ALASKA STATE LEGISLATURE
HOUSE JUDICIARY STANDING COMMITTEE
March 10, 2021
1:33 p.m.

DRAFT

MEMBERS PRESENT

Representative Matt Claman, Chair
Representative Harriet Drummond
Representative Liz Snyder, Vice Chair
Representative Jonathan Kreiss-Tomkins
Representative David Eastman
Representative Christopher Kurka
Representative Sarah Vance

MEMBERS ABSENT

All members present

COMMITTEE CALENDAR

HOUSE BILL NO. 105
"An Act relating to the duties of the commissioner of corrections; relating to the detention of minors; relating to minors subject to adult courts; relating to the placement of minors in adult correctional facilities; and providing for an effective date."

- MOVED CSHB 105(JUD) OUT OF COMMITTEE

HOUSE BILL NO. 3
"An Act relating to the definition of 'disaster.'"

- HEARD & HELD

PREVIOUS COMMITTEE ACTION

BILL: HB 105
SHORT TITLE: DETENTION OF MINORS
SPONSOR(s): RULES BY REQUEST OF THE GOVERNOR

02/19/21 (H) READ THE FIRST TIME - REFERRALS
02/19/21 (H) JUD, HSS
03/05/21 (H) JUD AT 1:30 PM GRUENBERG 120
03/05/21 (H) Heard & Held
03/05/21 (H) MINUTE(JUD)
03/08/21 (H) JUD AT 1:30 PM GRUENBERG 120
03/08/21 (H)
03/10/21 (H) JUD AT 1:30 PM GRUENBERG 120

BILL: HB 3
SHORT TITLE: DEFINITION OF "DISASTER": CYBERSECURITY
SPONSOR(s): JOHNSON

02/18/21 (H) PREFILE RELEASED 1/8/21
02/18/21 (H) READ THE FIRST TIME - REFERRALS
02/18/21 (H) STA, JUD
02/23/21 (H) STA AT 3:00 PM GRUENBERG 120
02/23/21 (H) Heard & Held
02/23/21 (H) MINUTE(STA)
03/02/21 (H) STA AT 3:00 PM GRUENBERG 120
03/02/21 (H) Moved CSHB 3(STA) Out of Committee
03/02/21 (H) MINUTE(STA)
03/08/21 (H) STA RPT CS(STA) 1DP 1NR 5AM
03/08/21 (H) DP: KREISS-TOMKINS
03/08/21 (H) NR: TARR
03/08/21 (H) AM: CLAMAN, STORY, EASTMAN, VANCE, KAUFMAN
03/10/21 (H) JUD AT 1:30 PM GRUENBERG 120

WITNESS REGISTER

SAMANTHA CHEROT, Esq., Public Defender
Public Defender Agency
Department of Administration
Anchorage, Alaska
POSITION STATEMENT: On behalf of the administration, provided invited testimony in support of HB 105.

MATT DAVIDSON, Social Services Program Officer
Division of Juvenile Justice (DJJ)
Department of Health and Social Services
Juneau, Alaska
POSITION STATEMENT: On behalf of the administration, provided explanations of proposed amendments to HB 105.

ERICK CORDERO-GIORGANA, Staff
Representative DeLena Johnson
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Assisted in introducing CSHB 3(STA) on behalf of Representative Johnson, prime sponsor.

REPRESENTATIVE DELENA JOHNSON
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: As the prime sponsor, introduced CSHB 3(STA).

ERIC WYATT, Information Technology (IT) Director
Matanuska-Susitna Borough
Palmer, Alaska
POSITION STATEMENT: Provided information about a cyberattack in 2018 and how CSHB 3(STA) may help.

MARK BREUNIG, Chief Information Security Officer
Department of Administration
Palmer, Alaska
POSITION STATEMENT: Offered testimony pertaining to CSHB 3(STA).

NILS ANDREASSEN, Executive Director
Alaska Municipal League
Juneau, Alaska
POSITION STATEMENT: Testified in support of CSHB 3(STA).

PETER HOUSE, CEO
Deeptree, Inc.
Wasilla, Alaska
POSITION STATEMENT: Offered testimony pertaining to CSHB 3(STA).

ACTION NARRATIVE

1:33:57 PM

CHAIR MATT CLAMAN called the House Judiciary Standing Committee meeting to order at 1:33 p.m. Representatives Kreiss-Tomkins, Drummond, Snyder, and Claman were present at the call to order. Representatives Eastman, Kurka, and Vance arrived as the meeting was in progress.

HB 105-DETENTION OF MINORS

1:34:31 PM

CHAIR CLAMAN announced that the first order of business would be HOUSE BILL NO. 105, "An Act relating to the duties of the commissioner of corrections; relating to the detention of minors; relating to minors subject to adult courts; relating to the placement of minors in adult correctional facilities; and providing for an effective date."
CHAIR CLAMAN noted that HB 105 is sponsored by the House Rules Committee by request of the governor and that this is the bill's second hearing before the committee.

