SENATE BILL REPORT

SHB 1470

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by Senate Committee On:

Government Operations & Security, March 24, 2015

Title: An act relating to establishing a blue-ribbon panel on cybersecurity.

Brief Description: Establishing a blue-ribbon panel on cybersecurity.

Sponsors: House Committee on General Government & Information Technology (originally sponsored by Representatives Hudgins, Smith, Stanford, S. Hunt, Ormsby, McBride and Tarleton).

Brief History: Passed House: 3/02/15, 97-0.

Committee Activity: Government Operations & Security: 3/12/15, 3/24/15 [DP].

SENATE COMMITTEE ON GOVERNMENT OPERATIONS & SECURITY

Majority Report: Do pass.

Signed by Senators Roach, Chair; Pearson, Vice Chair; Liias, Ranking Minority Member; Dansel, Habib and McCoy.

Staff: Samuel Brown (786-7470)

Background: Office of the Chief Information Officer (OCIO). OCIO was created in 2011 within the Office of Financial Management and is responsible for the preparation and implementation of a strategic information technology (IT) plan and enterprise architecture for the state. OCIO, directed by the state Chief Information Officer (CIO), works toward standardization and consolidation of IT infrastructure and establishes IT standards and policies, including state IT security policies. OCIO also prepares a biennial state performance report on IT, evaluates current IT spending and budget requests, and oversees major IT projects.

Military Department. The Military Department administers the state's comprehensive program of emergency management. The Adjutant General directs the Military Department and is responsible for developing a comprehensive, all-hazard emergency plan for the state that includes analysis of natural, technological, or human-caused hazards and procedures to coordinate local and state resources in responding to such hazards.

In 2013 Governor Inslee designated the Military Department as the primary agency for communication with the Department of Homeland Security on all cybersecurity matters within state government and appointed the Adjutant General as the senior official representing Washington for management and coordination of cybersecurity issues within the state and at the federal level.

Summary of Bill: A blue-ribbon panel on cybersecurity, to be co-chaired by the CIO and Adjutant General, is created. Panel membership must include representatives from local governments, public utility districts, private utilities, state IT officials, and cybersecurity experts. The panel must review issues such as protecting critical infrastructure from the threat of cyberattack, protecting data transfer and enhancing the security of the state's intergovernmental network, and best practices for local government response in the event of a cybersecurity incident.

OCIO must provide staff support for and pay the expenses of the panel. OCIO must submit a report of the panel's recommendations to the Legislature, the Governor, and organizations representing local governments or utilities, by December 12, 2016.

Appropriation: None.

Fiscal Note: Available. New fiscal note requested on March 10, 2015.

Committee/Commission/Task Force Created: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: Right now cybersecurity is adapting very quickly, and infrastructure is frequently targeted. Security has been the top priority for CIOs in state governments for the last two years. The panel will point to gaps we need to shore up and start a risk assessment, matching tools, procedures, and training to make us more secure. There’s no way to get 100 percent security – you just find the problems where the solutions have the biggest bang for the buck and implement those.

Persons Testifying: PRO: Tony Kevin, F5 Networks; John Roach, Global Business Analysis, Inc.

Persons Signed in to Testify But Not Testifying: No one.