Legislature (2021 - 2022) GRUENBERG 120
02/23/2021 03:00 PM House STATE AFFAIRS
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| *+ | HB 3 | TELECONFERENCED | |
| *+ | HB 32 | TELECONFERENCED | |
HB 3-DEFINITION OF "DISASTER": CYBERSECURITY
3:05:43 PM
CHAIR KREISS-TOMKINS announced that the first order of business
would be HOUSE BILL NO. 3, "An Act relating to the definition of
'disaster.'"
3:06:12 PM
REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, prime
sponsor, introduced HB 3. She stated that there are many events
that elicit an emergency declaration; however, a cybersecurity
threat is not one of them. She informed the committee that
current Alaska statutes are vague on whether a cyber attack
could qualify for such a declaration. She said HB 3 would
provide clarity by adding cybersecurity attacks to the
definition of disaster, so in the event it's needed, action
could be taken, and resources could be used. She relayed that
there is an alarming rate of cyber threats throughout the world
and referenced a recent cyber attack on the Matanuska-Susitna
(Mat-Su) Borough, which created disruptions in day-to-day
service operations. She noted that the city of Valdez was also
the target of a ransomware attack that was costly to resolve.
Additionally, she reported that several state agencies were
targeted by cyber criminals, including Department of Health and
Social Services (DHSS) and the Division of Elections. To
conclude, she asserted that cybersecurity should qualify for an
emergency declaration to allow for the use of emergency funds;
the application of funds and other resources that might not be
otherwise readily available; and disaster preparation planning.
3:08:39 PM
ERIC CORDERO, Staff, Representative DeLena Johnson, Alaska State
Legislature, on behalf of Representative Johnson, continued to
present HB 3. He reiterated that the bill adds cybersecurity to
the definition of a disaster - more specifically, HB 3 adds
subsection (F) to AS 26.20.900, the general provisions of the
Alaska Disaster Act. Subsection (F) read as follows:
(F) a cybersecurity attack that affects critical
infrastructure in the state, an information system
owned or operated by the state, information that is
stored on, processed by, or transmitted on an
information system owned or operated by the state, or
a credible threat of an imminent cybersecurity attack
or cybersecurity vulnerability that the commissioner
of administration or commissioner's designee certifies
to the governor has a high probability of occurring in
the near future; the certification must be based on
specific information that critical infrastructure in
the state, an information system owned or operated by
the state, or information that is stored on, processed
by, or transmitted on an information system owned or
operated by the state may be affected;
MR. CORDERO clarified that the language, "the certification must
be based on specific information that critical infrastructure in
the state," covers agencies within the nonprofit sector and the
private sector that have responsibilities regarding health,
energy, telecommunication, or transportation to the public. He
further noted that the Department of Military & Veterans'
Affairs (DMVA) is responsible for planning, managing, and
creating the list of qualifications for "critical
infrastructure," which Mr. Cordero could not obtain. He stated
that critical infrastructure is not defined under Alaska
statutes, adding that DMVA uses the U.S. Department of Homeland
Security's definition. He went on to add that according to
Legislative Legal Services, the governor could, in some
instances, call an emergency if there were a cybersecurity
attack or threat; however, the statutes are vague because in
2000, the legislature removed the words "manmade causes" from
the Alaska Disaster Act. He noted that other states that can
issue a statewide emergency on cybersecurity have relied on that
language. There is, he said, a small provision in the Alaska
statute that mentions "equipment," which arguably, could be
considered information systems or a database. He emphasized
that HB 3 would clarify and update the language in the Alaska
Disaster Act.
3:12:59 PM
MR. CORDERO reported per the Department of Administration (DOA),
that in the last 10 years, there have been as many as 817,000
attempted attacks per year that are general in nature, such as
spam mail, viruses, and malware, and 400,000 [attempted]
directed attacks per year, which are focused against specific
individuals, systems, or departments. He noted that not all
attempted attacks were successful. He stated that annually,
there have been 497 successful attacks against the state, in
which systems or data were either infiltrated or compromised.
He added that historically, the most targeted state agencies are
Division of Elections, Division of Motor Vehicles (DMV),
Department of Revenue (DOR), DHSS, and Department of
Transportation & Public Facilities (DOTPF).
3:14:17 PM
CHAIR KREISS-TOMKINS opened invited testimony.
