Legislature(2021 - 2022)BUTROVICH 205
01/28/2022 01:30 PM Senate JUDICIARY
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| SJR19 | |
| SB129 | |
| HB3 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| *+ | SJR 19 | TELECONFERENCED | |
| += | SB 129 | TELECONFERENCED | |
| += | HB 3 | TELECONFERENCED | |
| *+ | HB 155 | TELECONFERENCED | |
| + | TELECONFERENCED | ||
HB 3-DEFINITION OF "DISASTER": CYBERSECURITY
2:14:42 PM
CHAIR HOLLAND announced consideration of CS FOR HOUSE BILL NO.
3(JUD) "An Act relating to the definition of 'disaster.'"
2:15:14 PM
REPRESENTATIVE DELANA JOHNSON, Alaska State Legislature, Juneau,
Alaska, speaking as sponsor, stated that HB 3 would add cyber
attacks to the Alaska Disaster Act. She said Alaska's disaster
statutes are vague and need updating. She stated that
cyberattacks are increasing; the state has had several attacks
in the past year. She noted that under the bill, a declaration
must meet two tests to be considered a disaster. First, the
incident must be widespread and must cause damage. Second, each
incident must be assessed on a case-by-case basis. Last year, a
cyber attack disrupted services at the Alaska Court System for
several weeks. In addition, a cyber attack disrupted services at
the Department of Health and Social Services (DHSS) for a
significant time in 2021. The state still does not know the
extent of the monetary damage or quantify other effects from the
cyber attack. Further, a cyber attack shut down the Mat-Su
Borough (MSB), disrupting critical services and causing damages
exceeding $25 million. The City of Valdez experienced a
ransomware attack requiring substantial payments to regain
access to their systems. She related a more significant cyber
attack that occurred in Florida in 2020. Cyber attackers gained
access to the industrial controls of a water treatment facility
and attempted to increase the levels of toxic chemicals in the
water system. Although the authorities contained the attack, it
raises concerns about what could happen if critical
infrastructure disrupts critical services.
2:17:22 PM
REPRESENTATIVE D. JOHNSON said adding "cyber attacks" to the
definition of disaster would clarify the seriousness of the
problem and allow access to resources.
2:17:55 PM
ERICK CORDERO, Staff, Representative Delena Johnson, Alaska
State Legislature, Juneau, Alaska, on behalf of the sponsor,
said the intent of HB 3 was to update Alaska's statutes. He
stated that many states have updated or are in the process of
updating their disaster laws related to cyber attacks.
2:18:18 PM
MR. CORDERO said the bill consists of one section. Page 1, line
4, provides the current definition for a disaster, which read:
(2) "disaster" means the occurrence or imminent threat
of widespread or severe damage, injury, loss of life
or property, or shortage of food, water, or fuel
resulting from ....
MR. CORDERO stated that categories were listed beginning on page
1, line 7 of HB 3, including natural disasters, environmental
dangers, equipment failures, and terrorist attacks. The
definition does not list cyber attacks. In 2000, the statute
included "man-made" disasters, but that language was removed.
The Mat-Su Borough and other political subdivisions requested a
definition for a disaster declaration. He explained that
declaring a disaster could result in the state or communities
achieving access to resources faster. It also would provide the
authority to contact agencies for assistance.
2:19:49 PM
MR. CORDERO said the state responded to the Mat-Su Borough's
request for assistance by saying that the statutes were vague.
He referred to the Legal Services memo in members' packet dated
February 10, 2020, from Megan Wallace, Director, who advised
that equipment failure could qualify as a "disaster" under AS
26.23.900(2)(C). Still, it should be defined to provide
certainty. HB 3 would clarify that cybersecurity is a problem
and define cyber attacks in statute.
2:20:23 PM
MR. CORDERO said the language on page 2 line 17, subparagraph
(F) would add cyberattacks to the definition, specifically if it
affects critical infrastructure. He characterized critical
infrastructure as key. It is a term typically used by the
federal government. It also identified information systems owned
or operated by the state or a political subdivision of the
state.
