A bill newly passed in the North Dakota state Senate would overhaul the state's cybersecurity strategy, emphasizing unity and greater centralization.
In North Dakota, a state that officials say regularly faces 5.6 million attempted cyberattacks a month, IT centralization has long been viewed as a means to bolster security.
Now, legislation newly passed in the state Senate would create a unified approach to cybersecurity, giving lawmakers a road map to more centralized enforcement.
The new legislation would empower the Information Technology Department (ITD) to define cybersecurity statewide. In so doing, it would create a single strategic framework for public entities, allowing each to approach cybersecurity from a unified posture, said Sean Wiese, the state’s chief information security officer.
The new bill comes amidst a push by the state's executive branch to expand IT investment and standardize its approach. The ITD requested the bill shortly after Gov. Doug Burgum, a former Microsoft executive, filed his 2019-21 fiscal budget proposal, asking for a boost in IT funding as well as a unified cybersecurity strategy.
Burgum asked for an investment of $16.4 million to assist with centralization, as well as $174 million in overall funding to pay for 24 IT projects that focus on improved public safety and government functionality. Burgum has also suggested that 145 employees from 17 different cabinet agencies be realigned into one shared IT organization, to better address the state’s security risks.
If enacted, the new legislation would give ITD the power to oversee and advise on cybersecurity matters for all of the state’s 400 public entities, including state agencies, school districts, institutions for higher education, cities and counties. Additionally, the ITD would assist both the executive and judicial branches with cybersecurity as needed, while also consulting with the attorney general.
Currently many of the state’s entities manage their own cybersecurity independently, a fact often viewed as a potential liability. The new bill would put everybody on the same page, making sure all entities “march to the beat of the same drum, from a strategic perspective,” Wiese said.
In many ways, this push toward unity mirrors national trends. In recent years, states have moved toward greater centralization of IT and cybersecurity, partially as a means of protecting against the growing prevalence of online attacks. In North Dakota, where centralization has long been a priority, threats from cyberattacks are “growing daily,” according to Burgum’s budget proposal.
The state may be attractive to attackers for a number of reasons, including its strong military presence, its high level of petroleum production, or its involvement with precision agriculture, all systems that have the potential for exploitation, according to officials.
SB 2110 has already gone through a variety of changes and adjustments, said Wiese. During the last month, the bill was reviewed by the Senate Political Subdivisions Committee, and was subsequently amended to shift its language from regulation to oversight and advisement. During this process, supporters of the bill voiced concerns about cyberattacks, while some critics noted a need to define separation of powers within the legislation.
“We’ve had a lot of iterations of this bill,” the CISO said, adding that the legislation has gone through numerous revisions based on input from a variety of groups. “We’ve reached out to a lot of parties that would be affected by this — your local governments, your schools, your legislative and judicial branch,” he said. “It’s gone through the wringer.”
As part of its push for the legislation, the ITD has also made substantial efforts to impress the importance of cybersecurity upon lawmakers. As an example, state CIO Shawn Riley recently held a two-day hacking demonstration, giving legislators and the public a chance to learn about the dangers posed by malicious cyberactors.
Lawmakers have so far been generally supportive, and officials seem to largely recognize the benefits of many of the new proposals, Wiese said. “We’re getting hardly any kickback.”
Ultimately, Wiese said, a common cybersecurity strategy under a single authority would give the state a means by which to identify security gaps while assessing and measuring the effectiveness of current policies. "If you can set up a common strategy ... you can identify holistically where the gaps are and where we can grow," he said.
The long-term goal, for which the new bill lays the groundwork, is enhanced operational security statewide, said Wiese. That goal will take time to achieve, but this new legislation sets the stage for it, he added.