HB 3-DEFINITION OF "DISASTER": CYBERSECURITY  1:56:49 PM CHAIR CLAMAN announced that the final order of business would be HOUSE BILL NO. 3, "An Act relating to the definition of 'disaster.'" [Before the committee was CSHB 3(STA).] 1:57:07 PM The committee took an at-ease from 1:57 p.m. to 2:00 p.m. 2:00:48 PM CHAIR CLAMAN noted that this is the first hearing of CSHB 3(STA) in this committee. 2:01:02 PM ERICK CORDERO-GIORGANA, Staff, Representative DeLena Johnson, Alaska State Legislature, assisted in introducing CSHB 3(STA) on behalf of Representative Johnson, prime sponsor. He stated that Alaska statute is vague about whether a cyberattack or cyberthreat could elicit an emergency declaration. He explained that HB 3 would add cybersecurity to the definition of a disaster to update Alaska's laws, give clarity, and if necessary, use resources to act if there is a widespread and imminent threat. There is an alarming rate of cyberthreat throughout the world and nation, he pointed out. Not long ago the Matanuska-Susitna (Mat-Su) Borough was shut down after a cyberattack, creating severe disruptions in the day-to-day service and operation of the local government. The City of Valdez was the target of a ransomware attack, and many funds were spent to again be able to access the city's information. The states of Louisiana, Florida, and Colorado declared an emergency after a cyberattack disrupted most of their government operations not too long ago. 2:02:35 PM REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, as the prime sponsor, introduced CSHB 3(STA). She stated that cybersecurity needs to be added to the list of reasons for an emergency declaration. She explained that a disaster declaration would provide for disaster relief funds, to apply for federal funds and resources that might not otherwise be readily available, for disaster preparedness planning, and to provide for intervention when the security of Alaska residents has been compromised. She deferred to Mr. Cordero-Giorgana to continue discussing the bill. 2:03:47 PM MR. CORDERO-GIORGANA reiterated that CSHB 3(STA) would add cybersecurity attacks and threats to the definition of a disaster. He said the bill would add [subparagraph] (F) to AS [26.23.900(2)] within the general provisions of the Alaska Disaster Act. He read from the proposed subparagraph, which read as follows: (F) a cybersecurity attack that affects critical  infrastructure in the state, an information system  owned or operated by the state or a political  subdivision of the state, information that is stored  on, processed by, or transmitted on an information  system owned or operated by the state or a political  subdivision of the state, or a credible threat of an  imminent cybersecurity attack or cybersecurity  vulnerability that the commissioner of administration  or commissioner's designee certifies to the governor  has a high probability of occurring in the near  future; the certification must be based on specific  information that critical infrastructure in the state,  an information system owned or operated by the state  or a political subdivision of the state, or  information that is stored on, processed by, or  transmitted on an information system owned or operated  by the state or a political subdivision of the state  may be affected;  MR. CORDERO-GIORGANA noted that the changes in the committee substitute before the committee, CSHB 3(STA) added the words "political subdivision" to page 2, lines 19 and 21. He explained that this was done for clarity to ensure that boroughs and local governments were not left out. MR. CORDERO-GIORGANA stressed that the bill is necessary given that nowadays it is heard in the news about foreign governments trying to hack U.S. computer systems, which includes U.S. electric grids, hospitals, airports, and services that provide energy or critical infrastructure. He allowed that the meaning of critical infrastructure is currently open to interpretation but advised that the duty to make that definition rests with the Department of Military and Veterans Affairs, but the department was unable to come before the committee today. 2:07:15 PM REPRESENTATIVE EASTMAN requested a definition of "cybersecurity" and noted that the term is not defined here. He further asked whether it is defined elsewhere in statute or whether something would be used to reference the meaning of the term. MR. CORDERO-GIORGANA replied that it would be technical definitions by professionals for cybersecurity and cyberthreat. Usually, he continued, they are defined as events that result in data exposure, data loss, outright alteration, or impact to a service. He stated that there is no exact definition in statute and that cybersecurity, like technology, keeps changing on a day-to-day basis so that today's definition may [be different from a future definition]. 2:08:15 PM REPRESENTATIVE DRUMMOND said she appreciates the bill's intent. She said she understands from Mr. Cordero-Giorgana's testimony that a political subdivision of the state would be a borough or municipality. She noted that school districts and the University of Alaska have massive databases and asked whether they would be considered political subdivisions of the state. REPRESENTATIVE JOHNSON qualified she is speaking from experience and not immediate research, but her understanding is that a school district would fall under a borough. She related that the boroughs in Alaska were originally created in 1964 to oversee and dispense money to the school districts. So, she continued, the political subdivision in that instance would be a borough. The unorganized borough would be under the state and under the state's purview. The University of Alaska is not identified as a political subdivision of the state and it's not an incorporated borough or municipality or city, so her belief is that it would fall under State of Alaska equipment. She offered to get back to the committee with details if requested. 