2:21:08 PM
MR. CORDERO stated that during the committee process, the
sponsor decided to define critical infrastructure using the
federal definition to provide further clarity, which read:
"critical infrastructure" means systems and assets,
whether physical or virtual, so vital to the state
that the incapacity or destruction of the systems and
assets would have a debilitating effect on security,
state economic security, state public health or
safety, or any combination of those matters;
MR. CORDERO said he stated "Alaska" instead of "state" for
emphasis.
2:21:43 PM
MR. CORDERO said a previous US President signed an order a few
years ago citing the different areas for critical
infrastructure, including chemicals, utilities, transportation,
and telecommunications. The Department of Military & Veterans
Affairs (DMVA) plans mitigation strategies and supports state
agencies once a disaster is declared. According to the Alaska
Disaster Act, part of the role includes advance planning. Last
year, DMVA testified that cybersecurity is not in their
guidelines because the term is not in statute.
2:23:06 PM
SENATOR MYERS said the definition states the critical
infrastructure must be "owned or operated by the state." He
asked how it would affect the electrical grid owned by various
cooperatives throughout the state since it is critical
infrastructure.
MR. CORDERO said the bill reads critical infrastructure "or" so
the definition would include the electrical grid.
2:23:54 PM
CHAIR HOLLAND read [subparagraph (F) a cyber attack that
affects] "critical infrastructure in the state, an information
system owned or operated by the state ...." He stated that
language would cover the electrical grid.
MR. CORDERO said the Department of Administration determines
what is included in critical infrastructure.
2:24:44 PM
SENATOR HUGHES referred to page 2, lines 23-24 of HB 3. She said
this language refers to cyber attacks that have not happened but
that could potentially happen. She surmised that if the
department knew ahead of time, it could possibly stop an attack,
but probably not. She wondered why it would be necessary to
declare a disaster.
2:25:28 PM
MR. CORDERO answered that the intelligence community typically
reaches out to government agencies about imminent cyber attacks.
If it is not contained and becomes widespread, the department
would need to take steps to issue a disaster declaration. Often,
the state identifies a vulnerability and the presence of a bad
actor. The department would determine if it warranted using
resources to ensure a cyber attack doesn't happen. He deferred
to the experts at DMVA to answer the question more fully.
2:26:31 PM
SENATOR HUGHES related her understanding that critical
infrastructure does not require state ownership. For example,
suppose banks were attacked and their infrastructure was
infiltrated or dismantled. The critical infrastructure would not
necessarily be a port or power line. She asked if HB 3 would
apply to private sector infrastructure.
MR. CORDERO answered that she was correct. He stated that
critical infrastructure could involve economic loss, lack of
food, medicine, or fuel.
2:27:47 PM
SENATOR SHOWER echoed Mr. Cordero's comments. He explained that
the intelligence community might indicate a cyber attack
happening somewhere in the world that potentially could happen
in Alaska. He surmised that the state could declare a disaster
in advance to prevent it.
2:28:16 PM
SENATOR MYERS noted that Mr. Fisher from DMVA was available to
answer questions.
2:28:35 PM
SENATOR HUGHES said she was initially concerned about the
language on page 3 defining "critical infrastructure" that read
"would have a debilitating effect on security ..." She wondered
if "debilitating" might be subjective but was reassured when she
read the existing language in statute includes "... widespread
or severe damage, injury, loss of life or property, ...."
CHAIR HOLLAND turned to invited testifiers.
2:30:22 PM
PAULA VRANA, Commissioner Designee, Department of
Administration, Juneau, Alaska, stated that the administration
supports HB 3 since it does not change the structure of the
current Alaska Disaster Act statutes but will update the
statutes to address Alaska's current needs. She stated that
Chris Letterman, Chief Information Officer, Department of
Administration, could answer any technical questions.
2:31:55 PM
BRYAN FISHER, Director, Alaska Division of Homeland Security and
Emergency Management, Department of Military and Veterans
Affairs, Joint Base Elmendorf-Richardson Alaska, via Teams,
stated that the administration supports HB 3. He said he was
involved in the Mat-Su Borough (MSB) response to the cyber
attack that affected the borough and the City of Valdez.
