The House Select Committee on Cybersecurity met on May 16 to hear invited and public testimony regarding the state of cybersecurity at all levels of government and cybersecurity education and curricula.

This report is intended to give you an overview and highlight of the discussions on the various topics the committee took up. This report is not a verbatim transcript of the hearing; it is based upon what was audible or understandable to the observer and the desire to get details out as quickly as possible with few errors or omissions.

 

Opening Comments

  • Chair Capriglione – Chose UTSA for the hearing today as it is a leading example of cybersecurity in universities, also appropriate as the topics include cybersecurity education
  • Capriglione – Cyber attacks are becoming more common, many public and private entities have been attacked recently
  • Minjarez – Honored that UTSA was chosen as the site of the first hearing of the Select Committee

 

Taylor Eighmy, UTSA President

  • Presents on state of cybersecurity education at UTSA; 70 faculty with cybersecurity specializations, 4 out of 9 colleges with cybersecurity programs, 2,000+ students in cybersecurity-related fields, etc.
  • Also operates research programs, received $100 million since 2000 to support this research
  • UTSA works with private and public partners, including the federal government for cyber programs
  • UTSA is preparing to launch and announce funding for a National Security Collaboration Center, companies such as Microsoft, Raytheon, Accenture, Noblis, etc. have expressed interest
  • Center will contain several research centers, computational technology sector, information facility, etc.
  • Will be speaking with private and public partners to situate UTSA as the cornerstone of university cybersecurity efforts in Texas
  • Blanco – What are the demographics of the cybersecurity programs at UTSA?
    • Would guess it would be as diverse as the enrollment at the undergraduate level, not sure as to the graduate level
    • Nation will have a deficit of personnel ready to fill cybersecurity jobs coming up, UTSA is trying to grow cyber programs to help fill need
  • Minjarez – What is the estimated time frame on getting the Center built?
    • We are currently finalizing funding opportunities with the UT system, anticipating announcing plan this Summer; on a fast track from UT system & will be moving as fast as we can
  • Capriglione – Will not be hearing from all state agencies due to off-site hearing, but will receive overview

 

