Legislature(2021 - 2022)GRUENBERG 120

03/10/2021 01:30 PM JUDICIARY

Note: the audio and video recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.

Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
-- Please Note Time Change --
+ HB 3 DEFINITION OF "DISASTER": CYBERSECURITY TELECONFERENCED
Heard & Held
-- Public Testimony --
*+ HB 57 FUNDS SUBJECT TO CBR SWEEP PROVISION TELECONFERENCED
Scheduled but Not Heard
-- Public Testimony --
+ Bills Previously Heard/Scheduled TELECONFERENCED
+= HB 105 DETENTION OF MINORS TELECONFERENCED
Moved CSHB 105(JUD) Out of Committee
          HB 3-DEFINITION OF "DISASTER": CYBERSECURITY                                                                      
                                                                                                                                
1:56:49 PM                                                                                                                    
                                                                                                                                
CHAIR CLAMAN announced that the  final order of business would be                                                               
HOUSE  BILL  NO.  3,  "An  Act  relating  to  the  definition  of                                                               
'disaster.'"  [Before the committee was CSHB 3(STA).]                                                                           
                                                                                                                                
1:57:07 PM                                                                                                                    
                                                                                                                                
The committee took an at-ease from 1:57 p.m. to 2:00 p.m.                                                                       
                                                                                                                                
2:00:48 PM                                                                                                                    
                                                                                                                                
CHAIR CLAMAN noted that this is  the first hearing of CSHB 3(STA)                                                               
in this committee.                                                                                                              
                                                                                                                                
2:01:02 PM                                                                                                                    
                                                                                                                                
ERICK  CORDERO-GIORGANA,  Staff, Representative  DeLena  Johnson,                                                               
Alaska State Legislature, assisted  in introducing CSHB 3(STA) on                                                               
behalf of Representative Johnson, prime  sponsor.  He stated that                                                               
Alaska  statute   is  vague  about   whether  a   cyberattack  or                                                               
cyberthreat could elicit an emergency  declaration.  He explained                                                               
that  HB  3  would  add  cybersecurity to  the  definition  of  a                                                               
disaster  to   update  Alaska's   laws,  give  clarity,   and  if                                                               
necessary,  use resources  to act  if there  is a  widespread and                                                               
imminent  threat.   There  is  an  alarming rate  of  cyberthreat                                                               
throughout the  world and nation, he  pointed out.  Not  long ago                                                               
the  Matanuska-Susitna (Mat-Su)  Borough  was shut  down after  a                                                               
cyberattack,  creating  severe   disruptions  in  the  day-to-day                                                               
service  and operation  of the  local  government.   The City  of                                                               
Valdez  was the  target of  a ransomware  attack, and  many funds                                                               
were spent  to again  be able to  access the  city's information.                                                               
The  states  of  Louisiana,  Florida, and  Colorado  declared  an                                                               
emergency after a cyberattack disrupted  most of their government                                                               
operations not too long ago.                                                                                                    
                                                                                                                                
2:02:35 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE DELENA  JOHNSON, Alaska State Legislature,  as the                                                               
prime  sponsor,   introduced  CSHB  3(STA).     She  stated  that                                                               
cybersecurity needs  to be added  to the  list of reasons  for an                                                               
emergency   declaration.     She   explained   that  a   disaster                                                               
declaration  would provide  for disaster  relief funds,  to apply                                                               
for  federal funds  and  resources that  might  not otherwise  be                                                               
readily  available, for  disaster preparedness  planning, and  to                                                               
provide for  intervention when the  security of  Alaska residents                                                               
has been  compromised.  She  deferred to Mr.  Cordero-Giorgana to                                                               
continue discussing the bill.                                                                                                   
                                                                                                                                
2:03:47 PM                                                                                                                    
                                                                                                                                
MR.  CORDERO-GIORGANA  reiterated  that  CSHB  3(STA)  would  add                                                               
cybersecurity  attacks  and  threats   to  the  definition  of  a                                                               
disaster.   He said the bill  would add [subparagraph] (F)  to AS                                                               
[26.23.900(2)]  within  the  general  provisions  of  the  Alaska                                                               
Disaster  Act.   He read  from the  proposed subparagraph,  which                                                               
read as follows:                                                                                                                
                                                                                                                                
     (F)  a  cybersecurity   attack  that  affects  critical                                                                
     infrastructure  in  the  state, an  information  system                                                                
     owned  or   operated  by  the  state   or  a  political                                                                
     subdivision of  the state,  information that  is stored                                                                
     on,  processed by,  or  transmitted  on an  information                                                                
     system owned  or operated by  the state or  a political                                                                
     subdivision of  the state, or  a credible threat  of an                                                                
     imminent   cybersecurity    attack   or   cybersecurity                                                                
     vulnerability that  the commissioner  of administration                                                                
     or  commissioner's designee  certifies to  the governor                                                                
     has  a  high  probability  of  occurring  in  the  near                                                                
     future;  the certification  must be  based on  specific                                                                
     information that critical  infrastructure in the state,                                                                
     an information  system owned or  operated by  the state                                                                
     or   a  political   subdivision   of   the  state,   or                                                                
     information  that  is  stored   on,  processed  by,  or                                                                
     transmitted on an information  system owned or operated                                                                
     by the  state or a  political subdivision of  the state                                                                
     may be affected;                                                                                                       
                                                                                                                                