2:10:11 PM REPRESENTATIVE DRUMMOND stated that the computer systems of the Anchorage School District (ASD) are totally separate from those of the Municipality of Anchorage. Given there have been arguments over the last 20 years about whether they should be combined she said she isn't sure the aforementioned would apply to a school district that is ultimately governed by that borough or municipality which used to be a borough and a city. She said she thinks Representative Johnson is covering the regional educational attendance areas (REAAs) in the unorganized borough. She added that the state gives the school districts roughly $1.2 billion to spend, and if [the districts' systems] were breached in a cybersecurity attack, then a lot of services would be at risk. REPRESENTATIVE DRUMMOND, responding to Chair Claman, requested clarity on what is included in the list of political subdivisions. She said if it doesn't cover school districts and the university, she would like to find a way to cover them. 2:12:04 PM REPRESENTATIVE KURKA said he is cautious about increasing emergency powers because he is concerned about abuse. He requested an explanation on how an emergency declaration would help the state or political subdivision resolve the damage of a security breach and how it would be different with an emergency declaration as opposed to how the state operates now. REPRESENTATIVE JOHNSON replied that a widespread and life- threatening example would be a compromise of the power grid during the winter, given the grid is run by computers. This example would be an occasion where additional funds and help from federal experts would potentially be needed for resolution. 2:14:30 PM REPRESENTATIVE CLAMAN opened invited testimony on CSHB 3(STA). 2:14:44 PM ERIC WYATT, Information Technology (IT) Director, Matanuska- Susitna Borough, related that in 2018 the borough was the target of a cyberattack by four different organizations rather than a single attacker. The Federal Bureau of Investigation (FBI) analysis found that the attackers were four nation states by means of some of the worst viruses. In the attack, one of them got in and then sold it to the other organizations. The borough's data was stolen, and its systems disrupted, then one of the groups demanded ransom. The attack brought down all the borough's information systems, completely cutting off the borough from all Internet services and all the data that it continuously used day to day to conduct borough business. MR. WYATT said the effect on operations within the borough was most notably on the borough's fire and emergency medical service (EMS) systems. Also affected were operations and maintenance for taking care of roads and solid waste, as well as finances and legal every aspect of the borough was taken down. When all that was shut off, all the people who used the borough's information system - telephones, computers, and so forth - were dead in the water. The magnitude was that everything was shut down for quite some time. The borough was able to slowly bring back services, getting back to about 95 percent capacity in about 60 days. MR. WYATT explained that to recover at the time without an emergency declaration, the borough had to bring its emergency funds to bear. But what was needed most to recover the systems at the time was additional manpower, so the borough used its emergency funds to hire additional resources to come help, including Peter House of Deeptree, Inc. Several other organizations also volunteered their help, including Mark Breunig, Chief Information Security Officer, Department of Administration. The borough's needs for recovery at the time were monetary resources and skilled manpower to get its operations back online. Mr. Wyatt stressed that the ability to declare a disaster and form a team of experts as volunteers or paid manpower to help recover is absolutely critical. The borough used nearly $2.5 million in emergency funding for its initial recovery and then more was spent on continued recovery. MR. WYATT pointed out that the same week the Mat-Su Borough was hit, the City of Valdez was hit by mostly the same groups, same viruses, and same tactics. It is heard all the time about other states and other cities [being hit] and there have been other attacks in the state of Alaska as well. So, he emphasized, the ability to come to the aid of the organization and plus-up the manpower and resources to recover is absolutely vital, and the borough would like to participate. MR. WYATT further noted that the borough's critical infrastructure its electric grid, telecommunications, gas lines all run on these same kinds of systems. Therefore, the effects from a cyberattack are greatly damaging and include power and gas outages. 2:20:56 PM MARK BREUNIG, Chief Information Security Officer, Department of Administration, stated that the National Guard has a national mandate for cyber-capability to be created in states, but currently, without the language under CSHB 3(STA), there is no legal standing to do it, and the state would not be able to avail itself of the existing resources. 