The reason for this, according to the state’s Chief Information Security Officer Hemant Jain, is twofold: “It will allow us to warn local entities of cyber threats so they can take better action, and it will help lawmakers from a policy standpoint in creating new laws based on what’s happening across the state.”
To achieve this end, the bill will require all cybersecurity incidents to be reported within two business days and ask for the name and contact info of a primary reporter of a cybersecurity incident within a subdivision to be submitted before Sept. 1, 2021.
The bill’s sponsor, Rep. Michael Karickhoff, R-30, said several cyber attacks have impacted organizations across the state in recent history; this gave lawmakers the necessary motivation to unanimously pass the bill.
“Kokomo Public Library was attacked and asked to pay a ransom to get its system back online,” Karickhoff said. “The library was only closed for a couple of days, but it set off alarm bells on our end.”
Because of this, he said, “we started doing research and saw that other small political subdivisions were also being hacked.”
As a result, Zoom calls with county and city officials, local universities like Purdue and Indiana University, and the Office of Technology took place to develop a plan to address these issues, leading to the bill's proposal.
However, Karickhoff said, this is only the first step in preventing cyberattacks from affecting the state.
“We believe there are more requirements that need to be considered,” Karickhoff said. “Right now, it’s all about trying to gather data to see where attacks are coming from in every political subdivision and reporting not only successful attacks but attempted attacks too.”
In addition to reporting these attacks, a list of third-party technology providers that work with the Office of Technology will also be provided to small and large state agencies and political subdivisions.
Using these providers would solely be a recommendation and not a requirement, according to Karickhoff. However, each recommendation would focus on meeting the specific needs of each agency or subdivision.
“Let’s say you have five PCs in a rural area that are not hardwired and use satellite,” Karickhoff said. “You are going to need different security than a group that has big server rooms with racks of servers. It’s not going to cost the same or be the right type of security.”
Because of this, he added, the list suggests vendors that have a history of providing protection for different needs.
As for how the bill will impact state agencies and subdivisions moving forward, Jain said, “if we can get visibility of data coming in from a state lens, we can appropriately share data throughout the ecosystem.”
It will also allow the Office of Technology and other state agencies and political subdivisions to create risk assessment plans to make an informed decision, Jain said.
