Legislature(2021 - 2022)GRUENBERG 120

02/23/2021 03:00 PM STATE AFFAIRS

Note: the audio and video recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.

Download Mp3. <- Right click and save file as

* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
*+ HB 3 DEFINITION OF "DISASTER": CYBERSECURITY TELECONFERENCED
Heard & Held
-- Testimony <Invitation Only> --
*+ HB 32 IMMUNITY FOR RV PARKS, CAMPGROUNDS TELECONFERENCED
Heard & Held
-- Testimony <Invitation Only> --
**Streamed live on AKL.tv**
         HB  3-DEFINITION OF "DISASTER": CYBERSECURITY                                                                      
                                                                                                                                
3:05:43 PM                                                                                                                    
                                                                                                                                
CHAIR KREISS-TOMKINS  announced that the first  order of business                                                               
would be HOUSE BILL NO. 3,  "An Act relating to the definition of                                                               
'disaster.'"                                                                                                                    
                                                                                                                                
3:06:12 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  DELENA JOHNSON,  Alaska State  Legislature, prime                                                               
sponsor, introduced HB 3.  She  stated that there are many events                                                               
that elicit  an emergency  declaration; however,  a cybersecurity                                                               
threat  is not  one of  them.   She informed  the committee  that                                                               
current  Alaska statutes  are  vague on  whether  a cyber  attack                                                               
could  qualify for  such  a declaration.   She  said  HB 3  would                                                               
provide   clarity  by   adding  cybersecurity   attacks  to   the                                                               
definition  of disaster,  so  in the  event  it's needed,  action                                                               
could be  taken, and resources could  be used.  She  relayed that                                                               
there is an  alarming rate of cyber threats  throughout the world                                                               
and  referenced a  recent cyber  attack on  the Matanuska-Susitna                                                               
(Mat-Su)  Borough,   which  created  disruptions   in  day-to-day                                                               
service operations.   She noted that the city of  Valdez was also                                                               
the target  of a  ransomware attack that  was costly  to resolve.                                                               
Additionally,  she  reported  that several  state  agencies  were                                                               
target  by cyber  criminals, including  Department of  Health and                                                               
Social  Services  (DHSS)  and  the Division  of  Elections.    To                                                               
conclude, she  asserted that cybersecurity should  qualify for an                                                               
emergency declaration  to allow for  the use of  emergency funds;                                                               
the application  of funds and  other resources that might  not be                                                               
otherwise readily available; and disaster preparation planning.                                                                 
                                                                                                                                
3:08:39 PM                                                                                                                    
                                                                                                                                
ERIC CORDERO, Staff, Representative  DeLena Johnson, Alaska State                                                               
Legislature, on  behalf of  Representative Johnson,  continued to                                                               
present HB 3.  He reiterated  that the bill adds cybersecurity to                                                               
the  definition of  a disaster  -  more specifically,  HB 3  adds                                                               
subsection (F)  to AS  26.20.900, the  general provisions  of the                                                               
Alaska Disaster Act.  Subsection (F) read as follows:                                                                           
                                                                                                                                
     (F)  a  cybersecurity   attack  that  affects  critical                                                                
     infrastructure  in  the  state, an  information  system                                                                
     owned  or operated  by the  state, information  that is                                                                
     stored  on,   processed  by,   or  transmitted   on  an                                                                
     information system  owned or operated by  the state, or                                                                
     a credible  threat of an imminent  cybersecurity attack                                                                
     or  cybersecurity vulnerability  that the  commissioner                                                                
     of administration or  commissioner's designee certifies                                                                
     to the governor has a  high probability of occurring in                                                                
     the  near future;  the certification  must be  based on                                                                
     specific  information that  critical infrastructure  in                                                                
     the state,  an information system owned  or operated by                                                                
     the state, or information  that is stored on, processed                                                                
     by, or  transmitted on an  information system  owned or                                                                
     operated by the state may be affected;                                                                                 
                                                                                                                                
