HB 3-DEFINITION OF "DISASTER": CYBERSECURITY  3:05:43 PM CHAIR KREISS-TOMKINS announced that the first order of business would be HOUSE BILL NO. 3, "An Act relating to the definition of 'disaster.'" 3:06:12 PM REPRESENTATIVE DELENA JOHNSON, Alaska State Legislature, prime sponsor, introduced HB 3. She stated that there are many events that elicit an emergency declaration; however, a cybersecurity threat is not one of them. She informed the committee that current Alaska statutes are vague on whether a cyber attack could qualify for such a declaration. She said HB 3 would provide clarity by adding cybersecurity attacks to the definition of disaster, so in the event it's needed, action could be taken, and resources could be used. She relayed that there is an alarming rate of cyber threats throughout the world and referenced a recent cyber attack on the Matanuska-Susitna (Mat-Su) Borough, which created disruptions in day-to-day service operations. She noted that the city of Valdez was also the target of a ransomware attack that was costly to resolve. Additionally, she reported that several state agencies were target by cyber criminals, including Department of Health and Social Services (DHSS) and the Division of Elections. To conclude, she asserted that cybersecurity should qualify for an emergency declaration to allow for the use of emergency funds; the application of funds and other resources that might not be otherwise readily available; and disaster preparation planning. 3:08:39 PM ERIC CORDERO, Staff, Representative DeLena Johnson, Alaska State Legislature, on behalf of Representative Johnson, continued to present HB 3. He reiterated that the bill adds cybersecurity to the definition of a disaster - more specifically, HB 3 adds subsection (F) to AS 26.20.900, the general provisions of the Alaska Disaster Act. Subsection (F) read as follows: (F) a cybersecurity attack that affects critical  infrastructure in the state, an information system  owned or operated by the state, information that is  stored on, processed by, or transmitted on an  information system owned or operated by the state, or  a credible threat of an imminent cybersecurity attack  or cybersecurity vulnerability that the commissioner  of administration or commissioner's designee certifies  to the governor has a high probability of occurring in  the near future; the certification must be based on  specific information that critical infrastructure in  the state, an information system owned or operated by  the state, or information that is stored on, processed  by, or transmitted on an information system owned or  operated by the state may be affected;  MR. CORDERO clarified that the language, "the certification must be based on specific information that critical infrastructure in the state," covers agencies within the nonprofit sector and the private sector that have responsibilities regarding health, energy, telecommunication, or transportation to the public. He further noted that the Department of Military & Veterans' Affairs (DMVA) is responsible for planning, managing, and creating the list of qualifications for "critical infrastructure," which Mr. Cordero could not obtain. He stated that critical infrastructure is not defined under Alaska statutes, adding that DMVA uses the U.S. Department of Homeland Security's definition. He went on to add that according to Legislative Legal Services, the governor could, in some instances, call an emergency if there were a cybersecurity attack or threat; however, the statutes are vague because in in 2000, the legislature removed the words "manmade causes" from the Alaska Disaster Act. He noted that other states that can issue a statewide emergency on cybersecurity have relied on that language. There is, he said, a small provision in the Alaska statute that mentions "equipment," which arguably, could be considered information systems or a database. He emphasized that HB 3 would clarify and update the language in the Alaska Disaster Act. 3:12:59 PM MR. CORDERO reported per the Department of Administration (DOA), that in the last 10 years, there have been as many as 817,000 attempted attacks per year that are general in nature, such as spam mail, viruses, and malware, and 400,000 [attempted] directed attacks per year, which are focused against specific individuals, systems, or departments. He noted that not all attempted attacks were successful. He stated that annually, there have been 497 successful attacks against the state, in which systems or data were either infiltrated or compromised. He added that historically, the most targeted state agencies are Division of Elections, Division of Motor Vehicles (DMV), Department of Revenue (DOR), DHSS, and Department of Transportation & Public Facilities (DOTPF). 3:14:17 PM CHAIR KREISS-TOMKINS opened invited testimony. 