While the 2017 regular legislative session wrestled with many contentious issues, from sanctuary cities to plastic bag bans, members from both sides of the aisle united to pass cybersecurity legislation for Texas state agencies and institutions of higher education.
The need for tougher cybersecurity measures for state systems was obvious, says Texas Rep. Giovanni Capriglione, noting the state’s reliance on legacy hardware and software systems dating back to the 1980s.
“As the use of technology increases in our daily lives, it’s more important than ever that private citizen data held by the state is protected,” Capriglione says.
Governmental agencies, increasingly reliant on aging computer systems and the internet, are prime targets for cybercrime; a 2018 national survey of state chief information officers noted dozens of security breaches in the preceding 12 months (Exhibit 1). And more than the agencies themselves are at risk. Government systems store confidential personal and business data including Social Security numbers, federal tax IDs, employer identification numbers and more — all cybercriminals need to commit identity theft and credit fraud.
Exhibit 1: Security breaches reported by state chief information officers in the preceding 12 months

| Type of Breach | Number Reported |
| --- | --- |
| Malicious code (e.g., viruses, worms, spyware, malware, ransomware) | 28 |
| Electronic attack (hacking) | 16 |
| Physical attack (e.g., stolen computer systems) | 14 |

Source: 2018 Deloitte-NASCIO Cybersecurity Study
After becoming aware of the need to upgrade Texas’ cybersecurity systems, Capriglione filed House Bill (HB) 8 and HB 9 in the 2017 regular legislative session and saw both become law.
HB 8, the Texas Cybersecurity Act, provides specific measures to protect sensitive and confidential data and maintain cyberattack readiness. HB 9, the Texas Cybercrime Act, updates the Texas Penal Code to recognize several new types of cybercrime and their punishments. Both acts took effect on Sept. 1, 2017. Together, they’re intended to deliver a one-two punch against cybercrime.
“HB 8 and HB 9 were both born through discussions with technology industry experts from my district and stakeholders in Austin,” Capriglione says. “We ended up having input from more than 50 different individuals, trade organizations, private companies, cities, counties, universities and law enforcement.”
According to Capriglione’s office, the 2017 Legislature also budgeted $30.6 million for system upgrades at state agencies to protect against the loss of sensitive data due to cyberattacks (Exhibit 2). While he’s pleased with this support, he notes Texas government still has much work to do to keep up with cyber threats.
Exhibit 2: 2017 Legislature appropriations for state agency system upgrades

| Agency | Amount | Purpose |
| --- | --- | --- |
| Texas Ethics Commission | $45,780 | Disclosure database system |
| Texas Facilities Commission | $187,900 | Information security officer |
| Texas Education Agency | $5,968,000 | Implementation of the Texas Student Data System (TSDS) and ensuring student and teacher data privacy |
| Higher Education Coordinating Board | $215,000 | Security upgrades to the agency's identity and access management services |
| Higher Education Coordinating Board | $225,000 | Cybersecurity improvements |
| Juvenile Justice Department | $6,821,007 | Infrastructure refresh |
| Juvenile Justice Department | $715,606 | Cybersecurity improvements |
| Department of Public Safety | $2,240,000 | Data loss prevention system |
| Department of Public Safety | $2,200,000 | Intrusion prevention system |
| Department of Public Safety | $1,216,000 | Security system vulnerability management system |
| General Land Office | $40,000 | Data loss prevention system |
| General Land Office | $40,000 | Vulnerability management |
| Department of Motor Vehicles | $400,000 | Management systems security provider |
| State Board of Dental Examiners | $50,000 | Information technology |
| State Board of Pharmacy | $200,000 | Acquisition of information technology |

