While most of us are aware of the outcomes from November’s election in gubernatorial, state legislature and other local races affecting where we live, you may be less aware of the impact of those state elections. Because of the wide range of governance responsibilities held by states, these elections have huge consequences for their residents and the local governments they control. Recently I had the opportunity to present on issues in state and local cybersecurity, one major area where state policy is critically influential. What states choose to do with that power has significant effects.
As a result of federal inaction — or restraint, depending on your perspective — it is largely up to states to set cybersecurity policy for the public and private organizations within their borders. Although the federal government does have institutions like NIST, the National Institute of Standards and Technology, which guides federal agencies through its cybersecurity framework, the US Congress has in general been far more hesitant than the European Parliament to pass laws to regulate the internet or technology. Additionally, it has only just voted to centralize federal management of cybersecurity issues into a single agency. This approach has left many aspects of cybersecurity management unaddressed at the national level, leaving states to frequently serve as the highest legal authority on cybersecurity issues.
In this environment, local governments do what they can — but often aren’t happy with the level of security they are able to achieve. ICMA, the International City/County Management Association, partnered with University of Maryland – Baltimore County researchers to produce the 2016 Cybersecurity Survey of local governments. Among other things, the survey revealed that more than a quarter of the local governments that track attacks on their information systems find evidence of attacks happening on an hourly basis. The most frequent cause governments identify for attacks is illegal efforts to hold their systems for ransom. Most local governments don’t feel they currently have enough resources to achieve the highest levels of cybersecurity. In fact, around 40% of local governments don’t even track system breaches, and fewer than half of local governments have formal cybersecurity plans, standards for vendors, plans for breach recovery, or a risk management plan.
Some state legislatures are providing leadership. California has come to occupy a role of national leadership on tech regulation – partly by being the first to create new law in the area, but also by being a large enough market to affect the design of commercial products. In 2002, California passed the first data breach notification law in the country, influencing the rest of the states to adopt versions of their own. State data breach laws, in turn, reduce public harm by causing companies to become much more responsible with consumer information, since consumers now have much more information about the actual frequency of data breaches.
California is again providing leadership by passing a trifecta of important cybersecurity laws. It recently passed the first state IoT security law, which is likely to have much larger effects due to the size and significance of the California consumer market. Coming into effect in 2020, California’s IoT law aims to stop the sale of IoT devices that have preprogrammed passwords, a flaw that has allowed devices to be hacked for the commission of DDoS attacks. The IoT security law comes on the heels of the passage of the California Consumer Privacy Act, which further strengthens security measures because it adds a private right of action when companies fail to secure consumer information. Finally, California just passed a law creating the Office of Elections Cybersecurity. Given the fact that states are the level of government managing all US elections, elections-focused cybersecurity law is a particularly critical area for states to get right. California’s new state office will be responsible for coordinating information sharing with county- and city-level elections officials as well as federal officials on cyber threats, becoming the overseer of local boards of election cybersecurity training. The state plans to dedicate $134 million in additional election spending during the next few years to modernize voting equipment.
Other states have also passed a number of cybersecurity laws, which in turn support the security of their local governments. There has been periodic progress on security across the data lifecycle: now 14 state governments are bound by data disposal laws, for example, and more than half of states require businesses to properly dispose of personally identifying information (PII) that they have collected. All states now have laws which identify computer crimes. Specific areas of crime are becoming increasingly defined: for example, 20 states have laws to criminalize spyware installation and 24 criminalize phishing. Other individual states (beyond California) are also finding new ways to protect residents by supporting local governments. The Michigan Department of Technology, Management and Budget recently created a center for supporting municipal cybersecurity – they call it “CISO [Chief Information Security Officer] as a service.”
The National Conference of State Legislatures (NCSL) regularly compiles information about specific areas of state legislation, and they have put together a comprehensive overview of the 265 cybersecurity bills that were considered in state legislatures across the country in 2018. To give you a better view of what this looked like by state and topic, we categorized the bills in the NCSL’s list by general subject — identifying whether they dealt with improving opportunities for workforce education (“education”), election security (“elections”), improving security within government (“government”), regulating the Internet of Things (or other devices) (“IOT”), or regulating private behavior, often by identifying new categories of computer-based crimes (“public”). We also noted whether the bills had passed into law or not as of late October.
All in all, it’s clear that state legislatures are working actively to try to improve cybersecurity for individuals, governments and private companies. Are they doing enough in your state? It’s a great time to find out. Since we’re currently in the moment when many state legislatures are accepting “prefiled” bills for the next legislative session, and with so many newly elected legislators and governors just shifting from campaigning to governing, now is the time to contact your state officials. Ask them what aspects of cybersecurity matter to them and find out whether they support the legislation that matters to you.