1:34:58 PM

CHAIR CLAMAN opened invited testimony on HB 105. He asked Ms. Samantha Cherot, Public Defender Agency, to provide perspective on the bill.

1:35:32 PM

SAMANTHA CHEROT, Esq., Public Defender, Public Defender Agency, Department of Administration, on behalf of the administration, provided invited testimony in support of HB 105. She stated that keeping children subject to the auto waiver or discretionary waiver in Division of Juvenile Justice (DJJ) facilities until they reach age 18 should result in better conditions for the impacted children as long as DJJ has the necessary resources for programming and to care for them. It should eliminate children being held in segregation while incarcerated and it should ensure their continued access to necessary educational services and programming in DJJ's facilities focused on rehabilitation and which will better enable these children to develop the necessary skill sets to reduce recidivism and to foster their continued cognitive development. This is critical given the fundamental differences between juvenile and adult minds and that the brain is not fully formed until one's mid-twenties.

1:36:57 PM

CHAIR CLAMAN closed invited testimony.

CHAIR CLAMAN announced he would entertain amendments and stated for the record that Legislative Legal Services has permission to make any technical and conforming changes to the bill.

CHAIR CLAMAN handed the gavel to Vice Chair Snyder.

1:37:54 PM

CHAIR CLAMAN moved to adopt Amendment 1 to HB 105, labeled 32-GH1576\A.1, Radford, 3/8/21, which read:

    Page 5, line 7:
        Delete "AS 47.12.250"
        Insert "(k) of this section"

REPRESENTATIVE DRUMMOND objected.
1:38:04 PM

CHAIR CLAMAN stated that the Division of Juvenile Justice would explain Amendment 1 given the division requested that he offer this amendment and a second amendment in coordination with DJJ's discussions with the court system.

1:38:27 PM

MATT DAVIDSON, Social Services Program Officer, Division of Juvenile Justice (DJJ), Department of Health and Social Services (DHSS), on behalf of the administration, said Amendment 1 would correct a drafting error in HB 105. He drew attention to Section 2 of the proposed bill, page 4, line 30, which removes an existing reference in state statute to the holding of nondelinquent minors under AS 247.12.120 and 247.12.250. He explained that Amendment 1 would remove another reference to 247.12.250 [on page 5, line 7] in Section 2, and would add a reference to the process delineated in Section 3, the new subsection (k) [that would be added to AS 47.10.141]. He further explained that existing statute mistakenly contains a reference to how delinquent minors would be held in a process to hold nondelinquent minors. So, it is circular, and this was recognized during drafting of the bill. This correction would just carry on that correction to remove the reference to delinquency statute for secure holds for nondelinquent minors.

1:40:24 PM

REPRESENTATIVE DRUMMOND asked where the new subsection (k) is located within the bill.

MR. DAVIDSON replied that Section 3 [on page 5] is the new subsection (k) that describes the process under which a court must go and consider and the process for the process of holding nondelinquents temporarily in juvenile justice facilities.

REPRESENTATIVE DRUMMOND requested further clarification on where in the bill the [new subsection (k)] is located.

CHAIR CLAMAN brought attention to Section 2, [page 4, line 24], which states AS 47.10.141(c). He explained that when it later says on page 5 "under subsection (k)" it is referencing 47.10.141.
He then directed attention to Section 3 [on line 12 of page 5], which states AS 47.10.141, and pointed out that subsection (k) is right below [beginning on line 13].

1:41:52 PM

REPRESENTATIVE EASTMAN asked what the practical effect would be if Amendment 1 failed.

MR. DAVIDSON answered that the practical effect is not great, but that it is an opportunity to clean up this statute. He said delinquents are not held under this process - delinquency statute contains all the process needed for holding delinquent minors in secure facilities - but it could lead to confusion, and this is an opportunity to clean it up.

1:42:47 PM

REPRESENTATIVE DRUMMOND removed her objection to Amendment 1. [There being no further objection, Amendment 1 was adopted.]

1:43:05 PM

The committee took a brief at-ease.

1:43:11 PM

REPRESENTATIVE CLAMAN moved to adopt Amendment 2 to HB 105, labeled 32-GH1576\A.3, Radford, 3/9/21, which read:

    Page 7, line 22:
        Delete "A minor shall be transferred"
        Insert "The department shall transfer a minor subject to the provisions of AS 47.12.030(a) or 47.12.100"

    Page 7, lines 27 - 30:
        Delete all material and insert:
        "(c) If there is no available juvenile detention facility in a community where a trial is being held or if a juvenile facility is inappropriate for a minor, the department may request that the court order, in the interest of justice, that a minor be held in an adult correctional facility with or without sight and sound separation from adult offenders. In making this decision, the court shall consider"

    Page 8, line 12:
        Delete "court shall hold"
        Insert "department shall request"

REPRESENTATIVE DRUMMOND objected for discussion purposes.

