Legislature(2021 - 2022)GRUENBERG 120
02/23/2021 03:00 PM House STATE AFFAIRS
| Audio | Topic |
|---|---|
| Start | |
| HB3 | |
| HB32 | |
| Adjourn | |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| *+ | HB 3 | TELECONFERENCED | |
| *+ | HB 32 | TELECONFERENCED | |
HB 3-DEFINITION OF "DISASTER": CYBERSECURITY
3:05:43 PM
CHAIR KREISS-TOMKINS announced that the first order of business
would be HOUSE BILL NO. 3, "An Act relating to the definition of
'disaster.'"
3:06:12 PM
REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, as
prime sponsor, introduced HB 3. She stated that there are many
events that elicit an emergency declaration; however, a
cybersecurity threat is not one of them. She informed the
committee that current Alaska statutes are vague on whether a
cyberattack could qualify for such a declaration. She said HB 3
would provide clarity by adding cybersecurity attacks to the
definition of disaster, so in the event it's needed, action
could be taken, and resources could be used. She relayed that
there is an alarming rate of cyber threats throughout the world
and referenced a recent cyberattack on the Matanuska-Susitna
(Mat-Su) Borough, which created disruptions in day-to-day
service operations. She noted that the city of Valdez was also
the target of a ransomware attack that was costly to resolve.
Additionally, she reported that several state agencies were
targeted by cyber criminals, including Department of Health and
Social Services (DHSS) and the Division of Elections. To
conclude, she asserted that cybersecurity should qualify for an
emergency declaration to allow for the use of emergency funds;
the application of funds and other resources that might not be
otherwise readily available; and disaster preparation planning.
3:08:39 PM
ERICK CORDERO, Staff, Representative DeLena Johnson, Alaska
State Legislature, on behalf of Representative Johnson, prime
sponsor, continued to present HB 3. He reiterated that the bill
would add cybersecurity to the definition of a disaster - more
specifically, HB 3 would add [subparagraph] (F) to AS 26.20.900,
the general provisions of the Alaska Disaster Act.
[Subparagraph] (F) read as follows:
(F) a cybersecurity attack that affects critical
infrastructure in the state, an information system
owned or operated by the state, information that is
stored on, processed by, or transmitted on an
information system owned or operated by the state, or
a credible threat of an imminent cybersecurity attack
or cybersecurity vulnerability that the commissioner
of administration or commissioner's designee certifies
to the governor has a high probability of occurring in
the near future; the certification must be based on
specific information that critical infrastructure in
the state, an information system owned or operated by
the state, or information that is stored on, processed
by, or transmitted on an information system owned or
operated by the state may be affected;
MR. CORDERO clarified that "the certification must be based on
specific information that critical infrastructure in the state"
covers agencies within the nonprofit sector and the private
sector that have responsibilities regarding health, energy,
telecommunication, or transportation to the public. He further
noted that the Department of Military & Veterans' Affairs (DMVA)
is responsible for planning, managing, and creating the list of
qualifications for "critical infrastructure," which Mr. Cordero
could not obtain. He stated that critical infrastructure is not
defined under Alaska statutes, adding that DMVA uses the U.S.
Department of Homeland Security's definition. He went on to add
that according to Legislative Legal Services, the governor
could, in some instances, call an emergency if there were a
cybersecurity attack or threat; however, the statutes are vague
because in 2000, the legislature removed the words "manmade
causes" from the Alaska Disaster Act. He noted that other
states that can issue a statewide emergency on cybersecurity
have relied on that language. There is, he said, a small
provision in the Alaska statute that mentions "equipment," which
could be considered information systems or a database. He
emphasized that HB 3 would clarify and update the language in
the Alaska Disaster Act.
