very vigorous training program. I would say we really look for mission focused and encouraging them to be part of something. They get to contribute to a much larger effort. Protecting the State of California versus working at a private sector firm.

  • Jonathan Snow

    Person

    And we do use state-of-the-art private sector training facilities. We work with the private sector and, as I mentioned, in Cyber Dawn, where we can work with some of the best utility companies in the world, and our employees get to really get best practices and really get a one of a kind training.

  • Jonathan Snow

    Person

    And I think that's what makes it gel. And as CMD mentioned, it's the interaction they get to have with us that really offers a chance of public service, that they get to be part of something much bigger than who they are and contribute to our larger mission.

  • Unidentified Speaker

    Person

    Thank you.

  • Unidentified Speaker

    Person

    One of the issues we're seeing is due to the vendor products maturing so quickly. It's hard for our staff to be proficient on those new capabilities. So we do work closely with the vendors and we have great vendors in state to help fill that gap.

  • Unidentified Speaker

    Person

    You know, they come in and they work with us to really help train up our staff to meet their support level. So there is no gap.

  • Unidentified Speaker

    Person

    Thank you.

  • Unidentified Speaker

    Person

    I don't have much to add. My colleagues covered it. I would say public service is a mission driven career for many and so we do see that our cybersecurity staff are passionate about the roles and the jobs that they have with us. Cybersecurity skills are coveted.

  • Unidentified Speaker

    Person

    If I were to rewind my career 30 some odd years, I might consider a different career path knowing how coveted it is. But I think we do many of the things here. World class training, there's innovation on the cybersecurity front which is exciting for many people.

  • Unidentified Speaker

    Person

    But what we haven't mentioned is we also are partnering with our colleges and our high schools in fact, to be able to look at how we can recruit new and upcoming talent into the state workforce to help keep that flow of talent within the state and raising the interest early with those students so that they are interested in taking these jobs with us when they're available.

  • Unidentified Speaker

    Person

    It's a very important tactic we use as well.

  • Jacqui Irwin

    Legislator

    Thank you. And then my last question before I turn it over to my co chair, it's for OES and the Military Department. So for OES, where we have many shifting priorities at the federal level when it comes to funding and personnel as it relates to the Cal-CSIC and Cal OES's relationship with CISA.

  • Jacqui Irwin

    Legislator

    Can you provide updates on the availability of cybersecurity offerings like MS-ISAC and the state and local cybersecurity grant program, which I think I heard at my last cybersecurity meeting that that was being threatened.

  • Jacqui Irwin

    Legislator

    We heard that at NCSL, and any other changes that may enhance or put at risk the Cal-CSIC's ability to provide cybersecurity services to state and local entities.

  • Jonathan Snow

    Person

    So I'll try to answer all your questions. So the Cal-CSIC continues to work with federal partners including DHS and CISA, and we continue to have a very strong relationship, and we work with them. They visit our facility on a regular basis and we involve them in any major decision making.

  • Jonathan Snow

    Person

    But as you know, the Multi-State Information Sharing and Analysis Center, MS-ISAC, one of the most effective cybersecurity programs for states, was threatened.

  • Jonathan Snow

    Person

    In fact, funding was cut in late March, and then we were notified recently, as part of the NOFO for this state cybersecurity grant funding that was released in August, that it would not be eligible. So we are working collaboratively with those agencies.

  • Jonathan Snow

    Person

    And I will tell you, in California there are 1,352 California organizations who are currently enrolled in MS-ISAC. So we are trying to understand what their needs are and how to fill that with the lack of funding that's available.

  • Jacqui Irwin

    Legislator

    So how much funding was then cut?

  • Jonathan Snow

    Person

    On a federal level, they cut it for every state; that was a federally run program. So each agency signed up through the federal portal, not through the state. So when the funding was cut, all of those agencies are considered at risk. It expires September 30th.

  • Jacqui Irwin

    Legislator

    Yeah, that's great because you know we're seeing decreased cyber threats. So why don't we just decrease the funding?

  • Jonathan Snow

    Person

    Go ahead. So, as I did mention, the state and local cybersecurity grant was renewed. This is the fourth year. Oh, it was renewed and it was put forward. We just noticed a funding opportunity was filed on August 1, but this is the last year of the program.

