Cybersecurity & Tech

The Democratic National Committee is claling on state party offices to srengthen cyber security.

Buzz Feed | DNC Warns State Parties On Cybersecurity: Be Better

Connecticut is creating the Connecticut Cyber Task Force.

The Connecticut Cyber Task Force will consist of:

• a mix of Local, state and federal law enforcement agencies:
  • FBI
  • Drug Enforcement Administration
  • U.S. Secret Service
  • U.S. Postal Inspection Service
  • Homeland Security Investigations
  • Internal Revenue Service – Criminal Investigation
  • Defense Criminal Investigative Service
  • Connecticut State Police
  • 11 police departments from across the state, including the Bridgeport, Bristol, Fairfield, Greenwich, Hartford, New Canaan, New London, Norwalk, Stamford, Torrington and Westport Police Departments
• coordinated efforts for  emerging cyber threats
• provide training, resources and investigative strategies to address the significant ransomware and business email compromise attacks

2 Priorities of the tax force:

• identify and disrupt criminal organizations that use computer intrusions to defraud companies of their money and information
• target criminal activity on the dark web

United States Attorney’s Office District of Connecticut | U.S. Attorney and Law Enforcement Partners Announce Formation of Connecticut Cyber Task Force

A bipartisan bill in Congress seeks to require social media companies to disclose the same campaign related information that is required of radio and tv.

Which social media companies would be affected? websites, apps, search engines, social media and ad networks with over 50 million unique visitors

What would be trigger amount for dislcosures?  if a person or entity spends at least $500 on political ads a year

What disclosures would be required?

•  copies of ads
• information about groups purchasing ads
• data on the targets of the ads 

S 1989 (2017) by Kolbuchar, McCain and Warner

The Hill | Bill to halt election meddling on social media introduced

Alexandria Virginia News | Warner, Klobuchar, McCain Introduce Bipartisan Legislation To Prevent Foreign Interference In Future Elections, Improve Transparency Of Online Political Ads

Federal:

• Free Credit freezes:  HR 3766, S 1810 and SB1816,

States:

• New York SB 6879
  • ​require credit reporting agencies to automatically place a freeze on consumer credit files
• ​New York SB 6880
  • require businesses to disclose breaches within 15 days of discovery
•  Illinois (HB 4095 and SB 2230)  & Michigan (HB 5055)
  •  as well as measures providing for free credit freezes

Congressman Tom Graves H.R. 4036:

• “A voluntary review process that individuals and companies can utilize before using active-defense techniques;
  • This provision allows defenders to benefit from review of their proposed active-defense measures by the FBI Joint Taskforce, which will assist defenders in conforming to federal law and improving the technical operation of the measure;
  • The authority to conduct these reviews would exist under a two-year pilot program, and could be amended or renewed at a later date.
• Requires notification to the government for the use of active-cyber defense measures that go beyond beaconing;
• Clarification that the bill does not interfere with a person’s right to seek damages;
• Requires an annual report on the federal government’s progress in deterring cybercrime.”

Tom Graves | Rep. Tom Graves Formally Introduces Active Cyber Defense Bill

• West Virginia’s elections team added a cybersecurity expert from the state National Guard with a top-secret federal security clearance
• Colorado “will now verify election results via an advanced statistical procedure called a risk-limiting audit.”
• Rhode Island “will now verify election results via an advanced statistical procedure called a risk-limiting audit.”
• Delaware is moving its voter-registration list off the state’s aging mainframe computer

There are also new federal guidelines for election machines.

New York Times |  Wary of Hackers, States Move to Upgrade Voting Systems

The State: Kentucky

The proposed legislation would require companies responsible for a data breach to provide impacted Kentuckians:

• access to a free credit freeze
• 3 free credit reports each year from each of the major credit reporting agencies
• 5 years of credit monitoring
• Require all credit reports be encrypted.

How was the bill proposal announced? The State Attorney General Andy Beshear and the bill’s author, State Senator McGarvey, at AARP Kentucky’s Louisville headquarters

Insider Lousiville  | AG, senator announce legislation to protect Kentuckians following Equifax data breach 

California regulations on ride share require annual data reports. The data required to be sent to the state includes:

• types of service they provide
• what neighborhoods they serve
• how many miles their drivers log

What data do the cities want? 