1:43:30 PM

CHAIR CLAMAN requested Mr. Davidson explain Amendment 2.

MR. DAVIDSON explained Amendment 2 would add substantive clarifications that were identified in the review process.
He said the first of the three changes proposed in Amendment 2 is on page 7, line 22, and clarifies that when the bill says at age 18 minors will be transferred to Department of Corrections (DOC) custody, it is talking about only the minors that are part of this section, which are the auto waiver minors and discretionary waiver minors, not delinquent minors. This part of Amendment 2 clarifies that minors who are in DJJ facilities as part of this new program, but they are considered adults as part of the adult court system, will be transferred to DOC custody at age 18. It does not apply to delinquent minors. Most DJJ jurisdiction ends at age 18. In some cases, a court can extend that jurisdiction to age 19 with another court finding, and in some very rare cases if the minor consents to it, a minor can stay in DJJ jurisdiction until age 20. This would not apply to minors who are subject to the auto waiver or discretionary waiver; they would be transferred to DOC facilities at age 18.

1:45:37 PM

REPRESENTATIVE DRUMMOND noted that if "A minor shall be transferred" is deleted and "The department shall transfer a minor subject to the provisions of AS 47.12.030(a) or 47.12.100" is inserted, the sentence would then read, "The department shall transfer a minor subject to the provisions of AS 47.12.030(a) or 47.12.100 to a facility operated by the Department of Corrections when the minor turns 18 years of age." She said this sentence does not make sense and asked whether this is the intention for how the language would read.

CHAIR CLAMAN answered that the initial draft of the amendment used the passive voice and Legislative Legal Services provided a reminder that an active voice needed to be used.

MR. DAVIDSON stated that the new language would be in the active voice and, in his opinion, reads as a complete sentence.
REPRESENTATIVE DRUMMOND said it is confusing and suggested the addition of commas, so that the sentence would read, "The department shall transfer a minor, subject to the provisions of AS 47.12.030(a) or 47.12.100, to a facility operated by the Department of Corrections when the minor turns 18 years of age."

1:47:39 PM

REPRESENTATIVE EASTMAN asked what would be the worst thing that would happen if this amendment were not to pass.

MR. DAVIDSON advised that this amendment is necessary for the bill to move forward. He related that several parties said it was confusing, including DOC that initially wondered how many minors DJJ would be transferring at age 18 if this bill passed. He said the intent is only minors that DJJ is holding on behalf of DOC, not minors that DJJ is holding under delinquency statute who may be 18 or 19 years old in some cases.

CHAIR CLAMAN added that [the third of the three proposed changes in Amendment 2] is [to delete] "court shall hold" [and insert] "department shall request". He said this change recognizes that generally the court doesn't take these things up on its own, but they come up when somebody makes a motion. So, this change would put the responsibility on the department to make the motion for the court to review the status rather than the court scheduling a hearing on its own.

1:49:11 PM

REPRESENTATIVE EASTMAN inquired whether he is correct in understanding that as currently drafted, HB 105, Version A, allows the court to intervene and gives that judge discretion, but Amendment 2 would remove this discretion.

MR. DAVIDSON replied, "No." He explained that the first change on page 7, line 22, just clarifies that when talking about transferring custody to DOC, it is only talking about the waived youths, not the delinquent youths.

1:50:07 PM

MR. DAVIDSON continued explaining Amendment 2. He said the second of the three changes is on page 7, lines 27-30.
He said this change clarifies the circumstances that the department would request the court consider variance from this new requirement that auto waived minors be held in DJJ facilities. It is two parts. It currently reads that if there is no juvenile facility available, which is unclear because there are juvenile facilities in six communities around the state; but if a trial is being held in Dillingham, for example, it is wanted for the court to have the option to choose to have a waived minor held in the community where the trial is being held. [The Department of Juvenile Justice] wants to be very specific about that circumstance. The second circumstance is when a minor is inappropriate for a juvenile facility and the court must take into consideration the different circumstances of that minor, such as age and behaviors, as part of the court's finding. So, [the second change] clarifies the conditions that the department would seek a waiver from the new rules, and that the department is responsible for making that request and that the court is not responsible for tracking that information.

1:51:48 PM

REPRESENTATIVE EASTMAN asked whether allowing the department to make that request results in the legal effect of now denying the court's ability to do that absent the department's request or if the department is slow in making a request.

MR. DAVIDSON responded that he and Director Dompeling do not believe the courts would be intervening to decide where a minor should be held. He said Ms. Meade [General Counsel, Alaska Court System] might testify if asked that [the courts] would prefer the department make the request and then the courts would make a judgement. But, he continued, [the courts] are not in the business of deciding without request where a minor should be held.
He recounted that in the previous hearing, DJJ said it believes that for most of these cases the division will be the one holding minors subject to the automatic waiver and the discretionary waiver, and that these variances would not be something DJJ would be seeking on a regular basis. The division is equipped to handle most of these cases, and it would be very rare that DJJ would seek a variance.