MR.  CORDERO-GIORGANA noted  that  the changes  in the  committee                                                               
substitute  before the  committee,  CSHB 3(STA)  added the  words                                                               
"political  subdivision"  to  page  2,  lines  19  and  21.    He                                                               
explained that this was done  for clarity to ensure that boroughs                                                               
and local governments were not left out.                                                                                        
                                                                                                                                
MR. CORDERO-GIORGANA  stressed that  the bill is  necessary given                                                               
that nowadays it  is heard in the news  about foreign governments                                                               
trying  to  hack  U.S.  computer  systems,  which  includes  U.S.                                                               
electric grids,  hospitals, airports,  and services  that provide                                                               
energy or critical  infrastructure.  He allowed  that the meaning                                                               
of critical  infrastructure is  currently open  to interpretation                                                               
but advised that the duty to  make that definition rests with the                                                               
Department of  Military and Veterans Affairs,  but the department                                                               
was unable to come before the committee today.                                                                                  
                                                                                                                                
2:07:15 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE EASTMAN requested  a definition of "cybersecurity"                                                               
and noted  that the term is  not defined here.   He further asked                                                               
whether it is  defined elsewhere in statute  or whether something                                                               
would be used to reference the meaning of the term.                                                                             
                                                                                                                                
MR.  CORDERO-GIORGANA   replied  that   it  would   be  technical                                                               
definitions by  professionals for cybersecurity  and cyberthreat.                                                               
Usually, he continued, they are  defined as events that result in                                                               
data exposure,  data loss,  outright alteration,  or impact  to a                                                               
service.  He stated that there  is no exact definition in statute                                                               
and  that cybersecurity,  like technology,  keeps  changing on  a                                                               
day-to-day  basis so  that today's  definition may  [be different                                                               
from a future definition].                                                                                                      
                                                                                                                                
2:08:15 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE DRUMMOND  said she appreciates the  bill's intent.                                                               
She said  she understands  from Mr.  Cordero-Giorgana's testimony                                                               
that a political  subdivision of the state would be  a borough or                                                               
municipality.     She  noted  that   school  districts   and  the                                                               
University  of Alaska  have massive  databases and  asked whether                                                               
they would be considered political subdivisions of the state.                                                                   
                                                                                                                                
REPRESENTATIVE JOHNSON qualified she  is speaking from experience                                                               
and  not immediate  research,  but her  understanding  is that  a                                                               
school district  would fall  under a borough.   She  related that                                                               
the  boroughs  in  Alaska  were originally  created  in  1964  to                                                               
oversee  and dispense  money to  the school  districts.   So, she                                                               
continued, the political subdivision in  that instance would be a                                                               
borough.   The unorganized borough  would be under the  state and                                                               
under  the state's  purview.   The  University of  Alaska is  not                                                               
identified as a  political subdivision of the state  and it's not                                                               
an incorporated  borough or municipality  or city, so  her belief                                                               
is  that it  would fall  under State  of Alaska  equipment.   She                                                               
offered to get back to the committee with details if requested.                                                                 
                                                                                                                                
2:10:11 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE DRUMMOND  stated that the computer  systems of the                                                               
Anchorage School  District (ASD) are totally  separate from those                                                               
of  the  Municipality  of  Anchorage.    Given  there  have  been                                                               
arguments over  the last  20 years about  whether they  should be                                                               
combined she said  she isn't sure the  aforementioned would apply                                                               
to a school district that  is ultimately governed by that borough                                                               
or municipality which used to be a  borough and a city.  She said                                                               
she  thinks  Representative  Johnson  is  covering  the  regional                                                               
educational attendance areas (REAAs)  in the unorganized borough.                                                               
She added that the state  gives the school districts roughly $1.2                                                               
billion to spend,  and if [the districts'  systems] were breached                                                               
in a  cybersecurity attack, then  a lot  of services would  be at                                                               
risk.                                                                                                                           
                                                                                                                                
REPRESENTATIVE  DRUMMOND, responding  to Chair  Claman, requested                                                               
clarity  on   what  is   included  in   the  list   of  political                                                               
subdivisions.  She said if  it doesn't cover school districts and                                                               
the university, she would like to find a way to cover them.                                                                     
                                                                                                                                