• Data to help solve local transporation issues
• Ride Share’s affect on roads
• Ride Share’s affect on the environment

The data’s big bad issue: Privacy concerns about rider personal information

The Recorder | Uber and Lyft Resist Regulators’ Appeal for Data Sharing

October is National Cyber Security Awareness Month. Here’s exampkes of what governments and businesses have done to engage:

• D.C. has a Cyberscoop’s  DC CyberWeek  that brings together experts, executives, innovators, influencers and decision makers from government and business sectors to learn, network, hack and improve cybersecurity outcomes.
• ESETand Wrapify are sending a squad of #CyberAware vehicles on San Diego roads offering cyber security trivia and prizes
• Secure San Diego is a day event sponsored by partners The Cyber Center of Excellence & the City of San Diego  to showcase region-wide efforts to nurture a more secure cyber environment

We Live Security | Five cool things happening for National Cyber Security Awareness Month

Thus far in 2017, the number of education data breaches:

• doubled over 2016
• the first half of 2017 saw an increase of 103%
• North American bears the brunt of educaiton hacks, with 88% occuring here
• 74% were caused by malicious outsiders
• 13% were caused by stolen, lost or otherwise compromised records

Campus Technology | Education Data Breaches Double in First Half of 2017

Resiliance is the name of the game. R Street is calling for “resiliance” and not “remediation” in legislative solutions to data breaches.

If bills shouldn’t require that  consumers receive free credit report monitoring and cyber security standards and breach notification requirements for entities that maintain consumer data, what should bills do?

• Require the National Institute of Standards and Technology to maintain a list of brest practices
• The guidelines would ” empower[s] consumers to improve their resilience to cyberattacks”

R Street | Remediation won’t cut it – we need cyber resilience

Recode | Equifax rival TransUnion has hired cybersecurity lobbyists in Washington, D.C.

The Hill | Reddit hires first lobbyists

Texas State Representatives Minajarez, Pickett, Dale, Oliverson & Goldman requested the following interim charge:​

• Study what precautions toll road operators in Texas have in place to prevent cyber security threats, both internal and external.

The Minajarez, Pickett, Dale, Oliverson & Goldman letter to Speaker Straus dated 10.2.2017

During the Congressional hearings on the Equifax breach, Republicans bandied about the idea of requiring credit reporting businesses, that have exposed consumer information, to pay affected consumers “a couple thousand bucks each [consumer]”

The rational: An incentive to keep business data security up to snuff

The Republican: Congressman Joe Barton (R-TX), a founder of the bipartisan Congressional Privacy Caucus

The Hill | GOP rep pitches fines for hacked credit-monitoring firms

Data Security makes Governing’s Top 5 Government Trends to Watch. 

Why is data security such a big deal?

• costly
• includes identity theft which hits your constituents
• securing data and fighting off ransomware is expensive
• as it comes to health care and infrastructure- data security willultimately cost lives

Governing | 5 Government Trends to Watch

• 40% of local government CIOs report experiencing more attacks during the last 12 months
• 26% of CIOs reporting an attack, incident or breach attempt occurring hourly
• 18% report a cyberattempt at least daily
• 78% of municipalities don’t have an adequate password management policy
• 97% of the municipalities he surveyed don’t have a well-documented disaster recovery plan
• 46% store their backup files and records onsite rather than offsite or in the cloud
• 90% of local governments don’t bother to encrypt sensitive emails

Government Technology | Small Towns Confont Big Cyber-Risks

A House Companion to the Senate’s, Securing Energy Infrastructure Act of 2017 by Senator Angus King (I-ME) and Senator James E. Risch (R-ID), has been filed by Congressman C.A. Dutch Ruppersberger (MD-02) and Congressman John R. Carter (TX-31). The legislation will:

• “establishes a two-year pilot program to study covered entities and identify new classes of security vulnerabilities and research and test technology – like analog devices – that could be used to isolate the most critical systems of covered entities from cyber-attacks
• develops a working group to evaluate the technology solutions proposed and develop a national cyber-informed strategy to isolate the energy grid from attacks
• requires the Secretary of Energy to submit a report to Congress describing the results of the program, assessing the feasibility of the techniques considered, and outlining the results of the working group’s evaluations.”

