HB 3-DEFINITION OF "DISASTER": CYBERSECURITY  2:14:42 PM CHAIR HOLLAND announced consideration of CS FOR HOUSE BILL NO. 3(JUD) "An Act relating to the definition of 'disaster.'" 2:15:14 PM REPRESENTATIVE DELANA JOHNSON, Alaska State Legislature, Juneau, Alaska, speaking as sponsor, stated that HB 3 would add cyber attacks to the Alaska Disaster Act. She said Alaska's disaster statutes are vague and need updating. She stated that cyberattacks are increasing; the state has had several attacks in the past year. She noted that under the bill, a declaration must meet two tests to be considered a disaster. First, the incident must be widespread and must cause damage. Second, each incident must be assessed on a case-by-case basis. Last year, a cyber attack disrupted services at the Alaska Court System for several weeks. In addition, a cyber attack disrupted services at the Department of Health and Social Services (DHSS) for a significant time in 2021. The state still does not know the extent of the monetary damage or quantify other effects from the cyber attack. Further, a cyber attack shut down the Mat-Su Borough (MSB), disrupting critical services and causing damages exceeding $25 million. The City of Valdez experienced a ransomware attack requiring substantial payments to regain access to their systems. She related a more significant cyber attack that occurred in Florida in 2020. Cyber attackers gained access to the industrial controls of a water treatment facility and attempted to increase the levels of toxic chemicals in the water system. Although the authorities contained the attack, it raises concerns about what could happen if critical infrastructure disrupts critical services. 2:17:22 PM REPRESENTATIVE D. JOHNSON said adding "cyber attacks" to the definition of disaster would clarify the seriousness of the problem and allow access to resources. 2:17:55 PM ERICK CORDERO, Staff, Representative Delena Johnson, Alaska State Legislature, Juneau, Alaska, on behalf of the sponsor, said the intent of HB 3 was to update Alaska's statutes. He stated that many states have updated or are in the process of updating their disaster laws related to cyber attacks. 2:18:18 PM MR. CORDERO said the bill consists of one section. Page 1, line 4, provides the current definition for a disaster, which read: (2) "disaster" means the occurrence or imminent threat of widespread or severe damage, injury, loss of life or property, or shortage of food, water, or fuel resulting from .... MR. CORDERO stated that categories were listed beginning on page 1, line 7 of HB 3, including natural disasters, environmental dangers, equipment failures, and terrorist attacks. The definition does not list cyber attacks. In 2000, the statute included "man-made" disasters, but that language was removed. The Mat-Su Borough and other political subdivisions requested a definition for a disaster declaration. He explained that declaring a disaster could result in the state or communities achieving access to resources faster. It also would provide the authority to contact agencies for assistance. 2:19:49 PM MR. CORDERO said the state responded to the Mat-Su Borough's request for assistance by saying that the statutes were vague. He referred to the Legal Services memo in members' packet dated February 10, 2020, from Megan Wallace, Director, who advised that equipment failure could qualify as a "disaster" under AS 26.23.900(2)(C). Still, it should be defined to provide certainty. HB 3 would clarify that cybersecurity is a problem and define cyber attacks in statute. 2:20:23 PM MR. CORDERO said the language on page 2 line 17, subparagraph (F) would add cyberattacks to the definition, specifically if it affects critical infrastructure. He characterized critical infrastructure as key. It is a term typically used by the federal government. It also identified information systems owned or operated by the state or a political subdivision of the state. 2:21:08 PM MR. CORDERO stated that during the committee process, the sponsor decided to define critical infrastructure using the federal definition to provide further clarity, which read: "critical infrastructure" means systems and assets, whether physical or virtual, so vital to the state that the incapacity or destruction of the systems and assets would have a debilitating effect on security, state economic security, state public health or safety, or any combination of those matters; MR. CORDERO said he stated "Alaska" instead of "state" for emphasis. 2:21:43 PM MR. CORDERO said a previous US President signed an order a few years ago citing the different areas for critical infrastructure, including chemicals, utilities, transportation, and telecommunications. The Department of Military & Veterans Affairs (DMVA) plans mitigation strategies and supports state agencies once a disaster is declared. According to the Alaska Disaster Act, part of the role includes advance planning. Last year, DMVA testified that cybersecurity is not in their guidelines because the term is not in statute. 2:23:06 PM SENATOR MYERS said the definition states the critical infrastructure must be "owned or operated by the state." He asked how it would affect the electrical grid owned by various cooperatives throughout the state since it is critical infrastructure. MR. CORDERO said the bill reads critical infrastructure "or" so the definition would include the electrical grid. 2:23:54 PM CHAIR HOLLAND read [subparagraph (F) a cyber attack that affects] "critical infrastructure in the state, an information system owned or operated by the state ...." He stated that language would cover the electrical grid. MR. CORDERO said the Department of Administration determines what is included in critical infrastructure. 2:24:44 PM SENATOR HUGHES referred to page 2, lines 23-24 of HB 3. She said this language refers to cyber attacks that have not happened but that could potentially happen. She surmised that if the department knew ahead of time, it could possibly stop an attack, but probably not. She wondered why it would be necessary to declare a disaster. 