2:22:30 PM NILS ANDREASSEN, Executive Director, Alaska Municipal League, testified in support of CSHB 3(STA) and emphasized the importance of cybersecurity to Alaska's local governments, school districts, and state agencies. He spoke about risks of destabilization and opined that "including this in the definition of state disaster" is imperative. 2:23:47 PM PETER HOUSE, CEO, Deeptree, Inc., said Deeptree, Inc. is a firm that specializes in cybersecurity. He mentioned the zeitgeist and a solar wind attack that resulted in significant consequences for the federal government, fortune 500 companies, and organizations in Alaska. He talked about an attack on e- mail servers that hit approximately 30,000 American organizations and double that worldwide, which has been attributed largely to the Chinese. He said there have been high visibility attacks showing a higher level of aggression, both from criminal organizations and nation state adversaries. He related that in the fourth quarter of 2020, cyber software moved from a soft market to a hard market, which mean that "the portfolio for the insurance company is under pressure," and it usually results in rate increases. He said the attribution by insurance companies for this change is that the number of cyber attacks and the total size of the claim are both increasing substantially, with a 20 to 40 percent rate increase expected across different cyber insurance carriers countrywide. MR. HOUSE stated that in general there is a higher level of aggression. He gave as an example from Yankee Buckshot wherein, using off-the-shelf, publicly downloadable tools, the U.S. Department of Defense "attacked itself" to test its defenses and was able to get onto its classified network. He said there is challenge in working with these complex systems; sometimes attackers can "make it in past the border" and "reap a significant amount of damage." MR. HOUSE addressed Representative Kurka's question regarding the benefit of allowing a declaration of emergency. He gave a scenario wherein assets are required to hold evidence for law enforcement or insurance. That is data or logs that need to be tendered over to the organization from a hard drive. He said those systems cost $20,000 and higher. If the systems are set aside for evidence retention, they cannot be used for the restoration of services or to clean or sanitize the systems. The result is a need for double or triple the amount of storage capacity to run the organization day to day. He explained, "By opening up the degrees of freedom, either through funds or other forms of response, there's an ability for an organization to get back on its feet quicker than if they were to try to ... use a slow methodology of moving a little bit at a time, which then stretches out the rate of recovery to a much longer period of time." MR. HOUSE said Alaska is a smaller state, with fewer than a million people, and "this type of line of work is very specialized and difficult." He estimated there are 50-100 people in Alaska who are qualified to do digital forensics and incident response, and he pointed out that it would be difficult for them to respond [to an emergency situation] because "a lot of them will be fighting their own fires." Therefore, he emphasized that the ability to pull in contractors and resources from Outside is essential. He said he believes the language of CSHB 3(STA) would open up that degree of freedom, "in addition to what Mr. Breunig indicated." He noted that when he worked with Mr. Breunig and Mr. Wyatt on the incident with the Mat-Su Borough, the expansion of capability from the emergency funds had a positive impact; there was a wave of momentum that was beneficial. 2:29:45 PM MR. ANDREASSEN, in response to Chair Claman's request that he address Representative Drummond's question about political subdivisions, offered the definition of political subdivision, which appears under AS 26.23.900(7), as follows: (7) "political subdivision" means (A) a municipality; (B) an unincorporated village; or (C) another unit of local government; MR. ANDREASSEN said it is the understanding of the Alaska Municipal League that school districts would be covered under political subdivision of the state. He said school districts are either a subdivision of a municipality or are the responsibility of the Department of Education and Early Development. He offered his understanding that the University of Alaska is considered a political subdivision, "but separately under state law." 2:31:11 PM REPRESENTATIVE DRUMMOND referenced definitions found under AS 39.90.140, [which states that "public body" includes "an officer or agency of" the federal government, state, and political subdivision - subparagraphs (A), (B), and (C), respectively], and she read that which is included under "political subdivision", in paragraph (4), subparagraph (C), sub- subparagraphs (i), (ii), and (iii), which read: (i) a municipality; (ii) a school district; and (iii) a regional educational attendance area; REPRESENTATIVE DRUMMOND noted that the University of Alaska and the Alaska Railroad are not included under [subparagraph (C)]. [They are listed subsequently in subparagraphs (D) and (E), of paragraph (4), regarding "public body".] 2:33:12 PM MR. BREUNIG, in response to the same question, said it is not a topic he can address. 