3:12:59 PM
MR. CORDERO reported, per the Department of Administration (DOA),
that in the last 10 years, there have been as many as 817,000
attempted attacks per year that are general in nature, such as
spam mail, viruses, and malware, and 400,000 [attempted]
directed attacks per year, which are focused against specific
individuals, systems, or departments. He noted that not all
attempted attacks were successful. He stated that annually,
there have been 497 successful attacks against the state, in
which systems or data were either infiltrated or compromised.
He added that historically, the most targeted state agencies are
the Division of Elections, the Division of Motor Vehicles (DMV),
the Department of Revenue (DOR), DHSS, and the Department of
Transportation & Public Facilities (DOT&PF).
3:14:17 PM
CHAIR KREISS-TOMKINS announced the committee would hear invited
testimony.
3:15:02 PM
MARK BREUNIG, Chief Technology Officer, Office of Information
Technology, Department of Administration, informed the committee
that states such as Florida, Texas, and Washington, as well as
the federal government, have been impacted by cybersecurity
attacks. He reported that in July 2018, the Mat-Su Borough and
the City of Valdez were victims of cyberattacks, and in both
cases, critical services were disrupted, and significant damage
was caused. Ultimately, emergency relief funding in the Mat-Su
Borough alone exceeded $2.5 million. As one of the on-site
volunteers to help restore service, he recalled asking "where is
the state?" Upon joining DOA, he realized that the state was
not unsympathetic, but the language to address a major
cybersecurity attack was missing from Alaska statutes. He said
HB 3 seeks to remedy that gap. He addressed several instances
of cybersecurity attacks in other states, such as Florida, where
attackers gained access to industrial control systems at a water
treatment plant and attempted to increase the amount of sodium
hydroxide. He opined that the additional language in HB 3 is
critical to support processes and the success of disaster
remediation in Alaska.
3:17:23 PM
REPRESENTATIVE EASTMAN asked how far the Mat-Su Borough
progressed into the disaster declaration process before the
missing language became an obstacle.
MR. BREUNIG reported that the Mat-Su Borough's request was
received, but there was no legally viable recourse.
3:18:19 PM
REPRESENTATIVE CLAMAN inquired about the likelihood of receiving
information on a pending cybersecurity attack, which could
result in a disaster declaration, before it happens.
MR. BREUNIG said the time interval from receiving intelligence
before an attack to the time of an actual attack continues to
shrink, which is why intelligence from federal and industry
partners is valued. He provided the example of SolarWinds,
explaining that the state received the update on SolarWinds
hours before it hit everywhere else, allowing Alaska to act
quickly. Nonetheless, he reiterated that the days of receiving
advance notice are disappearing.
REPRESENTATIVE CLAMAN surmised that in terms of cybersecurity
attacks pertaining to critical data, "we're not talking about a
disaster declaration because tomorrow we think something's
coming - it's going to be ... this just happened ... and now we
need help fixing it and it's going to take time and money."
MR. BREUNIG replied it will be a mix. He pointed out that [the
state] received word of "certain Iranian activities" one week in
advance. He emphasized that typically, the amount of advance
notice varies, if any is received at all.
3:21:26 PM
REPRESENTATIVE KAUFMAN asked if HB 3 goes far enough to
encompass the state's cybersecurity needs and whether the bill
is missing any components.
MR. BREUNIG replied that there is work that needs to be done,
but the proposed legislation is a significant start.
3:22:02 PM
CHAIR KREISS-TOMKINS asked if, beyond the scope of the bill,
there are recommendations that the legislature should further
explore or investigate regarding cybersecurity in general.
MR. BREUNIG answered yes, adding that he would welcome a
follow-up discussion and further investigation.
3:22:48 PM
REPRESENTATIVE VANCE inquired about available federal funds
specific to cyberattacks in a declared emergency.
MR. BREUNIG relayed that the state currently receives funding
through the Federal Emergency Management Agency (FEMA) for
emergency response. He noted that recently, the Cybersecurity &
Infrastructure Security Agency (CISA) announced its intention to
contribute additional funding; however, the amount and the date
of availability have not been publicized.