H,R. 3958 (2017)

Congressman Rup[ersberger | RUPPERSBERGER INTRODUCES HOUSE COMPANION TO SENATE ENERGY GRID SECURITY MEASURE

According to the association representing tech giants, cryber crime will have a $6 trillion impact on the U.S. 

Politico | Morning Cyber Security | Cybercrime will cost up to $6 trillion by 2021

The State:  New York

The regulator:  New York’s Department of Financial Services

The Subpoena: Seeks more information about Equifax’s data breach, including:

• details on when Equifax learned of the breach
• details on what actions Equifax took after the breach was discovered

More regulatory enforcement in the works? Yes, New York also wants to impose the financial data security rules it finalized this year to apply to credit reporting agencies like Equifax.

What does this mean for other states? Colorado followed in New York’s footsteps to become the 2nd state to impose specific data security requirement son the financial industry. Look for a specific application to credit reporting agencies forthwith

Reuters | New York regulator subpoenas Equifax over massive data breach: Report

New York Law Journal | NY Issues Subpoena to Equifax Over Breach, Vullo Confirms

Kentucky Attorney General proposes revisions to the state’s data breach notification statute to require:

• Kentuckians impacted by a data breach would gain access to a free credit freeze
• Require access to 3 free credit reports each year from each of the major credit reporting agencies
• Require 5 years of credit monitoring
• Require all credit reports be encrypted

WCPO | Kentucky’s attorney general proposes new data breach protections after Equifax incident

New York General Assembly measure A08679 would allow New Yorkers to check their credit reports as often as they wanted for free.

Federal law requires an annuak free credit report check be available.

New York State Assembly measure SO 6886  would require a breached entity to provide 5 years of free credit freezes.

In the Cybersecurity Act of 2015,   Congress created the Health Care Industry Cybersecurity Task Force.

6 “critical” recommendations were offered:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

2. Increase the security and resilience of medical devices and health IT.

3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

4. Increase health care industry readiness through improved cybersecurity awareness and education.

5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

6. Improve information sharing of industry threats, weaknesses, and mitigations.

JAMA | Cybersecurity—A Serious Patient Care Concern

The local government: Montgomery Co. Maryland

The hackers demanded: 9 bitcoins, valued at between $40,000 and $50,000

Other local governmetns have been able to retrieve data from back up and not pay the ransom, was that tried? Yes, but for reasons unrelated to the hack the backup was not a viable option

What was the value of the data to the county? $5 million

Montgomery Advertiser  | Montgomery County pays ransom, gets data back

Wisconsin’s election officials have created a state elections security team, and here’s what you need to know:

• Inter-agency Communication.  It will work with federal, state and local elections officials
• Cyber security Infrastructure. Builds on cyber-security steps already taken
• Best Practices. Establishes best practices to address ever-changing threats
• Statewide Policies?  The team will consider whether to mandate that local clerks meet minimum security requirements for hardware and software they use
•  3 Ways the Security Team will Help Local Election Administrators.
  • ​Training of local election officials
  • Maintaining a list of key federal, state and local contacts
  • Developing contingency and action plans to deal with security issues

Wisconsin Law Journal | State creating elections security team, plan

• Partner with the private sector and local nonprofits.
• Be creative and develop a program that is customized to the particular area. 
• Develop connections between military and government units that have use for the local talent and the companies that surround them.
• Facilitate the local placement of national government cybersecurity capacities. 

Politico | How to erect an economic powerhouse using cybersecurity

Cybersecurity as an Engine for Growth Authors: Natasha Cohen, Rachel Hulvey, Jittip Mongkolnchaiarunya, Anne Novak, Robert Morgus and Adam Segal

A new report, Cybersecurity as an Engine for Growth, looked at Beersheba, Israel; Malvern, United Kingdom; and San Antonio, United States to find 3 ways cyber security can lead to economic growth:

• Proximity to government cybersecurity functions ups the talent pool & opens up contracting opportunities.
• Being able to attract or develop a workforce is critical.
• Requires Research centers and incubators nearby.
• Industry leadership help raise public awareness & bring crucial capital to the market

Politico Morning Cyber Security | How to erect an economic powerhouse using cybersecurity

• The new hot commodity in data security: blockchain
• How does it work? Llike a spy network where no one entity or server has all the information.
• How quickly can information and payments move? Instaneously with no holding fees.