3:15:02 PM MARK BREUNIG, Chief Technology Officer, Office of Information Technology, Department of Administration, informed the committee that states such as Florida, Texas, and Washington, as well as the federal government, have been impacted by cybersecurity attacks. He reported that in July 2018, the Mat-Su Borough and the city of Valdez were victims of cyber attacks, and in both cases, critical services were disrupted, and significant damage was caused. Ultimately, emergency relief funding in the Mat-Su Borough alone exceeded $2.5 million. As one of the on-site volunteers to help restore service, he recalled asking "where is the state?" Upon joining DOA, he realized that the state was not unsympathetic, but the language to address a major cybersecurity attack was missing from Alaska statutes. He said HB 3 seeks to remedy that gap. He addressed several instances of cybersecurity attacks in other states, such as Florida, where attackers gained access to industrial control systems at a water treatment plant and attempted to increase the amount of sodium hydroxide. He opined that the additional language in HB 3 is critical to support processes and the success of disaster remediation in Alaska. 3:17:23 PM REPRESENTATIVE EASTMAN asked how far the Mat-Su Borough progressed into the disaster declaration process before the missing language became an obstacle. MR. BREUNIG reported that the Mat-Su Borough's request was received, but there was no legally viable recourse. 3:18:19 PM REPRESENTATIVE CLAMAN inquired about the likelihood of receiving information on a pending cybersecurity attack, which could result in a disaster declaration, before it happens. MR. BREUNIG said the time interval from receiving intelligence before an attack to the time of an actual attack continues to shrink, which is why intelligence from federal and industry partners is greatly valued. He provided the example of solar winds, explaining that the state received the update on solar winds hours before it hit everywhere else allowing Alaska to act quickly. Nonetheless, he reiterated that the days of receiving advanced notice are disappearing. REPRESENTATIVE CLAMAN surmised that in terms of cybersecurity attacks pertaining to critical data, "we're not talking about a disaster declaration because tomorrow we think something's coming - it's going to be ... this just happened ... and now we need help fixing it and it's going to take time and money." MR. BREUNIG replied it will be a mix. He pointed out that [the state] received word of "certain Iranian activities" one week in advance. He emphasized that typically, the amount of advanced notice varies, if any is received at all. 3:21:26 PM REPRESENTATIVE KAUFMAN asked if HB 3 goes far enough to encompass the state's cybersecurity needs. Additionally, he asked if Hb 3 is missing any components. MR. BREUNIG said there is work that needs to be done, but [HB 3] is a significant start. 3:22:02 PM CHAIR KREISS-TOMKINS asked if beyond the scope of this bill, there are recommendations that the legislature should further explore or investigate regarding cybersecurity in general. MR. BREUNIG answered yes, adding that he would welcome a follow- up discussion and further investigation. 3:22:48 PM REPRESENTATIVE VANCE inquired about available federal funds specific to cyber attacks in a declared emergency. MR. BREUNIG relayed that the state currently receives funding through the Federal Emergency Management Agency (FEMA) for emergency response. He noted that recently, CISA [Cybersecurity & Infrastructure Security Agency] announced its intention to contribute additional funding; however, the amount and the date of availability has not been publicized. CHAIR KREISS-TOMKINS asked what the acronym "CISA" stands for. MR. BREUNIG answered Cybersecurity & Infrastructure Security Agency. 3:24:27 PM REPRESENTATIVE STORY asked if qualifying for assistance requires reaching a certain level of disaster. MR. BREUNIG said there is a framework and different criteria for determining the level of attack and disaster. REPRESENTATIVE STORY requested that a description of the criteria be provided to the committee. MR. BREUNIG offered to follow up with the requested information. 3:25:52 PM PAUL NELSON, Director, Division of Homeland Security & Emergency Management, Department of Military & Veterans' Affairs (DMVA), said he has no official testimony prepared at this time; however, he is available for questions from the committee. 3:26:26 PM REPRESENTATIVE EASTMAN offered his understanding that DMVA is involved in the process of declaring a disaster. Referencing Page 2 of the bill, he asked if the Division of Homeland Security and Emergency Management helps determine whether something is a cybersecurity vulnerability. MR. NELSON acknowledged that the division has a minor role and follows the lead of OIT [Office of Information Technology] to identify cybersecurity vulnerabilities. He added that the division and OIT work with other federal and infrastructure partners - both public utility and private sector - to determine the vulnerabilities in the cybersecurity domain and, ideally, mitigate and eliminate them. 3:27:50 PM REPRESENTATIVE KAUFMAN asked where Alaska stands in relation to others. MR. NELSON replied from the perspective of emergency management, Alaska seems to be okay, but there's more work to be done going forward. He opined that HB 3 is a great start, later noting that there is no indication that [cybersecurity attacks] are going to stop, they will only grow more advanced. 