California Cybersecurity Integration Center

The California Cybersecurity Integration Center’s primary mission is to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in our state.

Mission

The California Cybersecurity Integration Center’s (Cal-CSIC) mission is to reduce the number of cyber threats and attacks in California. The Cal-CSIC’s focus is to respond to cyber threats and attacks that could damage the economy, its critical infrastructure, or computer networks in the state.

The Cal-CSIC is the hub of state government’s cybersecurity events. The Cal-CSIC will coordinate information sharing at all levels of government agencies, utilities and other service providers, academic institutions, and nongovernmental organizations.

The Cal-CSIC will publish a statewide cybersecurity strategy. The strategy will take recommendations from the California Task Force on Cybersecurity and follow state and federal requirements. The cybersecurity strategy will improve how cyber threats are found, understood, and shared. The strategy will strengthen cyber emergency preparedness and response, standardize data protection measures, enhance digital forensics, and increase cyber investigative capabilities, supply lessons learned to California’s workforce of cybersecurity professionals, and expand cybersecurity awareness.

The Cal-CSIC will supply a Cyber Incident Response Team to serve as California’s primary unit to lead cyber threat detection, reporting, and response to public and private entities across the state.

The Incident Response Team will aid law enforcement agencies with jurisdiction for cyber-related criminal investigations and work with agencies responsible for advancing information security within state government.

Cal-CSIC information sharing will protect the privacy and civil liberties of individuals and preserve business confidentiality. Cal-CSIC will publish Cyber Threat Alerts and Advisories that will supply cybersecurity threat information between Federal, State, Local, and Tribal government entities. Advisories and Alerts are shared with private sector partners.

Cal-CSIC Analysts will collect and analyze phishing emails to document relevant information about the attacker and the Indicators of Compromise (IOCs). These IOCs are added to the California Automated Indicator Exchange and are accessible to all partner entities.

The California Cybersecurity Integration Center is composed of three branches that mutually support the Commander’s mission.

Cyber Operations Branch Services

  • Incident Response
    • Reactive
      • Rapid Response
        • Threat Identification
        • Threat Containment
        • Threat Eradication
    • Proactive
      • Security Assessments
        • Network Perimeter Vulnerability Scan
        • Dark Web Review (Credentials & Data Dumps)
        • Net Flow Traffic Analysis
        • Free 30-Day License for an Endpoint Detection and Remediation Tool
  • Digital Forensics
    • Hard Disk Forensics
    • Memory Forensics
    • Network Forensics
    • Malware Analysis

Cyber Threat Intelligence Services

  • Tactical
    • Intelligence Collection and Analysis
      • Intelligence Aggregation
      • Intelligence Origination
      • Cyber Threat Analysis
      • Intelligence Governance
    • Vulnerability Analysis
    • Attack Surface Reduction
      • Network Footprinting
      • Cyber Risk Analysis
      • Prioritized Vulnerability Reporting
      • Critical Vulnerability Patch Validation
  • Strategic
    • Planning and Coordination
      • Dissemination
      • Intelligence Objective Prioritization
      • Intelligence Collection Planning

Mission Support Branch Services

  • Digital Forensics
    • Cyber Policy and Strategy Generation
    • Knowledge Management
  • Vendor Management
    • Product Support
    • Relationship Management
  • Partner Integration
    • Onboarding and Partner Success
  • IT Engineering
    • IT Project Management
    • System Engineering and Development
  • Metrics Collection and Reporting
    • IT/Cyber Investment Management
    • Metrics Reporting and Governance

The purpose of this Emergency Support Function (ESF) #18: Unified Cyber Command Annex is the following:

  • establish a unified understanding of key cyber concepts and terminologies
  • provide a system to evaluate the severity of a cyber incident
  • assign roles and responsibilities to City stakeholders

The plan is specifically focused on priority SEVERE or EMERGENCY cyber incidents, when the City’s Emergency Operations Center (EOC) is activated to:

  • coordinate key processes for sharing threat intelligence
  • develop situational awareness
  • manage operational response in a cyber-disrupted environment

Scope

The ESF #18: Unified Cyber Command Annex plan addresses cyber incidents that have degraded, damaged, or destroyed, or could potentially degrade, damage, or destroy, information systems in City Departments, Agencies, Offices, and Commissions. Particular focus will be given to cyber incidents affecting City government critical functions and infrastructure, including:

  • Medical/Healthcare Services
  • Government/Public Safety Services
  • Financial/Banking Services
  • Transportation/Transit Services
  • City’s Telecommunications Services
  • City’s managed Lifelines – Critical Infrastructure
  • City’s Radio Infrastructure
  • City and Department IT Networks
  • City and Department Enterprise Technology and Applications

Unified Cyber Command Incident Response Process

Phase: Objective
  1. Preparation: Identify activity or work that should be completed to make the response successful
  2. Reporting and Detection: Provide a channel to report suspected incidents and verify that an incident has occurred
  3. Analysis, Notification and Detection: Understand the incident and begin notifications and escalations
  4. Containment: Stop the incident from spreading further and eliminate further damage
  5. Eradication: Determine the root cause and fully eliminate it, as well as the symptoms, everywhere
  6. Recovery: Return to normal operations
  7. Post Incident Review: Close out the incident and determine areas for improvement

Analysis, Notification and Escalation

During the analysis phase, the affected City Department coordinates with the City Cyber Defense team. This involves recording available reporting observations, assessing potential incident severity, and determining the type of incident that has occurred. In general, this phase requires the City Cyber Defense team to review playbooks, collect and analyze information, and decide on next steps.

This phase has the following goals:

  • If necessary, confirm the validity of information provided in the initial lead
  • Determine whether the event is a cause for concern or a false positive
  • Determine whether further investigation is warranted
  • Determine priority of the incident
  • Determine need to activate City’s Emergency Operation Center
  • Determine immediate Remediation steps

Cyber incidents may be difficult to identify, and their impacts may not be immediately apparent. As a cyber incident develops, timely and flexible coordination is needed to alert and notify key stakeholders. Based on the information provided, additional stakeholders will be identified, and the DEM Director will determine whether the EOC will be activated to Level II (Partial). If there is no change in the EOC activation level, the City Cyber Defense Team and DEM will establish a timeframe for further briefings.

In early October 2021, the California Department of Technology (CDT) announced Cal-Secure. At its core, Cal-Secure is a five-year information security roadmap designed to increase cyber resiliency amongst California State Agencies. It implements a process that results in developing a world-class cybersecurity workforce. This effort will bring people, processes, and technologies together in a joint and cohesive effort to increase the cybersecurity protective posture for the State of California.

This chart shows the Cal-SECURE priorities to reduce risk.

Cal-CSIC Commander (Vacant)

Current duties of the Cal-CSIC Commander include:

  • Work with multi-jurisdictional stakeholders
  • Manage interdisciplinary teams charged with safeguarding information technology assets and cyber networks
  • Maintain in-depth knowledge of state-of-the-art cyber defense strategies and mitigation efforts, including hardware and software, and network protection configurations
  • Maintain knowledge of homeland security strategies, particularly with respect to California, and their interrelationship with cybersecurity policy
  • Develop and execute Budget Change Proposals

State, local, and tribal governments, non-governmental organizations and the private sector can partner with the Cal-CSIC by registering to receive Alerts and Advisories, sharing IOCs and cyber incident reports, and connecting to the California Automated Indicator Exchange.

Email the Cal-CSIC at calcsic@caloes.ca.gov to learn more about sharing IOCs and connecting to the California Automated Indicator Exchange.

Report cyber incidents to the Cal-CSIC at (833) REPORT-1 or calcsic@caloes.ca.gov.