3:15:02 PM
MARK BREUNIG, Chief Technology Officer, Office of Information
Technology, Department of Administration, informed the committee
that states such as Florida, Texas, and Washington, as well as
the federal government, have been impacted by cybersecurity
attacks. He reported that in July 2018, the Mat-Su Borough and
the city of Valdez were victims of cyber attacks, and in both
cases, critical services were disrupted, and significant damage
was caused. Ultimately, emergency relief funding in the Mat-Su
Borough alone exceeded $2.5 million. As one of the on-site
volunteers to help restore service, he recalled asking "where is
the state?" Upon joining DOA, he realized that the state was
not unsympathetic, but the language to address a major
cybersecurity attack was missing from Alaska statutes. He said
HB 3 seeks to remedy that gap. He addressed several instances
of cybersecurity attacks in other states, such as Florida, where
attackers gained access to industrial control systems at a water
treatment plant and attempted to increase the amount of sodium
hydroxide. He opined that the additional language in HB 3 is
critical to support processes and the success of disaster
remediation in Alaska.
3:17:23 PM
REPRESENTATIVE EASTMAN asked how far the Mat-Su Borough
progressed into the disaster declaration process before the
missing language became an obstacle.
MR. BREUNIG reported that the Mat-Su Borough's request was
received, but there was no legally viable recourse.
3:18:19 PM
REPRESENTATIVE CLAMAN inquired about the likelihood of receiving
information on a pending cybersecurity attack, which could
result in a disaster declaration, before it happens.
MR. BREUNIG said the time interval from receiving intelligence
before an attack to the time of an actual attack continues to
shrink, which is why intelligence from federal and industry
partners is greatly valued. He provided the example of
SolarWinds, explaining that the state received the update on
SolarWinds hours before it hit everywhere else, allowing Alaska to act
quickly. Nonetheless, he reiterated that the days of receiving
advanced notice are disappearing.
REPRESENTATIVE CLAMAN surmised that in terms of cybersecurity
attacks pertaining to critical data, "we're not talking about a
disaster declaration because tomorrow we think something's
coming - it's going to be ... this just happened ... and now we
need help fixing it and it's going to take time and money."
MR. BREUNIG replied it will be a mix. He pointed out that [the
state] received word of "certain Iranian activities" one week in
advance. He emphasized that typically, the amount of advanced
notice varies, if any is received at all.
3:21:26 PM
REPRESENTATIVE KAUFMAN asked if HB 3 goes far enough to
encompass the state's cybersecurity needs. Additionally, he
asked if HB 3 is missing any components.
MR. BREUNIG said there is work that needs to be done, but [HB 3]
is a significant start.
3:22:02 PM
CHAIR KREISS-TOMKINS asked if beyond the scope of this bill,
there are recommendations that the legislature should further
explore or investigate regarding cybersecurity in general.
MR. BREUNIG answered yes, adding that he would welcome a
follow-up discussion and further investigation.
3:22:48 PM
REPRESENTATIVE VANCE inquired about available federal funds
specific to cyber attacks in a declared emergency.
MR. BREUNIG relayed that the state currently receives funding
through the Federal Emergency Management Agency (FEMA) for
emergency response. He noted that recently, CISA [Cybersecurity
& Infrastructure Security Agency] announced its intention to
contribute additional funding; however, the amount and the date
of availability have not been publicized.
CHAIR KREISS-TOMKINS asked what the acronym "CISA" stands for.
MR. BREUNIG answered Cybersecurity & Infrastructure Security
Agency.
3:24:27 PM
REPRESENTATIVE STORY asked if qualifying for assistance requires
reaching a certain level of disaster.
MR. BREUNIG said there is a framework and different criteria for
determining the level of attack and disaster.
REPRESENTATIVE STORY requested that a description of the
criteria be provided to the committee.
MR. BREUNIG offered to follow up with the requested information.
3:25:52 PM
PAUL NELSON, Director, Division of Homeland Security & Emergency
Management, Department of Military & Veterans' Affairs (DMVA),
said he has no official testimony prepared at this time;
however, he is available for questions from the committee.
3:26:26 PM
REPRESENTATIVE EASTMAN offered his understanding that DMVA is
involved in the process of declaring a disaster. Referencing
Page 2 of the bill, he asked if the Division of Homeland
Security and Emergency Management helps determine whether
something is a cybersecurity vulnerability.
MR. NELSON acknowledged that the division has a minor role and
follows the lead of OIT [Office of Information Technology] to
identify cybersecurity vulnerabilities. He added that the
division and OIT work with other federal and infrastructure
partners - both public utility and private sector - to determine
the vulnerabilities in the cybersecurity domain and, ideally,
mitigate and eliminate them.
3:27:50 PM
REPRESENTATIVE KAUFMAN asked where Alaska stands in relation to
others.
MR. NELSON replied from the perspective of emergency management,
Alaska seems to be okay, but there's more work to be done going
forward. He opined that HB 3 is a great start, later noting
that there is no indication that [cybersecurity attacks] are
going to stop, they will only grow more advanced.
3:29:31 PM
CHAIR KREISS-TOMKINS asked if HB 3 were to pass, how the state
would evaluate the impact of the cybersecurity attack on the
Mat-Su Borough. He asked whether it would reach the threshold
of warranting a disaster declaration.