Todd Kimbriel, Department of Information Resources

  • InfoSec Academy is the DIR's path to provide info and cybersecurity training and services to state agencies
  • Also run vulnerability tests to check resilience of state systems
  • Security Assessment Program is coordinated with a vendor that runs capability and maturity assessments of state agencies, HB 8 required this to be done every 2 years for agencies
  • Managed Security Services, partnered with AT&T and offered to all levels of government, allows entities to take advantage of maturity services at low cost
  • Statewide Governance Risk and Compliance Portal is funded and maintained by DIR, plans are submitted by agencies and DIR compiles a report from this info for the legislature
  • Presents info on frequency of security alerts, most recent style of attacks are those that try to plant illicit software to take advantage of computing capability to mine cryptocurrency
  • Currently block billions of intrusion attempts every month, Russia and China are the source for the large majority of these
  • Hacktivism is currently a very low threat, involves those organizations with agendas that try and target state agencies or functions; often Denial of Service attacks that attempt to bring down state websites
  • Federal and state regulatory landscape influences cybersecurity rule in Texas; businesses and private security are largely guided by law, DIR authority is limited to state agencies
  • DIR is generally on a 2 year cycle consistent with each legislative biennium, expecting cybersecurity plans from each agency later this year and will provide a comprehensive overview of cybersecurity health in the state in January
  • Texas Admin Code has a framework of rules all agencies must follow, based on federal standards; contains 40 control objectives that measure cybersecurity maturity and capability
  • Dale – So you mandate the standards for agencies and hold them accountable; what are the ways you do? Can you remove them from DIR services?
    • We can, we would make legislature and state government aware of this
  • Dale – Have you had to do this before?
    • No, agencies are generally compliant, everyone takes the threats seriously and we believe they perform accordingly
  • Dale – How do you ensure agencies aren’t installing or using hardware and software that is not approved?
    • There is a catalog of contracts that agencies are required to use
    • Have had issues in the past, e.g. Kaspersky was removed from contracts
    • Agencies can submit exemption requests, DIR evaluates these
  • DIR rates capability and maturity on a 5-point scale
  • In 2016, 143 plans were submitted out of 143 organizations, some organizations are exempt but evaluated
  • Had 16 different requirements strengthening cybersecurity due to HB 8, have been making good progress on implementation; looking at expanding security training
  • SB 1910, SB 1, HB 8, etc. are all in process of implementation
  • Dean – UTSA/UTA has a scale that measures maturity, is it similar to yours?
    • Dr. White could answer better
  • Dean – We put funds into cybersecurity last session, can you give us an update?
    • DIR is largely self-funded, funded the $25 million appropriation authority through fees
    • DIR strategy is to pay for cybersecurity programs and to not charge agencies; encourages adoption
  • Blanco – Regarding update of security standards, is the 2-year cycle too long?
    • 2 years is appropriate given our legislative schedule, DIR does update TAC to keep up with new threats in between the overall standards update
  • Blanco – DIR participates in the Multi-State Information Sharing and Analysis Center?
    • Yes, we use services from this as well, i.e. forensics services or intelligence services
    • HB 8 also required the creation of Texas info sharing and analysis program, moving forward on this
  • Dale – Do we currently have local governments taking advantage of our information services?
    • Can get this to you
  • Blanco – What are the threats that our state agencies face? Do state employees have required training per agency?
    • By TAC, all state employees are required to go through training once every 2 years, up to each agency to determine scope
    • DIR provides guidance and tools, but agencies are not required to use these
  • Capriglione – Biggest risk in cybersecurity is the individual, easy to imagine false websites or phishing attempts, is there anything done to train for this?
    • Yes, there are organizations that run phishing “tests” where they send out seeming phishing attempts and see if employees fall for them, would be good to expand this
  • Capriglione – Asks after DIR asks for bolstering cybersecurity programs
    • Will not provide list publicly, but can get this info to your office
    • The view that it is only a matter of time before an entity gets hacked is becoming more prevalent, building walls and blocks is no longer sufficient; the response and containment is possibly more important
    • Network segmentation can give us a much better response capability
  • Dale – Have we done what we need to regarding open records, etc. to keep certain information secure?
    • Yes, bill last session helped out greatly
  • Dale – So that covers DIR, are there any gaps?
    • That covers all agencies
  • Blanco – What have we learned from the ransom ware attacks in Atlanta and where are we compared to Georgia?
    • Threats are out there, we sought to understand what happened in Atlanta and make sure our systems weren’t as vulnerable
    • We always seek to understand these attacks and then test ourselves
  • Minjarez – Can you speak to the report exemption requests from state agencies?
    • All shared services programs have an exemption process, exemption process exists for those that want to explore non-DIR services, must meet state law requirements
    • If we have the ability to accommodate agency requests with other services, we will push for this
    • Ultimately our criteria is if it is in the best interests of the state

 

Brigadier General Greg Chaney, Texas Military Department

  • We act for the federal government and state as a cost-effective force multiplier in a variety of ways
  • TMD sees itself as growing capacity to be a force multiplier in the cybersecurity realm as well
  • Cybersecurity is an area similar to land, sea, air, and space; we see resources to continue to grow to protect operations within this area
  • Goal is to be the premier state military organization in the cybersecurity realm
  • Texas State Guard is continuing to grow, has some number of cybersecurity experts on the civilian side

 

Colonel Theresa Cogswell, Texas Military Department

  • TMD Joint Cyber Mission Force consists of state and federally focused cybersecurity teams, similar cybersecurity teams exist in other branches; all teams can be leveraged to provide support for state operations; TMD is ready to support the DIR

 

