The legislation will also update the state’s cyber operation center to establish protocols for sharing information with state and federal law enforcement and intelligence agencies to investigate and collect information associated with cyber-based criminal and national threats.
“About four governments ago, the initial creation of the Office of Information Technology went by the Office of Innovation Technology,” Rep. Mark Baisley, R-039, said. “Four or five years ago, it was decided jointly by the Legislature and the governor to centralize the information technology office, so IT professionals dispersed across state agencies organizationally came under one umbrella under the director of IT office.”
As a result, Baisley said the office went from less than 100 to 1,000 employees, the difference being that now the reporting line has been moved from agency leadership to a centralized IT group.
Other changes, such as creating a cybersecurity council, will focus on developing cybersecurity policy guidance for the governor; comprehensive sets of prioritized goals, requirements, initiatives and milestones; and coordinating with the general assembly and the judicial branch regarding cybersecurity.
Council members will include the director of Homeland Security and Emergency Management, a representative of an organization representing Colorado municipal governments, the secretary of state and two representatives from county government — one of whom must represent a rural county.
As for updating the state’s cyber operation center, the bill states that the center will do two things: 1) support state and federal law enforcement agencies with their responsibilities to investigate and prosecute threats and attacks against critical infrastructure, and 2) ensure the coordination of cybersecurity threat information sharing among the Colorado Bureau of Investigation, the office of prevention and security, the IT office and participating members of the FBI’s cybersecurity task force.
“These changes caused a moment of reflection of how statute dictates how everything is organized and structured,” Baisley said. “It was time to modernize the language to catch up statutes to reflect how organizations have evolved, and make tweaks reflecting the law that drives these departments and sub-departments.”
Another factor that prompted the bill, Baisley said, is prior cybersecurity threats and risks that have impacted the state.
“We suffered a very significant cyberattack, where the Department of Transportation was at a standstill for quite some time,” Baisley said.
The attack resulted from malware that spread rapidly throughout the Colorado Department of Transportation’s computer network. “When employees turned on their computers on Feb. 21, 2018, messages popped up on screens that said files had been taken hostage and if users wanted them back, they would have to pay — in bitcoin,” according to an article by the Colorado Sun.
The hack, according to the article, was initiated by SamSam ransomware.
At the time, an employee from CISO Debbi Blyth’s office, set up a temporary server for testing.
“Because it was only going to be a temporary server and only up for a couple of weeks,” Blyth told the Colorado Sun, “the system administrator who created this did not apply any of our standard security controls to it.”
As a result, the server was quickly discovered by attackers.
Because of attacks like these, Baisley said this bill is more important than ever to prevent future attacks from happening.
“We’ve got to stay on top of current threats and viruses to prevent cyberattacks from impacting the state,” Baisley said. “That’s what this bill does.”