How does the spy network analogy play out for data?

Say your a city controller making payments to a contractor. The payment can be processed instaneously without being hacked because the information is broken down into packets, encrypted and each packet is sent a different path & then reassembled so that the city knows the funds have been withdrawn and the contract recipient has funds deposited.

Governing | The Next Big Technology to Transform Government 

New York State Assembly is pursuing SB06880 to require a consumer to be notified of a breach within 15 days of discovering the breach.New York SB 06880 (2017)

Supporting changes to New York’s Data Security and Notification Act, the state Attorney General states:

• Expect more from companies entrusted with your data
• All companies need reasonable security measures for their scale of company and type of business (what’s good for Equifax isn’t good for the Zavala Patisserie)
• Private information should include your phone fingerprint or face scan and a slew of other private information

New York Daily News |Op-Ed by New York A.G. Eric Schneiderman | Raising our guard vs. mega-breaches 

Long Island Business News  | AG calls for tighter regs after Equifax breach

Convenience and Fuel retailers and a coalition of that includes the American Hotel & Lodging Association, International Franchise Association, National Association of Realtors, National Association of Truck Stop Operators, National Council of Chain Restaurants, National Grocers Association, National Retail Federation,  Society of Independent Gasoline Marketers of America, and the U.S. Travel Association support 4 principles of data security legislation:

• National Standards. Not piecemeal state regulation.
• Reasonable data security standards. A standard of reasonableness is logical as politics is very reasonable.
• FTC enforcement standards. A path to reign in the other federal agencies exercising data security enforcment- bonjour– FTC, HHS, and SEC.
• Any and all breached entities should be required to notify. No special industry exceptions.

NACS | RETAILERS OUTLINE FOUR PRINCIPLES OF DATA SECURITY 

Illinois is proposing to eliminate fees that credit-reporting companies are allowed to charge for imposing or lifting a credit security freeze.

Illinois Senate Bill 2230 (2017). 

2 Attorneys General (MA and NY) are suing, or my soon sue, Equifax for violating state consumer laws.

This sparked legislation to require credit reporting agencies to have the same scrutiny as banks, hospitals and others that handle confidential consumer data.

CBS This Morning | Mass. attorney general to sue Equifax for violating state consumer protection laws

WGBH | Mass. AG Maura Healey Will Sue Equifax Over Data Breach

Nebraska State Sen. Adam Morfeld is proposing a bill to require a credit reporting agency that has a breach to offer lifetime credit monitoring for free.

Morfeld’s reasoning? Equifax response to its hack was not enough

Virginia de-certified touch screen voting machines that do not leave a paper trail after voting machines were hacked within seconds at a tech conference earlier this year.

A vote by the State Election Department triggered the removal of the voting machines.

Tech Crunch | Virginia just decertified its most hackable voting machines

What is a data trespass law? While it sounds like data security, these laws create a crime against physically entering land to acquire data like pollution or animal cruetly.

Are data trespass laws constititional? Maybe not. A Federal Appeals court has found a Wyoming law likely violates the 1st Amendment.

Who is for these laws? Land owners, members of the Farm Bureau

Who is against these laws? People for the Ethical Treatment of Animals, Center for Food Safety, National Press Photographers Association

Casper Star Tribune | Denver court rules against Wyoming data trespass law

Recent cyber security philanthropic gifts:

• creating a cybersecurity research center aimed at African American students in underserved communities
•  $30 million in gifts to fund the construction of the Madison Cyber Labs as well as scholarships for students and support for additional faculty and staff at Dakota State University
• Harvard, which received a $15 million gift from Robert and Renee Belfer to establish the Cyber Security Project
• Amherst, which netted a $15 commitment from MassMutual Foundation that includes $3 million for its Cybersecurity Institute;
• MIT, Stanford, and UC Berkeley, which received funding thanks to the Hewlett Foundation’s $45 million effort to establish new academic centers for cybersecurity.

Inside Philanthropy | Are Gifts for Cybersecurity the Next Gold Rush for Campus Fundraisers?

