Information security is woven into the fabric of public trust. As public servants and custodians of public data, my teams owe Oregonians a duty to protect their personal information.
Citizen expectations of privacy should not hinge on the agency with whom they are transacting — be it the Department of Motor Vehicles or Fish and Wildlife. Regardless of agency mission or size, citizens rightfully expect that their government will use technology to improve customer service while ensuring system security and consistent protection of personal information. Cyber Oregon, a newly launched effort in our state, aims to ensure just that. Given our growing interdependence, the vulnerabilities of smaller and under-resourced agencies increasingly put larger agencies and local government partners at risk of breaking that trust.
Last year, a breach at the Construction Contractors Board compromised log-in credentials for the Oregon Department of Transportation and several local governments — including Multnomah County, the state’s most populous county. The incident reaffirms the well-known adage, that “we are only as strong as our weakest link.”
While community institutions may fall outside the traditional ambit of state cybersecurity policy, our interdependence and shared information systems render individual and isolated interventions insufficient.
A long-term, unified and collaborative approach to information security is required — state agencies, local governments, schools and the private sector can no longer afford to go it alone. Cyberthreats neither respect nor acknowledge the jurisdictional boundaries separating the bodies that constitute our cybersecurity ecosystem.
Since coming into office in February 2015, Gov. Kate Brown has brought renewed focus to IT security, signing Executive Order 16-13, “Unifying Cyber Security in Oregon,” and introducing Senate Bill 90 (2017). EO 16-13 was a critical first step in addressing persistent IT security vulnerabilities and unifying IT security within the executive branch. Senate Bill 90 seeks to permanently extend this unification and establish a Cybersecurity Center of Excellence — Cyber Oregon.
Currently, Oregon lacks a state-civilian interface for coordinating cybersecurity information sharing and cross-sector incident response; performing cybersecurity threat analysis and remediation; and promoting shared and real-time situational awareness between and among the public and private sectors. Cyber Oregon would allow the state to draw on the expertise and capabilities of the private sector to develop a long-term, multisector strategy for preventing future threats.
In February, our office convened a second Cybersecurity Policy Summit, bringing together 30 participants across various sectors, including the Office of the Governor, Oregon State University, the Oregon Institute of Technology, Mt. Hood Community College, Clackamas Community College, the Oregon Association of Government IT Management, several technology vendors and the Technology Association of Oregon. Beyond participation in the summit, our partners established work groups to lay the foundation for Cyber Oregon, and are working to ensure passage of SB 90.
Our office embraced a model of collective impact that draws on a public health framework and the creation of shared value.
Cyber Oregon will provide backbone support, act in a convening role to continue refining our common agenda, establish shared metrics to measure progress and coordinate mutually reinforcing activities among our higher education, private and public sector partners.
The recognition that no one should be left behind, and a firm resolve toward action, set Cyber Oregon apart from similar state initiatives.
Recognizing that we are all in this together, we can execute a coordinated multisector approach that recognizes cybersecurity as a public good. Ultimately, we are more resilient when we stand together.