2:12:04 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  KURKA  said  he   is  cautious  about  increasing                                                               
emergency  powers  because  he  is concerned  about  abuse.    He                                                               
requested an  explanation on how  an emergency  declaration would                                                               
help the state  or political subdivision resolve the  damage of a                                                               
security breach and  how it would be different  with an emergency                                                               
declaration as opposed to how the state operates now.                                                                           
                                                                                                                                
REPRESENTATIVE  JOHNSON  replied  that  a  widespread  and  life-                                                               
threatening  example would  be  a compromise  of  the power  grid                                                               
during the  winter, given  the grid  is run  by computers.   This                                                               
example  would be  an occasion  where additional  funds and  help                                                               
from federal experts would potentially be needed for resolution.                                                                
                                                                                                                                
2:14:30 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE CLAMAN opened invited testimony on CSHB 3(STA).                                                                  
                                                                                                                                
2:14:44 PM                                                                                                                    
                                                                                                                                
ERIC  WYATT,  Information  Technology (IT)  Director,  Matanuska-                                                               
Susitna Borough, related that in  2018 the borough was the target                                                               
of a  cyberattack by four  different organizations rather  than a                                                               
single  attacker.   The  Federal  Bureau  of Investigation  (FBI)                                                               
analysis  found that  the attackers  were four  nation states  by                                                               
means of some of  the worst viruses.  In the  attack, one of them                                                               
got  in  and then  sold  it  to  the  other organizations.    The                                                               
borough's data  was stolen, and  its systems disrupted,  then one                                                               
of the groups  demanded ransom.  The attack brought  down all the                                                               
borough's  information   systems,  completely  cutting   off  the                                                               
borough  from all  Internet services  and  all the  data that  it                                                               
continuously used day to day to conduct borough business.                                                                       
                                                                                                                                
MR. WYATT  said the effect  on operations within the  borough was                                                               
most notably on the borough's  fire and emergency medical service                                                               
(EMS)  systems.   Also affected  were operations  and maintenance                                                               
for taking  care of roads  and solid  waste, as well  as finances                                                               
and legal    every aspect  of the borough  was taken down.   When                                                               
all that  was shut  off, all  the people  who used  the borough's                                                               
information system -  telephones, computers, and so  forth - were                                                               
dead in  the water.  The  magnitude was that everything  was shut                                                               
down for quite  some time.  The borough was  able to slowly bring                                                               
back  services, getting  back  to about  95  percent capacity  in                                                               
about 60 days.                                                                                                                  
                                                                                                                                
MR.  WYATT explained  that  to  recover at  the  time without  an                                                               
emergency  declaration, the  borough had  to bring  its emergency                                                               
funds to bear.   But what was needed most  to recover the systems                                                               
at  the time  was additional  manpower, so  the borough  used its                                                               
emergency  funds  to  hire additional  resources  to  come  help,                                                               
including  Peter   House  of  Deeptree,   Inc.     Several  other                                                               
organizations  also   volunteered  their  help,   including  Mark                                                               
Breunig,  Chief  Information   Security  Officer,  Department  of                                                               
Administration.   The borough's  needs for  recovery at  the time                                                               
were  monetary   resources  and  skilled  manpower   to  get  its                                                               
operations back online.   Mr. Wyatt stressed that  the ability to                                                               
declare a  disaster and form a  team of experts as  volunteers or                                                               
paid  manpower  to help  recover  is  absolutely critical.    The                                                               
borough used  nearly $2.5  million in  emergency funding  for its                                                               
initial recovery and then more was spent on continued recovery.                                                                 
                                                                                                                                
MR. WYATT pointed  out that the same week the  Mat-Su Borough was                                                               
hit, the City  of Valdez was hit by mostly  the same groups, same                                                               
viruses, and same tactics.  It  is heard all the time about other                                                               
states and  other cities  [being hit] and  there have  been other                                                               
attacks in the  state of Alaska as well.   So, he emphasized, the                                                               
ability to  come to the aid  of the organization and  plus-up the                                                               
manpower and  resources to recover  is absolutely vital,  and the                                                               
borough would like to participate.                                                                                              
                                                                                                                                
MR.   WYATT   further   noted   that   the   borough's   critical                                                               
infrastructure     its  electric  grid,  telecommunications,  gas                                                               
lines   all  run on these same kinds of  systems.  Therefore, the                                                               
effects  from  a cyberattack  are  greatly  damaging and  include                                                               
power and gas outages.                                                                                                          
                                                                                                                                
2:20:56 PM                                                                                                                    
                                                                                                                                
MARK BREUNIG,  Chief Information Security Officer,  Department of                                                               
Administration,  stated that  the National  Guard has  a national                                                               
mandate  for  cyber-capability  to  be  created  in  states,  but                                                               
currently, without  the language under  CSHB 3(STA), there  is no                                                               
legal  standing to  do it,  and the  state would  not be  able to                                                               
avail itself of the existing resources.                                                                                         
                                                                                                                                
