Legislature (2021 - 2022) BUTROVICH 205
05/04/2021 03:30 PM Senate STATE AFFAIRS
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+= | SB 39 | TELECONFERENCED | |
+= | SB 118 | TELECONFERENCED | |
+= | SB 120 | TELECONFERENCED | |
+= | SB 31 | TELECONFERENCED | |
*+ | HB 3 | TELECONFERENCED | |
*+ | SB 126 | TELECONFERENCED | |
*+ | SJR 12 | TELECONFERENCED | |
*+ | SB 108 | TELECONFERENCED | |
*+ | SB 109 | TELECONFERENCED | |
HB 3-DEFINITION OF "DISASTER": CYBERSECURITY

3:59:42 PM
CHAIR SHOWER announced the consideration of CS FOR HOUSE BILL NO. 3(JUD), "An Act relating to the definition of 'disaster.'"

4:00:12 PM
REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, Juneau, Alaska, sponsor of HB 3, stated that the current Alaska statutes are vague regarding whether a cyber attack could elicit an emergency declaration. She cited examples to illustrate that cyber threats are pervasive and should be treated seriously. The Alaska Court System just this week had to disconnect from the internet after a malware attack. Several years ago the Matanuska-Susitna (Mat-Su) Borough shut down after a cyber attack disrupted day-to-day service operations. She noted that the City of Valdez was also the target of a ransomware attack that was costly to resolve. Additionally, she reported that several states declared emergencies after cyber attacks disrupted government operations. Most recently, a water plant was targeted, but the authorities kept it safe.

She summarized that by adding cyber security attacks to the definition of disaster, the state would be able to use disaster relief funds, apply for federal funds, and have access to other federal resources that might otherwise not be available for disaster preparedness planning. She advised that her staff would go over the language in the bill and the changes that were made in the House Judiciary Committee.

4:02:51 PM
ERIC CORDERRO, Staff, Representative DeLena Johnson, Alaska State Legislature, Juneau, Alaska, stated that HB 3 updates the Alaska Disaster Act by adding "cybersecurity attack" to the definitions in the disaster statutes. He recounted that the three changes to the original bill added "political subdivision" throughout the new subparagraph (F) to make it clear that all political subdivisions of the state are included. The definition of "critical infrastructure" was added because the U.S. Department of Homeland Security and the Alaska Department of Military & Veterans Affairs (DMVA) both use this term. Third, the word "event" replaced the word "vulnerability" because it provides more inclusive coverage of potential issues.

MR. CORDERRO reviewed the primary areas of the new subparagraph (F) to [AS 26.23.900(2).] It read as follows:

(F) a cyber attack that affects critical infrastructure in the state, an information system owned or operated by the state or a political subdivision of the state, information that is stored on, processed by, or transmitted on an information system owned or operated by the state or a political subdivision of the state, or a credible threat of an imminent cyber attack or cyber event that the commissioner of administration or commissioner's designee certifies to the governor has a high probability of occurring in the near future; the certification must be based on specific information that critical infrastructure in the state, an information system owned or operated by the state or a political subdivision of the state, or information that is stored on, processed by, or transmitted on an information system owned or operated by the state or a political subdivision of the state may be affected; in this subparagraph, "critical infrastructure" means systems and assets, whether physical or virtual, so vital to the state that the incapacity or destruction of the systems and assets would have a debilitating effect on security, state economic security, state public health or safety, or any combination of those matters;

4:05:35 PM
SENATOR KAWASAKI mentioned the Alaska Court System and Mat-Su Borough cyber attacks and asked if passage of HB 3 would qualify the governor to use subparagraph (F) under the Alaska Disaster Act.

MR. CORDERRO answered that the attack would need to be widespread and imminent and meet the other criteria set out in the Alaska Disaster Act. He offered his understanding that the borough was able to declare an emergency, but the statute was too vague for the attack to qualify for a statewide declaration. He deferred further explanation to Mark Breunig.

4:07:09 PM
MARK BREUNIG, Chief Technology Officer, Office of Information Technology, Department of Administration, Juneau, Alaska, said the Mat-Su Borough appropriately declared a disaster because the attack presented significant risk to health and safety. He confirmed that attacks that are widespread in scope and severity and present high risk to critical infrastructure meet the benchmarks for the governor to be able to declare a disaster.

SENATOR KAWASAKI asked if the data breach the Division of Elections experienced during the last election cycle would allow the governor to implement the Alaska Disaster Act because state economic security was potentially in jeopardy and it is an asset of the state.

REPRESENTATIVE JOHNSON read the definition of "disaster" on page 1 of the bill and segued to the Mat-Su Borough cyber attack. She said it took quite a while for the FBI to start a forensic investigation after that attack because the current statute does not cover cyber attacks. She questioned whether that answered the question.

4:10:29 PM
CHAIR SHOWER said his reading was that the answer would be "no" because it was not actual damage, injury, death, or the other qualifiers. He called it a priority rather than a disaster.

SENATOR KAWASAKI expressed satisfaction with the responses.

4:11:15 PM
MR. CORDERO directed attention to the handout in the packet of the list of critical infrastructure, which would be considered in determining whether an event rose to the level of a disaster. He read some of the items on the list.

SENATOR REINBOLD stated support for the bill then asked whether the timeframe and intention mattered. She cited a hypothetical example of a cruise ship anchor accidentally severing a communication cable.

REPRESENTATIVE JOHNSON replied that would be an accident, not a cyber attack. She said there is a national framework for what constitutes a disaster and it would include things like an attack on the power grid or the Trans Alaska Pipeline.

MR. CORDERO added that it depends on the circumstances of each event. As a general rule, he said it is bad actors trying to infiltrate, suspend, or wreak havoc on a system.

CHAIR SHOWER commented that the governor always has the ability to declare a disaster and the bill does not change that. HB 3 specifically relates to a disaster stemming from a cyber attack.

4:15:00 PM
SENATOR REINBOLD asked the sponsor if she introduced the bill by request.

REPRESENTATIVE JOHNSON answered no; she initially filed the bill two years ago after she learned about the Mat-Su Borough attack and the difficulties associated with the cleanup after the attack.

4:17:06 PM
CHAIR SHOWER opened public testimony on HB 3.

4:17:21 PM
PETER HOUSE, representing self, Wasilla, Alaska, stated support for HB 3. He advised that his experience as a cybersecurity professional who worked on the Mat-Su Borough and other such incidents is that the number of attacks is increasing. He reported a 50-70 percent increase in attacks on organizations throughout Alaska in 2020 and the number seems to be even higher so far in 2021. He offered his belief that any effort that supports the ability to respond to attacks that threaten the state's infrastructure is worthy.

CHAIR SHOWER asked if he believes the state should focus time and resources on a path to address cyber attacks that include new technologies, consolidation of resources, or engaging outside vendors, like the Permanent Fund does, in order to protect the resources in the state.

MR. HOUSE agreed and added that a mix, if not all, of those elements is necessary to improve the cybersecurity posture in the state.

4:19:31 PM
CHAIR SHOWER closed public testimony on HB 3 and held the bill in committee.