2:25:28 PM MR. CORDERO answered that the intelligence community typically reaches out to government agencies about imminent cyber attacks. If it is not contained and becomes widespread, the department would need to take steps to issue a disaster declaration. Often, the state identifies a vulnerability and the presence of a bad actor. The department would determine if it warranted using resources to ensure a cyber attack doesn't happen. He deferred to the experts at DMVA to answer the question more fully. 2:26:31 PM SENATOR HUGHES related her understanding that critical infrastructure does not require state ownership. For example, suppose banks were attacked and their infrastructure was infiltrated or dismantled. The critical infrastructure would not necessarily be a port or power line. She asked if HB 3 would apply to private sector infrastructure. MR. CORDERO answered that she was correct. He stated that critical infrastructure could involve economic loss, lack of food, medicine, or fuel. 2:27:47 PM SENATOR SHOWER echoed Mr. Cordero's comments. He explained that the intelligence community might indicate a cyber attack happening somewhere in the world that potentially could happen in Alaska. He surmised that the state could declare a disaster in advance to prevent it. 2:28:16 PM SENATOR MYERS noted that Mr. Fisher from DMVA was available to answer questions. 2:28:35 PM SENATOR HUGHES said she was initially concerned about the language on page 3 defining "critical infrastructure" that read "would have a debilitating effect on security ..." She wondered if "debilitating" might be subjective but was reassured when she read the existing language in statute includes "... widespread or severe damage, injury, loss of life or property, ...." CHAIR HOLLAND turned to invited testifiers. 2:30:22 PM PAULA VRANA, Commissioner Designee, Department of Administration, Juneau, Alaska, stated that the administration supports HB 3 since it does not change the structure of the current Alaska Disaster Act statutes but will update the statutes to address Alaska's current needs. She stated that Chris Letterman, Chief Information Officer, Department of Administration, could answer any technical questions. 2:31:55 PM BRYAN FISHER, Director, Alaska Division of Homeland Security and Emergency Management, Department of Military and Veterans Affairs, Joint Base Elmendorf-Richardson Alaska, via Teams, stated that the administration supports HB 3. He said he was involved in the Mat-Su Borough (MSB) response to the cyber attack that affected the borough and the City of Valdez. MR. FISHER highlighted that the governor's cabinet has a subset known as the governor's disaster cabinet that reviews a cyber event, analyses it, and makes recommendations to the governor based on the statutory definition on whether an event rises to the level of a disaster emergency. He said the disaster cabinet met three times and held six hours of discussions on this definition. The division fully supports adding cyber attacks and cyber events to the definition of "disaster". 2:33:17 PM MR. FISHER, in response to Senator Hughes' earlier questions, referred to a handout in members' packets from the Federal Cybersecurity & Infrastructure Security Agency that identifies 16 critical infrastructure sectors. The State of Alaska Emergency Operations Plan addresses cyber events. He stated that a cyber attack that affects the economic sector is one measure. However, the division has other programs and policies it must consider. He said private businesses generally do not benefit from state or federal disaster funds after an emergency is declared. MR. FISHER highlighted that a hurricane might fall into "the credible threat of an imminent cyber attack or cyber event" because weathermen can forecast hurricanes. Thus, communities may need additional resources to prepare for one. He related that the state deployed the US Army National Guard to remove snow from roofs of critical infrastructure in Yakutat to prevent damage. He suggested that any "imminent threat or credible threat" as certified by the Department of Administration would be similar. 2:35:13 PM SENATOR KIEHL asked about "cyber event" as a term in the bill that was not defined. MR. FISHER emphasized the distinction between a cyber attack and a cyber event. He highlighted instances of natural, man-made or cyber attacks to infrastructure that are not necessarily cyber attacks. These cyber events lack criminal, human, or terrorist intent. However, these events could lead to system failures that could compromise the security, availability, integrity and assurance of systems. For example, some years ago, lightning struck the State Office Building causing damage to the telecommunications infrastructure. 2:37:30 PM CHRIS LETTERMAN, Chief Information Security Officer, Office of Information Technology, Department of Administration, Juneau, Alaska, read prepared remarks. The cyber threats that are facing the public sector continue to evolve in terms of speed, volume, and their impacts. Malicious cyber actors ranging from novice to nation-state sponsored, are principally motivated by financial gain and political ends. Cyber threat to political sector critical infrastructure has expanded the conversation beyond the digital into the physical realm with the potential to impact life, safety, and public health. This legislation would support the state and political subdivisions should critical infrastructure systems be impacted by a cyber attack or a cyber event. It will bring about a needed maturity to enable support activities and timeliness of resources necessary for recovery. 