2:22:30 PM                                                                                                                    
                                                                                                                                
NILS  ANDREASSEN, Executive  Director,  Alaska Municipal  League,                                                               
testified  in   support  of  CSHB   3(STA)  and   emphasized  the                                                               
importance  of  cybersecurity   to  Alaska's  local  governments,                                                               
school districts,  and state agencies.   He spoke about  risks of                                                               
destabilization   and  opined   that  "including   this  in   the                                                               
definition of state disaster" is imperative.                                                                                    
                                                                                                                                
2:23:47 PM                                                                                                                    
                                                                                                                                
PETER HOUSE, CEO,  Deeptree, Inc., said Deeptree, Inc.  is a firm                                                               
that specializes  in cybersecurity.   He mentioned  the zeitgeist                                                               
and   a  solar   wind   attack  that   resulted  in   significant                                                               
consequences for  the federal government, fortune  500 companies,                                                               
and organizations  in Alaska.   He talked  about an attack  on e-                                                               
mail   servers    that   hit   approximately    30,000   American                                                               
organizations  and   double  that   worldwide,  which   has  been                                                               
attributed largely to the Chinese.   He said there have been high                                                               
visibility  attacks showing  a higher  level of  aggression, both                                                               
from  criminal organizations  and nation  state adversaries.   He                                                               
related that in the fourth  quarter of 2020, cyber software moved                                                               
from  a soft  market  to  a hard  market,  which  mean that  "the                                                               
portfolio for  the insurance company  is under pressure,"  and it                                                               
usually results  in rate increases.   He said the  attribution by                                                               
insurance companies for  this change is that the  number of cyber                                                               
attacks  and the  total size  of  the claim  are both  increasing                                                               
substantially, with  a 20  to 40  percent rate  increase expected                                                               
across different cyber insurance carriers countrywide.                                                                          
                                                                                                                                
MR.  HOUSE stated  that in  general there  is a  higher level  of                                                               
aggression.  He gave as  an example from Yankee Buckshot wherein,                                                               
using  off-the-shelf,  publicly   downloadable  tools,  the  U.S.                                                               
Department of Defense "attacked itself"  to test its defenses and                                                               
was able  to get onto its  classified network.  He  said there is                                                               
challenge  in  working  with  these  complex  systems;  sometimes                                                               
attackers  can  "make  it  in   past  the  border"  and  "reap  a                                                               
significant amount of damage."                                                                                                  
                                                                                                                                
MR.  HOUSE addressed  Representative  Kurka's question  regarding                                                               
the benefit  of allowing a declaration  of emergency.  He  gave a                                                               
scenario wherein  assets are  required to  hold evidence  for law                                                               
enforcement or insurance.   That is data or logs  that need to be                                                               
tendered over  to the organization  from a  hard drive.   He said                                                               
those systems  cost $20,000 and higher.   If the systems  are set                                                               
aside  for  evidence  retention,  they cannot  be  used  for  the                                                               
restoration  of services  or to  clean or  sanitize the  systems.                                                               
The result is  a need for double or triple  the amount of storage                                                               
capacity to run  the organization day to day.   He explained, "By                                                               
opening up the degrees of  freedom, either through funds or other                                                               
forms of response, there's an  ability for an organization to get                                                               
back on its  feet quicker than if  they were to try to  ... use a                                                               
slow methodology  of moving a  little bit  at a time,  which then                                                               
stretches out  the rate of  recovery to  a much longer  period of                                                               
time."                                                                                                                          
                                                                                                                                
MR.  HOUSE said  Alaska is  a smaller  state, with  fewer than  a                                                               
million  people,  and  "this  type   of  line  of  work  is  very                                                               
specialized  and  difficult."    He estimated  there  are  50-100                                                               
people in  Alaska who are  qualified to do digital  forensics and                                                               
incident response, and he pointed  out that it would be difficult                                                               
for them  to respond [to  an emergency situation] because  "a lot                                                               
of  them  will be  fighting  their  own  fires."   Therefore,  he                                                               
emphasized that the ability to  pull in contractors and resources                                                               
from Outside is  essential.  He said he believes  the language of                                                               
CSHB 3(STA)  would open up  that degree of freedom,  "in addition                                                               
to what  Mr. Breunig indicated."   He  noted that when  he worked                                                               
with Mr.  Breunig and Mr. Wyatt  on the incident with  the Mat-Su                                                               
Borough,  the expansion  of capability  from the  emergency funds                                                               
had a  positive impact;  there was  a wave  of momentum  that was                                                               
beneficial.                                                                                                                     
                                                                                                                                
2:29:45 PM                                                                                                                    
                                                                                                                                
MR. ANDREASSEN,  in response  to Chair  Claman's request  that he                                                               
address  Representative   Drummond's  question   about  political                                                               
subdivisions,  offered the  definition of  political subdivision,                                                               
which appears under AS 26.23.900(7), as follows:                                                                                
                                                                                                                                