3:29:31 PM CHAIR KREISS-TOMKINS asked if HB 3 were to pass, how the state would evaluate the impact of the cybersecurity attack on the Mat-Su Borough. He asked whether it would reach the threshold of warranting a disaster declaration. MR. NELSON explained that Division of Homeland Security & Emergency Management would set up the state emergency operations center wherever the intrusion occurred and evaluate the response and immediate needs while following OIT's lead, which is the standard foundation for any type of response, be it flooding, an earthquake, or a cybersecurity attack. He said the absence of cybersecurity attack from the definition of disaster within AS 26.23.900 "makes it more obscure," whereas the language in HB 3 would help improve the state emergency operations plan. MR. BREUNIG expanded on Mr. Nelson's comments by noting that the National Guard is building cyber capability through their own mandate. He explained that identifying this as a leverage point for declaring a disaster would enable the National Guard to provide cyber support throughout the state. 3:32:57 PM PETER HOUSE, CEO, Deeptree, Inc., informed the committee that his business is an IT firm that specializes in risk management with a particular emphasis on cybersecurity. He provided several personal anecdotes, one which highlighted his work on the Mat-Su Borough attack. He said he saw firsthand the scope of the incident and the impact on Alaskans. He added that whether in the scope of losing access to essential services or disruptions to business, the [cybersecurity] attack was functionally equivalent to the organization being impacted by a traditionally defined disaster. As a responder, he said, the level of responsibility was significant because citizen lives were impacted by the lack of digital infrastructure support. He explained that the responders had two tasks on hand: restore services as quickly as possible and ensure that the evidence required by law enforcement and insurance was retained. He noted that sometimes, it felt like those tasks were at odds with each other when it came to resources and staffing. He recounted that due to the depth of the attack, a large number of specialists and generalists was required; further, for the first few months, the daily briefings were at capacity. He offered his belief that the Borough's declaration of a state of emergency was essential because of those operational factors. He pointed out the extra support that resulted from the disaster declaration made a significant impact on the time it took to restore services; additionally, they received improved operational agility and response capabilities. He went on to convey that that because Alaska is sparsely populated and spread out over thousands of miles, the state has a unique profile, which makes digital technology not only a nicety but a necessity. Furthermore, it places the digital systems on which Alaska relies in a state of operational significance. He pointed out that sometimes the replacements for that equipment are thousands of miles away. MR. HOUSE continued by addressing the 2013 attack on Target. He said it's not widely known that the attack had an initial point of entry through an HVAC vendor. The criminal actors identified a third-party vendor, sent a phishing email, compromised the systems, and rode an engineer's laptop onto the networks when the engineer went on site. He emphasized the importance of that story because Alaska is very connected. He opined that when considering the threat of exposure that could come from a similar situation, Alaska compared to other states has a mildly higher threat profile given the state's geographic location and economy. He added that Alaska does not have many economic "crown jewels," but the few that exist are very important. He concluded by opining that knowing the State of Alaska has a strong security posture and the ability to respond to an emergency enhances the state's overall defensive position. 3:38:21 PM REPRESENTATIVE EASTMAN pointed out that HB 3 speaks to the credible threat of an attack or a cybersecurity vulnerability that has a high probability of occurring in the future. He questioned whether the language opens the door for a situation in which Alaska would be eligible for a disaster for the foreseeable future. He remarked: Or maybe, based on your experience, you would expect that [the] window would close. If so, when would we no longer be in the situation where there is a vulnerability that exists that could trigger this disaster. 