MR. CORDERO clarified that the  language, "the certification must                                                               
be based on specific information  that critical infrastructure in                                                               
the state," covers  agencies within the nonprofit  sector and the                                                               
private  sector  that  have  responsibilities  regarding  health,                                                               
energy, telecommunication,  or transportation to the  public.  He                                                               
further  noted  that  the  Department  of  Military  &  Veterans'                                                               
Affairs  (DMVA)  is  responsible   for  planning,  managing,  and                                                               
creating    the   list    of    qualifications   for    "critical                                                               
infrastructure," which Mr.  Cordero could not obtain.   He stated                                                               
that  critical   infrastructure  is  not  defined   under  Alaska                                                               
statutes, adding that  DMVA uses the U.S.  Department of Homeland                                                               
Security's  definition.   He went  on  to add  that according  to                                                               
Legislative  Legal   Services,  the   governor  could,   in  some                                                               
instances,  call  an  emergency  if there  were  a  cybersecurity                                                               
attack or threat;  however, the statutes are vague  because in in                                                               
2000,  the legislature  removed the  words "manmade  causes" from                                                               
the Alaska  Disaster Act.   He noted  that other states  that can                                                               
issue a statewide emergency on  cybersecurity have relied on that                                                               
language.   There is, he  said, a  small provision in  the Alaska                                                               
statute  that  mentions  "equipment," which  arguably,  could  be                                                               
considered  information systems  or  a database.   He  emphasized                                                               
that HB  3 would clarify  and update  the language in  the Alaska                                                               
Disaster Act.                                                                                                                   
                                                                                                                                
3:12:59 PM                                                                                                                    
                                                                                                                                
MR. CORDERO reported per the  Department of Administration (DOA),                                                               
that in  the last 10  years, there have  been as many  as 817,000                                                               
attempted attacks  per year that  are general in nature,  such as                                                               
spam  mail,   viruses,  and  malware,  and   400,000  [attempted]                                                               
directed  attacks per  year, which  are focused  against specific                                                               
individuals,  systems, or  departments.   He noted  that not  all                                                               
attempted  attacks were  successful.   He  stated that  annually,                                                               
there  have been  497 successful  attacks against  the state,  in                                                               
which  systems or  data were  either infiltrated  or compromised.                                                               
He added that historically, the  most targeted state agencies are                                                               
Division  of   Elections,  Division  of  Motor   Vehicles  (DMV),                                                               
Department   of   Revenue   (DOR),  DHSS,   and   Department   of                                                               
Transportation & Public Facilities (DOTPF).                                                                                     
                                                                                                                                
3:14:17 PM                                                                                                                    
                                                                                                                                
CHAIR KREISS-TOMKINS opened invited testimony.                                                                                  
                                                                                                                                
3:15:02 PM                                                                                                                    
                                                                                                                                
MARK  BREUNIG, Chief  Technology Officer,  Office of  Information                                                               
Technology, Department of  Administration, informed the committee                                                               
that states  such as Florida,  Texas, and Washington, as  well as                                                               
the  federal  government,  have been  impacted  by  cybersecurity                                                               
attacks.  He  reported that in July 2018, the  Mat-Su Borough and                                                               
the city  of Valdez were  victims of  cyber attacks, and  in both                                                               
cases, critical  services were disrupted, and  significant damage                                                               
was caused.   Ultimately, emergency relief funding  in the Mat-Su                                                               
Borough  alone exceeded  $2.5 million.    As one  of the  on-site                                                               
volunteers to help restore service,  he recalled asking "where is                                                               
the state?"   Upon joining  DOA, he  realized that the  state was                                                               
not  unsympathetic,   but  the   language  to  address   a  major                                                               
cybersecurity attack was  missing from Alaska statutes.   He said                                                               
HB 3  seeks to remedy that  gap.  He addressed  several instances                                                               
of cybersecurity attacks in other  states, such as Florida, where                                                               
attackers gained access to industrial  control systems at a water                                                               
treatment plant  and attempted to  increase the amount  of sodium                                                               
hydroxide.   He opined that  the additional  language in HB  3 is                                                               
critical  to  support  processes  and  the  success  of  disaster                                                               
remediation in Alaska.                                                                                                          
                                                                                                                                
