Texas Cyber Command will mean ‘expanding’ cybersecurity help, state official says
Dragos Condrea via Getty Images
By
Chris Teale
A bill to create the command is being pushed by Gov. Greg Abbott, and a Texas tech leader said it will help the state better achieve its cyber goals.
A major initiative for Texas cybersecurity took a big step forward last month after the House and Senate passed legislation to create the Texas Cyber Command.
Gov. Greg Abbott, a Republican, pushed the initiative as an emergency item earlier this year, which would take much of the state’s cybersecurity responsibilities from the Department of Information Resources and move them to a system at the University of Texas.
The effort comes as the state faces numerous cybersecurity challenges and has seen municipalities and critical infrastructure targeted repeatedly by hackers and cybercriminals backed by or linked to hostile nation-states. While details are still being ironed out, the new Texas Cyber Command could look after security operations, endpoint detection, incident response, cloud security certification and other functions currently handled by DIR.
For cybersecurity professionals in state government, that could be a good change. DIR as it currently exists is primarily a purchasing organization and is funded on a cost recovery basis, so it receives an administrative fee on every dollar spent. Having more separation between purchasing and cyber operations removes what has turned into a “little bit of a conflict of interest,” said Joshua Kuntz, chief information security officer at the Texas Department of Licensing and Regulation.
“Giving that separation gives a lot more legitimacy and trust in those processes,” Kuntz said during the Nextgov/FCW and Route Fifty Cyber Summit last week. “It's not just what's going to make the money. This is going to be best for the state in really achieving these cybersecurity goals that we have.”
The effort also presents an interesting opportunity for more collaboration with the University of Texas, whose San Antonio campus already offers one of the state’s most robust and well-regarded cybersecurity qualifications. Texas already makes use of several academic institutions, such as Angelo State University, to provide regional cyber support for its local governments, utilities and others through a security operations center.
Having a cyber command based in its flagship university system will mean even more synergy and employment opportunities for students, Kuntz said.
“It's an interesting concept as a different type of entity,” he said. “It's not necessarily a state agency, but it's not necessarily an institute of higher education program. It's this in-between layer.”
With numerous cybersecurity threats and state agencies and governments struggling to deal with them, a cyber command could be a way of reducing risk. Cities including Abilene and Mission have been hit in recent times, while Dallas struggled in the face of a high-profile cyberattack two years ago.
“In recent years, Texas has seen a marked uptick in costly cybersecurity attacks from hostile foreign nations, targeting our precious water supply,” David Dunmoyer, director for the Texas Public Policy Foundation think tank’s Better Tech for Tomorrow campaign, said in a statement. “The House passing HB 150 sends a strong signal to the world: don’t mess with Texas.”
Cyber command and the regional security operation centers are part of Texas’ whole-of-state approach to cybersecurity, which centers around sharing threat information between different levels of government and partnering with the private sector. Kuntz said everything together will help as the state carries on “expanding” its cybersecurity efforts.
Now, agencies are assessed every two years on the maturity of their cybersecurity programs, with low-scoring agencies being mandated to remediate them in a bid to reduce risk to the state. Meanwhile, cybersecurity awareness training has been made mandatory for state agencies and municipalities, which are also required to report cyber incidents within 48 hours.
“It's been a long journey,” Kuntz said. “Probably 15 years ago is when the state really started saying, ‘Hey, this information security thing is important, and we need to do something about it.’”
Getting lawmakers to understand the need to invest in cybersecurity has traditionally been tricky in virtually every jurisdiction. And that gets even more difficult given the near constant turnover in the top state technology and cybersecurity roles. But Texas is different, Kuntz said, as legislators understand the importance of investing in cyber and impress that on agency heads.
Expenditures are separate line items in an agency’s budget, while ultimate responsibility for cybersecurity rests not with an agency’s technology arm, but with its head. That keeps everyone aware of how important cybersecurity is, from the top of an organization on down.
“While you can delegate the day to day running of a security program, and you can delegate how that's done, you cannot delegate the responsibility,” Kuntz said. “It has to go all the way up to the top, because they're ultimately responsible.”