          (7) "political subdivision" means                                                                                     
          (A) a municipality;                                                                                                   
          (B) an unincorporated village; or                                                                                     
          (C) another unit of local government;                                                                                 
                                                                                                                                
MR.  ANDREASSEN  said  it  is the  understanding  of  the  Alaska                                                               
Municipal  League that  school districts  would be  covered under                                                               
political subdivision  of the  state.   He said  school districts                                                               
are  either   a  subdivision  of   a  municipality  or   are  the                                                               
responsibility  of   the  Department   of  Education   and  Early                                                               
Development.   He offered his  understanding that  the University                                                               
of Alaska is considered a  political subdivision, "but separately                                                               
under state law."                                                                                                               
                                                                                                                                
2:31:11 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  DRUMMOND referenced  definitions  found under  AS                                                               
39.90.140, [which states that "public  body" includes "an officer                                                               
or  agency  of"  the  federal government,  state,  and  political                                                               
subdivision  - subparagraphs  (A), (B),  and (C),  respectively],                                                               
and   she  read   that  which   is   included  under   "political                                                               
subdivision",   in   paragraph   (4),  subparagraph   (C),   sub-                                                               
subparagraphs (i), (ii), and (iii), which read:                                                                                 
                                                                                                                                
          (i) a municipality;                                                                                                   
          (ii) a school district; and                                                                                           
          (iii) a regional educational attendance area;                                                                         
                                                                                                                                
REPRESENTATIVE DRUMMOND  noted that the University  of Alaska and                                                               
the Alaska  Railroad are not  included under  [subparagraph (C)].                                                               
[They are  listed subsequently in  subparagraphs (D) and  (E), of                                                               
paragraph (4), regarding "public body".]                                                                                        
                                                                                                                                
2:33:12 PM                                                                                                                    
                                                                                                                                
MR. BREUNIG, in  response to the same question, said  it is not a                                                               
topic he can address.                                                                                                           
                                                                                                                                
2:33:34 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  VANCE   noted  that   during  a   recent  Finance                                                               
subcommittee  meeting,  Mr. Breunig  had  spoken  about a  recent                                                               
cyberattack  and  mentioned  a  type of  incident  command  being                                                               
established  under the  Department  of  Administration for  quick                                                               
response.   She referenced  language in CSHB  3(STA), on  page 2,                                                               
[on   lines  5   and   6],  regarding   "consultation  with   the                                                               
commissioner of public  safety or a designee  of the commissioner                                                               
of public  safety", and she  asked whether that wording  fits the                                                               
organized  structure  Mr.  Breunig  is  establishing  within  the                                                               
Department  of Administration  regarding cybersecurity  and meets                                                               
the requires of statute.                                                                                                        
                                                                                                                                
2:34:46 PM                                                                                                                    
                                                                                                                                
MR.  BREUNIG  responded  that the  "incident  command  structure"                                                               
(ICS)  put out  through the  Federal Emergency  Management Agency                                                               
(FEMA),  is  part  of  an  emergency  management  program  and  a                                                               
standard framework that  all federal agencies use.   The language                                                               
in the bill would not change  that, he indicated.  In response to                                                               
a request  from Representative  Vance, he  spoke about  work with                                                               
the Department  of Military &  Veterans' Affairs on  an [incident                                                               
response] structure,  which currently is not  capable of handling                                                               
a large-scale incident.                                                                                                         
                                                                                                                                
REPRESENTATIVE VANCE said  CSHB 3(STA) speaks to  this issue, and                                                               
she encouraged efforts to speed up response to an incident.                                                                     
                                                                                                                                
2:38:36 PM                                                                                                                    
                                                                                                                                
MR.  BREUNIG recalled  he had  been  talking about  a solar  wind                                                               
incident during the Finance subcommittee  testimony and how speed                                                               
is of the  essence when responding.  He said  it took departments                                                               
24 hours to report back  whether they had vulnerable software, at                                                               
which point security  was able to "lock that  down" and determine                                                               
there had  been no  compromise.  However,  he emphasized  that in                                                               
cyber terms,  "24 hours is  an eternity."   He posited  that CSHB
3(STA)  is critical,  because  it would  bring  the right  people                                                               
together to build the "speed to response."                                                                                      
                                                                                                                                
2:39:57 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  KURKA   asked  for  a  definition   of  "imminent                                                               
cybersecurity  attack"  and  whether  there exists  a  metric  of                                                               
probably of attack.                                                                                                             
                                                                                                                                
2:40:54 PM                                                                                                                    
                                                                                                                                
MR. BREUNIG  replied that  when there  is imminent  threat, there                                                               
would be  an alert from the  federal Cybersecurity Infrastructure                                                               
Security Agency (CISA) regarding a  known attack.  State security                                                               
would watch out  for it.  That  in itself is not  a disaster, but                                                               
if the  threat "got  in" and  caused damage, then  it would  be a                                                               
disaster.   Regarding Microsoft, he  said security knew  early on                                                               
that  it was  coming and  was "able  to take  practice steps"  to                                                               
mitigate the risk,  which he said is another  example of imminent                                                               
threat.   In  response to  a follow-up  question, he  mentioned a                                                               
"denial  of  service" attack  in  which  someone floods  a  state                                                               
network  segment  with  malicious   traffic  "in  an  attempt  to                                                               
overwhelm it and take it down."                                                                                                 
                                                                                                                                