1:53:41 PM

REPRESENTATIVE EASTMAN requested Mr. Davidson explain the third change proposed in Amendment 2 and to state what the practical consequences would be if [the amendment fails].

MR. DAVIDSON reviewed the third of the three changes proposed in Amendment 2, a change that would be made on page 8, line 12. He explained that this change is like the one aspect of the second change which emphasizes the department's responsibility to request a continuance of that decision by the court that a minor can be held in an adult facility. He related that this is something the court system requested of DJJ in terms of amendment to clarify that the court system is not going to be tracking where minors in DOC custody are being held, but if [DJJ] wants to have a variance under this process [DJJ] would request it of the court. It's an extension of the previous section where the department will request of the court to make a continuation of this finding.

1:55:04 PM

REPRESENTATIVE DRUMMOND removed her objection to Amendment 2. There being no further objection, Amendment 2 was adopted.

VICE CHAIR SNYDER returned the gavel to Chair Claman.

1:56:17 PM

REPRESENTATIVE SNYDER moved to report HB 105, as amended, from committee with individual recommendations and the accompanying fiscal notes. There being no objection, CSHB 105(JUD) was reported out of the House Judiciary Standing Committee.

HB 3-DEFINITION OF "DISASTER": CYBERSECURITY

1:56:49 PM

CHAIR CLAMAN announced that the final order of business would be HOUSE BILL NO. 3, "An Act relating to the definition of 'disaster.'" [Before the committee was CSHB 3(STA).]

1:57:07 PM

The committee took an at-ease from 1:57 p.m. to 2:00 p.m.

2:00:48 PM

CHAIR CLAMAN noted that this is the first hearing of CSHB 3(STA) in this committee.

2:01:02 PM

ERICK CORDERO-GIORGANA, Staff, Representative DeLena Johnson, Alaska State Legislature, assisted in introducing CSHB 3(STA) on behalf of Representative Johnson, prime sponsor. He stated that Alaska statute is vague about whether a cyberattack or cyberthreat could elicit an emergency declaration. He explained that HB 3 would add cybersecurity to the definition of a disaster to update Alaska's laws, give clarity, and if necessary, use resources to act if there is a widespread and imminent threat. There is an alarming rate of cyberthreat throughout the world and nation, he pointed out. Not long ago the Matanuska-Susitna (Mat-Su) Borough was shut down after a cyberattack, creating severe disruptions in the day-to-day service and operation of the local government. The City of Valdez was the target of a ransomware attack, and many funds were spent to again be able to access the city's information. The states of Louisiana, Florida, and Colorado declared an emergency after a cyberattack disrupted most of their government operations not too long ago.

2:02:35 PM

REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, as the prime sponsor, introduced CSHB 3(STA). She stated that cybersecurity needs to be added to the list of reasons for an emergency declaration. She explained that a disaster declaration would provide for disaster relief funds, to apply for federal funds and resources that might not otherwise be readily available, for disaster preparedness planning, and to provide for intervention when the security of Alaska residents has been compromised. She deferred to Mr. Cordero-Giorgana to continue discussing the bill.

2:03:47 PM

MR. CORDERO-GIORGANA reiterated that CSHB 3(STA) would add cybersecurity attacks and threats to the definition of a disaster. He said the bill would add [subparagraph] (F) to AS [26.23.900(2)] within the general provisions of the Alaska Disaster Act. He read from the proposed subparagraph, which read as follows:

    (F) a cybersecurity attack that affects critical
    infrastructure in the state, an information system
    owned or operated by the state or a political
    subdivision of the state, information that is stored
    on, processed by, or transmitted on an information
    system owned or operated by the state or a political
    subdivision of the state, or a credible threat of an
    imminent cybersecurity attack or cybersecurity
    vulnerability that the commissioner of administration
    or commissioner's designee certifies to the governor
    has a high probability of occurring in the near
    future; the certification must be based on specific
    information that critical infrastructure in the state,
    an information system owned or operated by the state
    or a political subdivision of the state, or
    information that is stored on, processed by, or
    transmitted on an information system owned or operated
    by the state or a political subdivision of the state
    may be affected;

MR. CORDERO-GIORGANA noted that the changes in the committee substitute before the committee, CSHB 3(STA), added the words "political subdivision" to page 2, lines 19 and 21. He explained that this was done for clarity to ensure that boroughs and local governments were not left out.

MR. CORDERO-GIORGANA stressed that the bill is necessary given that nowadays it is heard in the news about foreign governments trying to hack U.S. computer systems, which includes U.S. electric grids, hospitals, airports, and services that provide energy or critical infrastructure.
He allowed that the meaning of critical infrastructure is currently open to interpretation but advised that the duty to make that definition rests with the Department of Military and Veterans Affairs, but the department was unable to come before the committee today.