MR. NELSON explained that Division of Homeland Security &
Emergency Management would set up the state emergency operations
center wherever the intrusion occurred and evaluate the response
and immediate needs while following OIT's lead, which is the
standard foundation for any type of response, be it flooding, an
earthquake, or a cybersecurity attack. He said the absence of
cybersecurity attack from the definition of disaster within AS
26.23.900 "makes it more obscure," whereas the language in HB 3
would help improve the state emergency operations plan.
MR. BREUNIG expanded on Mr. Nelson's comments by noting that the
National Guard is building cyber capability through their own
mandate. He explained that identifying this as a leverage point
for declaring a disaster would enable the National Guard to
provide cyber support throughout the state.
3:32:57 PM
PETER HOUSE, CEO, Deeptree, Inc., informed the committee that
his business is an IT firm that specializes in risk management
with a particular emphasis on cybersecurity. He provided
several personal anecdotes, one which highlighted his work on
the Mat-Su Borough attack. He said he saw firsthand the scope
of the incident and the impact on Alaskans. He added that
whether in the scope of losing access to essential services or
disruptions to business, the [cybersecurity] attack was
functionally equivalent to the organization being impacted by a
traditionally defined disaster. As a responder, he said, the
level of responsibility was significant because citizen lives
were impacted by the lack of digital infrastructure support. He
explained that the responders had two tasks on hand: restore
services as quickly as possible and ensure that the evidence
required by law enforcement and insurance was retained. He
noted that sometimes, it felt like those tasks were at odds with
each other when it came to resources and staffing. He recounted
that due to the depth of the attack, a large number of
specialists and generalists was required; further, for the first
few months, the daily briefings were at capacity. He offered
his belief that the Borough's declaration of a state of
emergency was essential because of those operational factors.
He pointed out the extra support that resulted from the disaster
declaration made a significant impact on the time it took to
restore services; additionally, they received improved
operational agility and response capabilities. He went on to
convey that because Alaska is sparsely populated and spread
out over thousands of miles, the state has a unique profile,
which makes digital technology not only a nicety but a
necessity. Furthermore, it places the digital systems on which
Alaska relies in a state of operational significance. He
pointed out that sometimes the replacements for that equipment
are thousands of miles away.
MR. HOUSE continued by addressing the 2013 attack on Target. He
said it's not widely known that the attack had an initial point
of entry through an HVAC vendor. The criminal actors identified
a third-party vendor, sent a phishing email, compromised the
systems, and rode an engineer's laptop onto the networks when
the engineer went on site. He emphasized the importance of that
story because Alaska is very connected. He opined that when
considering the threat of exposure that could come from a
similar situation, Alaska compared to other states has a mildly
higher threat profile given the state's geographic location and
economy. He added that Alaska does not have many economic
"crown jewels," but the few that exist are very important. He
concluded by opining that knowing the State of Alaska has a
strong security posture and the ability to respond to an
emergency enhances the state's overall defensive position.
3:38:21 PM
REPRESENTATIVE EASTMAN pointed out that HB 3 speaks to the
credible threat of an attack or a cybersecurity vulnerability
that has a high probability of occurring in the future. He
questioned whether the language opens the door for a situation
in which Alaska would be eligible for a disaster for the
foreseeable future. He remarked:
Or maybe, based on your experience, you would expect
that [the] window would close. If so, when would we
no longer be in the situation where there is a
vulnerability that exists that could trigger this
disaster.
3:39:29 PM
MR. HOUSE said typically, the software developer - or whoever is
responsible for managing the solution - eliminates the
vulnerability by patching the system. He noted that in his
professional experience, he has never seen a nonterminated
vulnerability; further adding that in terms of mainline critical
infrastructure vulnerabilities, there is a low probability of a
vulnerability persisting for an interminable amount of time.
REPRESENTATIVE EASTMAN questioned whether Mr. House is referring
to an existing vulnerability or, as the bill expresses, one that
has a high probability of occurring in the future.
MR. HOUSE said he could not speak to that specific passage;
however, he offered his understanding that when something is
specifically classified as a vulnerability, it is a "technical
exercise" that wouldn't leave room for interpretation. He
opined that the legislation as it's currently written, would not
allow a state of emergency to continue for an unlimited amount
of time.
3:41:41 PM
REPRESENTATIVE STORY expressed her concern that people do not
have basic protections in place to [protect] them from a
cybersecurity [attack]. She asked if municipalities and state
agencies are taking adequate precaution.
MR. HOUSE recalled seeing higher levels of information sharing
and security, as well as an uptick in security operation centers
(SOCs), since the Mat-Su Borough event. He provided an example
of an institution that provides threat and vulnerability
information sharing, which local jurisdictions are partaking in.