2:33:34 PM REPRESENTATIVE VANCE noted that during a recent Finance subcommittee meeting, Mr. Breunig had spoken about a recent cyberattack and mentioned a type of incident command being established under the Department of Administration for quick response. She referenced language in CSHB 3(STA), on page 2, [on lines 5 and 6], regarding "consultation with the commissioner of public safety or a designee of the commissioner of public safety", and she asked whether that wording fits the organized structure Mr. Breunig is establishing within the Department of Administration regarding cybersecurity and meets the requires of statute. 2:34:46 PM MR. BREUNIG responded that the "incident command structure" (ICS) put out through the Federal Emergency Management Agency (FEMA), is part of an emergency management program and a standard framework that all federal agencies use. The language in the bill would not change that, he indicated. In response to a request from Representative Vance, he spoke about work with the Department of Military & Veterans' Affairs on an [incident response] structure, which currently is not capable of handling a large-scale incident. REPRESENTATIVE VANCE said CSHB 3(STA) speaks to this issue, and she encouraged efforts to speed up response to an incident. 2:38:36 PM MR. BREUNIG recalled he had been talking about a solar wind incident during the Finance subcommittee testimony and how speed is of the essence when responding. He said it took departments 24 hours to report back whether they had vulnerable software, at which point security was able to "lock that down" and determine there had been no compromise. However, he emphasized that in cyber terms, "24 hours is an eternity." He posited that CSHB 3(STA) is critical, because it would bring the right people together to build the "speed to response." 2:39:57 PM REPRESENTATIVE KURKA asked for a definition of "imminent cybersecurity attack" and whether there exists a metric of probably of attack. 2:40:54 PM MR. BREUNIG replied that when there is imminent threat, there would be an alert from the federal Cybersecurity Infrastructure Security Agency (CISA) regarding a known attack. State security would watch out for it. That in itself is not a disaster, but if the threat "got in" and caused damage, then it would be a disaster. Regarding Microsoft, he said security knew early on that it was coming and was "able to take practice steps" to mitigate the risk, which he said is another example of imminent threat. In response to a follow-up question, he mentioned a "denial of service" attack in which someone floods a state network segment with malicious traffic "in an attempt to overwhelm it and take it down." 2:42:34 PM REPRESENTATIVE KURKA said it sounds like cybersecurity attacks are happening all the time in various degrees. He directed attention to language in Section 1 of CSHB 3(STA), on page 1, line 4, which gives a definition of disaster, including its causes. He offered his understanding that "we're talking about widespread damage of property," not just "one department had some computers fried." 2:44:55 PM REPRESENTATIVE JOHNSON offered her understanding that the concern is that there could be ongoing declarations of disaster. She deferred to her staff to address the topic further. 2:45:23 PM MR. CORDERO-GIORGANA proffered that "imminent" is a matter of timing and "widespread" is a matter of geography and whether an issue can be contained. When talking about a fire, earthquake, or flood, the consideration is "the amount of resources that would need to be used to be able to achieve the containment goal." He said DMVA will create emergency plans for each category listed in the Act and make recommendations as to what would be considered widespread and imminent. 2:47:31 PM REPRESENTATIVE KURKA indicated that the language in the proposed legislation should be added, but observed that "a lot of the context in which we're talking about this" is found in subparagraph (D), [on page 2], regarding "enemy or terrorist attack or a credible threat of imminent enemy or terrorist attack in or against the state". He offered his understanding that there had been a legal opinion as to "why this wouldn't apply under (D)." He remarked that "all these examples we're talking about ... seem to be foreign actors." 2:48:40 PM CHAIR CLAMAN, in response to Representative Johnson, offered his interpretation that Representative Kurka was reflecting that subparagraph (D) doesn't seem to be cybersecurity-related and perhaps wanted to know how the two issues are addressed when determining whether an emergency has occurred. 2:49:21 PM MR. CORDERO-GIORGANA, at the request of the bill sponsor, addressed the question. He said the separation was done at the recommendation of the bill drafter in Legislative Legal Services to avoid confusion. 2:49:55 PM REPRESENTATIVE VANCE pointed out that CSHB 3(STA) speaks specifically to disaster; "emergency" is not addressed. She gave an example of a disaster being the landslide that recently occurred in Haines, Alaska. She said the governor declared a disaster in the Haines area, but it was not a statewide emergency. 2:50:53 PM REPRESENTATIVE EASTMAN asked for the definition of cybersecurity. 2:51:20 PM MR. CORDERO-GIORGANA said he did not have a definition and deferred to Mr. Breunig. CHAIR CLAMAN noted that it is common for courts to use the dictionary for commonly used terms if those terms are not defined in statute. 