With the presidential election months away and ransomware costing state and local governments millions, more than 365 bills dealing with cybersecurity have been heard in 2020 legislative sessions in 35 state capitols, according to the National Council of State Legislatures (NCSL).
State lawmakers have submitted bills requiring government agencies to implement cybersecurity training, policies and practices; increase penalties for computer crime; impose transparency requirements to ensure cyberattacks are reported; and create cybersecurity task forces.
The Florida Legislature has done most of the above, creating the Florida Cybersecurity Task Force in 2019 and unanimously adopting at least two cybersecurity bills in 2020.
House Bill 821, the Information Technology Security Act (ITSA), sponsored by Rep. Jayer Williamson, R-Pace, requires the state’s Department of Management Services (DMS) to develop procedures to secure and policies to protect state IT resources and data from cyberattack.
Under HB 821, the DMS must:
• Designate a state chief information security officer;
• Annually update a statewide IT security strategic plan;
• Collaborate with the Florida Department of Law Enforcement’s Cybercrime Office.
Senate Bill 538, sponsored by Sen. Manny Diaz, R-Hialeah Gardens, requires the Department of Emergency Management (DEM) to create a list of reportable cybersecurity incidents and annually publish that list. Cyberattacks now are classified as “reportable incidents” county and municipal officials must document with DEM’s State Watch Office (SWO).
FBI disclosures that four Florida counties were hacked in 2016 by Russian intelligence operatives continues to court concern about state elections security.
Florida has invested $18 million in federal and state dollars since 2018 in elections security, including a $15.1 million in a federal grant and $2.8 million approved by the Legislature last session. This year, lawmakers have set aside roughly $13.5 million.
Equally as pressing is the emergence of ransomware – cyberattacks against businesses and government agencies that lock up customer, taxpayer or ratepayer data until the victim pays via untraceable Bitcoin for its release.
At least four Florida cities reported 2019 ransomware attacks:
• Pensacola suffered a Dec. 7 attack that disabled its phone systems, email system, 311 customer service line and online payments for Pensacola Energy and the city’s sanitation services;
• Lake City, a city of about 13,000 residents 65 miles west of Jacksonville, paid 42 Bitcoins, between $460,000 and $480,000, to end a June cyber-attack;
• The village of Key Biscayne, a community of 13,000 east of Miami, reported a ransomware “security event” in June;
• Riviera Beach, a city of 35,000 in Palm Beach County, paid 65 Bitcoins – approximately $600,000 – in May to regain access to its computer systems.
In addition, the St. Lucie County Sheriff’s Office revealed in December it lost a week’s worth of evidence after a ransomware infection. In February, the state attorney’s office dropped 11 narcotic cases after evidence was lost in a ransomware attack against the Stuart Police Department.
Florida lawmakers agreed to push back the newly created cybersecurity’s task force’s report by three months to Feb. 1, 2021, and its disbandment by four months to May 1, 2021.
The 15-member Florida Cybersecurity Task Force convened in October to provide ways to improve the state’s cybersecurity infrastructure, governance and operations. Its report will outline technologies, processes and personnel needed to protect Floridians’ data, according to Williamson.
“When you talk about the threat that we can have in the state of Florida, when it comes to our infrastructure and cyber, we need to make sure that we get it right, not that we get this fast,” he said.