3:17:23 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  EASTMAN   asked  how   far  the   Mat-Su  Borough                                                               
progressed  into  the  disaster declaration  process  before  the                                                               
missing language became an obstacle.                                                                                            
                                                                                                                                
MR.  BREUNIG  reported  that the  Mat-Su  Borough's  request  was                                                               
received, but there was no legally viable recourse.                                                                             
                                                                                                                                
3:18:19 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE CLAMAN inquired about  the likelihood of receiving                                                               
information  on  a  pending  cybersecurity  attack,  which  could                                                               
result in a disaster declaration, before it happens.                                                                            
                                                                                                                                
MR. BREUNIG  said the time  interval from  receiving intelligence                                                               
before an  attack to the  time of  an actual attack  continues to                                                               
shrink,  which  is why  intelligence  from  federal and  industry                                                               
partners is  greatly valued.   He provided  the example  of solar                                                               
winds, explaining  that the  state received  the update  on solar                                                               
winds hours before it hit  everywhere else allowing Alaska to act                                                               
quickly.  Nonetheless,  he reiterated that the  days of receiving                                                               
advanced notice are disappearing.                                                                                               
                                                                                                                                
REPRESENTATIVE  CLAMAN surmised  that in  terms of  cybersecurity                                                               
attacks pertaining to  critical data, "we're not  talking about a                                                               
disaster  declaration  because   tomorrow  we  think  something's                                                               
coming - it's going  to be ... this just happened  ... and now we                                                               
need help fixing it and it's going to take time and money."                                                                     
                                                                                                                                
MR. BREUNIG replied it  will be a mix.  He  pointed out that [the                                                               
state] received word of "certain  Iranian activities" one week in                                                               
advance.   He emphasized that  typically, the amount  of advanced                                                               
notice varies, if any is received at all.                                                                                       
                                                                                                                                
3:21:26 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  KAUFMAN  asked  if  HB   3  goes  far  enough  to                                                               
encompass  the state's  cybersecurity  needs.   Additionally,  he                                                               
asked if Hb 3 is missing any components.                                                                                        
                                                                                                                                
MR. BREUNIG said there is work that  needs to be done, but [HB 3]                                                               
is a significant start.                                                                                                         
                                                                                                                                
3:22:02 PM                                                                                                                    
                                                                                                                                
CHAIR  KREISS-TOMKINS asked  if beyond  the scope  of this  bill,                                                               
there  are recommendations  that the  legislature should  further                                                               
explore or investigate regarding cybersecurity in general.                                                                      
                                                                                                                                
MR. BREUNIG answered yes, adding  that he would welcome a follow-                                                               
up discussion and further investigation.                                                                                        
                                                                                                                                
3:22:48 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  VANCE  inquired  about  available  federal  funds                                                               
specific to cyber attacks in a declared emergency.                                                                              
                                                                                                                                
MR.  BREUNIG relayed  that the  state currently  receives funding                                                               
through  the  Federal  Emergency  Management  Agency  (FEMA)  for                                                               
emergency response.  He noted  that recently, CISA [Cybersecurity                                                               
&  Infrastructure Security  Agency]  announced  its intention  to                                                               
contribute additional  funding; however, the amount  and the date                                                               
of availability has not been publicized.                                                                                        
                                                                                                                                
CHAIR KREISS-TOMKINS asked what the acronym "CISA" stands for.                                                                  
                                                                                                                                
MR.  BREUNIG  answered  Cybersecurity &  Infrastructure  Security                                                               
Agency.                                                                                                                         
                                                                                                                                
3:24:27 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE STORY asked if  qualifying for assistance requires                                                               
reaching a certain level of disaster.                                                                                           
                                                                                                                                
MR. BREUNIG said there is  a framework and different criteria for                                                               
determining the level of attack and disaster.                                                                                   
                                                                                                                                
REPRESENTATIVE  STORY   requested  that  a  description   of  the                                                               
criteria be provided to the committee.                                                                                          
                                                                                                                                