2:39:20 PM PETER HOUSE, IT Security Expert, Deeptree, Inc., Palmer, Alaska, via teleconference, said he was testifying from Utqiagvik. He advised that he is a cybersecurity professional who worked on the Mat-Su Borough during their cyber attack. He was surprised at the number of departments that needed to restore services. He reported that the cyber attack disrupted work throughout the entire borough, so staff scrambled to find ways to do their jobs without digital technology. He wondered what would happen if a cyber event created life threatening events. He offered his view that HB 3 will go a long way towards allowing a rapid response to these cyber events and accelerate the state's ability to ensure that critical services are available to the public with minimal disruption. He said there are many metrics this bill will help address. MR. HOUSE reported that he has noticed an overall increase in cyber attacks on organizations throughout Alaska from his vantage point in the security operation center. He offered his belief that HB 3 will go a long way to help the state respond to cyber attacks or events. 2:42:13 PM SENATOR SHOWER reported that the state receives an average of over one million attempted cyber attacks per day. 2:42:34 PM SENATOR HUGHES appreciated Mr. House's insight. She indicated that the legislature is concerned about keeping all communities in the state safe. 2:43:30 PM ERIK WYATT, IT Director, Matanuska-Susitna Borough (MSB), Palmer, Alaska, via Teams, stated that the legislature was aware of the MSB's cyber attack that occurred three years ago. He highlighted that the cost of recovery from the cyber attack was $2.5 million. Cyber attacks directed at critical infrastructure adversely impacted the MSB and other political subdivisions' ability to serve the public. He reported that the cyber attack disrupted the borough for 60 days. MSB's critical infrastructure affected included its emergency services (EMS), fire and rescue services, and GIS resources that support them. The Kenai Peninsula Borough (KPB) experienced a cyber attack that adversely affected its 911 communications. Cyber attacks can destroy or disrupt emergency operations and communications. The MSB also provides water and sewer services to Talkeetna. During the winter cyber attacks could halt transportation by disrupting the borough's ability to plow roads. 2:46:04 PM SENATOR MYERS asked what systems were affected in the Mat-Su Borough cyber attack. MR. WYATT answered that all MSB's IT systems were affected, including email and servers. One exception was the separate network that provides a land mobile radio system that supports MSB's emergency services. He said that system was not affected. 2:46:55 PM SENATOR HUGHES asked what precautions the Mat-Su Borough has taken since the cyber attack. MR. WYATT answered that the Mat-Su Borough (MSB) added a cybersecurity analyst position and converted another position to a part-time chief information security officer. The borough also added some IT security systems to create layered security that will allow MSB to identify and isolate cyber threats. MSB also issued contracts to allow the borough to reach out more quickly to consultants and improve cybersecurity responses. 2:48:24 PM NILS ANDREASSEN, Executive Director, Alaska Municipal League (AML), Juneau, Alaska, spoke in support of HB 3. He stated that he agreed with the previous testifiers. He said AML supports the language in the bill that includes political subdivisions. He emphasized the importance of maintaining the relationship between the state and its political subdivisions. Ambiguity is the last thing needed during a cyber attack. AML supports efforts to strengthen the state's Disaster Act. He characterized it as critically important to ensure that state support and resources are on hand for deploying efficiently and effectively when a local government is overwhelmed by a cyber attack. He said he appreciated the sponsor bringing this bill forward. 2:49:38 PM SENATOR HUGHES commented that prevention is less expensive than treatment. She asked if communities were acquiring expertise and information to bring them current on cybersecurity measures. 2:50:11 PM MR. ANDREASSEN answered that AML has prioritized cybersecurity. Last year, AML implemented a shared service program for local governments that focuses on in-point protection. This helps to ensure that all systems have the appropriate hygiene and communities perform updates to ensure their systems are protected. He remarked that federal infrastructure funding is available to support that effort. He said that many local governments have already added layers of protection to their systems. 2:51:35 PM SENATOR KIEHL said HB 3 would add language to the front of the Disaster Act. However, the statutes provide powers once a disaster is declared. He asked if the committee should narrow it down to limit triggering these powers. MR. FISHER answered that AS 26.23.020 of the Alaska Disaster Act enumerates the governor's powers when a disaster emergency is declared. He offered his view that narrowing these powers should not be done. For example, Mr. Letterman stated how cyber threats cross over from the virtual to the physical world. Suppose the state had a cyber attack that caused water and electrical distribution. There might be powers at the front end of these statutes the governor has such as controlling access to a disaster area if a kinetic or physical disruption occurred. Mr. Wyatt stated that systems were in place for MSB to conduct business electronically that had to change. Local ordinances and the borough's charter allowed MSB to use some local flexibilities. He envisioned the state might need the flexibility to suspend regulations to enable the community to conduct business in another way if their systems were compromised, disrupting regular business functions. 2:54:20 PM SENATOR SHOWER asked if the Alaska Disaster Act has a nexus to federal funds. MR. FISHER answered yes. Just as the state can declare an emergency, it can request federal disaster funds. 2:55:34 PM SENATOR HUGHES said she had the same concern. She advocated for the legislature to revise the Alaska Disaster Act and to create a separate section for health disasters. She expressed concern about the checks and balances between governmental branches. It might make sense for the legislature to decide if some executive orders should continue. She acknowledged that this bill was not the appropriate vehicle for a rewrite since it could delay passage of HB 3. 2:57:22 PM CHAIR HOLLAND held HB 3 in committee.