One thing that tends to get legislators’ attention is a high-profile data breach. “My philosophy is, never waste a data breach, and hopefully, it is not one of ours,” said Washington CISO Agnes Kirk. “You always want to take advantage of somebody else’s breach to educate. It does bring home the fact that you either invest in front of the problem or you are investing by trying to clean up at the back end of the problem. It is a tough job to find out where that balance is. It is important to me that we don’t spend our tax dollars cleaning up something that could have been avoided.”
In fact, it often takes a data breach for lawmakers to pass significant legislation around cybersecurity, said Doug Robinson, NASCIO’s executive director. For instance, after a high-profile breach in 2012, the South Carolina Legislature passed a bill that made the CISO and chief privacy officer positions a legislative requirement. The number of conversations between state CIOs and legislators is increasing, said Robinson, “but there is so much more for CIOs to do in terms of communicating to stakeholders, including legislators. Too much of that is ad hoc and not formalized.” NASCIO’s research notes an increase in the level of communication on cybersecurity with policymakers, but also that less than half of states are engaged in the conversation.
CIOs and CISOs need to communicate with legislators in terms of business risk to state government, Robinson stressed. Unfortunately in many states, it is seen as being all about technology, so legislators defer to the CIO. “When I talk to legislators I try to characterize this as just another business risk that the state has to address. The digital world is now part of the fabric of government, and risks are associated with that. It is not a project or an initiative. It is not going to end. They have to become comfortable with that, and it is very new to them.”
Francesca Spidalieri, a senior fellow for cyberleadership at the Pell Center for International Relations and Public Policy, a think tank at Salve Regina University in Newport, R.I., authored a 2015 report called State of the States on Cybersecurity, which found that most states lack strong cybersecurity measures, leaving themselves largely unprepared to respond to cyberthreats. (Her report identified eight states with strong approaches to cybersecurity, including Virginia.) “Few states are considering the exposure and costs of less resilient critical services, data breaches, theft of intellectual property and sensitive information, and the impact of e-fraud and e-crime, all of which lead to a weaker economy and unstable national security,” her report noted.
“Most legislators are poorly educated on these issues and very few have taken the time to understand how this helps a state economically or from a security standpoint,” she said. “We see the same issues in state legislatures that we see in the U.S. Congress. Although it is a bipartisan issue, the reason so many cybersecurity bills are stalling in Congress comes down to those who have taken the time to educate themselves and those who haven’t.”
Legislators want to promote digital connectivity and extend broadband capability to remote areas of their state, Spidalieri noted. “What they don’t understand is that cybersecurity is the other side of the same coin. If you encourage people to connect more of their sensitive information to services and you don’t protect it, you are actually making your state more vulnerable.”
In her own state of Rhode Island, Spidalieri noticed that the data breach laws had not been updated since 2005, and she reached out to two legislators she knew had an interest in the topic, state Sen. Louis DiPalma, D-District 12, and state Rep. Stephen Ucci, D-42nd District. Both had an interest in cybersecurity because of their day jobs: DiPalma works as a technical director at Raytheon, and Ucci is an attorney who works on privacy issues.
Spidalieri brought them together with executives from law enforcement, the health-care and financial sectors, and other stakeholders. “Together, in a few weeks of hard work, we came up with a new draft of the legislation that was not only updating the old law, but offering a clear course of action for businesses and agencies that might get breached.”
Ucci said it was tough to get consensus on the bill. “I have been in the Legislature for 12 years, and there is a difference of opinion on everything, but with this particular piece of legislation, every piece of the bill was a bone of contention,” he said. “There were some folks who thought every single possible breach should immediately be reported to the police, whereas others said you should have a very high threshold. We had businesspeople who saw it as a burden on them. It was a tug of war around what you disclose, how you disclose it, and to whom and in what form.”
The bill passed because they brought the stakeholders together with the legislators upfront to address issues and reach compromise, Spidalieri said. “That same year 31 states proposed updates to the data breach notification law, and only two passed.”
Although she is new to the Legislature in Connecticut, Rep. Caroline Simmons, D-Stamford, took the lead in co-introducing cybersecurity legislation. “I have some experience working at the federal level on this issue at the Department of Homeland Security,” she said. “That is what first got me interested in it and I think that having strong cybersecurity laws at the state level is critical to our national security fabric, and this is one of the most dangerous and difficult national security threats we face. States have an increasing role to play, given the sophistication and evolving nature of the threat.”
With two colleagues, Simmons introduced a bill that became law, directing the creation of a state cybersecurity task force co-chaired by the Department of Administrative Services and the Department of Emergency Services and Public Protection to conduct an in-depth study and assessment to identify the main cybersecurity issues facing Connecticut and to develop specific actions the state can take to improve its defenses and better protect state infrastructure, utilities, businesses and the public from cyberattacks.
The administration’s department heads were supportive about the creation of the task force, she said, but the legislation couldn’t call for a big investment. “There is a difficult fiscal environment here in Connecticut because we were facing a deficit going into the 2015 session,” she said. “The only difficulty I faced was that it couldn’t have a large fiscal note on the bill, so we decided to start with an assessment.”
Simmons said she believes other legislators are grasping the importance of cybersecurity, because of high-profile incidents, particularly the Anthem breach, which happened in Connecticut while they were debating this legislation. “None of us is an expert on the technology, but I think all of us recognize the increasing threat we are facing.”