You might think the home of Silicon Valley would rush to hire a cybersecurity chief, but you鈥檇 be wrong: California has left its top cybersecurity post vacant for nearly two years.
A spokesperson said there is no current timeline for Gov. Gavin Newsom to appoint anyone for the position, commander for the Cybersecurity Integration Center.
鈥淲e are a target,鈥 as a tech industry leader, the most populous state in the country, one of the busiest ports in the world, and the fifth largest economy in the world, said former cybersecurity integration center commander Jonathan Nunez in a two years ago. He took the helm in June 2020 and was the last commander appointed by Newsom, leaving the position in June 2022.
State officials say the vacancy hasn鈥檛 hampered the state鈥檚 ability to respond to threats, but experts outside the state government are concerned that an acting commander is spread thin.
The entails assisting law enforcement agencies with criminal investigations and safeguarding California鈥檚 economy and critical infrastructure. Other job duties include maintaining a security operation center that disseminates actionable information to all state entities, forming public and private partnerships, and developing state cybersecurity strategy. The commander is paid a salary of up to $187,000 a year.
The challenge of a position like cybersecurity commander is it鈥檚 not a matter of public or media interest until something goes wrong, said Dan Schnur, a former spokesperson for Gov. Pete Wilson who now teaches political communication at the University of Southern California and University of California, Berkeley. There鈥檚 no set timeline for appointments and depends almost entirely upon the urgency to fill the job and quality of applicants, but in his experience, taking more than a year to appoint is an unusually long amount of time.
鈥淓ither they鈥檙e going through a painstaking process to pick the right person or it slipped through the cracks and there鈥檚 no way to know which of the two it is,鈥 he said. 鈥淯nless you find a unicorn who鈥檚 willing to forego that kind of financial compensation in exchange for public service, you鈥檙e already starting out with a compromise.鈥
There have been four full-time commanders prior to the current acting commander.
Keith Tresh was appointed by former Gov. Jerry Brown and acted as commander from 2016 to 2018. He is now chief information security officer at consultancy firm AMEG. Mario Garcia served as acting commander from 2018 to 2020 and now works as state coordinator for the U.S. Department of Homeland Security鈥檚 Cybersecurity and Infrastructure Security Agency. Jonathan Nunez was appointed by Gov. Newsom in 2020 and now works as an analyst at consultancy firm Gartner. David Lane served as acting commander for an unspecified period of time in 2022. Deputy Director of homeland security is also the acting commander.
Tresh previously served as chief information security officer for the states of California and Idaho and was the first Cybersecurity Integration Center commander. He said he jumped at the opportunity because the job acts as a second set of eyes for public institutions like city and county governments, not just the state of California.
鈥淲e helped school districts and regional transit authorities when they had breaches,鈥 he said. 鈥淭hat鈥檚 why I think it鈥檚 absolutely a perfect position to continue on.鈥
Cyber attacks on public institutions like local governments, hospitals, and school districts are on the rise. Hospitals and health care providers are that affected payment processing for Change Healthcare, which processes roughly half of all health care claims and payments nationwide.
The Cybersecurity Integration Center receives reports when a school district, state agency, or private company experiences a data breach. The center also receives threat reports from federal agencies such as the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Homeland Security.
Former Gov. Jerry Brown created the cybersecurity agency in 2015 to operate within the governor鈥檚 Office of Emergency Services. It works with the Department of Technology to investigate and report incidents and helps restore operations after an attack. Director Liana Bailey-Crimmins told CalMatters in an interview in February that her agency works closely with the office of emergency services to address the needs of the state as they fill key positions so they never miss a step.
A spokesperson for the governor鈥檚 Office of Emergency Services said Osborne is serving as acting commander while the governor carries out a nationwide search for a qualified candidate.
Over the course of the past month CalMatters repeatedly asked details about data breach reports and compliance with additional duties assigned to the commander and cybersecurity integration center by a but received no comment.
The last time the state compiled a report detailing the kinds of data breaches, number of records compromised, and number of Californians affected in cyber attacks was , before the cybersecurity integration center existed.
CalMatters reached out to the office of Attorney General Rob Bonta for the latest data breach report. The attorney general鈥檚 office referred CalMatters to the cybersecurity center, which did not share new information but said it would post new data publicly later 鈥渢his spring.鈥
After that state agencies were woefully unprepared for cyber attacks, California Assemblymember , a Democrat from Thousand Oaks, coauthored law that made the Cybersecurity Integration Center a permanent state agency and required development of a state cybersecurity strategy. Irwin, who is also chairperson of the Assembly cybersecurity committee, told CalMatters in a statement that finding a new commander has not been easy.
鈥淭he state has struggled to recruit and retain cybersecurity specialists, just as many businesses have, with their skill set in high-demand,鈥 she said.
Competition with private sector
Former state cybersecurity employees told CalMatters they think it鈥檚 difficult for the cybersecurity center to keep commanders because the pay is less than for similar jobs in the private sector. State employees may treat an acting commander 鈥 who will be in the job temporarily 鈥 differently than a commander appointed by Newsom.
A former cybersecurity center employee who spoke to CalMatters on background for fear of professional reprisals said the biggest issue with the position is lack of real authority; the commander has limited capacity to act and hold people accountable.
Public agencies, especially in California, are major targets for cybercriminals seeking confidential information or just want to cause panic, said Steven Ward, a cybersecurity fellow at center-right think tank R Street Institute and former digital forensics examiner for law enforcement agencies in Sacramento.
Ward said the vacancy is reflective of a number of trends: First, the cybersecurity threat landscape moves quickly, and public agencies move slowly. Second, it mirrors a larger cybersecurity workforce shortage. California has the second-highest in the U.S., according to by the nonprofit International Information System Security Certification Consortium.
Third, public agencies can鈥檛 compete with pay and benefits offered by private companies. found that the private sector pays 14% more than government agencies. The pay gap creates a situation in which entry-level employees are responsible for guarding highly sensitive systems. It鈥檚 hard to say what the consequences of the vacancy are, but since the center develops the state cybersecurity strategy and is a hub for sharing attack threat information and how to patch vulnerabilities, Ward said he鈥檚 worried that the acting director might be spread too thin.
鈥淚t definitely needs to be filled,鈥 he said. 鈥淚t鈥檚 important that this type of work continues without interruptions.鈥
is a nonprofit, nonpartisan media venture explaining California policies and politics.