Legislature(2021 - 2022)BUTROVICH 205
05/04/2021 03:30 PM Senate STATE AFFAIRS
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| SB126 | |
| HB3 | |
| SB39 | |
| SB118 | |
| SB31 | |
| SB120 | |
| SJR12 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| += | SB 39 | TELECONFERENCED | |
| += | SB 118 | TELECONFERENCED | |
| += | SB 120 | TELECONFERENCED | |
| += | SB 31 | TELECONFERENCED | |
| *+ | HB 3 | TELECONFERENCED | |
| *+ | SB 126 | TELECONFERENCED | |
| *+ | SJR 12 | TELECONFERENCED | |
| *+ | SB 108 | TELECONFERENCED | |
| *+ | SB 109 | TELECONFERENCED | |
| + | TELECONFERENCED |
HB 3-DEFINITION OF "DISASTER": CYBERSECURITY
3:59:42 PM
CHAIR SHOWER announced the consideration of CS FOR HOUSE BILL
NO. 3(JUD), "An Act relating to the definition of 'disaster.'"
4:00:12 PM
REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, Juneau,
Alaska, sponsor of HB 3, stated that the current Alaska statutes
are vague regarding whether a cyber attack could elicit an
emergency declaration. She cited examples to illustrate that
cyber threats are pervasive and should be treated seriously. The
Alaska Court System just this week had to disconnect from the
internet after a malware attack. Several years ago the
Matanuska-Susitna (Mat-Su) Borough shut down after a cyber
attack disrupted day-to-day service operations. She noted that
the City of Valdez was also the target of a ransomware attack
that was costly to resolve. Additionally, she reported that
several states declared emergencies after cyber attacks
disrupted government operations. Most recently, a water plant
was targeted, but the authorities kept it safe. She summarized
that by adding cyber security attacks to the definition of
disaster, the state would be able to use disaster relief funds,
apply for federal funds, and have access to other federal
resources that might otherwise not be available for disaster
preparedness planning.
She advised that her staff would go over the language in the
bill and the changes that were made in the House Judiciary
Committee.
4:02:51 PM
ERIC CORDERRO, Staff, Representative DeLena Johnson, Alaska
State Legislature, Juneau, Alaska, stated that HB 3 updates the
Alaska Disaster Act by adding "cybersecurity attack" to the
definitions in the disaster statutes. He recounted that the
three changes to the original bill added "political subdivision"
throughout the new subparagraph (F) to make it clear that all
political subdivisions of the state are included. The definition
of "critical infrastructure" was added because the U.S.
Department of Homeland Security and the Alaska Department of
Military & Veterans Affairs (DMVA) both use this term. Third,
the word "event" replaced the word "vulnerability" because it
provides more inclusive coverage of potential issues.
MR. CORDERRO reviewed the primary areas of the new subparagraph
(F) to [AS 26.23.900(2).] It read as follows:
(F) a cyber attack that affects critical
infrastructure in the state, an information system
owned or operated by the state or a political
subdivision of the state, information that is stored
on, processed by, or transmitted on an information
system owned or operated by the state or a political
subdivision of the state, or a credible threat of an
imminent cyber attack or cyber event that the
commissioner of administration or commissioner's
designee certifies to the governor has a high
probability of occurring in the near future; the
certification must be based on specific information
that critical infrastructure in the state, an
information system owned or operated by the state or a
political subdivision of the state, or information
that is stored on, processed by, or transmitted on an
information system owned or operated by the state or a
political subdivision of the state may be affected; in
this subparagraph, "critical infrastructure" means
systems and assets, whether physical or virtual, so
vital to the state that the incapacity or destruction
of the systems and assets would have a debilitating
effect on security, state economic security, state
public health or safety, or any combination of those
matters;
4:05:35 PM
SENATOR KAWASAKI mentioned the Alaska Court System and Mat-Su
Borough cyber attacks and asked if passage of HB 3 would qualify
the governor to use subparagraph (F) under the Alaska Disaster
Act.
MR. CORDERRO answered that the attack would need to be
widespread and imminent and meet the other criteria set out in
the Alaska Disaster Act. He offered his understanding that the
borough was able to declare an emergency, but the statute was
too vague for the attack to qualify for a statewide declaration.
He deferred further explanation to Mark Breunig.
4:07:09 PM
MARK BREUNIG, Chief Technology Officer, Office of Information
Technology, Department of Administration, Juneau, Alaska, said
the Mat-Su Borough appropriately declared a disaster because the
attack presented significant risk to health and safety. He
confirmed that attacks that are widespread in scope and severity
and present high risk to critical infrastructure meet the
benchmarks for the governor to be able to declare a disaster.
SENATOR KAWASAKI asked if the data breach the Division of
Elections experienced during the last election cycle would allow
the governor to implement the Alaska Disaster Act because state
economic security was potentially in jeopardy and it is an asset
of the state.
REPRESENTATIVE JOHNSON read the definition of "disaster" on page
1 of the bill and segued to the Mat-Su Borough cyber attack. She
said it took quite a while for the FBI to start a forensic
investigation after that attack because the current statute does
not cover cyber attacks. She questioned whether that answered
the question.
4:10:29 PM
CHAIR SHOWER said his reading was that the answer would be "no"
because it was not actual damage, injury, death, or the other
qualifiers. He called it a priority rather than a disaster.
SENATOR KAWASAKI expressed satisfaction with the responses.
4:11:15 PM
MR. CORDERO directed attention to the handout in the packet of
the list of critical infrastructure, which would be considered
in determining whether an event rose to the level of a disaster.
He read some of the items on the list.
SENATOR REINBOLD stated support for the bill then asked whether
the timeframe and intention mattered. She cited a hypothetical
example of a cruise ship anchor accidentally severing a
communication cable.
REPRESENTATIVE JOHNSON replied that would be an accident, not a
cyber attack. She said there is a national framework for what
constitutes a disaster and it would include things like an
attack on the power grid or the Trans Alaska Pipeline.
MR. CORDERO added that it depends on the circumstances of each
event. As a general rule, he said it is bad actors trying to
infiltrate, suspend, or wreak havoc on a system.
CHAIR SHOWER commented that the governor always has the ability
to declare a disaster and the bill does not change that. HB 3
specifically relates to a disaster stemming from a cyber attack.
4:15:00 PM
SENATOR REINBOLD asked the sponsor if she introduced the bill by
request.
REPRESENTATIVE JOHNSON answered no; she initially filed the bill
two years ago after she learned about the Mat-Su Borough attack
and the difficulties associated with the clean up after the
attack.
4:17:06 PM
CHAIR SHOWER opened public testimony on HB 3.
4:17:21 PM
PETER HOUSE, representing self, Wasilla, Alaska, stated support
for HB 3. He advised that his experience as a cybersecurity
professional who worked on the Mat-Su Borough and other such
incidents is that the number of attacks are increasing. He
reported a 50-70 percent increase in attacks on organizations
throughout Alaska in 2020 and the number seems to be even higher
so far in 2021. He offered his belief that any effort that
supports the ability to respond to attacks that threaten the
state's infrastructure is worthy.
CHAIR SHOWER asked if he believes the state should focus time
and resources on a path to address cyber attacks that include
new technologies, consolidation of resources, or engaging
outside venders, like the Permanent Fund does, in order to
protect the resources in the state.
MR. HOUSE agreed and added that a mix if not all those elements
are necessary to improve the cybersecurity posture in the state.
4:19:31 PM
CHAIR SHOWER closed public testimony on HB 3 and held the bill
in committee.