2:52:08 PM MR. BREUNIG defined cybersecurity as "any protection used to prevent cyber-attacks." REPRESENTATIVE EASTMAN said he is familiar with definition, and it makes sense to him. He continued: But in this case we're talking about a cybersecurity attack, and so if we're using tools to prevent attacks, but then we're ... adding the word "attack" on them, I'm a little confused as what that [emphasis on "that"] means. MR. BREUNIG responded he thinks the intent is that it would be an attack against [Alaska's] cybersecurity - against the systems and tools that the state has to protect itself. REPRESENTATIVE EASTMAN asked for confirmation that what is being discussed is an attack where "someone's trying to overcome some type of security" as opposed to "a run-of-the-mill fiber attack." MR. BREUNIG answered, "Yes, I would agree." REPRESENTATIVE EASTMAN noted that the previously discussed subparagraph (D), which addresses enemy or terrorist attack, points to a definition of "attack" existing in [AS 26.20.200], and since that definition does not fit what is being discussed in the cyber realm, he suggested a definition may be necessary in subparagraph (F). MR. BREUNIG said he concurs with the bill sponsor and her staff that the intent is to clarify. In subparagraph (D), "enemy" and "terrorist attack" traditionally relate to military-related attacks, not cyber-attacks, which are specifically addressed under subparagraph (F), which allows the emergency operation center to bring resources to bear in regard to cyberattacks rather than other "traditional forms of disaster or emergency attack that are already identified." REPRESENTATIVE CLAMAN noted that subparagraph (F) is proposed new language. He said a cyberattack would be, for example, somebody getting into his home computer; a cybersecurity attack would be on a larger scale. MR. BREUNIG concurred. 2:56:12 PM REPRESENTATIVE EASTMAN referenced a memorandum ("memo") from [Megan Wallace of] Legislative Legal Services [to the bill sponsor and staff, dated 2/10/20 and included in the committee packet], to [subparagraph (C), which lists equipment failure as one of the causes of a "disaster" and read as follows]: (C) equipment failure, if the failure is not a predictably frequent or recurring event or preventable by adequate equipment maintenance or operation; REPRESENTATIVE EASTMAN offered his understanding that the memo talks about "why ... [subparagraph] (C), equipment failure, ... may not be adequate, and why this bill might be needed for that reason." He asked to what extent it is the sponsor's intent "to predicate the cybersecurity attacks we're talking about on intentionality." He continued: Because certainly, ... if we're focusing on intentionality, then an IT tech who spills coffee and destroys a server probably wouldn't be captured in the intent that we're talking about here. 2:57:18 PM REPRESENTATIVE JOHNSON explained that intentionality must have credible background. If [the attack] is imminent and widespread, as determined by the commissioner or commissioner's designee, he/she would determine that it was a credible threat. She added, "The intentionality of maybe mindreading some would not fall into that category." 2:58:13 PM MR. CORDERO-GIORGANA said he was not sure he understood Representative Eastman's question. REPRESENTATIVE EASTMAN indicated that [subparagraphs] (A), (B), (C), and (E) address disasters that are not man-made and intentional. He questioned whether it is important to "tie it to that intentionality," as is being done in [subparagraph] (F) or to be more focused on the impact. He asked, "Is there a reason that we're making it narrower than ... just a larger impact type of definition?" 2:59:52 PM MR. CORDERO-GIORGANA noted that the legislature removed "manmade" from the disaster Act, which caused ambiguity as to whether cybersecurity qualified under the Act. He continued: If a widespread system failure is the result of another cause that is not manmade, or in this case an attack or a threat, it actually would probably fall into one of the other categories. So, in the case, for example, of an earthquake: a system goes down, but it's really the result of an earthquake, not necessarily a cybersecurity attack. And so, if I'm understanding correctly, this would actually clear authority specifically to those type of items." REPRESENTATIVE EASTMAN asked whether it is important to make a distinction between "those manmade actions which are intentional and which are accidental." For example, he said an installation of "a security patch" that cause a major outage "wouldn't qualify here" because it is not a cybersecurity attack, even though it may have the same result if someone had done it intentionally. MR. CORDERO responded that that would be a cyber vulnerability, and he indicated that was addressed in another part of [subparagraph] (F). He said there are so many definitions that could be included in the bill that would make it lengthy, for example, for the following terms: cyberattacks, cyber incidents, cyberthreats, major threats, minor threats, and primary targets. He stated, "We're just trying to make it clear that cybersecurity counts; give it an overview, and then it's up to the Department of Military & Veterans' Affairs to come up with ... plans." 3:02:22 PM CHAIR CLAMAN remarked that a lot of this comes back to the size and cost of what has happened. CHAIR CLAMAN announced that CSHB 3(STA) was held over.