The Cyber Intrusion Command Center was born out of an executive directive by Mayor Eric Garcetti that called for a 24-hour operations center to monitor cyberthreats facing the Los Angeles area. The center is operated by the Los Angeles Police Department, but administrative members come from across city and federal agencies. The center, which launched in November 2013, isn’t just technology used to scan for threats, but is a way for city government to establish a more mature model for cybersecurity governance.
The command center concept began in October as weekly meetings between the chief information security officers of all the city’s departments. Cooperating with their counterparts from the U.S. Secret Service and FBI, the group gathers to discuss common threats, strategies and methods of neutralizing cybersecurity threats. The idea, CIO Steve Reneker said, is to make better use of the city's staff and tools as it faces a growing number of cyberattacks.
Statistics on the number of cyberattacks aimed at Los Angeles were not available, but reports in recent years have shown an increase in the number of attacks facing the United States overall. IBM reported in April 2014 that 2013 saw a 12 percent increase in security events over the previous year, tallying more than 91 million events. The Verizon 2014 Data Breach Investigations Report analyzed more than 63,000 security incidents in 2013, an increase from 47,000 incidents reported the previous year.
“We’ve now inventoried all our systems; we now have discussed how we’re patching and hardening our infrastructure,” Reneker said. “The next step is following the NIST framework as our bible, if you will, on how we’re going to structure and making sure we’ve implemented those best policies and procedures to build our centralized security operation center.” In February, the National Institute of Standards and Technology released its Framework for Improving Critical Infrastructure Cybersecurity, a 39-page guidebook that Los Angeles will use to govern its cybersecurity.
The 24-hour center also actively monitors all physical police events happening around the city, allowing officials to ensure that those incidents are being managed properly. But it’s an overall improved governance of operations that the organization really hopes to achieve, Reneker said. If something happens in one of the city’s airports, for instance, officials don’t want to handle the situation and forget about it — the information is to be shared with all other agencies and relevant federal counterparts to ensure everyone is aware of what’s happening and also the best way to handle the situation.
The first event the command center was faced with came in December, Reneker recalled. An infection of the CryptoLocker ransomware trojan was identified on one of Los Angeles' computers. CryptoLocker encrypts files on the local drives and mapped network drives of an infected Windows machine and demands a ransom from the user in exchange for the key to recover them; because it reaches shared drives, a single infected desktop can damage files belonging to other departments, which is why identifying and isolating the infected host quickly matters. The city solved the problem, Reneker said, and didn't have to pay any ransom.
“We were able to identify the source, we were able to block that from occurring on any other site, and then we also worked with the individuals to find the level of problems that came across,” he said. “We also worked with our federal counterparts to find out, ‘Is this a hoax? Is this for real and how should we take a look at investigating that particular event?’ That’s one example of how we’d handle a particular event to ensure it didn’t spread throughout the city, and to make sure that we capture the evidence that was there and available rather than just blow it away, put in a new desktop and pretend the event never occurred.”
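The "identify the source, stop it spreading" step described above can be automated on a file share. The following is an added example, not code from the city of Los Angeles or from the article: it runs a CryptoLocker-style heuristic over a constructed batch of file-share write events (near-random content written over a file that was also renamed, in a burst from one client) and names the client workstation to isolate. The event format, the client names, the entropy threshold and the burst parameters are all assumptions made for the demonstration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta
from random import Random

ENTROPY_THRESHOLD = 7.0            # bits/byte; ciphertext and compressed data sit near 8.0
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 5                    # suspicious rewrites from one client inside the window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(event: dict) -> bool:
    """CryptoLocker-style signature: near-random bytes written to a file that was also renamed.
    A hand rename (plaintext content) or a saved archive (no rename) does not match."""
    return event["renamed_from"] is not None and shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD


def find_ransomware_sources(events: list) -> dict:
    """Return {client: {"first_seen": ts, "files": n}} for every client whose suspicious
    writes reach BURST_COUNT within any BURST_WINDOW (sliding window, per client).
    The client named here is the host to isolate; `files` scopes the damage."""
    per_client = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspicious_write(ev):
            per_client.setdefault(ev["client"], []).append(ev)
    sources = {}
    for client, evs in per_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                sources[client] = {"first_seen": evs[start]["ts"], "files": len(evs)}
                break
    return sources


def build_sample_events() -> list:
    """Constructed file-share audit events for the demonstration; not real city data.
    Hypothetical client names and UNC paths."""
    rng = Random(2014)                     # fixed seed: the sample is reproducible
    t0 = datetime(2013, 12, 2, 9, 0, 0)
    plaintext = b"Quarterly budget summary, column totals pending review.\n" * 20

    def noise(n=1024):                     # stand-in for ciphertext or compressed data
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    # Normal office activity: plaintext edits in place from three clerk workstations.
    for i in range(6):
        events.append({"ts": t0 + timedelta(minutes=i), "client": f"ws-clerk-{i % 3:02d}",
                       "path": rf"\\fileshare\finance\report{i}.docx",
                       "renamed_from": None, "data": plaintext})
    # Edge case 1: a user renames a file by hand (plaintext content) -> not flagged.
    events.append({"ts": t0 + timedelta(minutes=7), "client": "ws-clerk-01",
                   "path": r"\\fileshare\finance\report1-final.docx",
                   "renamed_from": r"\\fileshare\finance\report1.docx", "data": plaintext})
    # Edge case 2: a user saves a zip archive (high entropy, no rename) -> not flagged.
    events.append({"ts": t0 + timedelta(minutes=8), "client": "ws-clerk-02",
                   "path": r"\\fileshare\finance\archive.zip",
                   "renamed_from": None, "data": noise()})
    # One infected workstation rewrites eight spreadsheets as ciphertext within 30 seconds.
    for i in range(8):
        events.append({"ts": t0 + timedelta(minutes=10, seconds=4 * i), "client": "ws-finance-07",
                       "path": rf"\\fileshare\finance\ledger{i}.xlsx.encrypted",
                       "renamed_from": rf"\\fileshare\finance\ledger{i}.xlsx", "data": noise()})
    return events


if __name__ == "__main__":
    for client, info in find_ransomware_sources(build_sample_events()).items():
        print(f"isolate {client}: {info['files']} files rewritten, first seen {info['first_seen']}")
```

The two edge cases are deliberate: entropy alone would flag every saved archive, and rename alone would flag every user tidying up filenames, so the heuristic requires both signals plus a burst from one client before naming a host. In production the events would come from SMB audit logs or file-server change journals rather than a constructed list, and the output would feed a quarantine action (switch port or firewall rule) and the evidence-preservation step Reneker describes, rather than a reimage.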
So far, the main focus of the organization has been to get better organized with the city's intelligence, but over the next 12 months, Reneker said, the focus will also shift more heavily toward technology. The group will try either to integrate its tools into a single security operations center at the LAPD or to standardize on a smaller set of common tools, so that multiple agencies can be sure they are looking at a common operating picture.