Nevada lawmakers may end up requiring cybersecurity plans for critical infrastructure.
Senate Bill 395 would require a cybersecurity plan for government and privately owned systems and facilities in Nevada; examples could be utilities and telecommunications systems.
Under the bill, the plan would be provided to the Nevada Commission on Homeland Security and owners of critical infrastructure would need to disclose significant cybersecurity incidents to homeland security officials. The proposal comes amid an increased awareness of cyberthreats in Nevada and nationwide.
“This bill is really about starting the conversation to help us recognize cybersecurity risks,” a bill sponsor, state Sen. Pat Spearman, D-North Las Vegas, told the Senate Government Affairs Committee on Wednesday.
Under the legislation, a critical infrastructure system would be designated as such by state homeland security officials.
Reggie Richardson, president of Sapphire Innovative Solutions, presented the bill with Spearman. Threats are real and serious and the “bad guys” are organized, said Richardson, whose company is a defense contractor.
“We can’t just walk away because I don’t think that’s the answer,” he said.
The bill has safeguards intended to prevent the state from disclosing proprietary and confidential information about a critical infrastructure system that hackers could exploit.
Nevertheless, telecommunication companies testified in opposition to the bill, citing concerns about their cybersecurity plans being in a third party’s hands.
“As a company, we shouldn’t have to turn over our proprietary information to a third party we know nothing about,” said John Lopez, a lobbyist with Cox Communications.
He stressed the company takes privacy and cybersecurity seriously. He also suggested lawmakers look at a way to change the composition of the homeland security commission so it has someone representing the cable industry.
Randy Robison, a lobbyist with CenturyLink, raised concerns about a bill provision that allows the commission to issue a “public statement” if a critical infrastructure is at risk of a successful cyberattack. He said that puts a target on a system’s back.
“Let that sink in for a minute,” he said. “You can guess some of the security implications of that.”
Spearman has proposed an amendment to the bill intended to address some of those concerns. It makes all cybersecurity plans confidential, while the original bill makes public summaries of plans.
The committee took no action on the bill Wednesday.