3:24:27 PM
REPRESENTATIVE STORY asked if qualifying for assistance requires
reaching a certain level of disaster.
MR. BREUNIG said there is a framework and different criteria for
determining the level of attack and disaster.
REPRESENTATIVE STORY requested that a description of the
criteria be provided to the committee.
MR. BREUNIG offered to follow up with the requested information.
3:25:52 PM
PAUL NELSON, Director, Division of Homeland Security & Emergency
Management, Department of Military & Veterans' Affairs (DMVA),
said he has no official testimony prepared at this time;
however, he is available for questions from the committee.
3:26:26 PM
REPRESENTATIVE EASTMAN offered his understanding that DMVA
participates in the process of declaring a disaster.
Referencing page 2 of the bill, he asked if the Division of
Homeland Security and Emergency Management helps determine
whether something is a cybersecurity vulnerability.
MR. NELSON acknowledged that the division has a minor role and
follows the lead of the Office of Information Technology (OIT)
to identify cybersecurity vulnerabilities. He added that the
division and OIT work with other federal and infrastructure
partners - both public utility and private sector - to determine
the vulnerabilities in the cybersecurity domain and, ideally,
mitigate and eliminate them.
3:27:50 PM
REPRESENTATIVE KAUFMAN asked where Alaska stands in relation to
others.
MR. NELSON replied that from the perspective of emergency
management, Alaska seems to be okay, but there's more work to be
done going forward. He opined that HB 3 is a great start, later
noting that there is no indication that [cybersecurity attacks]
are going to stop; they will only grow more advanced.
3:29:31 PM
CHAIR KREISS-TOMKINS asked if HB 3 were to pass, how the state
would evaluate the impact of the cybersecurity attack on the
Mat-Su Borough. He asked whether it would reach the threshold
of warranting a disaster declaration.
MR. NELSON explained that the Division of Homeland Security &
Emergency Management would set up the state emergency operations
center wherever the intrusion occurred and evaluate the response
and immediate needs while following OIT's lead, which is the
standard foundation for any type of response, be it flooding, an
earthquake, or a cybersecurity attack. He said the absence of
cybersecurity attack from the definition of disaster within AS
26.23.900 "makes it more obscure," whereas the language in HB 3
would help improve the state emergency operations plan.
MR. BREUNIG expanded on Mr. Nelson's comments by noting that the
National Guard is building cyber capability through its own
mandate. He explained that identifying this as a leverage point
for declaring a disaster would enable the National Guard to
provide cyber support throughout the state.
3:32:57 PM
PETER HOUSE, CEO, Deeptree, Inc., informed the committee that
his business is an Internet technology (IT) firm that
specializes in risk management with a particular emphasis on
cybersecurity. He provided several personal anecdotes, one of
which highlighted his work on the Mat-Su Borough attack. He
said he saw firsthand the scope of the incident and the impact
on Alaskans. He added that whether in the scope of losing
access to essential services or disruptions to business, the
[cybersecurity] attack was functionally equivalent to the
organization being impacted by a traditionally defined disaster.
As a responder, he said, the level of responsibility was
significant because citizen lives were impacted by the lack of
digital infrastructure support. He explained that the
responders had two tasks on hand: to restore services as
quickly as possible and to ensure that the evidence required by
law enforcement and insurance was retained. He noted that
sometimes, it felt like those tasks were at odds with each other
when it came to resources and staffing. He recounted that due
to the depth of the attack, a large number of specialists and
generalists was required; further, for the first few months, the
daily briefings were at capacity. He offered his belief that
the borough's declaration of a state of emergency was essential
because of those operational factors. He pointed out that the extra
support that resulted from the disaster declaration made a
significant impact on the time it took to restore services;
additionally, they received improved operational agility and
response capabilities. He went on to convey that because
Alaska is sparsely populated and spread out over thousands of
miles, the state has a unique profile, which makes digital
technology not only a nicety but a necessity. Furthermore, it
places the digital systems on which Alaska relies in a state of
operational significance. He pointed out that sometimes the
replacements for that equipment are thousands of miles away.