2:07:15 PM

REPRESENTATIVE EASTMAN requested a definition of "cybersecurity" and noted that the term is not defined here. He further asked whether it is defined elsewhere in statute or whether something would be used to reference the meaning of the term.

MR. CORDERO-GIORGANA replied that it would be technical definitions by professionals for cybersecurity and cyberthreat. Usually, he continued, they are defined as events that result in data exposure, data loss, outright alteration, or impact to a service. He stated that there is no exact definition in statute and that cybersecurity, like technology, keeps changing on a day-to-day basis so that today's definition may [be different from a future definition].

2:08:15 PM

REPRESENTATIVE DRUMMOND said she appreciates the bill's intent. She said she understands from Mr. Cordero-Giorgana's testimony that a political subdivision of the state would be a borough or municipality. She noted that school districts and the University of Alaska have massive databases and asked whether they would be considered political subdivisions of the state.

REPRESENTATIVE JOHNSON qualified she is speaking from experience and not immediate research, but her understanding is that a school district would fall under a borough. She related that the boroughs in Alaska were originally created in 1964 to oversee and dispense money to the school districts. So, she continued, the political subdivision in that instance would be a borough. The unorganized borough would be under the state and under the state's purview.
The University of Alaska is not identified as a political subdivision of the state and it's not an incorporated borough or municipality or city, so her belief is that it would fall under State of Alaska equipment. She offered to get back to the committee with details if requested.

2:10:11 PM

REPRESENTATIVE DRUMMOND stated that the computer systems of the Anchorage School District (ASD) are totally separate from those of the Municipality of Anchorage. Given there have been arguments over the last 20 years about whether they should be combined, she said she isn't sure the aforementioned would apply to a school district that is ultimately governed by that borough or municipality which used to be a borough and a city. She said she thinks Representative Johnson is covering the regional educational attendance areas (REAAs) in the unorganized borough. She added that the state gives the school districts roughly $1.2 billion to spend, and if [the districts' systems] were breached in a cybersecurity attack, then a lot of services would be at risk.

REPRESENTATIVE DRUMMOND, responding to Chair Claman, requested clarity on what is included in the list of political subdivisions. She said if it doesn't cover school districts and the university, she would like to find a way to cover them.

2:12:04 PM

REPRESENTATIVE KURKA said he is cautious about increasing emergency powers because he is concerned about abuse. He requested an explanation on how an emergency declaration would help the state or political subdivision resolve the damage of a security breach and how it would be different with an emergency declaration as opposed to how the state operates now.

REPRESENTATIVE JOHNSON replied that a widespread and life-threatening example would be a compromise of the power grid during the winter, given the grid is run by computers. This example would be an occasion where additional funds and help from federal experts would potentially be needed for resolution.
2:14:30 PM

REPRESENTATIVE CLAMAN opened invited testimony on CSHB 3(STA).

2:14:44 PM

ERIC WYATT, Information Technology (IT) Director, Matanuska-Susitna Borough, related that in 2018 the borough was the target of a cyberattack by four different organizations rather than a single attacker. The Federal Bureau of Investigation (FBI) analysis found that the attackers were four nation states by means of some of the worst viruses. In the attack, one of them got in and then sold it to the other organizations. The borough's data was stolen, and its systems disrupted, then one of the groups demanded ransom. The attack brought down all the borough's information systems, completely cutting off the borough from all Internet services and all the data that it continuously used day to day to conduct borough business.

MR. WYATT said the effect on operations within the borough was most notably on the borough's fire and emergency medical service (EMS) systems. Also affected were operations and maintenance for taking care of roads and solid waste, as well as finances and legal; every aspect of the borough was taken down. When all that was shut off, all the people who used the borough's information system - telephones, computers, and so forth - were dead in the water. The magnitude was that everything was shut down for quite some time. The borough was able to slowly bring back services, getting back to about 95 percent capacity in about 60 days.

MR. WYATT explained that to recover at the time without an emergency declaration, the borough had to bring its emergency funds to bear. But what was needed most to recover the systems at the time was additional manpower, so the borough used its emergency funds to hire additional resources to come help, including Peter House of Deeptree, Inc. Several other organizations also volunteered their help, including Mark Breunig, Chief Information Security Officer, Department of Administration.
The borough's needs for recovery at the time were monetary resources and skilled manpower to get its operations back online. Mr. Wyatt stressed that the ability to declare a disaster and form a team of experts as volunteers or paid manpower to help recover is absolutely critical. The borough used nearly $2.5 million in emergency funding for its initial recovery and then more was spent on continued recovery.

MR. WYATT pointed out that the same week the Mat-Su Borough was hit, the City of Valdez was hit by mostly the same groups, same viruses, and same tactics. It is heard all the time about other states and other cities [being hit] and there have been other attacks in the state of Alaska as well. So, he emphasized, the ability to come to the aid of the organization and plus-up the manpower and resources to recover is absolutely vital, and the borough would like to participate.

