The legislation is part of a larger initiative outlined in a cybersecurity analysis and recommendations report conducted by the state’s Ad Hoc Committee on State and Local Cybersecurity.
According to the bill, the unit would establish specific responsibilities for local entities to report cybersecurity incidents and require the Maryland Joint Operations Center to notify appropriate agencies of cybersecurity incidents.
It would also establish a Cybersecurity Fusion Center within the state’s emergency management department.
The idea for the cyber unit was inspired by previous cyber incidents that impacted the state, according to sponsor Delegate Patrick Young, who noted a cyber incident impacting the Maryland Department of Health that left questions about what information might have been accessed.
Ransomware attacks also affected Baltimore County Public Schools and the city of Baltimore, creating even more of an incentive to address the issue, he added.
An executive order signed by Gov. Larry Hogan in June 2019 created a Maryland chief information security officer position and established the Office of Security Management and the Maryland Cybersecurity Coordinating Council to strengthen the state’s cybersecurity posture.
The new legislation looks to build off of that executive order and codify these cybersecurity efforts.
“We are excited about the future on this,” Young said. “We are considering it a starting point. While I would love for it to be a final step, these things are always a moving target; there are always threats there.”
The report shared 34 other recommendations to bolster the state’s cybersecurity posture, pulling from best practices from the National Institute of Standards and Technology, along with input from cybersecurity officials from other states, the private sector and staff at the Center for Internet Security.
“Our goal was to identify key policy, governance and resource changes for legislative action in 2022 to increase the cybersecurity of the state of Maryland based on the information found by the ad hoc committee,” the authors of the report wrote. “We must adopt a whole of state approach.”
Recommendations listed in the report include partnering with other states to leverage greater buying power for IT and cybersecurity services; allowing the state’s cybersecurity budget to be appropriated instead of using a charge-back model; developing a separate cybersecurity strategic plan to secure cybersecurity budget requests; and creating a baseline report of its IT systems, among others.
