The committee held a hearing to consider the following interim charge:
 
Identify and address potential gaps in cities’ cybersecurity policy and ensure that personal information held by cities and other municipal entities is secure.
 
Eddie Block, Chief Information Security Officer and Cybersecurity Coordinator, State of Texas

  • Been in this role for about 8 months
  • Texas is one of 8 states leading the effort in cybersecurity
  • Focus on protecting the confidentiality and integrity of state information and resources
  • Perform risk assessments and security vulnerability studies
  • Have sponsored security assessments in about 50 different agencies; non-technical reviews
    • Identified a few trends that are issues
      • Staffing challenges
      • Secure software development
      • Security awareness
      • Identity and access management
      • Monitoring
      • Network segmentation
      • Data classification
    • Trying to provide solutions to these issues

 
Mary E. Dickerson, Chief Information Security Officer, University of Houston; Chair, Texas Cybersecurity Education and Economic Development Council (TCEEDC)

  • In 2011 the legislature created the TCEEDC
  • Performed a study that found there are areas that could use improvement
    • Looked at state cybersecurity infrastructure and at coordinating partnerships between the state and private industry
    • Cybersecurity industry in the state; how to improve the industry and bring more to the state
    • Looked at state cybersecurity education needs
  • Council found that there are pockets of excellence across the state but they are not recognized, promoted and coordinated well
  • Recommended that the state appoint a cybersecurity coordinator
  • Need to leverage private industry in the state to get their support to promote good practices in the state
  • Need to focus on programs at educational institutions that can create leaders in the cybersecurity field
  • There is now a permanent Texas Cybersecurity Council to continue the work of the TCEEDC
  • Goal going forward is to use what that council is doing to forge new and better partnerships between agencies and private industry to continue to improve
  • Block noted an important part of the council has been to work with higher education
  • Chairman Carol Alvarado asked what the biggest threat to cybersecurity in Texas is
    • The state has millions of IP addresses and a significant internet presence; the biggest concern is spear phishing attacks on state employees’ computers to gain access to state systems
    • This can largely be solved through user education
  • Alvarado asked what next steps could be
    • Working to try to build private sector connections and how to develop better curriculum for K-12
    • The threat of identity theft to children under 18 is very high; children do not run credit checks on themselves so the threat can last a long time; children need to be aware of what threats are out there

 
David LaPlante, Chief Information Security Officer, City of Houston

  • City of Houston has 23 different departments with a wide variety of business types and security requirements; very complex environment
  • In 2014 cybersecurity for the City was very immature
  • Since then, have implemented a large framework which includes risk assessments and developing ways to cover the gaps
  • Used federal grants to implement the framework and to create a tool used by other municipalities around the city for guidance in implementing their own frameworks
  • Primary challenges have been awareness issues; employees are the greatest defense line and the greatest liability in cybersecurity defense
  • Key program implemented this year is a cybersecurity awareness program that includes email tests for phishing software

 
Steven Elkins, Chief Information Officer, City of Austin
Ken Williams, Chief Information Security Officer, City of Austin

  • Performed a study on city systems to test for cybersecurity weaknesses
  • Implemented a training for all city employees that is mandatory and annual; talks about cyber threats, how they happen, and what will take place should an attack occur
  • Put out an RFP to do a city-wide risk assessment; have not yet executed on this due to some issues with the RFP
  • Alvarado asked if workforce shortage has been a challenge through this
    • LaPlante responded that finding qualified, well trained cybersecurity people has been a challenge
    • Elkins responded that local government competing with the private sector has been a challenge; tech companies in Austin hire all of the qualified people and pay more
  • Alvarado asked what the cost is aside from recruiting and retaining good people
    • LaPlante noted Houston has implemented advanced threat protection technology that automatically acts on advanced cyber threats
    • Do not have any large budget projects planned in the near future; more small improvements
  • Alvarado asked if there is a mechanism to share information and learn from each other
    • There is a multi-state information sharing center that local governments can participate in
  • Alvarado asked if the cities are active with the state council
    • Not yet
  • Alvarado noted the council may need to include representation from cities
  • Rep. Todd Hunter asked how secure the cities are
    • That is subjective; Houston is probably a 7 out of 10
    • Austin is probably a 7 as well; there is a lot more to be done; saying a city is very well protected invites threats so it is important to be cautious with what is publicized
  • Hunter noted as cities improve, cyber terrorism will improve as well
  • Rep. Rodney Anderson asked what cyber terrorists do
    • Sometimes they gain access then wait in the system for days or weeks and capture keystrokes and other information to go in and perform one overnight attack to steal millions of dollars
  • Alvarado noted smaller municipalities probably have a much harder time attracting good employees due to less budget room
  • Rep. Diego Bernal asked what the cost of annual training is for a city
    • Austin has computer based training that is integrated into learning programs that include other training such as ethics training, etc.
    • Sometimes bait emails are sent to employees selectively to see if employees will open the emails; if they do they are sent to secondary training; that also helps gather metrics on how well trainings work

 
Ed Hennigan, CTO, Data Foundry

  • We are driven to have high standards without additional regulation
  • Traffic needs to be encrypted by public sector
    • Today he was able to use a legal program to see what people in the capitol were browsing on Instagram
  • Do not support back doors in encryption because they pose a real risk
  • Important to minimize the amount of data that we keep and capture to avoid a larger issue in case of a breach
    • We never store credit card information, so a breach would never be able to get credit card information
  • Outsource to companies whose whole focus is on cybersecurity
  • Alvarado asks if Data Foundry has any public clients
    • Yes

 
Mike Raft, Technical Security Consultant, AT&T

  • There is a lack of security professionals available even to the private sector
  • AT&T can provide consulting services such as their threat management service
  • Vulnerability scanning
  • Human element cannot be forgotten either; AT&T has mandatory training and a cybersecurity awareness month

 
Chad Holmes, CTO, FireEye

  • FireEye is the go-to for breach response
  • Out of all responses that we do, 100% of attackers are looking to steal credentials
  • State and local entities have data from all different types of elements, healthcare, personal identification, etc.
  • Texas faces challenges because there is not one owner of security throughout different municipalities, and you are only as strong as your weakest link
    • Some cities have one or two people trying to manage security
  • Average spend is 2-3% of IT budget for security which is almost non-existent – you need more funding
  • We consider security a business risk function as opposed to an IT function
    • Cybersecurity element gets cut drastically as part of IT function
  • Set a benchmark for agencies
  • Alvarado mentions that it may be helpful in the future for larger cities to bring smaller cities under their wing
  • Alvarado asks if there is a state we can look to that is ahead of the curve on cybersecurity
    • Larger states have their own challenges, but Texas is probably the best of the large states
    • Information sharing is important from private sector to public sector and also public to public