2:42:34 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE KURKA  said it  sounds like  cybersecurity attacks                                                               
are  happening all  the time  in  various degrees.   He  directed                                                               
attention to  language in Section  1 of  CSHB 3(STA), on  page 1,                                                               
line  4, which  gives  a definition  of  disaster, including  its                                                               
causes.  He  offered his understanding that  "we're talking about                                                               
widespread  damage of  property,"  not just  "one department  had                                                               
some computers fried."                                                                                                          
                                                                                                                                
2:44:55 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  JOHNSON   offered  her  understanding   that  the                                                               
concern is that there could  be ongoing declarations of disaster.                                                               
She deferred to her staff to address the topic further.                                                                         
                                                                                                                                
2:45:23 PM                                                                                                                    
                                                                                                                                
MR.  CORDERO-GIORGANA proffered  that "imminent"  is a  matter of                                                               
timing and "widespread"  is a matter of geography  and whether an                                                               
issue can be  contained.  When talking about  a fire, earthquake,                                                               
or  flood, the  consideration is  "the amount  of resources  that                                                               
would  need to  be used  to be  able to  achieve the  containment                                                               
goal."    He said  DMVA  will  create  emergency plans  for  each                                                               
category listed  in the Act  and make recommendations as  to what                                                               
would be considered widespread and imminent.                                                                                    
                                                                                                                                
2:47:31 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE KURKA indicated that  the language in the proposed                                                               
legislation  should be  added, but  observed that  "a lot  of the                                                               
context  in  which   we're  talking  about  this"   is  found  in                                                               
subparagraph  (D), [on  page 2],  regarding  "enemy or  terrorist                                                               
attack  or  a credible  threat  of  imminent enemy  or  terrorist                                                               
attack in  or against the  state".  He offered  his understanding                                                               
that there  had been  a legal  opinion as  to "why  this wouldn't                                                               
apply under  (D)."   He remarked that  "all these  examples we're                                                               
talking about ... seem to be foreign actors."                                                                                   
                                                                                                                                
2:48:40 PM                                                                                                                    
                                                                                                                                
CHAIR CLAMAN, in response to  Representative Johnson, offered his                                                               
interpretation  that  Representative  Kurka was  reflecting  that                                                               
subparagraph  (D) doesn't  seem to  be cybersecurity-related  and                                                               
perhaps  wanted to  know how  the two  issues are  addressed when                                                               
determining whether an emergency has occurred.                                                                                  
                                                                                                                                
2:49:21 PM                                                                                                                    
                                                                                                                                
MR.  CORDERO-GIORGANA,  at  the  request  of  the  bill  sponsor,                                                               
addressed the question.   He said the separation was  done at the                                                               
recommendation of the bill drafter  in Legislative Legal Services                                                               
to avoid confusion.                                                                                                             
                                                                                                                                
2:49:55 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  VANCE   pointed  out  that  CSHB   3(STA)  speaks                                                               
specifically  to disaster;  "emergency"  is not  addressed.   She                                                               
gave an example  of a disaster being the  landslide that recently                                                               
occurred in  Haines, Alaska.   She said  the governor  declared a                                                               
disaster  in  the  Haines  area,  but  it  was  not  a  statewide                                                               
emergency.                                                                                                                      
                                                                                                                                
2:50:53 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE    EASTMAN   asked    for   the    definition   of                                                               
cybersecurity.                                                                                                                  
                                                                                                                                
2:51:20 PM                                                                                                                    
                                                                                                                                
MR.  CORDERO-GIORGANA  said he  did  not  have a  definition  and                                                               
deferred to Mr. Breunig.                                                                                                        
                                                                                                                                
CHAIR  CLAMAN noted  that  it is  common for  courts  to use  the                                                               
dictionary  for  commonly  used  terms if  those  terms  are  not                                                               
defined in statute.                                                                                                             
                                                                                                                                
2:52:08 PM                                                                                                                    
                                                                                                                                
MR.  BREUNIG defined  cybersecurity  as "any  protection used  to                                                               
prevent cyber-attacks."                                                                                                         
                                                                                                                                
REPRESENTATIVE EASTMAN  said he is familiar  with definition, and                                                               
it makes sense to him.  He continued:                                                                                           
                                                                                                                                
     But in  this case  we're talking about  a cybersecurity                                                                    
     attack,  and  so  if  we're   using  tools  to  prevent                                                                    
     attacks, but  then we're ...  adding the  word "attack"                                                                    
     on them, I'm  a little confused as  what that [emphasis                                                                    
     on "that"] means.                                                                                                          
                                                                                                                                