Lt. Colonel Kristy Leasman, Texas Military Department

  • Part of the Guard, cybersecurity specialist; thanks committee for opportunity to be part of the state’s cybersecurity response
  • Dale – How do you get the orders to assist entities other than the TMD?
    • Chaney, TMD – We cannot move on our own, within the state, authority to command the TMD is with the Governor; would assume deployment on a cybersecurity front is similar
    • We will always be in a supporting role, sometimes resources will not be immediately available, which is why we are interested in developing Guard capacity
  • Blanco – How have cybersecurity teams been deployed? Asks after relationship with DIR
    • Cogswell, TMD – We have one team deployed on the federal side
    • Chaney, TMD – Currently none are deployed on state missions
    • Cogswell, TMD – Working with DIR to develop response plans
  • Capriglione – In Colorado, many systems were hit and went down, they needed a “force multiplier;” State Guard might be a great opportunity to assist local communities on attack response and training
  • Capriglione – Do you have a concept of how many people you would like to have on a state side?
    • Chaney, TMD – We have units that can respond to a variety of situations; we have a response package for cybersecurity that can fit both State Guard and federal missions
    • Cogswell, TMD – Package details equipment, response, etc.; currently have a number of personnel with cybersecurity expertise that can be put into packages and be deployed on a state mission
  • Dale – Certainly we have people who can do these jobs, but is security clearance an issue, e.g. for access to state networks?
    • Leasman, TMD – Everyone has their own job and need-to-know status, rules usually established with each situation
    • Chaney, TMD – Currently the State Guard doesn’t have access to the same systems as the federal cybersecurity professionals, hoping to build more capability

 

Jim Perschbach, Port Authority San Antonio

  • Presents info on Port San Antonio, airfield, flight deck, airplanes, etc.; highlights changes over time
  • Future of air portage is in applied technology and cybersecurity; have had challenges in technology development when developer does not have enough knowledge of the air industry
  • Challenges have led Port San Antonio to explore co-location of technology and airport, launched Project Tech to collaborate with tech industry; new building has information technology resources and Port San Antonio is expecting technology industry leaders
  • StandardAero, Boeing, Northrop Grumman have all invested in Port San Antonio
  • Next phase in Project Tech is to convert air hangars to develop an industrial modeling center, will be located in close proximity to Air Force and industry
  • Port San Antonio is hoping to be the home for industry developments in information technology
  • Minjarez – Have toured Port San Antonio several times, would like Perschbach to highlight community interaction and public school involvement
    • We view ourselves as part of the community, hosts the San Antonio Museum of Science & Technology
    • Interested in working to develop next generation of talent
  • Blanco – Have not heard of Tech Port anywhere else, can you give us other examples?
    • Have not heard of another Tech Port, our operations in upgrading and servicing aircraft means a focus on information technology makes sense

 

Will Garrett, San Antonio Chamber of Commerce, Cybersecurity San Antonio

  • Cybersecurity San Antonio is a P3 housed in the Chamber of Commerce focused on cybersecurity and fostering innovation in the industry; driven by 300 member industry council
  • Cybersecurity focus in San Antonio stems from the activity of the US Air Force in the city
  • Cybersecurity San Antonio has 5 focuses: brand, partners, developing expertise, innovation/development, and global partnerships
  • University and educational partnerships have robust cybersecurity programs, competitive environment works to promote program development
  • BuildSec Foundry is an incubator focused purely on cybersecurity start-ups, works to assist former military bridge into cybersecurity industry
  • In the last 10-15 years, local industry executives have been very active in working with the Texas Legislature to craft legislation like HB 8, HB 8 was a very important step for industry; would like to see more industry involvement moving forward
  • Capriglione – How difficult is it to go to other states and get cybersecurity business? What is drawing people here
    • Perschbach, Port San Antonio – What’s drawing people is the talent and ability to work with mature industry, part of the Project Tech complex is to develop facilities needed for cybersecurity renovations
    • Alabama put massive capital into developing these types of facilities, Florida likewise; has been a challenge in the past for Texas as we lack these types of facilities
    • Garrett, Cybersecurity San Antonio – Talent is a big draw here, price point is more competitive than other transitional areas for these industries like the coast
    • As a state, we are seeing more recognition of Texas activity
  • Capriglione – Obviously sometimes incentives matter, I think they do as well
  • Capriglione – Have heard concerns from all different industry sectors on need for training or cybersecurity services, have you found ways to push this type of info through Chamber membership?
    • Absolutely, there are a number of online services available, San Antonio Chamber communicates these issues with its membership; happy to send resources we use frequently
  • Blanco – Can you give an example of how much a SCIF costs, something that would benefit security, but also something that would attract industry?
    • Perschbach, Port San Antonio – Should look to the needs of something like the TMD, something that meets their needs in the range of 30k sq. ft., could probably do this between $5 to $10 million
    • Will be challenges in getting federal sponsorship
  • Dean – As far as building this, could the Port, city, etc. do tax reinvestment zones?
    • Yes, Port is a government entity, there are some assets we can take advantage of