Hurricane Harvey exposed the need for energy security legislation by:

• highlighting that we must ensure our energy resources are safe, secure and plentiful
• allowing states to leverage federal resources, knowledge, and expertise to build stronger partnerships with public and private stakeholders to guarantee a better energy future

The Hill | Opinion by Rep. Fred Upton (R-MI) | In Harvey’s wake, energy security legislation needed now more than ever

Oracle repoprtedly broke with other tech companies, to openly back a federal human trafficking bill.

The legislation:Stop Enabling Sex Traffickers Act, sponsored by Senator Richard Blumenthal (D-CT) and Senator Robert Portman (R-OH)

What this bill would do:  Amend protections for social networking sites & online platforms such as Google and Facebook from being held legally liable for content shared by those on the site.

What do tech opponents say? These amendments will create endless lawsuits and stifle digital innovation.

Tech Crunch | Oracle breaks with tech industry in backing human trafficking bill

A review of grid security by Symatec reveals that since 2015 hackers have been trying to gain access to the energy sector. Here’s what you need to know:

• It’s not only US based energy sector that is being targeting. The energy sectors in the U.S., Switzerland and Trukey.
• New technology targets. the hackers are looking for expanded access to operational systems & are taking screenshots of all systems in use to outline their function
• Hackers gained access through malware and phishing employees of  power generation, transmission and distribution companies.

The Hill | Sophisticated hacking campaign has targeted energy sector since 2015

 National Association of Insurance Commissioner’s approved Insurance Data Security Model Law to improve cyber risk management in the U.S. insurance market.

What does the model law do?

• establish industry standards for data security
• applies to insurers, brokers, and agents
• requires companies to have written information security program protecting sensitive data
• requires annual cetification to state insurance commissioners
• requires notification of data breaches within 72 hours
• encourages insurers to incorporate cybersecurity into their overall enterprise risk management & corporate governance practices
• minimum practices of board and senior management reporting
• oversight of information security practices
• monitoring of third party service provider
  arrangements

Reinsurance News |  NAIC’s new security model to improve U.S. insurance sector’s cyber risk management: Fitch

• Direct State Funding
• Federal Funding via National Institute of Standards and Technology, which Congressional budget bills defund
• State Funding Via an agency that oversees election cybersecurity

8 States have a plan to replace their voting machines: MN, MI, NV, NM, CO, AR, MD, RI

Politico | Cash-strapped states brace for Russian hacking fight

Governing | State Election Officials Need Money to Boost Cybersecurity, But Where Will They Get It?

Experts say self driving cars are better protected from hackers; making human driven cars more likely to face a hacker.

Why are non-selfing driving cars easier to hack? Because the cars send signals via sensors to themselves about distances and the like over low-level system that hackers have been penetrating for years. 

The fusion of these sensors in self-driving cars creates a ecueity protection as each sensor doesn’t trust the others data and the system as a hwole can override a command.

Guardian News | Assume self-driving cars are a hacker’s dream? Think again

Hurricane Harvey marks the 1st wide scale commerical use of drones after a disaster.

In addition to news crews utilizing drone footage, drones have been deployed by :

• Insurance Companies to document and determine damages
• Telecommunications companies to assess damages to infrastucture

San Antonio Express News | Government Technology | How Fleets of Drones Are Helping Assess Damage from Hurricane Harvey

465,000 pacemakers are under voluntary recall for security issues that could allow a cybersecurity breach that would allow a 3rd party to :

• modify pacing commands
• cause premature battery depletion

No known cybersecurity issues with the pacemakers are known.

Regulatory Affairs Professionals Society | Abbott Recalls 465,000 Pacemakers for Cybersecurity Patch

In 2013 North Carolina created the 1st Innovation Center (iCenter) in the U.S.

Since 2013, the iCenter has become focused on changing the culture of state government by:

• working with higher ed
• reaching out to local governments to help with IT 
• using technology to think differently and approach issues differently 

What does this mean? State innovation centers are a way to introduce new technology to all levels of government within a state.

Government Technology | North Carolina’s iCenter Reaches Beyond State Agencies for New Ideas, Best Practices

Data Centers are chosing to set up shop in Iowa. Corn fields and data servers go together like Bluebell Ice cream and Texas.