MR. WYATT further noted that the borough's critical infrastructure (its electric grid, telecommunications, gas lines) all run on these same kinds of systems. Therefore, the effects from a cyberattack are greatly damaging and include power and gas outages.

2:20:56 PM

MARK BREUNIG, Chief Information Security Officer, Department of Administration, stated that the National Guard has a national mandate for cyber-capability to be created in states, but currently, without the language under CSHB 3(STA), there is no legal standing to do it, and the state would not be able to avail itself of the existing resources.

2:22:30 PM

NILS ANDREASSEN, Executive Director, Alaska Municipal League, testified in support of CSHB 3(STA) and emphasized the importance of cybersecurity to Alaska's local governments, school districts, and state agencies. He spoke about risks of destabilization and opined that "including this in the definition of state disaster" is imperative.

2:23:47 PM

PETER HOUSE, CEO, Deeptree, Inc., said Deeptree, Inc. is a firm that specializes in cybersecurity.
He mentioned the zeitgeist and a SolarWinds attack that resulted in significant consequences for the federal government, Fortune 500 companies, and organizations in Alaska. He talked about an attack on e-mail servers that hit approximately 30,000 American organizations and double that worldwide, which has been attributed largely to the Chinese. He said there have been high visibility attacks showing a higher level of aggression, both from criminal organizations and nation state adversaries. He related that in the fourth quarter of 2020, cyber software moved from a soft market to a hard market, which means that "the portfolio for the insurance company is under pressure," and it usually results in rate increases. He said the attribution by insurance companies for this change is that the number of cyber attacks and the total size of the claim are both increasing substantially, with a 20 to 40 percent rate increase expected across different cyber insurance carriers countrywide.

MR. HOUSE stated that in general there is a higher level of aggression. He gave as an example from Yankee Buckshot wherein, using off-the-shelf, publicly downloadable tools, the U.S. Department of Defense "attacked itself" to test its defenses and was able to get onto its classified network. He said there is challenge in working with these complex systems; sometimes attackers can "make it in past the border" and "reap a significant amount of damage."

MR. HOUSE addressed Representative Kurka's question regarding the benefit of allowing a declaration of emergency. He gave a scenario wherein assets are required to hold evidence for law enforcement or insurance. That is data or logs that need to be tendered over to the organization from a hard drive. He said those systems cost $20,000 and higher. If the systems are set aside for evidence retention, they cannot be used for the restoration of services or to clean or sanitize the systems.
The result is a need for double or triple the amount of storage capacity to run the organization day to day. He explained, "By opening up the degrees of freedom, either through funds or other forms of response, there's an ability for an organization to get back on its feet quicker than if they were to try to ... use a slow methodology of moving a little bit at a time, which then stretches out the rate of recovery to a much longer period of time."

MR. HOUSE said Alaska is a smaller state, with fewer than a million people, and "this type of line of work is very specialized and difficult." He estimated there are 50-100 people in Alaska who are qualified to do digital forensics and incident response, and he pointed out that it would be difficult for them to respond [to an emergency situation] because "a lot of them will be fighting their own fires." Therefore, he emphasized that the ability to pull in contractors and resources from Outside is essential. He said he believes the language of CSHB 3(STA) would open up that degree of freedom, "in addition to what Mr. Breunig indicated." He noted that when he worked with Mr. Breunig and Mr. Wyatt on the incident with the Mat-Su Borough, the expansion of capability from the emergency funds had a positive impact; there was a wave of momentum that was beneficial.

2:29:45 PM

MR. ANDREASSEN, in response to Chair Claman's request that he address Representative Drummond's question about political subdivisions, offered the definition of political subdivision, which appears under AS 26.23.900(7), as follows:

    (7) "political subdivision" means
        (A) a municipality;
        (B) an unincorporated village; or
        (C) another unit of local government;

MR. ANDREASSEN said it is the understanding of the Alaska Municipal League that school districts would be covered under political subdivision of the state. He said school districts are either a subdivision of a municipality or are the responsibility of the Department of Education and Early Development.
He offered his understanding that the University of Alaska is considered a political subdivision, "but separately under state law."

2:31:11 PM

REPRESENTATIVE DRUMMOND referenced definitions found under AS 39.90.140, [which states that "public body" includes "an officer or agency of" the federal government, state, and political subdivision - subparagraphs (A), (B), and (C), respectively], and she read that which is included under "political subdivision", in paragraph (4), subparagraph (C), sub-subparagraphs (i), (ii), and (iii), which read:

(i) a municipality;
(ii) a school district; and
(iii) a regional educational attendance area;

REPRESENTATIVE DRUMMOND noted that the University of Alaska and the Alaska Railroad are not included under [subparagraph (C)]. [They are listed subsequently in subparagraphs (D) and (E), of paragraph (4), regarding "public body".]