 

Sid Hudson, City of McKinney, Texas Municipal League, TAGITM

  • Best practices need to be followed, but majority of medium to small municipalities do not have the required personnel
  • Information sharing is poor at the municipal level, there is no information sharing between municipalities/local governments after attacks; there have been attacks around McKinney and no info shared
  • Capriglione – Can you give us an idea of what they are?
    • Cannot, there was no info shared; we cannot know what to bolster if we have no idea what the attacks were
    • Entities tend to go into lock down
  • Capriglione – How do you find out about this?
    • Got a phone call for personnel to assist in rebuilding systems
  • Dale – What does TML do to help spread the word? Is there anything set up?
    • Not sure what TML does to spread this info; my point is that there seems to be a real lack of mandate or incentive to share this info
  • Dale – Do you think people in other cities are aware that DIR offers security services?
    • I think they are aware, but it is a funding issue, technology is a second, third, etc. priority
  • Dale – Do you know what a local government would pay to obtain DIR services?
    • We looked at between $200k-$250k, not small
  • Capriglione – The cost of not doing it could be significantly higher; asks after what would help
    • Some sort of tool that would require municipalities to report on attack & response that would help us know what to look out for
  • Dale – Have we closed loopholes that would require you to disclose security info through an open records request?
    • I believe we can protect all of this info as infrastructure
  • Funding constraints mean it is difficult to justify costs for attacks that have not yet happened
  • Personnel can make much better salaries in the private sector
  • DIR is a great resource for procurement
  • Contract language needs to be uniform and possibly state mandated; should not indemnify technology vendors and liability caps should not be limited to fees
  • Have spoken with communities around McKinney, most communities do not have the resources for cybersecurity staff; key city functions depend on secure data
  • Would encourage state to supply matching grants to help hire cybersecurity staff and technology

 

Gregg Cannon, Grimes County IT

  • County resources are very limited to prepare for cyber threats, work with CIRA & others to learn about security laws and regulation, as well as grant programs and other supports
  • Counties are seeing an increase in phishing attacks, also seeing attacks against individual office firewalls
  • Use cloud-based protection, staff education, monitoring software, etc. to protect against threats
  • With limited resources, county depends on grant and agency assistance to help maintain these defenses
  • Capriglione – Do you train your employees?
    • We are starting to have that capability
  • Capriglione – Asks after how the county responds to a breach
    • New in this position, currently drawing up policies and procedures for breach
    • First steps would be to stop or block the threat, next to notify HR, reach out to credit agencies, etc.
  • Capriglione – What about McKinney?
    • Hudson, McKinney – Had a breach in another community; we reached out to residents and told them we had a breach, covered the cost for credit and bank monitoring
  • Capriglione – Does McKinney have hackers insurance?
    • Something I need to look into
  • Capriglione – How long did it take to respond to the attack you experienced?
    • No more than a couple of days
  • Capriglione – If you’re hit by ransom ware, do you have a policy on whether you would or would not pay?
    • Both communities run backups and would not pay
  • Blanco – Regarding Grimes working with CIRA on grants, what is available?
    • Cannon, Grimes – Most of what we get is in partnership with other departments, e.g. grants for cameras that ride on Grimes County IT infrastructure
    • Hudson, McKinney – Not aware of anything the state does to assist McKinney, have looked for grants, but not found any resources
    • FBI has helped on specific attacks
  • Blanco – Have your budgets increased for cybersecurity?
    • Cannon, Grimes – Looking to double overall budget and cybersecurity funding might come with that
    • Hudson, McKinney – Added about a half million dollars to the cybersecurity budget
  • Capriglione – Some of the least well funded areas are probably some of the most at-risk
  • Dean – I never realized that TML did not assist in city cybersecurity issues
    • As far as I’m aware, don’t want to go after anyone in particular
  • Dean – Should at least look at some regional collaboration so smaller communities have a pool of talent to draw on

 

Greg White, UTSA

  • Texas is not doing a bad job in increasing the cybersecurity workforce compared to other states; many programs exist
  • Other side of this is needing to fill these programs, Texas is doing a very good job in getting cybersecurity introduced early
  • However, could be doing more; could have more programs with more schools participating
  • Regarding diversity, UTSA is doing fairly well representing community demographics, but definitely lacking women in the programs; need to get people interested at an early age
  • All of this effort is not enough to fill the upcoming cybersecurity jobs, need to work on more ways to push the cybersecurity workforce
  • Could be doing more with certifications at the high school level, could focus on hiring based on certifications and move away from the large experience requirements
  • DIR is doing a good job to support agencies, but is not resourced to help local communities currently; educational institutions could be used to help communities develop response plans and provide cybersecurity service through student action
  • Could be challenging for outside personnel to come into a community and assist, but educational institutions are local and familiar with the community systems; UTSA could serve an example of these efforts, i.e. in information sharing, training coordination, etc.
  • Shares account of setting up fake community to draw cybersecurity attack, found a large number of attacks & large majority were only detectable through looking at the community as a whole; attacks focusing on one administrative “sector” of a community
  • Minjarez – Have you taken a proactive approach to discover why women aren’t joining the cybersecurity programs and to encourage women enrolling?
    • LA Unified School District did a study on this issue, they found out women were not interested in STEM for two reasons: the perception that smart women aren’t pretty & that women did not want to be smarter than their boyfriends
    • Programs like Cyber Patriot try and eliminate fees for all-girl teams
  • Capriglione – So what sector of your fake community was targeted most?
    • Local government and infrastructure
  • Dean – One of the goals is to set up ISAC immediately, has DIR done this?
    • DIR has done work on this, waiting on personnel
  • Dean – Did HB 8 give any time frame?
    • Capriglione – It was effective last year, my expectation is to get it done ASAP
  • Dean – I think the framework under HB 8 is there
    • If DIR is looking at agencies and part of the goal is information sharing and analysis, should also look into doing this for the entire state of Texas; UTSA is uniquely positioned to coordinate
  • Capriglione – Could you highlight some of the potential risks to the election system and some potential solutions?
    • Equally important to breach is the confidence the public has in the system; has taken a hit due to recent media attention
    • Stem assessments are crucial, US is not ready for internet voting yet
    • Need to have some sort of paper verification that the user can see & keep, builds confidence that vote was made correctly
  • Capriglione – Might be very difficult to find a technology version of physical person verification

 

David Abarca, Del Mar College

  • Del Mar was one of the first institutions to understand the need of cybersecurity education, developed courses that are used in community colleges across the state
  • Currently 11 courses in the program, Del Mar shares all material involved
  • Working with 18 other community colleges across the country to develop similar programs
  • Program involves online and face-to-face courses, but there are some that require a physical lab
  • Job postings reflect a large number of IT and cybersecurity openings, many with a preference for prior military service
  • A lot of IT security education begins with transfer of data across networks, network administration and information security are “two sides of the same coin”
  • Del Mar operates programs to encourage women to participate in STEM, Del Mar is demographically diverse
  • At many small community colleges, student base is also the IT staff
  • Capriglione – How many students finish out the program?
    • Many students come to UTSA and work in private industry as well, can take some time to transfer into a security role
    • Del Mar is on pace with rest of the state, about 25%-35% of first time students do not return, either finding other careers or otherwise
    • Del Mar works to prepare students to be the sole IT person, try to train for a number of issues; 60% go on to immediately attain their bachelors

 

Joe Sanchez, CyberTexas Foundation

  • Nonprofit operating in San Antonio that collaborates with academic, business, and public sector to improve cybersecurity programs, increase number of personnel, grow and maintain cybersecurity businesses, and improve awareness and preparedness
  • San Antonio is home to the second largest cybersecurity workforce concentration in the US, UTSA, federal cybersecurity elements, five NSA/DHS “Centers of Excellence,” many other cybersecurity resources
  • High school and middle school programs are developing, San Antonio teams doing very well in CyberPatriot
  • CyberTexas has trained teams at large venues, have moved on to training coaches and providing mentoring due to volume of new teams
  • Co-created TEA approved Principles of Cybersecurity course
  • Also provide scholarship & internship opportunities
  • Goals include expanding cybersecurity curricula, fielding more CyberPatriot teams, increasing number of “Centers of Excellence,” as well as doubling of cyber/IT workforce, companies, and economic impact

 

Sarah Matz, CompTIA

  • CompTIA is a nonprofit focused on IT certification and promoting the IT/security industry
  • Texas recently saw an over 40% growth in tech industry postings, jobs and economic impact have grown dramatically, Texas is 2nd in IT workforce in the US
  • Industry has cybersecurity as a priority, but many are unsure of the right steps to take to address security issues; there is a gap between how important these issues are and how much attention is devoted to them
  • Organizations and the state need a top-level security approach and must be treated as a critical concern
  • CompTIA recently released a report called “Building a Culture of Cybersecurity” with the goal of arming company executives with necessary knowledge to guide cybersecurity approaches
  • Cybersecurity is the state’s #1 challenge, but approach must be rethought to be more encompassing & integrated at all levels
  • Capriglione – Thanks CompTIA for their help with HB 8
  • Capriglione – One of our challenges is staff training, state has many employees; what is the right level of training? Are there employees that need extra focus?
    • CompTIA found that entity leaders can direct cybersecurity approach, but often do not have a good enough understanding of the details; likewise, IT department knows details, but has issues with the operational side
    • This is why a holistic approach is necessary; everyone needs to be included in the training program

 

Michael Wyatt, Texas Business Leadership Council, Deloitte

  • There are lessons learned from other states with breaches that can be incorporated in Texas
  • Public sector organizations are clearly a prime target, espionage can also be a major goal
  • Verizon 2015 data breach report highlights large number of cyber attacks across the US
  • Cyber criminals continue to have success with older techniques, reflects a lack of cybersecurity maturity
  • Statistics show that no matter the amount of training telling staff not to click, 4% of employees and contractors will still click
  • 80% of attacks take only minutes, detection can take months or longer
  • Ultimately, prevention doesn’t work, detection of threats before they get more severe is very important
  • 2016 study shows that government awareness is here & governments are focusing on cybersecurity more and more
  • Formal plans and strategies dramatically increase ability to leverage funding and resources
  • Key challenges include lack of funding, inadequate availability of professionals, increasing number of threats, etc.
  • States typically lag behind levels of investment in private industry; not all funding needs to be collected through appropriations, interagency contracts, grants, and business investments can help
  • Regarding workforce development, by 2022 some expect a 1.8 million FTE cybersecurity deficit, training opportunities are failing to meet needs
  • National Initiative for Cybersecurity Education could be of interest to state in developing workforce
  • Conducting risk assessments is absolutely necessary, you do not need to protect all assets similarly; knowledge of risk can help direct funds and investment
  • Also important to balance funds devoted to prevention and resilience for if a breach happens; quick detection is very important
  • Texas A&M recently won the DSS Counterintelligence Award, can help attract staff
  • Can leverage automation to perform analysis & use staff to act on information
  • Capriglione – Where was Texas on percent spend on cybersecurity?
    • Kept confidential
  • Capriglione – Are there tools that can keep track of employees & assure security?
    • One of the fastest growing areas, insider threat programs can work with HR to identify threats or compromised individuals