MR. FISHER highlighted that the governor's cabinet has a subset
known as the governor's disaster cabinet that reviews a cyber
event, analyses it, and makes recommendations to the governor
based on the statutory definition on whether an event rises to
the level of a disaster emergency. He said the disaster cabinet
met three times and held six hours of discussions on this
definition. The division fully supports adding cyber attacks and
cyber events to the definition of "disaster".
2:33:17 PM
MR. FISHER, in response to Senator Hughes' earlier questions,
referred to a handout in members' packets from the Federal
Cybersecurity & Infrastructure Security Agency that identifies
16 critical infrastructure sectors. The State of Alaska
Emergency Operations Plan addresses cyber events. He stated that
a cyber attack that affects the economic sector is one measure.
However, the division has other programs and policies it must
consider. He said private businesses generally do not benefit
from state or federal disaster funds after an emergency is
declared.
MR. FISHER highlighted that a hurricane might fall into "the
credible threat of an imminent cyber attack or cyber event"
because weathermen can forecast hurricanes. Thus, communities
may need additional resources to prepare for one. He related
that the state deployed the US Army National Guard to remove
snow from roofs of critical infrastructure in Yakutat to prevent
damage. He suggested that any "imminent threat or credible
threat" as certified by the Department of Administration would
be similar.
2:35:13 PM
SENATOR KIEHL asked about "cyber event" as a term in the bill
that was not defined.
MR. FISHER emphasized the distinction between a cyber attack and
a cyber event. He highlighted instances of natural, man-made or
cyber attacks to infrastructure that are not necessarily cyber
attacks. These cyber events lack criminal, human, or terrorist
intent. However, these events could lead to system failures that
could compromise the security, availability, integrity and
assurance of systems. For example, some years ago, lightning
struck the State Office Building causing damage to the
telecommunications infrastructure.
2:37:30 PM
CHRIS LETTERMAN, Chief Information Security Officer, Office of
Information Technology, Department of Administration, Juneau,
Alaska, read prepared remarks.
The cyber threats that are facing the public sector
continue to evolve in terms of speed, volume, and
their impacts. Malicious cyber actors ranging from
novice to nation-state sponsored, are principally
motivated by financial gain and political ends. Cyber
threat to political sector critical infrastructure has
expanded the conversation beyond the digital into the
physical realm with the potential to impact life,
safety, and public health.
This legislation would support the state and political
subdivisions should critical infrastructure systems be
impacted by a cyber attack or a cyber event. It will
bring about a needed maturity to enable support
activities and timeliness of resources necessary for
recovery.
2:39:20 PM
PETER HOUSE, IT Security Expert, Deeptree, Inc., Palmer, Alaska,
via teleconference, said he was testifying from Utqiagvik. He
advised that he is a cybersecurity professional who worked on
the Mat-Su Borough during their cyber attack. He was surprised
at the number of departments that needed to restore services. He
reported that the cyber attack disrupted work throughout the
entire borough, so staff scrambled to find ways to do their jobs
without digital technology. He wondered what would happen if a
cyber event created life threatening events. He offered his view
that HB 3 will go a long way towards allowing a rapid response
to these cyber events and accelerate the state's ability to
ensure that critical services are available to the public with
minimal disruption. He said there are many metrics this bill
will help address.
MR. HOUSE reported that he has noticed an overall increase in
cyber attacks on organizations throughout Alaska from his
vantage point in the security operation center. He offered his
belief that HB 3 will go a long way to help the state respond to
cyber attacks or events.
2:42:13 PM
SENATOR SHOWER reported that the state receives an average of
over one million attempted cyber attacks per day.
2:42:34 PM
SENATOR HUGHES appreciated Mr. House's insight. She indicated
that the legislature is concerned about keeping all communities
in the state safe.