2:33:12 PM

MR. BREUNIG, in response to the same question, said it is not a topic he can address.

2:33:34 PM

REPRESENTATIVE VANCE noted that during a recent Finance subcommittee meeting, Mr. Breunig had spoken about a recent cyberattack and mentioned a type of incident command being established under the Department of Administration for quick response. She referenced language in CSHB 3(STA), on page 2, [on lines 5 and 6], regarding "consultation with the commissioner of public safety or a designee of the commissioner of public safety", and she asked whether that wording fits the organized structure Mr. Breunig is establishing within the Department of Administration regarding cybersecurity and meets the requirements of statute.

2:34:46 PM

MR. BREUNIG responded that the "incident command structure" (ICS) put out through the Federal Emergency Management Agency (FEMA), is part of an emergency management program and a standard framework that all federal agencies use. The language in the bill would not change that, he indicated.
In response to a request from Representative Vance, he spoke about work with the Department of Military & Veterans' Affairs on an [incident response] structure, which currently is not capable of handling a large-scale incident.

REPRESENTATIVE VANCE said CSHB 3(STA) speaks to this issue, and she encouraged efforts to speed up response to an incident.

2:38:36 PM

MR. BREUNIG recalled he had been talking about a SolarWinds incident during the Finance subcommittee testimony and how speed is of the essence when responding. He said it took departments 24 hours to report back whether they had vulnerable software, at which point security was able to "lock that down" and determine there had been no compromise. However, he emphasized that in cyber terms, "24 hours is an eternity." He posited that CSHB 3(STA) is critical, because it would bring the right people together to build the "speed to response."

2:39:57 PM

REPRESENTATIVE KURKA asked for a definition of "imminent cybersecurity attack" and whether there exists a metric of probability of attack.

2:40:54 PM

MR. BREUNIG replied that when there is imminent threat, there would be an alert from the federal Cybersecurity and Infrastructure Security Agency (CISA) regarding a known attack. State security would watch out for it. That in itself is not a disaster, but if the threat "got in" and caused damage, then it would be a disaster. Regarding Microsoft, he said security knew early on that it was coming and was "able to take practice steps" to mitigate the risk, which he said is another example of imminent threat. In response to a follow-up question, he mentioned a "denial of service" attack in which someone floods a state network segment with malicious traffic "in an attempt to overwhelm it and take it down."

2:42:34 PM

REPRESENTATIVE KURKA said it sounds like cybersecurity attacks are happening all the time in various degrees.
He directed attention to language in Section 1 of CSHB 3(STA), on page 1, line 4, which gives a definition of disaster, including its causes. He offered his understanding that "we're talking about widespread damage of property," not just "one department had some computers fried."

2:44:55 PM

REPRESENTATIVE JOHNSON offered her understanding that the concern is that there could be ongoing declarations of disaster. She deferred to her staff to address the topic further.

2:45:23 PM

MR. CORDERO-GIORGANA proffered that "imminent" is a matter of timing and "widespread" is a matter of geography and whether an issue can be contained. When talking about a fire, earthquake, or flood, the consideration is "the amount of resources that would need to be used to be able to achieve the containment goal." He said DMVA will create emergency plans for each category listed in the Act and make recommendations as to what would be considered widespread and imminent.

2:47:31 PM

REPRESENTATIVE KURKA indicated that the language in the proposed legislation should be added, but observed that "a lot of the context in which we're talking about this" is found in subparagraph (D), [on page 2], regarding "enemy or terrorist attack or a credible threat of imminent enemy or terrorist attack in or against the state". He offered his understanding that there had been a legal opinion as to "why this wouldn't apply under (D)." He remarked that "all these examples we're talking about ... seem to be foreign actors."

2:48:40 PM

CHAIR CLAMAN, in response to Representative Johnson, offered his interpretation that Representative Kurka was reflecting that subparagraph (D) doesn't seem to be cybersecurity-related and perhaps wanted to know how the two issues are addressed when determining whether an emergency has occurred.

2:49:21 PM

MR. CORDERO-GIORGANA, at the request of the bill sponsor, addressed the question.
He said the separation was done at the recommendation of the bill drafter in Legislative Legal Services to avoid confusion.

2:49:55 PM

REPRESENTATIVE VANCE pointed out that CSHB 3(STA) speaks specifically to disaster; "emergency" is not addressed. She gave an example of a disaster being the landslide that recently occurred in Haines, Alaska. She said the governor declared a disaster in the Haines area, but it was not a statewide emergency.

2:50:53 PM

REPRESENTATIVE EASTMAN asked for the definition of cybersecurity.

2:51:20 PM

MR. CORDERO-GIORGANA said he did not have a definition and deferred to Mr. Breunig.

CHAIR CLAMAN noted that it is common for courts to use the dictionary for commonly used terms if those terms are not defined in statute.

2:52:08 PM

MR. BREUNIG defined cybersecurity as "any protection used to prevent cyber-attacks."

