HAGÅTÑA (The Guam Daily Post) — Additional funding, along with workforce development and training, appear to be some of the key factors to bolstering cybersecurity capacity on Guam, according to discussions Tuesday at a legislative roundtable hearing on cybersecurity within the government of Guam.
Frank Lujan, the chief technology officer and director of the Office of Technology, said the agency has encountered “tactical pain points” that impact the ability to fulfill its responsibilities. In addition to procurement issues and conflicting law, these include funding concerns.
“Budget constraints limit our capacity to make essential cybersecurity investments and upgrades,” Lujan said Tuesday.
OTECH’s budget has essentially remained stagnant since the tech chief came onboard in 2015. The agency’s funding was $3.5 million at that time. It is now about $3.7 million, according to Lujan. To properly address its responsibilities, consultants estimate that OTECH’s budget should be in the double-digit million-dollar range, Lujan added.
“I think if we enter into what I call the double-digit arena, we would have at least a good foothold on addressing the day-to-day operations, the different types of actions and resources we actually need,” Lujan said.
Moreover, OTECH is grappling with a shortfall in skilled tech professionals on island. Lujan said the shortage not only hinders the office’s ability to counter emerging cyberthreats effectively, but also “underscores the urgent need for strategic investments in education, training and recruitment.”
Later in the hearing, Lujan would say that OTECH can detect physical breaches within its network and stop them, but it can’t perform forensics, “to understand what happened, who actually penetrated our network and why it happened.” This is an example of an overall issue with its workforce, according to Lujan.
“The good news overall is … none of these breaches were able to penetrate any of our data. They were just recognized signatures by our sensors, and we were able to stop it. … But going back to the issue on budget, it is something that needs to be debated and seriously looked at,” Lujan said.
Concerns or issues with workforce capabilities extend to other agencies as well.
GMH
Vincent Quichocho is the administrator of the information technology department at the Guam Memorial Hospital Authority, which detected unauthorized access to its hospital network in March, prompting a network shutdown that lasted more than a week.
Quichocho said his department is trying to create a network infrastructure and cybersecurity section, which will require the creation and recruitment of certain positions, such as a cybersecurity certified director and support staff.
“Currently, we really don’t have cybersecurity certified staff. But we have some cybersecurity-trained staff,” Quichocho said, adding that his department is creating new cybersecurity policies and procedures for GMHA, as well as annual mandatory cybersecurity training for all hospital staff.
GPA
Melvyn Kwek, chief information technology officer for the Guam Power Authority, said the recent increased focus on cybersecurity has come with increased participation from federal partners. But, like other agencies, GPA is challenged with funding for new technologies and the limited skill set available on island.
GPA is working with Guam Community College to bring in computer science students to work at a cybersecurity program at the power utility and build up local talent, Kwek said.
Guam also is dealing with “an advanced adversary” in the cyber realm, Kwek noted.
“North Korea, China, they probably have rooms where they just focus on Guam. Whereas we just have one or two people in our IT department focusing on (cybersecurity). They have unlimited resources, they’re paid to do this. And we’re paid to protect (from) them from 8 a.m. to 5 p.m. only,” Kwek said.
Those sentiments were echoed by Robert Rabago, management information systems administrator at the Judiciary of Guam.
“We need a solid group out there that can just keep their eyes on it 24 hours because you can’t keep up with this,” Rabago said.
Plan
Guam Homeland Security/Office of Civil Defense announced Monday in a press release that Guam’s Cybersecurity Plan had been approved by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency.
“As the government of Guam provides many critical services, such as health care, utilities, education and public safety, which own or manage sensitive data, the protection of Guam’s information assets from an intentional attack or unintentional misuse is paramount to the government’s ability to continue to provide critical services to the people of Guam,” GHS/OCD said in the release.
“The completion of the cybersecurity plan to protect the island against any cyber-related threats, regardless of their source, include but are not limited to terrorists, nation-states, criminal organizations or enterprises or human error,” the release stated.
The plan was developed among the Office of the Governor, the Office of Technology, the Mariana Regional Fusion Center, GHS/OCD, U.S. Coast Guard Sector Guam and other government of Guam, federal, military and private organizations, according to the release.