MR. BREUNIG offered to follow up with the requested information.                                                                
                                                                                                                                
3:25:52 PM                                                                                                                    
                                                                                                                                
PAUL NELSON, Director, Division  of Homeland Security & Emergency                                                               
Management, Department  of Military  & Veterans'  Affairs (DMVA),                                                               
said  he  has  no  official  testimony  prepared  at  this  time;                                                               
however, he is available for questions from the committee.                                                                      
                                                                                                                                
3:26:26 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  EASTMAN offered  his understanding  that DMVA  is                                                               
involved in  the process  of declaring  a disaster.   Referencing                                                               
Page  2  of the  bill,  he  asked  if  the Division  of  Homeland                                                               
Security  and   Emergency  Management  helps   determine  whether                                                               
something is a cybersecurity vulnerability.                                                                                     
                                                                                                                                
MR. NELSON  acknowledged that the  division has a minor  role and                                                               
follows the  lead of  OIT [Office  of Information  Technology] to                                                               
identify  cybersecurity  vulnerabilities.    He  added  that  the                                                               
division  and  OIT work  with  other  federal and  infrastructure                                                               
partners - both public utility  and private sector - to determine                                                               
the  vulnerabilities in  the cybersecurity  domain and,  ideally,                                                               
mitigate and eliminate them.                                                                                                    
                                                                                                                                
3:27:50 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE KAUFMAN  asked where Alaska stands  in relation to                                                               
others.                                                                                                                         
                                                                                                                                
MR. NELSON replied from the  perspective of emergency management,                                                               
Alaska seems to  be okay, but there's more work  to be done going                                                               
forward.   He opined  that HB  3 is a  great start,  later noting                                                               
that  there is  no  indication that  [cybersecurity attacks]  are                                                               
going to stop, they will only grow more advanced.                                                                               
                                                                                                                                
3:29:31 PM                                                                                                                    
                                                                                                                                
CHAIR KREISS-TOMKINS  asked if HB 3  were to pass, how  the state                                                               
would  evaluate the  impact of  the cybersecurity  attack on  the                                                               
Mat-Su Borough.   He asked  whether it would reach  the threshold                                                               
of warranting a disaster declaration.                                                                                           
                                                                                                                                
MR.  NELSON  explained  that  Division  of  Homeland  Security  &                                                               
Emergency Management would set up  the state emergency operations                                                               
center wherever the intrusion occurred  and evaluate the response                                                               
and  immediate needs  while following  OIT's lead,  which is  the                                                               
standard foundation for any type  of response, be it flooding, an                                                               
earthquake, or  a cybersecurity attack.   He said the  absence of                                                               
cybersecurity attack  from the definition  of disaster  within AS                                                               
26.23.900 "makes it  more obscure," whereas the language  in HB 3                                                               
would help improve the state emergency operations plan.                                                                         
                                                                                                                                
MR. BREUNIG expanded on Mr.  Nelson's comments by noting that the                                                               
National  Guard is  building cyber  capability through  their own                                                               
mandate.  He explained that  identifying this as a leverage point                                                               
for  declaring a  disaster  would enable  the  National Guard  to                                                               
provide cyber support throughout the state.                                                                                     
                                                                                                                                