Furthermore, he said more professionals are undertaking advanced
education and training. He noted his specialization in memory
forensics, a specialized portion of incident response to
cybersecurity events, in which the level of interest has risen.
3:44:36 PM
REPRESENTATIVE TARR inquired about the perpetrator's motivation
to carry out these attacks.
MR. HOUSE said motivations vary. He explained that criminal
actors are interested in auctioning off the stolen information
on the dark web. Additionally, when the network is compromised,
he recalled a growing practice where the network itself is
auctioned off for criminal actors to pull the data from, ransom
the network, or both. He added that the motivation for nation
state actors also varies - in general, they are looking to
monetize the networks or gain geopolitical influence.
3:46:36 PM
REPRESENTATIVE TARR questioned whether the bill language
pertaining to the commissioner designee should be more specific.
MR. CORDERO explained that typically, each department determines
a plan they want to submit to DMVA and DMVA develops the
mitigation and response. He noted that DOA is included in the
bill language because it houses the Office of Information
Technology. He added that the language regarding the
commissioner designee is for the committee to consider at their
discretion.
3:48:33 PM
REPRESENTATIVE CLAMAN expressed his interest in clarifying the
definition of critical infrastructure and what constitutes it.
3:49:25 PM
MR. CORDERO read from the document, titled "From the
Cybersecurity & Infrastructure Security Agency" [included in the
committee packet], as follows:
There are 16 critical infrastructure sectors whose
assets, systems, and networks, whether physical or
virtual, are considered so vital to the United States
that their incapacitation or destruction would have a
debilitating effect on security, national economic
security, national public health or safety, or any
combination thereof.
MR. CORDERO acknowledged that "critical infrastructure" is not
defined in Alaska statutes. He added that the duty to make that
determination was given to [DMVA].
3:50:27 PM
REPRESENTATIVE CLAMAN sought to clarify whether that is the
federal definition.
MR. CORDERO answered yes.
REPRESENTATIVE CLAMAN pointed out that there are other sections
in statute that reference federal authority or federal
regulation. He suggested including a reference to the federal
regulations or federal statutory authority in HB 3 to avoid
writing a definition that changes every two years. He opined
that the reference would strengthen the bill because it would
align the state and federal definition of what constitutes
critical infrastructure.
MR. CORDERO agreed that it could help clarify critical
infrastructure.
3:51:29 PM
REPRESENTATIVE EASTMAN asked if there is a definition of
cybersecurity that the bill refers to.
MR. CORDERO deferred to Mr. Breunig.
3:52:20 PM
REPRESENTATIVE VANCE asked if the state has insurance that
covers cybersecurity attacks and if so, what criteria must be
met to access it or other federal funding.
MR. CORDERO offered to follow up with the requested information.
3:53:42 PM
CHAIR KREISS-TOMKINS shared his understanding that there was
similar, or possibly identical, legislation in the last
legislative session. He asked if there are substantive
differences between the previous legislation and HB 3.
REPRESENTATIVE JOHNSON answered no and explained that HB 3
is a continuation of the same bill from last session.
CHAIR KREISS-TOMKINS advised that there might be a committee
substitute with a title change pending further discussions with
the sponsor's office.
3:54:55 PM
REPRESENTATIVE CLAMAN asked who sponsored the previous
legislation.
CHAIR KREISS-TOMKINS answered Representative Johnson.
[HB 3 was held over.]
| Document Name | Date/Time | Subjects |
|---|---|---|
| HB 32 Sponsor Statement 2.19.2021.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Testimony Received as of 2.22.2021.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 3 Sponsor Statement 2.18.2021.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - Alaska Health Department Reports Data Breach The Seattle Times 6.28.2018.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - DHSS Cyber Attack Impacts More Than 100,000 Alaska Households 1.23.2019.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - How One Alaskan Borough Survived A Cyber Attack CitiesSpeak 10.1.2019.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - MSBD Press Release Mat-Su Declares Disaster for Cyber Attack 7.31.2018.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - Pipeline Article Alaska Public Media 3.14.2018.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Legal Memo 2.10.2020.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - CISA Critical Infrastructure 2.23.2021.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Testimony - Received as of 2.22.2021.pdf | HSTA 2/23/2021 3:00:00 PM | |
| HB 32 Testimony Received as of 2.22.21 Additional - Chicken Gold Camp.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 FN LAW CIV TWC 2.9.21.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 3 Fiscal Note DOA-OIT 2.21.2021 (Printed 2.22.2021).pdf | HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 32 Letters in Support 2.23.2021.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Research Alaska Annual Ecomoic Impact Fact Sheet.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Research Alaska State Economic Impact Table.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Reseach Examples of Inherent Risk Lawsuits.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |