How California Is Improving Cyber Threat Information Sharing

The California Cybersecurity Integration Center alerted its partners to the Thomas Fire along Interstate 5, before the largest wildfire in the state’s modern history was phoned in last December.

Someone had taken to Twitter to first report the blaze, and Cal-CSIC’s media scrapers—which plug into its automated threat feed—noticed.

Cal-CSIC, pronounced “cal-sick,” was created by Gov. Jerry Brown’s executive order in August 2015 to prioritize cyber threats to public sector agencies and expand into the private sector.

Maxim Kovalsky, senior manager of cyber risk services for Deloitte, told Route Fifty there were concerns about convincing companies to partner in the effort. “Naturally I think there’s a reluctance to share information from members of these kinds of collectives,” he said.

Deloitte, a New York City-based consulting firm, has worked with Cal-CSIC since its inception to share threat information at pace with cyber criminals’ activities. A tech stack, or framework, was developed to detect bad behavior and automatically flag and send the information to Cal-CSIC.

But the private sector, in particular, is protective of its data, so memorandums of understanding have been established with partners—among them three state agencies, a large bank and a major Northern California utility about how Cal-CSIC can use their information.

“Once we started doing what my analysts were doing with the data, we’ve actually had a few really big wins,” said Keith Tresh, Cal-CSIC commander. “We are definitely looking into expanding.”

Two cities may soon be joining the automated threat feed program, which has eight partners and is carefully adding others due to staffing limitations. In Cal-CSIC’s business plan, it’s considering onboarding every city and county in the state over a four- to five-year period.

When Cal-CSIC pinpoints a cyberattack, it reaches out to the victim or victims and recommends action to them, as well as other partners that may still be threatened.

For instance, if a system is infected with malware or reaches out to a malicious domain, that information is shared with Cal-CSIC.

“We want to know what IP and what domain that malware reaches out to—how many calls in what period of time,” Kovalsky said.

Sometimes the malware may communicate with the domain of a legitimate website that’s been compromised by a threat actor in a single attack. In those cases, you don’t want to blacklist the site forever but block it for a few days, Kovalsky said.

Cal-CSIC has made strides lowering its rate of false positives, like that, and false negatives, Tresh said.

In February 2017, authorities evacuated 188,000 residents near Oroville after a hole opened in the local dam’s spillway threatening flooding. Officials at Cal-CSIC became concerned about what might happen if a cyberattack leveraging industrial control system data was able to open the dam’s floodgates, Tresh said.

Cal-CSIC works closely with the state’s Critical Infrastructure Protection team to monitor for such possibilities.

“We’ve seen a lot of attacks coming from nation states looking to probe or test critical infrastructure protection,” Tresh said.

Russia targeted Ukraine’s electrical grid in a December 2015 cyberattack, successfully shutting down service, in what was likely a test of hacks it might carry out in the U.S., Tresh said. Open source information shows that, since 2015, the administrative systems of several water treatment dams have been hacked but not the systems that could shut them down or open the floodgates, he added.

The health care and banking industries are two other big cyber targets. When vulnerabilities were discovered in automated syringes that could lead to them being remotely activated, Cal-SCIC sent an advisory to health care industry partners about the syringes’ make and model and how to remediate potential attacks, Tresh said.

Cal-CSIC happens to be located in the same place with the California State Threat Assessment Center focused on preventing terrorist and other physical attacks.

When protests occur at places like the University of California, Berkeley, Cal-CSIC monitors local law enforcement websites in case a denial-of-service attack or defacement occurs, but nothing major has happened yet, Tresh said

The vast majority of attacks, 80 to 90 percent, remain financially motivated from bad actors who don’t care whether they’re hitting a hospital or utility, Kovalsky said, so identifying opportunistic threats is just as important as monitoring industry trends.

Currently, Cal-CSIC is working on identifying threats by sector to warn partners of possible incoming attacks more quickly. The threat feed program was able to warn California ports of a cyberattack on Danish shipping group Maersk in June 2017 and minimize the risk, Tresh said—not that he’s taking that for granted.

“We are not where we need to be yet,” he said.