3:39:29 PM MR. HOUSE said typically, the software developer - or whoever is responsible for managing the solution - eliminates the vulnerability by patching the system. He noted that in his professional experience, he has never seen a nonterminated vulnerability; further adding that in terms of mainline critical infrastructure vulnerabilities, there is a low probability of a vulnerability persisting for an interminable amount of time. REPRESENTATIVE EASTMAN questioned whether Mr. House is referring to an existing vulnerability or, as the bill expresses, one that has a high probability of occurring in the future. MR. HOUSE said he could not speak to that specific passage; however, he offered his understanding that when something is specifically classified as a vulnerability, it is a "technical exercise" that wouldn't leave room for interpretation. He opined that the legislation as it's currently written, would not allow a state of emergency to continue for an unlimited amount of time. 3:41:41 PM REPRESENTATIVE STORY expressed her concern that people do not have basic protections in place to [protect] them from a cybersecurity [attack]. She asked if municipalities and state agencies are taking adequate precaution. MR. HOUSE recalled seeing higher levels of information sharing and security, as well as an uptick in security operation centers (SOCs), since the Mat-Su Borough event. He provided an example of an institution that provides threat and vulnerability information sharing, which local jurisdictions are partaking in. Furthermore, He said more professionals are undertaking advanced education and training. He noted his specialization in memory forensics, a specialized portion of incident response to cybersecurity events, in which the level of interest has risen. 3:44:36 PM REPRESENTATIVE TARR inquired about the perpetrator's motivation to carry out these attacks. MR. HOUSE said motivations vary. He explained that criminal actors are interested in auctioning off the stolen information on the dark web. Additionally, when the network is compromised, he recalled a growing practice where the network itself is auctioned off for criminal actors to pull the data from, ransom the network, or both. He added that the motivation for nation state actors also varies - in general, they are looking to monetize the networks or gain geopolitical influence. 3:46:36 PM REPRESENTATIVE TARR questioned whether the bill language pertaining to the commissioner designee should be more specific. MR. CORDERO explained that typically, each department determines a plan they want to submit to DMVA and DMVA develops the mitigation and response. He noted that DOA is included in the bill language because it houses the Office of Information Technology. He added that the language regarding the commissioner designee is for the committee to consider at their discretion. 3:48:33 PM REPRESENTATIVE CLAMAN expressed his interest in clarifying the definition of critical infrastructure and what constitutes it. 3:49:25 PM MR. CORDERO read from the document, titled "From the Cybersecurity & Infrastructure Security Agency" [included in the committee packet], as follows: There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. MR. CORDERO acknowledged that "critical infrastructure" is not defined in Alaska statutes. He added that the duty to make that determination was given to [DMVA]. 3:50:27 PM REPRESENTATIVE CLAMAN sought to clarify whether that is the federal definition. MR. CORDERO answered yes. REPRESENTATIVE CLAMAN pointed out that there are other sections in statute that reference federal authority or federal regulation. He suggested including a reference to the federal regulations or federal statutory authority in HB 3 to avoid writing a definition that changes every two years. He opined that the reference would strengthen the bill because it would align the state and federal definition of what constitutes critical infrastructure. MR. CORDERO agreed that it could help clarify critical infrastructure. 3:51:29 PM REPRESENTATIVE EASTMAN asked if there is a definition of cybersecurity that the bill refers to. MR. CORDERO deferred to Mr. Breunig. 3:52:20 PM REPRESENTATIVE VANCE asked if the state has insurance that covers cybersecurity attacks and if so, what criteria must be met to access it or other federal funding. MR. CORDERO offered to follow up with the requested information. 3:53:42 PM CHAIR KREISS-TOMKINS shared his understanding that there was similar, or possibly identical, legislation in the last legislative session. He asked if there are substantive differences between the previous legislation and HB 3. REPRESENTATIVE JOHNSON answered no and explained that that HB 3 is a continuation of the same bill from last session. CHAIR KREISS-TOMKINS advised that there might be a committee substitute with a title change pending further discussions with the sponsor's office. 3:54:55 PM REPRESENTATIVE CLAMAN asked who sponsored the previous legislation. CHAIR KREISS-TOMKINS answered Representative Johnson. [HB 3 was held over.]