REPRESENTATIVE EASTMAN said he is familiar with the definition, and it makes sense to him. He continued:

But in this case we're talking about a cybersecurity attack, and so if we're using tools to prevent attacks, but then we're ... adding the word "attack" on them, I'm a little confused as what that [emphasis on "that"] means.

MR. BREUNIG responded he thinks the intent is that it would be an attack against [Alaska's] cybersecurity - against the systems and tools that the state has to protect itself.

REPRESENTATIVE EASTMAN asked for confirmation that what is being discussed is an attack where "someone's trying to overcome some type of security" as opposed to "a run-of-the-mill fiber attack."

MR. BREUNIG answered, "Yes, I would agree."

REPRESENTATIVE EASTMAN noted that the previously discussed subparagraph (D), which addresses enemy or terrorist attack, points to a definition of "attack" existing in [AS 26.20.200], and since that definition does not fit what is being discussed in the cyber realm, he suggested a definition may be necessary in subparagraph (F).

MR. BREUNIG said he concurs with the bill sponsor and her staff that the intent is to clarify. In subparagraph (D), "enemy" and "terrorist attack" traditionally relate to military-related attacks, not cyber-attacks, which are specifically addressed under subparagraph (F), which allows the emergency operation center to bring resources to bear in regard to cyberattacks rather than other "traditional forms of disaster or emergency attack that are already identified."

REPRESENTATIVE CLAMAN noted that subparagraph (F) is proposed new language. He said a cyberattack would be, for example, somebody getting into his home computer; a cybersecurity attack would be on a larger scale.

MR. BREUNIG concurred.

2:56:12 PM

REPRESENTATIVE EASTMAN referenced a memorandum ("memo") from [Megan Wallace of] Legislative Legal Services [to the bill sponsor and staff, dated 2/10/20 and included in the committee packet], to [subparagraph (C), which lists equipment failure as one of the causes of a "disaster" and read as follows]:

(C) equipment failure, if the failure is not a predictably frequent or recurring event or preventable by adequate equipment maintenance or operation;

REPRESENTATIVE EASTMAN offered his understanding that the memo talks about "why ... [subparagraph] (C), equipment failure, ... may not be adequate, and why this bill might be needed for that reason." He asked to what extent it is the sponsor's intent "to predicate the cybersecurity attacks we're talking about on intentionality." He continued:

Because certainly, ... if we're focusing on intentionality, then an IT tech who spills coffee and destroys a server probably wouldn't be captured in the intent that we're talking about here.

2:57:18 PM

REPRESENTATIVE JOHNSON explained that intentionality must have credible background. If [the attack] is imminent and widespread, as determined by the commissioner or commissioner's designee, he/she would determine that it was a credible threat.
She added, "The intentionality of maybe mindreading some would not fall into that category."

2:58:13 PM

MR. CORDERO-GIORGANA said he was not sure he understood Representative Eastman's question.

REPRESENTATIVE EASTMAN indicated that [subparagraphs] (A), (B), (C), and (E) address disasters that are not man-made and intentional. He questioned whether it is important to "tie it to that intentionality," as is being done in [subparagraph] (F) or to be more focused on the impact. He asked, "Is there a reason that we're making it narrower than ... just a larger impact type of definition?"

2:59:52 PM

MR. CORDERO-GIORGANA noted that the legislature removed "manmade" from the disaster Act, which caused ambiguity as to whether cybersecurity qualified under the Act. He continued:

If a widespread system failure is the result of another cause that is not manmade, or in this case an attack or a threat, it actually would probably fall into one of the other categories. So, in the case, for example, of an earthquake: a system goes down, but it's really the result of an earthquake, not necessarily a cybersecurity attack. And so, if I'm understanding correctly, this would actually clear authority specifically to those type of items.

REPRESENTATIVE EASTMAN asked whether it is important to make a distinction between "those manmade actions which are intentional and which are accidental." For example, he said an installation of "a security patch" that causes a major outage "wouldn't qualify here" because it is not a cybersecurity attack, even though it may have the same result if someone had done it intentionally.

MR. CORDERO responded that that would be a cyber vulnerability, and he indicated that was addressed in another part of [subparagraph] (F). He said there are so many definitions that could be included in the bill that would make it lengthy, for example, for the following terms: cyberattacks, cyber incidents, cyberthreats, major threats, minor threats, and primary targets.
He stated, "We're just trying to make it clear that cybersecurity counts; give it an overview, and then it's up to the Department of Military & Veterans' Affairs to come up with ... plans."

3:02:22 PM

CHAIR CLAMAN remarked that a lot of this comes back to the size and cost of what has happened.

CHAIR CLAMAN announced that CSHB 3(STA) was held over.

3:04:13 PM

ADJOURNMENT

There being no further business before the committee, the House Judiciary Standing Committee meeting was adjourned at 3:04 p.m.