MR. BREUNIG  responded he thinks the  intent is that it  would be                                                               
an attack against [Alaska's] cybersecurity  - against the systems                                                               
and tools that the state has to protect itself.                                                                                 
                                                                                                                                
REPRESENTATIVE EASTMAN asked for  confirmation that what is being                                                               
discussed is an  attack where "someone's trying  to overcome some                                                               
type  of  security"  as  opposed   to  "a  run-of-the-mill  fiber                                                               
attack."                                                                                                                        
                                                                                                                                
MR. BREUNIG answered, "Yes, I would agree."                                                                                     
                                                                                                                                
REPRESENTATIVE  EASTMAN  noted   that  the  previously  discussed                                                               
subparagraph  (D), which  addresses  enemy  or terrorist  attack,                                                               
points to  a definition of  "attack" existing in  [AS 26.20.200],                                                               
and since  that definition does  not fit what is  being discussed                                                               
in the  cyber realm, he  suggested a definition may  be necessary                                                               
in subparagraph (F).                                                                                                            
                                                                                                                                
MR. BREUNIG said  he concurs with the bill sponsor  and her staff                                                               
that the intent is to clarify.   In subparagraph (D), "enemy" and                                                               
"terrorist  attack"  traditionally   relate  to  military-related                                                               
attacks,  not  cyber-attacks,  which are  specifically  addressed                                                               
under  subparagraph (F),  which  allows  the emergency  operation                                                               
center  to bring  resources  to bear  in  regard to  cyberattacks                                                               
rather  than other  "traditional forms  of disaster  or emergency                                                               
attack that are already identified."                                                                                            
                                                                                                                                
REPRESENTATIVE  CLAMAN noted  that subparagraph  (F) is  proposed                                                               
new  language.   He said  a  cyberattack would  be, for  example,                                                               
somebody getting  into his home computer;  a cybersecurity attack                                                               
would be on a larger scale.                                                                                                     
                                                                                                                                
MR. BREUNIG concurred.                                                                                                          
                                                                                                                                
2:56:12 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  EASTMAN  referenced  a memorandum  ("memo")  from                                                               
[Megan  Wallace  of]  Legislative  Legal Services  [to  the  bill                                                               
sponsor and  staff, dated 2/10/20  and included in  the committee                                                               
packet], to  [subparagraph (C), which lists  equipment failure as                                                               
one of the causes of a "disaster" and read as follows]:                                                                         
                                                                                                                                
               (C) equipment failure, if  the failure is not                                                                    
     a   predictably   frequent   or  recurring   event   or                                                                    
     preventable  by   adequate  equipment   maintenance  or                                                                    
     operation;                                                                                                                 
                                                                                                                                
REPRESENTATIVE EASTMAN  offered his  understanding that  the memo                                                               
talks about  "why ... [subparagraph] (C),  equipment failure, ...                                                               
may not be  adequate, and why this bill might  be needed for that                                                               
reason."  He asked to what  extent it is the sponsor's intent "to                                                               
predicate  the  cybersecurity  attacks  we're  talking  about  on                                                               
intentionality."  He continued:                                                                                                 
                                                                                                                                
     Because   certainly,   ...   if   we're   focusing   on                                                                    
     intentionality, then  an IT tech who  spills coffee and                                                                    
     destroys a server probably wouldn't  be captured in the                                                                    
     intent that we're talking about here.                                                                                      
                                                                                                                                
2:57:18 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  JOHNSON explained  that intentionality  must have                                                               
credible   background.     If  [the   attack]  is   imminent  and                                                               
widespread, as  determined by the commissioner  or commissioner's                                                               
designee, he/she would  determine that it was  a credible threat.                                                               
She added,  "The intentionality  of maybe mindreading  some would                                                               
not fall into that category."                                                                                                   
                                                                                                                                
2:58:13 PM                                                                                                                    
                                                                                                                                
MR.  CORDERO-GIORGANA   said  he  was  not   sure  he  understood                                                               
Representative Eastman's question.                                                                                              
                                                                                                                                
REPRESENTATIVE EASTMAN  indicated that [subparagraphs]  (A), (B),                                                               
(C),  and  (E)  address  disasters  that  are  not  man-made  and                                                               
intentional.   He questioned whether  it is important to  "tie it                                                               
to that intentionality,"  as is being done  in [subparagraph] (F)                                                               
or to  be more  focused on  the impact.   He  asked, "Is  there a                                                               
reason  that we're  making it  narrower  than ...  just a  larger                                                               
impact type of definition?"                                                                                                     
                                                                                                                                
2:59:52 PM                                                                                                                    
                                                                                                                                
MR.   CORDERO-GIORGANA  noted   that   the  legislature   removed                                                               
"manmade" from  the disaster  Act, which  caused ambiguity  as to                                                               
whether cybersecurity qualified under the Act.  He continued:                                                                   
                                                                                                                                