Source: Office of Texas Rep. Giovanni Capriglione
The Department of Information Resources’ (DIR’s) Network Security Operations Center “blocked 2.46 billion communication attempts from known bad actors against state agencies in just a matter of a few months,” he says. “It’s no secret that technology in government doesn’t progress as quickly as the business world around us, but for the state to still be operating systems on ‘green screens’ and computer systems that truly don’t exist anymore today is mind-boggling.”
The Texas Cybersecurity Act provided Texas state agencies and higher education institutions with a wide array of new tools to help them ready themselves for cyberattack. DIR plays a pivotal role in implementing the act.
To meet its requirements, the agency was required to provide guidelines for cybersecurity training and continuing education for all state employees who deal with information resources. A guidebook, Information Resources Employees Continuing Education Guidelines for Cybersecurity (PDF), was made available to state agencies in July 2018.
DIR also has established requirements for a biennial information security assessment and report to be completed by all state agencies. DIR compiled the results of the first round of these assessments into a report submitted to the Legislature on Jan. 11, 2019.
In addition, state agencies and institutions of higher education now must perform vulnerability and penetration testing of their websites and any mobile applications that process confidential information.
Before the Texas Cybersecurity Act, state agencies were required only to generally identify data security issues and create a broad plan to reduce risk. Now, agencies must develop and implement specific procedures, analyses and strategies into these plans. The act also requires state agencies that experience a breach or suspected breach of confidential information to notify DIR officials and, if election data have been compromised, the Texas Secretary of State, within 48 hours.
Yet another new provision requires an agency’s cybersecurity assessments and related data to be considered in the Sunset Review process. The Texas Sunset Advisory Commission works with DIR to determine the criteria and information to be collected and ascertain whether the agency under review is complying with best cybersecurity practices.
Under the act, DIR also developed a plan addressing state cybersecurity risks and incidents that was implemented during fiscal 2018. The plan included cybersecurity certification testing for state security personnel through the agency’s InfoSec Academy, which provides industry-standard certification courses; online end-user training to state agencies; monthly exercises for agency security staff; and updates to the statewide cybersecurity portion of the state’s emergency plan.
Finally, DIR has completed a comprehensive managed security services (MSS) contract with AT&T, giving state agencies, local governments and other public entities cost-effective access to security monitoring, device management, network and web application firewalls and intrusion detection and prevention. To access these services, agencies go to the DIR portal, identify their needs and place an order. DIR also vets and monitors vendor performance and ensures contract compliance.
In a 2018 nationwide survey of state chief information officers, respondents cited the following as the most common barriers to greater cybersecurity:
To keep state security strategies confidential, the Texas Cybersecurity Act made some key changes to the Texas Open Meetings Act and Public Information Act. Governmental bodies are no longer required to hold open meetings to deliberate information security assessments or deployments, network security information or the deployment of security personnel, critical infrastructure or security devices. Also, prior to posting information regarding contracts for the purchase of goods and services on the internet, state agencies now must redact information related to computer network security deemed confidential under HB 8.
The act also created select committees on cybersecurity in both the Texas House and Senate. These committees were directed to either jointly or separately study state agency cybersecurity plans and cybersecurity issues and report their findings and jointly adopted recommendations to the Legislature by Jan. 13, 2019. Both House and Senate reports have been submitted and are currently under review.
The Texas Secretary of State was tasked with conducting a study on election cyberattacks to preserve election integrity, including the investigation of vulnerabilities such as attempted cyberattacks on voting machines and registered voter lists. The study assessed the security procedures of several counties in central Texas that use a variety of voting systems. It concluded “the statewide electronic voter registration database is as secure as currently possible,” but recommended additional funding be allocated to support it in providing additional on-site assistance and advice to county election officials regarding security measures.
The Cybersecurity Act also affected the responsibilities of the Texas Cybersecurity Council, a group of private- and public-sector leaders who collaborate to develop strategies to protect critical infrastructure and sensitive information. Thanks to the act, the council’s duties now include a cost-benefit analysis of potential ways in which to mitigate and respond to cyberthreats. The first of these reports has been submitted to the council leadership, and a committee chaired by Capriglione is preparing legislative recommendations.
The other half of the 2017 cybersecurity package, the Texas Cybercrime Act, provides Texas law enforcement agencies with more robust tools for fighting cybercrimes. The act was a first step toward modernizing the Texas legal system to keep up with today’s high-tech criminal, says Capriglione.
The act amends the Texas Penal Code to include the third-degree felony offense of “electronic access interference,” in which a person intentionally interrupts or suspends access to a computer system or network without the owner’s consent. It also adds the offense of “electronic data tampering,” the intentional alteration of computer data and the introduction of malicious code such as ransomware, and “unlawful decryption,” covering the intentional decryption of encrypted private information. Penalties for both offenses (including enhancements) range from a Class C misdemeanor to a first-degree felony, depending on the aggregate dollar amount involved and whether a client or patient of a victim suffered bodily injury or death attributable to the offense.
Legitimate law enforcement and business activities, such as “white hat” internal network testing operations, are not targeted by the Texas Cybercrime Act. Capriglione says the new law is designed to encourage more law enforcement agencies, particularly at the state level, to pursue cybercrime investigations.
The Texas Cybersecurity Act and the Texas Cybercrime Act work together to give Texas government and law enforcement a much-needed boost in providing cybersecurity. As an example of how much more needs to be accomplished, Capriglione points to a malicious hacking incident of a Texas county emergency system that had serious repercussions.
“Tarrant County’s 911 system was hacked in October 2016, when an 18-year-old college student posted a Twitter link that, when clicked on, caused users to dial into the 911 network,” Capriglione says. “The Tarrant County 911 District estimates it had at least 850 hang-up calls during the attack, severely crippling response times for those who were having an actual emergency.
“While we’ve been focused on our state cybersecurity, I have been working with cities and counties to provide assistance to our local government entities and provide resources for making sure data is protected at all levels of government, like requiring local government entities to participate in regional Information Sharing and Analysis Centers to communicate with other local entities about similar cyber threats they are facing,” he says.
More legislation to further improve cybersecurity is being considered in the 2019 session. FN
Look for our Fiscal Notes Legislative Wrap-Up Issue later this year to stay up to date about new laws that will affect state government and the Texas economy.