MR. HOUSE continued by addressing the 2013 attack on Target. He
said it's not widely known that the attack had an initial point
of entry through a heating, ventilation, and air conditioning
(HVAC) vendor. The criminal actors identified a third-party
vendor, sent a phishing email, compromised the systems, and rode
an engineer's laptop onto the networks when the engineer went on
site. He emphasized the importance of that story because Alaska
is very connected. He opined that when considering the threat
of exposure that could come from a similar situation, Alaska
compared to other states has a mildly higher threat profile
given the state's geographic location and economy. He
emphasized that Alaska does not have many economic "crown
jewels," but the few that exist are important. He concluded
that knowing the State of Alaska has a strong security posture
and the ability to respond to an emergency enhances the state's
overall defensive position.
3:38:21 PM
REPRESENTATIVE EASTMAN pointed out that HB 3 speaks to the
credible threat of an attack or a cybersecurity vulnerability
that has a high probability of occurring in the future. He
questioned whether the language opens the door for a situation
in which Alaska would be eligible for a disaster for the
foreseeable future. He remarked:
Or maybe, based on your experience, you would expect
that [the] window would close. If so, when would we
no longer be in the situation where there is a
vulnerability that exists that could trigger this
disaster.
3:39:29 PM
MR. HOUSE said typically, the software developer - or whoever is
responsible for managing the solution - eliminates the
vulnerability by patching the system. He noted that in his
professional experience, he has never seen a nonterminated
vulnerability; further adding that in terms of mainline critical
infrastructure vulnerabilities, there is a low probability of a
vulnerability persisting for an interminable amount of time.
REPRESENTATIVE EASTMAN questioned whether Mr. House is referring
to an existing vulnerability or, as the bill expresses, one that
has a high probability of occurring in the future.
MR. HOUSE said he could not speak to that specific passage;
however, he offered his understanding that when something is
specifically classified as a vulnerability, it is a "technical
exercise" that wouldn't leave room for interpretation. He
opined that the legislation as it's currently written would not
allow a state of emergency to continue for an unlimited amount
of time.
3:41:41 PM
REPRESENTATIVE STORY expressed her concern that people do not
have basic protections in place to [protect] them from a
cybersecurity [attack]. She asked if municipalities and state
agencies are taking adequate precautions.
MR. HOUSE recalled seeing higher levels of information sharing
and security, as well as an uptick in security operation centers
(SOCs), since the Mat-Su Borough event. He provided an example
of an institution that provides threat and vulnerability
information sharing, which local jurisdictions are partaking in.
Furthermore, he said more professionals are undertaking advanced
education and training. He noted his specialization in memory
forensics, a specialized portion of incident response to
cybersecurity events, in which the level of interest has risen.
3:44:36 PM
REPRESENTATIVE TARR inquired about the perpetrator's motivation
to carry out these attacks.
MR. HOUSE said motivations vary. He explained that criminal
actors are interested in auctioning off the stolen information
on the dark web. Additionally, when the network is compromised,
he recalled a growing practice where the network itself is
auctioned off for criminal actors to pull the data from, ransom
the network, or both. He added that the motivation for nation
state actors also varies - in general, they are looking to
monetize the networks or gain geopolitical influence.
3:46:36 PM
REPRESENTATIVE TARR questioned whether the bill language
pertaining to the commissioner designee should be more specific.
MR. CORDERO explained that typically, each department determines
a plan it wants to submit to DMVA and DMVA develops the
mitigation and response. He noted that DOA is included in the
bill language because it houses the Office of Information
Technology. He added that the language regarding the
commissioner designee is for the committee to consider at their
discretion.
3:48:33 PM
REPRESENTATIVE CLAMAN expressed his interest in clarifying the
definition of critical infrastructure and what constitutes it.