3:32:57 PM                                                                                                                    
                                                                                                                                
PETER  HOUSE, CEO,  Deeptree, Inc.,  informed the  committee that                                                               
his business  is an IT  firm that specializes in  risk management                                                               
with  a  particular  emphasis  on  cybersecurity.    He  provided                                                               
several  personal anecdotes,  one which  highlighted his  work on                                                               
the Mat-Su  Borough attack.  He  said he saw firsthand  the scope                                                               
of  the incident  and  the impact  on Alaskans.    He added  that                                                               
whether in  the scope of  losing access to essential  services or                                                               
disruptions   to  business,   the   [cybersecurity]  attack   was                                                               
functionally equivalent  to the organization being  impacted by a                                                               
traditionally defined  disaster.   As a  responder, he  said, the                                                               
level  of responsibility  was significant  because citizen  lives                                                               
were impacted by the lack  of digital infrastructure support.  He                                                               
explained  that the  responders had  two tasks  on hand:  restore                                                               
services  as quickly  as possible  and ensure  that the  evidence                                                               
required  by law  enforcement  and insurance  was  retained.   He                                                               
noted that sometimes, it felt like  those tasks were at odds with                                                               
each other when it came to  resources and staffing.  He recounted                                                               
that  due  to  the  depth  of  the  attack,  a  large  number  of                                                               
specialists and generalists was  required; further, for the first                                                               
few months,  the daily  briefings were at  capacity.   He offered                                                               
his  belief  that  the  Borough's   declaration  of  a  state  of                                                               
emergency  was essential  because of  those operational  factors.                                                               
He pointed out the extra  support that resulted from the disaster                                                               
declaration  made a  significant impact  on the  time it  took to                                                               
restore   services;   additionally,    they   received   improved                                                               
operational agility  and response  capabilities.   He went  on to                                                               
convey that that because Alaska  is sparsely populated and spread                                                               
out  over thousands  of miles,  the state  has a  unique profile,                                                               
which  makes  digital   technology  not  only  a   nicety  but  a                                                               
necessity.  Furthermore,  it places the digital  systems on which                                                               
Alaska  relies  in  a  state of  operational  significance.    He                                                               
pointed out  that sometimes the  replacements for  that equipment                                                               
are thousands of miles away.                                                                                                    
                                                                                                                                
MR. HOUSE continued by addressing the  2013 attack on Target.  He                                                               
said it's not  widely known that the attack had  an initial point                                                               
of entry through an HVAC  vendor.  The criminal actors identified                                                               
a  third-party vendor,  sent a  phishing  email, compromised  the                                                               
systems, and  rode an  engineer's laptop  onto the  networks when                                                               
the engineer went on site.   He emphasized the importance of that                                                               
story  because Alaska  is very  connected.   He opined  that when                                                               
considering  the  threat  of  exposure that  could  come  from  a                                                               
similar situation, Alaska  compared to other states  has a mildly                                                               
higher threat  profile given the state's  geographic location and                                                               
economy.   He  added  that  Alaska does  not  have many  economic                                                               
"crown jewels,"  but the few that  exist are very important.   He                                                               
concluded  by opining  that knowing  the  State of  Alaska has  a                                                               
strong  security  posture  and  the  ability  to  respond  to  an                                                               
emergency enhances the state's overall defensive position.                                                                      
                                                                                                                                
3:38:21 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  EASTMAN  pointed out  that  HB  3 speaks  to  the                                                               
credible  threat of  an attack  or a  cybersecurity vulnerability                                                               
that  has a  high probability  of occurring  in the  future.   He                                                               
questioned whether  the language opens  the door for  a situation                                                               
in  which  Alaska  would  be  eligible for  a  disaster  for  the                                                               
foreseeable future.  He remarked:                                                                                               
                                                                                                                                
     Or maybe,  based on your  experience, you  would expect                                                                    
     that [the]  window would close.   If so, when  would we                                                                    
     no  longer  be  in  the  situation  where  there  is  a                                                                    
     vulnerability  that  exists  that  could  trigger  this                                                                    
     disaster.                                                                                                                  
                                                                                                                                
3:39:29 PM                                                                                                                    
                                                                                                                                
MR. HOUSE said typically, the  software developer - or whoever is                                                               
responsible   for  managing   the  solution   -  eliminates   the                                                               
vulnerability  by patching  the system.    He noted  that in  his                                                               
professional  experience,  he  has  never  seen  a  nonterminated                                                               
vulnerability; further adding that  in terms of mainline critical                                                               
infrastructure vulnerabilities,  there is a low  probability of a                                                               
vulnerability persisting for an interminable amount of time.                                                                    
                                                                                                                                
REPRESENTATIVE EASTMAN questioned whether  Mr. House is referring                                                               
to an existing vulnerability or,  as the bill expresses, one that                                                               
has a high probability of occurring in the future.                                                                              
                                                                                                                                
