Consolidated Technology Services.
The Consolidated Technology Services agency, also known as Washington Technology Solutions (WaTech), supports state agencies as a centralized provider and procurer of certain information technology (IT) services. The Office of the Chief Information Officer (OCIO) is established within WaTech and has certain primary duties related to state government IT, which include establishing statewide enterprise architecture for IT and standards for consistent and efficient operation of IT services throughout state government. The OCIO is responsible for establishing security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's IT systems and infrastructure. In 2021 the Office of CyberSecurity (OCS) was statutorily established within the OCIO. Some of the OCS's responsibilities include establishing standards and policies to protect the state's information technology systems and infrastructure, developing a centralized cybersecurity protocol for protecting and managing state IT assets and infrastructure, creating a model incident response plan for agencies to adopt for certain incidents, and defining core services that are required to be managed by agency IT security programs.
Under the OCIO policy, agencies must classify data into categories based on the sensitivity of the data as follows:
Public Records Act.
The Public Records Act (PRA) requires state and local agencies to make all public records available for public inspection and copying unless a record falls within an exemption under the PRA or another statute that exempts or prohibits disclosure of specific information or records. The PRA is liberally construed, and its exemptions interpreted narrowly. To the extent necessary to prevent an unreasonable invasion of personal privacy, an agency must delete identifying details from the records sought when it makes a record available. A person's right to privacy is violated only if disclosure would be highly offensive to a reasonable person and is not of legitimate concern to the public. Exemptions under the PRA are permissive, meaning that an agency, although not required to disclose, has the discretion to provide an exempt record. Certain information relating to security is exempt from disclosure under the PRA. For example, information regarding the public and private infrastructure and security of computer and telecommunications networks are exempt. Public and private infrastructure and security of computer and telecommunications networks includes: security passwords; security access codes and programs; security risk assessments; security test results to the extent that they identify specific system vulnerabilities; and any other information which, if released, may increase the risk to the confidentiality, integrity, or availability or security of IT infrastructure or assets.
The OCIO must design, develop, and implement enterprise technology standards specific to malware and ransomware protection, backup, and recovery (standards).
The OCIO must also establish a ransomware education and outreach program to educate public agency employees on prevention, response, and remediation of ransomware. As part of the education program, the OCIO must publish and distribute ransomware-response educational materials specifically for chief financial and chief information officers of state agencies. In addition, the OCIO must provide ongoing assistance to the Legislature by identifying mission critical systems that do not maintain backup and recovery capabilities and may require further investment to do so. The OCIO must modify existing portfolio reporting mechanisms to support the collection of data necessary to monitor risk associated with malware and ransomware protections.
Except for institutions of higher education, a state agency that is defined within the standards established by the OCIO must:
The data reported by agencies must be analyzed for risk and used to provide the Legislature with a prioritized list of mission critical systems that requires additional protections to maintain continuity of operations in the event of malicious cyber activity.
By October 31, 2023, the OCIO must analyze and aggregate the data reported by state agencies and report the following to the Governor and Legislature:
This report issued by the OCIO and any information used to inform the report are confidential and may not be disclosed.
Beginning on December 31, 2024, the OCIO must submit a biannual report to the Legislature, Governor, and Technology Services Board on:
The biannual report is exempt from public disclosure.
By December 31, 2025, the Office of Financial Management, Department of Enterprise Services, and WaTech must ensure that all mission critical and business essential IT systems are compliant with established standards and supported by immutable backups. "Immutable backup" means that no external or internal operation can modify the data and the data must never be available in a read or write state to the client.
The Information Security Account is created in the custody of the State Treasurer as a non-appropriated account. Disbursements from the account are subject to authorization by the Director of WaTech (Director). Expenditures from the account may only be used for state agencies to procure immutable data backup and disaster recovery services for mission critical and business essential applications or other critical IT systems. The Director must consider disbursements based on the agency's prioritized application list to ensure the funding is allocated to protect the most vulnerable IT systems containing the most sensitive public information. Money in the account may supplant existing funding to WaTech.
The OCIO must apply for any federal grants or other financial assistance programs for the purpose of security and protection to critical state agency IT systems.
The act is known as the Washington State Ransomware Protection Act.
The requirements that the OCIO design and implement standards specifically for incident reporting and incident response management and remediation and annually review the standards are removed.
The requirement that state agencies comply with the standards is removed, which also removes provisions relating to the waiver from compliance with the standards. The requirement that state agencies execute and analyze monthly vulnerability scans is removed.
The date for state agencies to submit to WaTech a confidential list of prioritized applications based on mission criticality and impact to constituents in the event of system failure or data loss is moved from September 1, 2022, to September 30, 2022.
The OCIO is required to provide ongoing assistance to the Legislature by identifying mission critical systems that do not maintain backup and recovery capabilities.
The purpose of analyzing data that baselines and monitors risk associated with malware and ransomware protections is clarified to require that the data reported by agencies must be analyzed by the OCIO for risk and used to provide the Legislature with a prioritized list of mission critical systems that require additional protections to maintain continuity of operations in the event of malicious cyber activity.
The requirement for technology projects submitted for risk assessment to include an indication of the agency's intent to incorporate data backup and recovery into the project scope is removed.
The Information Technology Security Account is changed from an appropriated to a non-appropriated account and makes the account subject to disbursements by the Director to state agencies to procure immutable data backup and disaster recovery services. WaTech's decisions to disburse funds must consider the agency's prioritized application list. Money in the account may supplant existing funding to WaTech.
(In support) The State Auditor's report published in 2020 highlighted glaring gaps in the state agency's ability to protect public data. As we moved online as a result of COVID-19, public and private data were put at a higher risk due to increased dependency on technology. Malicious cyber activity has increased by 600 percent since 2018. Data backup and investing in recovery systems are ways to protect against ransomware attacks. As demonstrated by the ransomware attack on Lincoln County during the certification of the election in 2020, bad actors are after the valuable identifying information that state agencies collect such as a person's signature, name, address, and date of birth. A person who has access to this information can download another person's ballot online and print a fraudulent ballot, which, if received first, is treated as a legitimate ballot.
Most agency applications used do not have a data backup systems. Mission critical and business essential applications are what we want to protect first. Immutable backups will make it so the data is not changed when it's stored and will allow agencies to recover the data unchanged from those who hold it hostage. This policy signifies that the state will continue its commitment to good stewardship of its residents data and fight against cyber attacks.
(Opposed) None.
(Other) Small and medium sized organizations like state agencies are disproportionately impacted by cyber attacks. Ransomware is overwhelming all organizations. An attack occurs every 11 seconds and the number is growing. The global cost of cyber attacks was around $17 billion in 2020 alone. After an attack, full recovery of data can take six to nine months if there is no backup.
The use of data backup systems and disaster recovery is an important component of recovery from cyber attacks, but there are other security controls that are also important for proactive ransomware protection. WaTech has adopted a cloud-first policy with an intent to migrate state technology assets to cloud services. For applications that aren't cloud ready, they may need to seek data backup services within the state's data center to comply with the 2025 deadline in the bill.
The second substitute bill removes a reference to agency waivers to conform with prior changes made under the substitute bill to remove a process by which agencies could obtain waivers for certain requirements; removes an appropriation of $5 million to the Information Technology Security Account; and adds a null and void clause, making the bill null and void unless funded in the budget.
(In support) There is a rising increase in ransomware attacks across the State of Washington. The risk is growing as state agencies combine and integrate various systems. The policies in this bill should have been implemented several years ago. There are concerns about whether state employees will have sufficient training in preventing ransomware and malware attacks. There are concerns that state employees working from home may present a greater security risk than those working in state facilities.
(Opposed) None.