 

Chris Humphreys, The Anfield Group, Texas Cybersecurity Council

  • New cybersecurity resources and programs have been very helpful in developing workforce, originally it was largely only ex-military
  • Military and other organizations need to continue to bridge gaps and develop workforce
  • Has worked across the entire industry, staff is in high demand and in short supply
  • Would caution against using more regulation to try and solve the issue, once frameworks get rolled out, threats typically have evolved
  • ISAC model is great in concept, but need to encourage entities to participate and share data; risk or exposure of flaws in the system can be a deterrent
  • In work with Cybersecurity Council, it was surprising how many cybersecurity professionals there were and how little coordination there was among them; new efforts may not be aware of other efforts
  • There also needs to be some accreditation coordination to validate which cybersecurity programs are worthwhile; programs discussed today are very cognizant of this
  • Capriglione – Regarding utilities and the electric grid, how significant of a risk is there to these utilities and what should we be doing?
    • The latest supply chain management standard NERC developed has taken 4 years, alarming time-frame
    • More alarming that utilities would be waiting for a regulation to tell them they should be verifying third party resources
    • There needs to be some foundational checks & balances, but there should be some sort of incentive-based program to guide entities
  • Capriglione – Makes sense that entities would just try to check boxes and meet minimum requirements
    • NERC scope is not that large, does not protect energy resources entirely
  • Dale – Have become more worried about cybersecurity threats recently
    • “Ignorance is bliss” can be very calming for smaller entities

 

Bob Butler, AECOM, Texas Cybersecurity Council

  • Recommendations from previous years that still hold true include:
    • Establish a coordinator for the state
    • “Business Executives for Texas Security,” P3 that allows business leaders to come together with other stakeholders and provide framework
    • Establish a Cyber Star program for resiliency in products and services
    • Increasing number of cybersecurity professionals
    • Provide a consistent voice for industry to discuss cybersecurity policy
    • Continue investment in higher education cybersecurity programs
    • Promote collaboration, innovation, and entrepreneurship; saw many patents that got lost on the way to commercialization
    • Increasing pathways between education programs in primary and secondary education
    • Promoting leadership role of DIR; much progress has been made, a lot more needs to be done
  • State still has need for stakeholder P3, workforce development, and comprehensive education approach
  • Needs some modest investment, also should probably look at liability protection
  • Speaks to the Jack Voltaic cybersecurity exercise in New York, involved military, government, first responders, etc.; as a result army came to Texas and set up a similar exercise in Houston that involved many different sectors
  • These types of exercises are important to determine the way different stakeholders interact and respond; can be used to develop a statewide incident response plan
  • Capriglione – One thing I want to work with you on is the Cyber Star concept; town halls, etc. could be helpful for communities
    • Would be happy to

 

Public Testimony

Chuck Rodriguez, Rackspace

  • Using third parties to provide cybersecurity support can alleviate need for resource investment
  • Customers can take advantage of Rackspace’s economy of scale, other companies perform similar services
  • Cloud providers are well-versed in cybersecurity threats, often communicate with other industry stakeholders to share information on threats
  • Cloud data centers can be more secure than local data centers; local centers are still accessible from the internet
  • Companies like Rackspace can also leverage a large number of qualified staff
  • Rackspace supports the efforts of institutions like UTSA to develop the workforce and coordinate communities, Rackspace encourages additional time off for employees to support and receive education