MR.  HOUSE said  he could  not  speak to  that specific  passage;                                                               
however,  he offered  his understanding  that  when something  is                                                               
specifically classified  as a vulnerability,  it is  a "technical                                                               
exercise"  that  wouldn't  leave  room for  interpretation.    He                                                               
opined that the legislation as  it's currently written, would not                                                               
allow a  state of emergency  to continue for an  unlimited amount                                                               
of time.                                                                                                                        
                                                                                                                                
3:41:41 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  STORY expressed  her concern  that people  do not                                                               
have  basic  protections  in  place  to  [protect]  them  from  a                                                               
cybersecurity [attack].   She asked  if municipalities  and state                                                               
agencies are taking adequate precaution.                                                                                        
                                                                                                                                
MR. HOUSE  recalled seeing higher  levels of  information sharing                                                               
and security, as well as  an uptick in security operation centers                                                               
(SOCs), since the  Mat-Su Borough event.  He  provided an example                                                               
of  an   institution  that  provides  threat   and  vulnerability                                                               
information sharing, which local  jurisdictions are partaking in.                                                               
Furthermore, He said more  professionals are undertaking advanced                                                               
education and  training.  He  noted his specialization  in memory                                                               
forensics,  a   specialized  portion  of  incident   response  to                                                               
cybersecurity events, in which the level of interest has risen.                                                                 
                                                                                                                                
3:44:36 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE TARR  inquired about the  perpetrator's motivation                                                               
to carry out these attacks.                                                                                                     
                                                                                                                                
MR.  HOUSE said  motivations vary.   He  explained that  criminal                                                               
actors are  interested in auctioning  off the  stolen information                                                               
on the dark web.   Additionally, when the network is compromised,                                                               
he  recalled  a growing  practice  where  the network  itself  is                                                               
auctioned off for  criminal actors to pull the  data from, ransom                                                               
the network,  or both.  He  added that the motivation  for nation                                                               
state  actors also  varies  -  in general,  they  are looking  to                                                               
monetize the networks or gain geopolitical influence.                                                                           
                                                                                                                                
3:46:36 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE   TARR  questioned   whether  the   bill  language                                                               
pertaining to the commissioner designee should be more specific.                                                                
                                                                                                                                
MR. CORDERO explained that  typically, each department determines                                                               
a  plan  they want  to  submit  to  DMVA  and DMVA  develops  the                                                               
mitigation and  response.  He noted  that DOA is included  in the                                                               
bill  language  because  it  houses  the  Office  of  Information                                                               
Technology.     He   added  that   the  language   regarding  the                                                               
commissioner designee is  for the committee to  consider at their                                                               
discretion.                                                                                                                     
                                                                                                                                
3:48:33 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE CLAMAN  expressed his  interest in  clarifying the                                                               
definition of critical infrastructure and what constitutes it.                                                                  
                                                                                                                                
3:49:25 PM                                                                                                                    
                                                                                                                                
MR.   CORDERO  read   from  the   document,   titled  "From   the                                                               
Cybersecurity & Infrastructure Security  Agency" [included in the                                                               
committee packet], as follows:                                                                                                  
                                                                                                                                
     There  are  16  critical infrastructure  sectors  whose                                                                    
     assets,  systems,  and  networks, whether  physical  or                                                                    
     virtual, are  considered so vital to  the United States                                                                    
     that their  incapacitation or destruction would  have a                                                                    
     debilitating  effect  on  security,  national  economic                                                                    
     security,  national public  health  or  safety, or  any                                                                    
     combination thereof.                                                                                                       
                                                                                                                                
MR. CORDERO  acknowledged that  "critical infrastructure"  is not                                                               
defined in Alaska statutes.  He  added that the duty to make that                                                               
determination was given to [DMVA].                                                                                              
                                                                                                                                
3:50:27 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  CLAMAN  sought to  clarify  whether  that is  the                                                               
federal definition.                                                                                                             
                                                                                                                                
MR. CORDERO answered yes.                                                                                                       
                                                                                                                                
