Close this search box.

We are creating some awesome events for you. Kindly bear with us.

EXCLUSIVE – Defending the City of LA’s cyberspace through an integrated, partnership-driven approach

EXCLUSIVE - Defending the City of LA’s cyberspace through an integrated

As cities get more and more connected, they are becoming more exposed, more vulnerable to cyberthreats. A cyberattack can cripple a city’s infrastructure, causing enormous damage. Hence, cybersecurity will be critical to successfully building the smart cities of the future.

OpenGov had the opportunity to speak to Mr. Timothy Lee, the Chief Information Security Officer (CISO) of the City of Los Angeles (LA). He is the first CISO for the city government, appointed to the post in September 2014. Previously, he was the CISO for the Port of LA for nearly 14 years.

LA is the second largest city in the United States, with a population of around 4 million and infrastructure supporting those residents. The city has world’s sixth busiest airport (LAX) and America’s largest container port, the port of LA. In addition, LA has a high-profile police department, the LAPD. Full time city employees number 48,000. Mr. Lee is responsible for ensuring cyber security of this extensive domain.

Top cybersecurity concerns for the City
Mr. Lee listed four major areas of concern for the City at the moment, ransomware, targeted social engineering, coordinated attacks and advanced persistent threats (APTs). These threaten critical assets, the control systems for some of which were not always designed with cybersecurity in mind.

Human errors contribute to around 95% of cybersecurity breeches. So, human security is the most important issue. The City of LA has a layered approach for this, for tackling threats like targeted social engineering and spear phishing.

The first layer is the scanning of email for malicious content before it reaches the user. A certain percentage of ransom ware attacks breach the email scan. So, there is a second layer in the form of awareness training or education programmes to teach users not to open these malicious emails.

About 30% of users still open these malicious emails, for which there is the need to have end-point security, the third layer. In the end-point security, the City of LA follows two approaches. One is the traditional anti-virus which is signature-based. Signature-based anti-virus software is not effective for detecting zero-day threats (a zero-day threat is a threat that exploits an unknown computer security vulnerability). Around 40 ransomware attacks were stopped last year, of which around 10 were zero day. So, to deal with these there is a need for data and behaviour based end-point detection and response.

Setting up an Integrated Security Operations Centre (ISOC)

When Mr. Lee joined the city had 40 departments, and each department had its own IT and its own security teams. The entire city had four major SOCs.

The problem was silos. There was no single dashboard or metric that could provide a picture of the cybersecurity posture.

“So, if the executive office wanted to know what’s going on in the city in the cybersecurity area, there was no way we could tell right away. That was the challenge,” Mr. Lee said.

Mr. Lee proposed a design for an integrated SOC. He said that the philosophy behind it was drawn from Sun Tzu’s classic text, the Art of War, which says that to win battles, you need to know yourself and you need to know your enemies.

How can that concept be applied to cybersecurity? ‘To know yourself’ means situational awareness here. ‘Know your enemies’ is accomplished by threat intelligence sharing.

Principally funded by the FY 2013 Urban Area Security Initiative Grant, ISOC is housed in the offices of the LAPD Real Time Analysis and Critical Response (RACR) unit.

The ISOC was designed with two clear objectives. “One is to provide real-time situational awareness dashboard to our stakeholders, so that they know what’s going on in the city as a whole. The second is to share the threat intelligence among stakeholders so that we can use that intelligence for prevention and detection,” Mr. Lee explained.

So, the ISOC is a platform where the citywide security events are aggregated onto one platform and translated into two things: the real-time cybersecurity dashboard and the threat intelligence sharing. The electronic dashboards can be viewed in person at the ISOC or remotely from any computer on the City’s network.

ISOC has two major categories of stakeholders, internal and external. Internal stakeholders include the police department, LAPD. The external stakeholders are federal partners, such as FBI and Secret Service. There is also have a third-party threat intelligence that is subscribed to. All the information is collected into the ISOC platform, translated into the situational awareness dashboard and then shared. 

Mr. Lee said, “The ISOC is a platform for not just collecting information. We also provide the information back to our stakeholders.”

When the ISOC was started, around 3 million citywide security events were being fed in per week. Today around 1 billion security records are added per day for correlation and extraction to the threat intelligence dashboard.

Mr. Lee gave a few examples of the effectiveness of ISOC, “Last year, we blocked about 40 ransomware attacks through ISOC. Right now, on an average, we are blocking 8 million intrusion attempts per day. In 2016, we stopped about 49,000 botnets.”

ISOC also discovered threats that were targeted at the finance sector. That information was shared with the financial institutions through our federal law enforcement partners.

Current initiatives – Cybersecurity awareness, Critical asset protection and Cyber Lab

Mr. Lee talked about three programmes, which build on the integrated SOC. The first, a short-term initiative, is to conduct a citywide security awareness campaign. All city employees will have to complete a mandatory cybersecurity awareness training.

Another initiative, a mid-term one, is critical asset protection. The critical digital assets will be identified and using the NIST cybersecurity framework, strategies will be built to Protect, Detect, Respond, and Recover from cyberattacks for each of them.

The third initiative was the launch of the LA Cyber Lab, announced on August 16, 2017. Mr. Lee described the Cyber Lab as a prevention-focused public-private partnership in the area of cybersecurity.

“From the public side, we have the city government and the federal government, law enforcement, and also institutes of higher education. From the private side, we have two major stakeholders, the LA business community and the security vendors or security solution providers,” Mr. Lee said.  

The City is facilitating this collaboration. A three-phase approach is being adopted. The first phase is about threat intelligence sharing. Cybersecurity threat intelligence will be shared with LA business communities and also residents. The lab will share threat information and indicators of compromise (IOC) to members for prevention and detection of attacks. Members can also receive automated updates of IOC to their own cyber defence systems. There is no cost or obligation of membership.

We asked Mr. Lee if the City would go beyond intelligence sharing and help the business community to tackle the threats. He replied that the businesses have their own IT and security teams. But the City government can be a bridge between business and law enforcement. If a LA business suffers from a cybersecurity incident, and they need help from federal or local law enforcement, the City government can provide the required communication channel.

Earlier businesses didn’t know who to call, especially with the many different agencies dealing with cybersecurity issues. For instance, Homeland Security has a cybersecurity team, there is US-CERT, the FBI has a cyber division and so on. In this scenario, the City government can serve as a single point of contact and help the businesses to communicate with law enforcement in responding to critical cyber incidents.

In Phase 2, there will be mutual threat intelligence sharing between the security companies, federal nad local law enforcement through machine-to-machine communication.

In phase 3, the goal is to turn the cyber lab into an innovation incubator. From the private side, solution providers can use the cyber lab to introduce and test new technologies. At the same time, higher educational institutions would be able to use the cyber lab as a platform to conduct research. Student can obtain hands-on experience of cyberattacks and cyber defence, thereby helping train the next generation of cybersecurity professionals.


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


CTC Global Singapore, a premier end-to-end IT solutions provider, is a fully owned subsidiary of ITOCHU Techno-Solutions Corporation (CTC) and ITOCHU Corporation.

Since 1972, CTC has established itself as one of the country’s top IT solutions providers. With 50 years of experience, headed by an experienced management team and staffed by over 200 qualified IT professionals, we support organizations with integrated IT solutions expertise in Autonomous IT, Cyber Security, Digital Transformation, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Well-known for our strengths in system integration and consultation, CTC Global proves to be the preferred IT outsourcing destination for organizations all over Singapore today.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and business services provider. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity and service.