  • Jacqui Irwin

    Legislator

    But that was. The program was supposed to end, right? Is it ending prematurely?

  • Jonathan Snow

    Person

    It was not ending prematurely. They continued the fourth year, but this will be the last year.

  • Jacqui Irwin

    Legislator

    That's unfortunate, because I would say the group that needs the biggest help right now are local cities and counties and special districts. All right, and then for the Military Department, as I said, we have shifting priorities at the federal level when it comes to funding and personnel.

  • Jacqui Irwin

    Legislator

    As it pertains to the California Military Department's relationship with DOD, can you provide any updates on future availability of specialized cybersecurity training for soldiers or other changes that may enhance or put at risk CMD's ability to provide expert services to the state?

  • Michael Magnuson

    Person

    Yeah, we don't. We don't see any impact at this time, ma'am.

  • Jacqui Irwin

    Legislator

    Oh, well, that is good news then.

  • Michael Magnuson

    Person

    Very short answer. All right.

  • Jacqui Irwin

    Legislator

    Okay. Chair Ransom.

  • Rhodesia Ransom

    Legislator

    Well, thank you all for being very prepared. A lot of the concerns you addressed in your opening remarks, so we really appreciate that. I have a couple of questions. One, in regards to, you know, the funding that is set to expire, a lot of state and local agencies are.

  • Rhodesia Ransom

    Legislator

    Are advocating, because it's very important, clearly, to the security of our government institutions. Is Cal OES doing any advocating to Congress or doing anything to assist in those efforts in order to protect our local communities' interests?

  • Jonathan Snow

    Person

    We have advocated through CISA and our DHS partners on the needs of the locals, what they need, and we're trying to encourage that relationship with CISA and those partners.

  • Rhodesia Ransom

    Legislator

    And what kind of response are you getting from federal partners?

  • Jonathan Snow

    Person

    They have said that there was an outpouring of requests across the country, not just California, from many states, about the reduction in MS-ISAC.

  • Rhodesia Ransom

    Legislator

    And they were evaluating it, evaluating the huge outpouring. Okay, great. Thank you. I want to kind of pivot to awareness.

  • Rhodesia Ransom

    Legislator

    I know we talked a little bit about the different reasons for underutilization, all of the different training opportunities, but I'm wondering, does CDT have any programs or tools that seek to provide awareness of the features of the tools that are available in the different products that the CDT and DGS IT catalogs include?

  • Rhodesia Ransom

    Legislator

    And my thought is clearly, you know, a product is only as good as it's used. Right.

  • Unidentified Speaker

    Person

    So we do have an outreach program that really encompasses all the technology stacks. And that's, that's, I don't know, maybe a couple of years old. But that's a practice that we're trying to advocate right now: you know, whatever help they need as far as cyber or IT.

  • Unidentified Speaker

    Person

    And if they want any help as far as training, we can help with the direction of training and really configuration and implementation as well.

  • Rhodesia Ransom

    Legislator

    Awesome. Thank you. And then lastly, how does CDT enforce SAM, SEM and SIMM standards that require the use of cybersecurity features? When, you know, if there's an entity that kind of lacks the compliance, what are you doing to ensure that they are using the features?

  • Unidentified Speaker

    Person

    So instead of having a heavy hand, we try to have a helpful hand and really reach out and offer our assistance in whatever that case might be. With all the different state departments, those landscapes are very different and unique. But we have enough staff that's experienced well enough to understand each of those environments.

  • Unidentified Speaker

    Person

    So it's really up to the Department to accept that offer.

  • Rhodesia Ransom

    Legislator

    And do you have triggers or things that'll say, if maybe one portion of the Department is not using, like, multi-factor authorization or something, that'll say, hey, there's something going on here? Or how do you identify when those features are not being utilized?

  • Unidentified Speaker

    Person

    Well, partly through the California Military; their assessments are a key for us to target those weak areas. But if we're in there as far as SOC as a service, we do that on that 24/7 monitoring. But we also reach out to them quarterly and do a health check.