REPRESENTATIVE CLAMAN  pointed out that there  are other sections                                                               
in   statute  that   reference  federal   authority  or   federal                                                               
regulation.   He suggested including  a reference to  the federal                                                               
regulations  or federal  statutory  authority in  HB  3 to  avoid                                                               
writing a  definition that  changes every two  years.   He opined                                                               
that the  reference would  strengthen the  bill because  it would                                                               
align  the  state  and federal  definition  of  what  constitutes                                                               
critical infrastructure.                                                                                                        
                                                                                                                                
MR.  CORDERO   agreed  that  it   could  help   clarify  critical                                                               
infrastructure.                                                                                                                 
                                                                                                                                
3:51:29 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  EASTMAN  asked  if   there  is  a  definition  of                                                               
cybersecurity that the bill refers to.                                                                                          
                                                                                                                                
MR. CORDERO deferred to Mr. Breunig.                                                                                            
                                                                                                                                
3:52:20 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE  VANCE  asked  if  the state  has  insurance  that                                                               
covers cybersecurity  attacks and  if so,  what criteria  must be                                                               
met to access it or other federal funding.                                                                                      
                                                                                                                                
MR. CORDERO offered to follow up with the requested information.                                                                
                                                                                                                                
3:53:42 PM                                                                                                                    
                                                                                                                                
CHAIR  KREISS-TOMKINS shared  his  understanding  that there  was                                                               
similar,  or   possibly  identical,   legislation  in   the  last                                                               
legislative  session.     He  asked  if   there  are  substantive                                                               
differences between the previous legislation and HB 3.                                                                          
                                                                                                                                
REPRESENTATIVE JOHNSON answered  no and explained that  that HB 3                                                               
is a continuation of the same bill from last session.                                                                           
                                                                                                                                
CHAIR  KREISS-TOMKINS advised  that  there might  be a  committee                                                               
substitute with  a title change pending  further discussions with                                                               
the sponsor's office.                                                                                                           
                                                                                                                                
3:54:55 PM                                                                                                                    
                                                                                                                                
REPRESENTATIVE   CLAMAN   asked   who  sponsored   the   previous                                                               
legislation.                                                                                                                    
                                                                                                                                
CHAIR KREISS-TOMKINS answered Representative Johnson.                                                                           
                                                                                                                                
[HB 3 was held over.]                                                                                                           
                                                                                                                                

Document Name Date/Time Subjects
HB 32 Sponsor Statement 2.19.2021.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 32 Testimony Received as of 2.22.2021.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 3 Sponsor Statement 2.18.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - Alaska Health Department Reports Data Breach The Seattle Times 6.28.2018.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - DHSS Cyber Attack Impacts More Than 100,000 Alaska Households 1.23.2019.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - How One Alaskan Borough Survived A Cyber Attack CitiesSpeak 10.1.2019.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - MSBD Press Release Mat-Su Declares Disaster for Cyber Attack 7.31.2018.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - Pipeline Article Alaska Public Media 3.14.2018.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Legal Memo 2.10.2020.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Supporting Document - CISA Critical Infrastructure 2.23.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 3 Testimony - Received as of 2.22.2021.pdf HJUD 3/10/2021 1:30:00 PM
HJUD 3/15/2021 1:30:00 PM
HJUD 3/17/2021 1:30:00 PM
HSTA 2/23/2021 3:00:00 PM
HB 3
HB 32 Testimony Received as of 2.22.21 Additional - Chicken Gold Camp.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 32 FN LAW CIV TWC 2.9.21.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 3 Fiscal Note DOA-OIT 2.21.2021 (Printed 2.22.2021).pdf HSTA 2/23/2021 3:00:00 PM
HB 3
HB 32 Letters in Support 2.23.2021.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 32 Research Alaska Annual Ecomoic Impact Fact Sheet.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 32 Research Alaska State Economic Impact Table.pdf HSTA 2/23/2021 3:00:00 PM
HB 32
HB 32 Reseach Examples of Inherent Risk Lawsuits.pdf HSTA 2/23/2021 3:00:00 PM
HB 32