'We Are a Target': California's Top Cybersecurity Job Remains Vacant

You might think the home of Silicon Valley would rush to hire a cybersecurity chief, but you’d be wrong: California has left its top cybersecurity post vacant for nearly two years.

A spokesperson said there is no current timeline for Gov. Gavin Newsom to appoint anyone for the position of commander for the Cybersecurity Integration Center.

“We are a target,” as a tech industry leader, the most populous state in the country, one of the busiest ports in the world, and the fifth largest economy in the world, said former cybersecurity integration center commander Jonathan Nunez in a video posted to YouTube two years ago. He took the helm in June 2020 and was the last commander appointed by Newsom, leaving the position in June 2022.

State officials said the vacancy hasn’t hampered the state’s ability to respond to threats, but experts outside the state government are concerned that an acting commander is spread thin.

The commander job entails assisting law enforcement agencies with criminal investigations and safeguarding California’s economy and critical infrastructure. Other job duties include maintaining a security operation center that disseminates actionable information to all state entities, forming public and private partnerships, and developing state cybersecurity strategies. The commander is paid a salary of up to $187,000 a year.

The challenge of a position like cybersecurity commander is it’s not a matter of public or media interest until something goes wrong, said Dan Schnur, a former spokesperson for Gov. Pete Wilson, who now teaches political communication at the University of Southern California and University of California, Berkeley. There’s no set timeline for appointments, and it depends almost entirely upon the urgency to fill the job and the quality of applicants, but in his experience, taking more than a year to appoint is an unusually long amount of time.

“Either they’re going through a painstaking process to pick the right person, or it slipped through the cracks, and there’s no way to know which of the two it is,” he said. “Unless you find a unicorn who’s willing to forego that kind of financial compensation in exchange for public service, you’re already starting out with a compromise.”

There have been four full-time commanders before the current acting commander.

Keith Tresh was appointed by former Gov. Jerry Brown and acted as commander from 2016 to 2018. He is now chief information security officer at consultancy firm AMEG. Mario Garcia served as acting commander from 2018 to 2020 and now works as state coordinator for the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Jonathan Nunez was appointed by Gov. Newsom in 2020 and now works as an analyst at consultancy firm Gartner. David Lane served as acting commander for an unspecified period in 2022. Deputy Director of Homeland Security Tom Osborne is also the acting commander.

Tresh previously served as chief information security officer for the states of California and Idaho and was the first Cybersecurity Integration Center commander. He said he jumped at the opportunity because the job acts as a second set of eyes for public institutions like city and county governments, not just the state of California.

“We helped school districts and regional transit authorities when they had breaches,” he said. “That’s why I think it’s absolutely a perfect position to continue on.”

Cyber attacks on public institutions like local governments, hospitals, and school districts are on the rise. Hospitals and health care providers are still recovering from a ransomware attack that affected payment processing for Change Healthcare, which processes roughly half of all health care claims and payments nationwide.

The Cybersecurity Integration Center receives reports when a school district, state agency, or private company experiences a data breach. The center also receives threat reports from federal agencies such as the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Homeland Security.

Former Gov. Jerry Brown created the cybersecurity agency in 2015 to operate within the governor’s Office of Emergency Services. It works with the Department of Technology to investigate and report incidents and helps restore operations after an attack. Director Liana Bailey-Crimmins told CalMatters in an interview in February that her agency works closely with the Office of Emergency Services to address the needs of the state as they fill key positions so they never miss a step.

A spokesperson for the governor’s Office of Emergency Services said Osborne is serving as acting commander while the governor carries out a nationwide search for a qualified candidate.

Over the past month, CalMatters repeatedly asked for details about data breach reports and compliance with additional duties assigned to the commander and cybersecurity integration center by a five-year cybersecurity plan approved in 2021 (PDF) but received no comment.

The last time the state compiled a report detailing the types of data breaches, the number of records compromised, and the number of Californians affected in cyber attacks was back in 2016 (PDF) before the cybersecurity integration center existed.

CalMatters reached out to the office of Attorney General Rob Bonta for the latest data breach report. The attorney general’s office referred CalMatters to the cybersecurity center, which did not share new information but said it would post new data publicly later “this spring.”

After audits found that state agencies were woefully unprepared for cyber attacks, California Assemblymember Jacqui Irwin, a Democrat from Thousand Oaks, coauthored a 2018 law that made the Cybersecurity Integration Center a permanent state agency and required development of a state cybersecurity strategy. Irwin, who is also chairperson of the Assembly cybersecurity committee, told CalMatters in a statement that finding a new commander has not been easy.

“The state has struggled to recruit and retain cybersecurity specialists, just as many businesses have, with their skill set in high demand,” she said.

Competition with private sector

Former state cybersecurity employees told CalMatters they think it’s difficult for the cybersecurity center to keep commanders because the pay is less than for similar jobs in the private sector. State employees may treat an acting commander — who will be in the job temporarily — differently than a commander appointed by Newsom.

A former cybersecurity center employee who spoke to CalMatters on background for fear of professional reprisals said the biggest issue with the position is the lack of real authority; the commander has limited capacity to act and hold people accountable.

Public agencies, especially in California, are major targets for cybercriminals seeking confidential information or just want to cause panic, said Steven Ward, a cybersecurity fellow at center-right think tank R Street Institute and former digital forensics examiner for law enforcement agencies in Sacramento.

Ward said the vacancy reflects several trends: First, the cybersecurity threat landscape moves quickly, and public agencies move slowly. Second, it mirrors a larger cybersecurity workforce shortage. California has the second-highest in the U.S., according to a 2022 report (PDF) by the nonprofit International Information System Security Certification Consortium.

Third, public agencies can’t compete with the pay and benefits offered by private companies. Another 2022 study found that the private sector pays 14% more than government agencies. The pay gap creates a situation in which entry-level employees guard highly sensitive systems. It’s hard to say what the consequences of the vacancy are, but since the center develops the state cybersecurity strategy and is a hub for sharing attack threat information and how to patch vulnerabilities, Ward said he’s worried that the acting director might be spread too thin.

“It definitely needs to be filled,” he said. “It’s important that this type of work continues without interruptions.”