     If  a  widespread  system  failure  is  the  result  of                                                                    
     another cause that  is not manmade, or in  this case an                                                                    
     attack  or a  threat, it  actually would  probably fall                                                                    
     into one  of the  other categories.   So, in  the case,                                                                    
     for example,  of an  earthquake:   a system  goes down,                                                                    
     but  it's  really  the result  of  an  earthquake,  not                                                                    
     necessarily  a cybersecurity  attack.   And so,  if I'm                                                                    
     understanding  correctly,  this  would  actually  clear                                                                    
     authority specifically to those type of items."                                                                            
                                                                                                                                
REPRESENTATIVE EASTMAN  asked whether it  is important to  make a                                                               
distinction between "those manmade  actions which are intentional                                                               
and which are accidental."   For example, he said an installation                                                               
of  "a  security  patch"  that cause  a  major  outage  "wouldn't                                                               
qualify  here" because  it is  not a  cybersecurity attack,  even                                                               
though  it may  have  the  same result  if  someone  had done  it                                                               
intentionally.                                                                                                                  
                                                                                                                                
MR. CORDERO responded  that that would be  a cyber vulnerability,                                                               
and  he  indicated   that  was  addressed  in   another  part  of                                                               
[subparagraph] (F).   He said there are so  many definitions that                                                               
could be  included in the  bill that  would make it  lengthy, for                                                               
example,   for  the   following  terms:     cyberattacks,   cyber                                                               
incidents,  cyberthreats,  major   threats,  minor  threats,  and                                                               
primary targets.  He stated, "We're  just trying to make it clear                                                               
that cybersecurity counts; give it an overview, and then it's up                                                                
to the Department of Military & Veterans' Affairs to come up                                                                    
with ... plans."                                                                                                                
                                                                                                                                
3:02:22 PM                                                                                                                    
                                                                                                                                
CHAIR CLAMAN remarked that a lot of this comes back to the size                                                                 
and cost of what has happened.                                                                                                  
                                                                                                                                
CHAIR CLAMAN announced that CSHB 3(STA) was held over.                                                                          

Document Name Date/Time Subjects
HB 105 v. A 2.19.2021.PDF HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Transmittal Letter 2.18.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Sectional Analysis v. A 2.23.2021.pdf HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Supporting Document - ABADA & AMHB Letter 3.5.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Testimony - Received as of 3.8.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Additional Document - Memo from DJJ to HJUD 3.9.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 v. A Amendments #1-2 HJUD 3.10.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 v. A Amendments #1-2 HJUD Final Votes 3.10.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Fiscal Note DOC-IDO 2.8.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Fiscal Note DHSS-PS 2.10.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Fiscal Note DPS-AST 2.12.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HHSS 4/29/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 105 Fiscal Note JUD-ACS 3.4.2021.pdf HHSS 4/15/2021 3:00:00 PM
HHSS 4/17/2021 3:00:00 PM
HHSS 4/27/2021 3:00:00 PM
HJUD 3/5/2021 1:30:00 PM
HJUD 3/10/2021 1:30:00 PM
HB 105
HB 3 v. G 3.8.2021.PDF HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HB 3
HB 3 Sponsor Statement 2.18.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Legal Memo 2.10.2020.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - Alaska Health Department Reports Data Breach The Seattle Times 6.28.2018.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - DHSS Cyber Attack Impacts More Than 100,000 Alaska Households 1.23.2019.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - How One Alaskan Borough Survived A Cyber Attack CitiesSpeak 10.1.2019.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - MSBD Press Release Mat-Su Declares Disaster for Cyber Attack 7.31.2018.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - Pipeline Article Alaska Public Media 3.14.2018.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - CISA Critical Infrastructure 2.23.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Testimony - Received as of 2.22.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Fiscal Note DOA-OIT 2.21.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HB 3
HB 57 v. B 2.18.2021.PDF HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Sponsor Statement 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Sectional Analysis v. B 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - OMB Letter 7.12.2019.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - CBR Sweep Breakdown by Fund - LFD March 2020 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - AEA Memo on PCE Sweep 8.24.2019.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - Hickel v. Cowper May 27, 1994 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - Legislative Finance Outline of AS 37.10.420 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - Legislative Research Memo GF Definitions 9.1.2020.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - FY19 Single Audit - Finding No. 2019-089 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Additional Document - FY20 CAFR General Fund Accounts 3.8.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 PowerPoint Presentation 3.10.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HJUD 3/19/2021 1:30:00 PM
HJUD 3/24/2021 1:30:00 PM
HJUD 3/29/2021 1:00:00 PM
HJUD 4/5/2021 1:00:00 PM
HB 57
HB 57 Fiscal Note GOV-OMB 3.6.2021.pdf HJUD 3/10/2021 1:30:00 PM