The latest data center by Apple Inc. includes an economic incentive package that includes:

• $208 million in state and local tax benefits
• Apple will provide 50 jobs, buy 1000 acres and build cpaital investments of $1.4 Billion

What does the Hawkeye State have to offer?

• generous tax breaks
• wind-generated power
• relative security from natural disasters

AP | Apple gets $208 million in tax breaks to build Iowa data center

Nevada is streamlining its state email servers, for all its state employees, to a single provider contract.

Government Technology | Nevada CIO: State’s Major IT Initiatives Are Moving Forward

Cinncinati is using predictive modeling to determine which properties might fall into disrepair to thwart blight before it occurs. 

Government Technology | Battling Blight: Four Ways Cities Are Using Data to Address Vacant Properties

The Business: Integrated Roadways

What are integrated roadways? Roads with sensors, phone, and internet connectivity, telecommunications, fiber-optic cable, and high-speed Internet, as well as other hardware, inside road surfaces.

Would these integrated roads collect data for the benefit of the city? Yes.
 

What type of dats would roadways collect?  data on vehicle counts, speeds, and weights to give cities access to information

Equipment World | Smart pavement pilot projects stuffing roads with sensors and internet connectivity

Virginia has a new state level program to train veterans to fill cybersecurity jobs.

Virginia’s vetrans training program :VetSuccess Immersion Academies via SANS CyberTalent Solutions

The veterans can take up to 3 courses and receive certification when they qualify.

Government Technology | Virginia Expands Cybersecurity Training for Veterans in Bid to Fill Vacant Positions Statewide

The State: Virginia

The goal of the public-private partnership:  “optimizing opportunities for innovative collaboration and investment in Virginia’s transportation system”

The data shared with the private sector: 22 different data sets, with initial data sets including traffic volumes, speed limits, travel advisories, lane closures, crashes, truck restrictions, traffic sensors, incidents, sign messages and locations, paving schedules, short- and long-term weather events, the Six-Year Improvement Plan, major road construction and Signal Phase and Timing data.

Equipment World | Virginia DOT launches SmarterRoads data portal for transportation app development

Gartner Inc. estimates that cybersecurity spending will increase in 2017:

• By 7%
• Accounting for a world-wide spending of $86.4 billion in 2017 and $90 Billion in 2018

Spending will be focused on:

• cyber security services
• IT outsourcing
• consulting
• implementation services

By 2020, bundled cybersecurity contracts will account for 40% of all managed security service contracts and will include:

• cybersecurity
• IT deisgn build outsourcing

Politico | Morning Cyber Security | Still a Growing Boy

Gartner Inc. | Gartner Says Worldwide Information Security Spending Will Grow 7 Percent to Reach $86.4 Billion in 2017

Maryland is offering its Medicaid patients a Telehealth App with these policy goals:

•  By offering emergency room telehealth visits, Maryalnd estiamtes it will cut down on Medicaid ER costs
• It can help connect patients to medical professionals, such as where to find services
• Allows for prescriptions to be called in after a telehealth visit

State Government Tech | Maryland Offers Medicaid Users Free Telemedicine App

These 30 Governors, Republican and Democrat, signed onto ther National Governor’s Association Confront the Cyber Threat Initiative: AL, AK, AZ, AR, CA, CO, CT, DE, Guam, HI, ID, IN, IA, KY, LA, MA, MD,MI, MN, MO, MT, NV, NH, NJ, NC, ND, OK, OR, PA, Puerto Rico, RI, UT, VT, Virgin Islands, WA, WV, WI, WY.

The Compact calls for 3 major strides:

The Federal Trade Commission settled a data privacy investigation by Uber agreeing to 20 years of privacy audits.

The FTC says the company “failed consumers”

CNBC | Uber agrees to 20 years of privacy audits after FTC says it ‘failed consumers’

First comes banning investments in the country du jour, now comes stopping outsourcing funds or policy initiatives related to cybersecurity to Russia.

Amendments bandied about D.C. by Senators Durbin, Warren and Whitehouse prohibit the use of federal funds to establish or support a “joint cybersecurity initiative” with Russia.

This trend is heading toward statehouses near you.

Politico | Morning Cybersecurity | Amendments to the policy roadmap

North Carolina’s electronic voting system in 2016 was hacked. The way hackers got in was through the company that provided the poll book- the electronic data that allows voting personnel to verify voters.