2:43:30 PM
ERIK WYATT, IT Director, Matanuska-Susitna Borough (MSB),
Palmer, Alaska, via Teams, stated that the legislature was aware
of the MSB's cyber attack that occurred three years ago. He
highlighted that the cost of recovery from the cyber attack was
$2.5 million. Cyber attacks directed at critical infrastructure
adversely impacted the MSB and other political subdivisions'
ability to serve the public. He reported that the cyber attack
disrupted the borough for 60 days. MSB's critical infrastructure
affected included its emergency services (EMS), fire and rescue
services, and GIS resources that support them. The Kenai
Peninsula Borough (KPB) experienced a cyber attack that
adversely affected its 911 communications. Cyber attacks can
destroy or disrupt emergency operations and communications. The
MSB also provides water and sewer services to Talkeetna. During
the winter cyber attacks could halt transportation by disrupting
the borough's ability to plow roads.
2:46:04 PM
SENATOR MYERS asked what systems were affected in the Mat-Su
Borough cyber attack.
MR. WYATT answered that all MSB's IT systems were affected,
including email and servers. One exception was the separate
network that provides a land mobile radio system that supports
MSB's emergency services. He said that system was not affected.
2:46:55 PM
SENATOR HUGHES asked what precautions the Mat-Su Borough has
taken since the cyber attack.
MR. WYATT answered that the Mat-Su Borough (MSB) added a
cybersecurity analyst position and converted another position to
a part-time chief information security officer. The borough also
added some IT security systems to create layered security that
will allow MSB to identify and isolate cyber threats. MSB also
issued contracts to allow the borough to reach out more quickly
to consultants and improve cybersecurity responses.
2:48:24 PM
NILS ANDREASSEN, Executive Director, Alaska Municipal League
(AML), Juneau, Alaska, spoke in support of HB 3. He stated that
he agreed with the previous testifiers. He said AML supports the
language in the bill that includes political subdivisions. He
emphasized the importance of maintaining the relationship
between the state and its political subdivisions. Ambiguity is
the last thing needed during a cyber attack. AML supports
efforts to strengthen the state's Disaster Act. He characterized
it as critically important to ensure that state support and
resources are on hand for deploying efficiently and effectively
when a local government is overwhelmed by a cyber attack. He
said he appreciated the sponsor bringing this bill forward.
2:49:38 PM
SENATOR HUGHES commented that prevention is less expensive than
treatment. She asked if communities were acquiring expertise and
information to bring them current on cybersecurity measures.
2:50:11 PM
MR. ANDREASSEN answered that AML has prioritized cybersecurity.
Last year, AML implemented a shared service program for local
governments that focuses on in-point protection. This helps to
ensure that all systems have the appropriate hygiene and
communities perform updates to ensure their systems are
protected. He remarked that federal infrastructure funding is
available to support that effort. He said that many local
governments have already added layers of protection to their
systems.
2:51:35 PM
SENATOR KIEHL said HB 3 would add language to the front of the
Disaster Act. However, the statutes provide powers once a
disaster is declared. He asked if the committee should narrow it
down to limit triggering these powers.
MR. FISHER answered that AS 26.23.020 of the Alaska Disaster Act
enumerates the governor's powers when a disaster emergency is
declared. He offered his view that narrowing these powers should
not be done. For example, Mr. Letterman stated how cyber threats
cross over from the virtual to the physical world. Suppose the
state had a cyber attack that caused water and electrical
distribution. There might be powers at the front end of these
statutes the governor has such as controlling access to a
disaster area if a kinetic or physical disruption occurred. Mr.
Wyatt stated that systems were in place for MSB to conduct
business electronically that had to change. Local ordinances and
the borough's charter allowed MSB to use some local
flexibilities. He envisioned the state might need the
flexibility to suspend regulations to enable the community to
conduct business in another way if their systems were
compromised, disrupting regular business functions.
2:54:20 PM
SENATOR SHOWER asked if the Alaska Disaster Act has a nexus to
federal funds.
MR. FISHER answered yes. Just as the state can declare an
emergency, it can request federal disaster funds.
2:55:34 PM
SENATOR HUGHES said she had the same concern. She advocated for
the legislature to revise the Alaska Disaster Act and to create
a separate section for health disasters. She expressed concern
about the checks and balances between governmental branches. It
might make sense for the legislature to decide if some executive
orders should continue. She acknowledged that this bill was not
the appropriate vehicle for a rewrite since it could delay
passage of HB 3.
2:57:22 PM
CHAIR HOLLAND held HB 3 in committee.