  • Unidentified Speaker

    Person

    We want to see how that is working out for them and identify any gaps in what they're seeing or what they're expecting. So if they do share that there's some technology that they want to enable additional capabilities, we'll definitely help them with that.

  • Unidentified Speaker

    Person

    I'm sorry, Chair, may I add, please? I would just say we offer the helping hand and advisory services as a result of the audits and assessments. We also produce what's called a plan of action and milestones, a POAM. And the POAM is used to hold that Department accountable to address those deficiencies.

  • Unidentified Speaker

    Person

    That's where our advisory services come in, and we advise on different approaches to solving the capability gaps: that could be tools, that could be process changes, security training, things of that nature. So it's helpful, but it's also a documented plan that we work together with those entities on to achieve a certain level of maturity to address those gaps.

  • Rhodesia Ransom

    Legislator

    Okay, thanks for clearing that up. Because when you say helpful, I was looking for, like, the enforcement, and it sounds like the accountability and enforcement piece is also built in. Those are all of my questions. Thank you so much. I appreciate you.

  • Jacqui Irwin

    Legislator

    All right, well, panelists, we know that you are very busy, so really appreciate your time this afternoon.

  • Unidentified Speaker

    Person

    Thank you for the opportunity.

  • Jacqui Irwin

    Legislator

    And so that concludes the Q and A portion of our hearing, and we will now move on to public comment. All right, looks like we have, yes, we have somebody who would like to publicly comment.

  • Scott Drexel

    Person

    I apologize. I'll keep my comments as brief as possible here. My name is Scott Drexel and I'm here on behalf of the Coalition for Fair Software Licensing, which is comprised of North American companies and trade organizations representing a cross section of industries, including cloud, software and cybersecurity providers.

  • Scott Drexel

    Person

    So our mission is to promote policies that curb restrictive software licensing practices, which are provisions in software agreements that leverage the popularity of market-dominant software, such as productivity or virtual desk tools, to lock customers, in this case the State of California, into goods and services beyond the scope of what they want or need.

  • Scott Drexel

    Person

    The vendor lock, furthermore, hinders or even prevents software purchasers from switching between technology providers as circumstances and needs evolve. So restrictive licensing and cybersecurity risk go hand in hand. And when major cybersecurity attacks occur, the question lawmakers, cybersecurity officials and regulators should ask is not just what happened, but what role did restrictive licensing play?

  • Scott Drexel

    Person

    So restrictive software licensing practices create unnecessary cybersecurity vulnerabilities by limiting customers' ability to utilize their preferred vendors, leaving their IT infrastructure susceptible to risk. They inhibit modernization efforts. They limit interactions and integrations with third-party providers, making it difficult to diversify systems. They restrict how customers can use their previously purchased software on other cloud providers.

  • Scott Drexel

    Person

    These aren't just business practices, they are serious security concerns. So restrictive licensing practices prioritize vendor control at the expense of cybersecurity best practices. And these limitations can compromise visibility, delay response times, and prevent necessary protections. There's a small handful of very large legacy software providers that have had a significant number of cybersecurity events in recent years.

  • Scott Drexel

    Person

    And we can't operate under this assumption that a single legacy provider can say we are your sole solution for addressing a vulnerability when they're also the source of these increasingly frequent vulnerabilities themselves. That's especially true when the underlying contract was for productivity software or virtual desk tools.

  • Scott Drexel

    Person

    When you silo tech spend with a single vendor or a small number of vendors, a vulnerability in one very quickly becomes a vulnerability in all of them. So diversity of cybersecurity vendors, redundancies and contingencies is essential to a full-stack cybersecurity strategy, and a shift toward open standards, greater transparency and flexible licensing is critical to enhancing cyber resilience.

  • Scott Drexel

    Person

    Thank you very much. Thank you very much. Appreciate it.

  • Jacqui Irwin

    Legislator

    Okay. And with that, I'd like to thank everybody for joining us today. I look forward to continued dialogue with all of the panelists. Maybe tomorrow. And we will, at this point, adjourn the joint meeting of the Assembly Select Committee on Cybersecurity and the Assembly Committee on Emergency Management. Thank you very much.

  • Rhodesia Ransom

    Legislator

    Thank you.
