The center comes after the governor signed a bill that will bring three major universities together to get the center up and running, at least at some capacity, by Oct 1.
The center of excellence (COE) is intended to supplement the state CIO’s work, per the bill. It’s tasked with responsibilities like developing the state’s cyber workforce, conducting research and development, coordinating information sharing and pursuing federal cyber funding. It will also provide cybersecurity services to local governments, libraries and school districts, and it will advise the governor, CIO and Legislature on cyber matters.
Portland State University (PSU) will host the center and operate it jointly with Oregon State University (OSU) and the University of Oregon. While the bill calls for a sweeping array of cybersecurity initiatives, the center’s first efforts will likely focus on building a community of stakeholders and on workforce development.
The universities also aren’t starting from scratch.
With the bill’s passage, “we’re very excited to be able to formally do a lot of these things we were already doing at some level, but without a lot of resources,” said Rakesh Bobba, an associate professor at OSU’s School of Electrical Engineering and Computer Science.
Expanding OSU’s existing Research and Teaching Security Operations Center (ORTSOC) will be one essential piece, said Birol Yeşilada, who is expected to become director of the cyber COE. Yeşilada is a PSU professor, endowed chair and former director of its Hatfield Cybersecurity and Cyber Defense Policy Center. He is now stepping down from his various responsibilities to focus full time on the cyber COE.
Bobba said the ORTSOC gives students hands-on training while providing cyber services like network intrusion monitoring to a few entities, including a small city and a nonprofit. State funding provided under the new legislation — along with monies from other sources — will allow the teams to scale up and serve more entities. Even so, Bobba expects the ORTSOC will need to start charging a small fee for its cyber services, to become “self-sustaining.” The ORTSOC also must prioritize helping entities that have IT staff and are able to work with them to receive services.
Other education institutions are involved in the COE, too, beyond the three lead universities. The new legislation also contributes funding toward various cyber programs, including cyber degree and certification programs at a few higher education institutions as well as the NW Cyber Camp, which serves high school students and has often had to rely on an unsteady stream of private donations.
Bobba said there have been ongoing efforts to better align cyber curriculums across higher ed institutions and to make the landscape easier for students to navigate. The state funding paves the way to advancing some of these goals, including creating a single website where Oregon students interested in cyber can view the available program options in the state.
Still, the designated monies don’t address all the COE’s needs, which is perhaps unsurprising in a year when the Legislature considered bills with collective funding asks that far outstripped the budget. Bobba said financial constraints necessitated axing a measure from the final legislation that would’ve required the COE to update the Legislature every two years with a report about the cybersecurity resilience of non-state public entities. But Yeşilada said that’s an important activity he hopes can be achieved later. He also said the center received less than half of the requested operations funding and expects to return to the Legislature midyear for additional requests.
To raise public cyber awareness, Yeşilada said the center intends to hold online discussions with expert speakers, and it will also convene regularly with stakeholders to discuss gaps and needs. One key role of the center will be to foster a community of stakeholders that reaches beyond state government, and which can work together to address cyber problems as well as support each other should they suffer a cyber attack, Bobba said.
The community voice will also come via a to-be-formed Cybersecurity Advisory Council. A previous version of such a council had fallen inactive and this will relaunch and expand, Bobba said. The new advisory council will include 15 governor-appointed voting members reflecting tribes, counties, education service districts and others, as well as six nonvoting members appointed by other state officials.
Plenty of practical work lies ahead before the COE’s October launch. The team needs to establish an operating agreement among the universities and a charter for the center and hire and appoint to fill key administrative positions. Yeşilada’s confirmation to the top post — anticipated, but unfulfilled as of Monday — is another key step and will allow the state to transfer over files to him.