California’s outgoing cybersecurity commander says the state is mismanaging its limited cybersecurity resources by letting unqualified officials set priorities.
In an exclusive interview with CalMatters, the commander, Edward Bómbita, said the agency should become independent.
Bómbita was terminated from the state’s top cybersecurity post in a phone call from the governor’s office Sept. 23; his last day is Friday. He had been on the job less than a year but repeatedly found himself at odds, he said, with officials at the Office of Emergency Services. That agency oversees the one Bómbita ran, the Cybersecurity Integration Center, through its Homeland Security division.
In Bómbita’s telling, he wanted to focus on protecting critical water and electrical infrastructure and helping small cities and schools protect themselves online; the Office of Emergency Services wanted him to focus on threats that had not yet impacted state networks, such as North Korean scammers seeking remote jobs or online threats against health care executives following the killing of UnitedHealthcare Chief Executive Brian Thompson.
Bómbita argues that the 80-person cybersecurity center should be independent in order to better prioritize limited resources and to avoid interference from emergency services leadership that “don’t understand cyber well enough to lead this effort.”
“In an ideal world, we would have a cybersecurity agency for the state that was an independent agency that didn’t answer to the governor or the Legislature, just answer to the people,” he said. “It’s an amazing organization, it’s just in the wrong agency and should be its own thing.”
The governor’s office did not respond to multiple requests for comment.
Office of Emergency Services spokesperson Anita Gore did not respond when asked about Bómbita’s remarks, saying only that protecting Californians from cyber threats remains a top priority for her agency.
Bómbita began his job after the state left the post vacant for more than two years.
The cybersecurity commander is in charge of protecting California’s infrastructure and economy, communicating threats to public and private partners, and assisting law enforcement agencies with investigations. Bómbita’s departure comes as the federal government’s Cybersecurity and Infrastructure Security Agency is faltering, having reportedly lost roughly one-third of its workforce since the start of the Trump administration. It is now caught up in an ongoing government shutdown with most of its employees furloughed and the rest working without pay.
Bómbita, who previously served in the California National Guard and the U.S. Navy’s Fleet Cyber Command, said he was told he was dismissed for not supporting the governor’s priorities. But he thinks he was actually fired for pushing back on decisions about how to run the cybersecurity center.
Assemblymember Jacqui Irwin, a Democrat from Thousand Oaks, authored legislation that helped create the cybersecurity center. She said it might be a good idea to consider the structure and placement of the center now that it is over a decade old. She said she’d like to work with the governor next year “to identify and hopefully adopt any recommendations for improving its outcomes for Californians.”
Irwin, who chairs the Assembly select committee on cybersecurity, called cyber attacks one of the greatest threats California faces and urged the governor to fill the commander vacancy.
A former California cybersecurity commander, speaking anonymously because of fear of professional retaliation, agreed that the Cybersecurity Integration Center should become an independent agency. The person told CalMatters the governor should make the commander position capable of carrying out independent audits of state agencies or abolish the center entirely.
“Until or unless the governor forces agencies to abide by what Cal-CSIC does and to support them, it’s going to be what it always has been, a great idea on paper,” they said.
Several Office of Emergency Services Homeland Security division employees, speaking on condition of anonymity for fear of reprisal, told CalMatters they believe it’s time to consider moving the center into a different department or making it an independent agency reporting to the governor.
“What we’ve been doing for 10 years isn’t working and the common denominator is OES so maybe we should be looking elsewhere,” one of them said.
The Office of Emergency Services coordinates state disaster responses, such as to wildfires, earthquakes and floods. Another cybersecurity employee said it is “completely out of their depth when it comes to cyber. You wouldn’t let your plumber perform surgery on you. How does it make any sense for someone who has no basis in the reality of the cyber world to dictate policy?”
These people also said that morale among cybersecurity center employees is down following Bómbita’s termination and an all-hands meeting last month where emergency services leadership declined to share a clear explanation for why he was let go. A cybersecurity center employee told CalMatters that many of their colleagues choose to work there for stability and because they believe in the mission, but following that meeting a number of people are looking for jobs elsewhere.
“Most of these jobs get paid multiple times [more] in the private sector, so I think we all believe in the mission, and so it’s very disheartening having this happen,” one said.
Bómbita was the third person appointed by a governor to serve as cybersecurity commander since the center was created a decade ago. Former state cybersecurity employees told CalMatters they think it’s difficult for the cybersecurity center to keep commanders because the pay is less than for similar jobs in the private sector and that state employees may treat an acting commander — who will be in the job temporarily — differently than a commander appointed by Gov. Gavin Newsom.
California faces a number of ongoing cybersecurity threats, ranging from malicious QR codes spread to exploit Los Angeles wildfire victims to ransomware attacks that shut down cities or compromise the personal information of millions of children nationwide.
In addition to ransomware and phishing attacks, Bómbita said California’s top cyber threats are nation-states that attempt to worm their way into U.S. networks, such as the “Salt Typhoon” attacks attributed to China, and new threat vectors posed by artificial intelligence. Last week, the cybersecurity center was tasked with compiling an AI Cybersecurity Collaboration Playbook after Newsom signed a bill into law ordering them to do so.
But perhaps the biggest threat facing California today, Bómbita said, are vulnerabilities at small public-facing institutions like cities and schools. Big cities like Los Angeles are relatively well equipped to weather attacks on their systems, but smaller entities lack the training and personnel to defend themselves, and that poses a threat to state agencies tied to them.
“The fact that state, local, tribal, and territorial organizations and critical infrastructure organizations are so underfunded, undermanned and under-experienced is something that’s really concerning to me,” he said. “It’s going to lead to major, serious issues if a significant threat actor pounces on those vulnerabilities and risks.”