3:49:25 PM
MR. CORDERO read from the document, titled "From the
Cybersecurity & Infrastructure Security Agency" [included in the
committee packet], which read as follows:
There are 16 critical infrastructure sectors whose
assets, systems, and networks, whether physical or
virtual, are considered so vital to the United States
that their incapacitation or destruction would have a
debilitating effect on security, national economic
security, national public health or safety, or any
combination thereof.
MR. CORDERO acknowledged that "critical infrastructure" is not
defined in Alaska statutes. He added that the duty to make that
determination was given to [DMVA].
3:50:27 PM
REPRESENTATIVE CLAMAN sought to clarify whether that is the
federal definition.
MR. CORDERO answered yes.
REPRESENTATIVE CLAMAN pointed out that there are other sections
in statute that reference federal authority or federal
regulation. He suggested including a reference to the federal
regulations or federal statutory authority in HB 3 to avoid
writing a definition that changes every two years. He opined
that the reference would strengthen the bill because it would
align the state and federal definition of what constitutes
critical infrastructure.
MR. CORDERO agreed that it could help clarify critical
infrastructure.
3:51:29 PM
REPRESENTATIVE EASTMAN asked if there is a definition of
cybersecurity that the bill refers to.
MR. CORDERO deferred to Mr. Breunig.
3:52:20 PM
REPRESENTATIVE VANCE asked if the state has insurance that
covers cybersecurity attacks and if so, what criteria must be
met to access it or other federal funding.
MR. CORDERO offered to follow up with the requested information.
3:53:42 PM
CHAIR KREISS-TOMKINS shared his understanding that there was
similar, or possibly identical, legislation in the last
legislative session. He asked if there are substantive
differences between the previous legislation and HB 3.
REPRESENTATIVE JOHNSON answered no and explained that HB 3
is a continuation of the same bill from last session.
CHAIR KREISS-TOMKINS advised that there might be a committee
substitute with a title change pending further discussions with
the sponsor's office.
3:54:55 PM
REPRESENTATIVE CLAMAN asked who sponsored the previous
legislation.
CHAIR KREISS-TOMKINS answered Representative Johnson.
[HB 3 was held over.]
| Document Name | Date/Time | Subjects |
|---|---|---|
| HB 32 Sponsor Statement 2.19.2021.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Testimony Received as of 2.22.2021.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 3 Sponsor Statement 2.18.2021.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - Alaska Health Department Reports Data Breach The Seattle Times 6.28.2018.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - DHSS Cyber Attack Impacts More Than 100,000 Alaska Households 1.23.2019.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - How One Alaskan Borough Survived A Cyber Attack CitiesSpeak 10.1.2019.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - MSBD Press Release Mat-Su Declares Disaster for Cyber Attack 7.31.2018.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - Pipeline Article Alaska Public Media 3.14.2018.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Legal Memo 2.10.2020.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Supporting Document - CISA Critical Infrastructure 2.23.2021.pdf | HJUD 3/10/2021 1:30:00 PM HJUD 3/15/2021 1:30:00 PM HJUD 3/17/2021 1:30:00 PM HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 3 Testimony - Received as of 2.22.2021.pdf | HSTA 2/23/2021 3:00:00 PM | |
| HB 32 Testimony Received as of 2.22.21 Additional - Chicken Gold Camp.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 FN LAW CIV TWC 2.9.21.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 3 Fiscal Note DOA-OIT 2.21.2021 (Printed 2.22.2021).pdf | HSTA 2/23/2021 3:00:00 PM | HB 3 |
| HB 32 Letters in Support 2.23.2021.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Research Alaska Annual Ecomoic Impact Fact Sheet.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Research Alaska State Economic Impact Table.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |
| HB 32 Reseach Examples of Inherent Risk Lawsuits.pdf | HSTA 2/23/2021 3:00:00 PM | HB 32 |