What changes we will we see to election procurement:

• contracts will contain and require higher data security standards
• vendors may be audited for data security purposes
• election workers will be equiped to switch to paper ballots, if during voting, it is discovered that election data is compromised

NPR | Russian Cyberattack Targeted Elections Vendor Tied To Voting Day Disruptions

71 % of health care organizations budget for cyber security

The majority say cybersecurity is more than 3% of their budget

A majority have hired a chief information security officer or other executive level cybersecurity position

75% do regular cybersecurity testing

80% of US healthcare orgnaizations will increase cybersecurity spending in 2017

Healthcare Dive | HIMSS survey: Hospitals ramping up cybersecurity efforts

Michigan created a volunteer public private task force to step in at a moment’s notice to resolve a cyber attack on state systems.

What is the group called? Michigan Cyber Civilian Corps, MiC3

Has Michigan Cyber Civilian Corps, MiC3 been deployed? No

How does it function? Like a volunteer fire department

Who has volunteered? cybersecurity experts from government, education and private industry

Has any other state done this? No. 

Governing | Michigan’s Volunteer-Based Cybersecurity Strategy Catches On

• Lack of cyber security funding
• Lack of cyber security talent (see above, talent and government wages don’t align)
• Threats are constantly evolving which takes time, money and talent to stay on top of properly
  • hackers target weakeness such as negligent insiders & unpatched vulnerabilities that leave agencies susceptible to risk

GCN | Why state and local government still struggle with cybersecurity

Missouri tests its state employees with its own phishing scams to keep state employees laser focused on cybersecurity.

Government Technology | In Illinois, Cybersecurity Training for State Employees Now Required by Law

Government Technology | Employee ‘Phishing’ Expeditions Among States’ Tools for Cybersecurity Awareness

Illinois HB 2371 requires every state employee to complete annual cybersecurity training. The Department of Information resources may offer a video in lieu of training.

By every employee, the Legislature managed to exclude these employees:

• legislative
• judicial
• higher education
• every constitutional officer

Government Technology | In Illinois, Cybersecurity Training for State Employees Now Required by Law

Johnson Co. Kansas relies on big data to address public safety and mental health concerns. The use of bug data has saved the local government:

• thousands in revenue
• thousands in man hours saved, saving $200,000 in patrol hours
• reduced mental health related arrests, 45 arrests prevented saved more than $100,000
• reduced reliance on emergency rooms, saving hospitals $150,000

How did Johnson Co. do it? By cross referencing 2 databases- county wide criminal jsutice database and a health and human services database that notes mental health issues.

State Tech | Johnson County (Kan.) Calls On Big Data to Link Public Safety and Mental Health

• What data are they capturing?
• Why are they capturing it?
• Where are they housing it?
• How do they recommend that schools house the data?

As schools place a greater concern on ensuring parents that student data is protected, schools are asking their edcation vendors more about data security.

Ed Tech | 3 Tips to Keep Parents Assured that Student Data Is Protected

A tech researcher visiting DefCon Voting Village in Las Vegas, hacked a U.S. styled voting machine within 2 minutes.

Wired | TO FIX VOTING MACHINES, HACKERS TEAR THEM APART

Companies are finding cybersecuity weaknesses in employees by sending faux phishing emails and seeing which employees bite.  

Corporate test data shows cyber literacy training reduces the number of employees who fall for phishing scams.

How many years until there are cyber literacy requirements in public education? in state contracts?

SC Media | Diagnosing employee phishing weaknesses key to improving email security

Taxpayers for Common Sense is ahead of the curve by creating a database to track federal cybersecurity spending.

The cybersecurity spending database is organized by agency and tracks spending for last 10 years.

The Consumer Tech Association filing with the Commerce Department recommends government action on cybersecurity/datasecurity policies for education because there are so many differnt players in education.

The recommendations that we may soon see in Education Procurement Contracts:

• market driven solutions e.g. contractors should step up and talk about their student data security protocols
• instead of government checklists, we need nimble polcies that can adapt as tech changes
• public-private partnerships are crucial to combat hackers

Consumer Technology Association | Promoting Stakeholder Action Against Botnets and Other Automated Threats 

Your Roomba is mapping your house and collecting data. Let’s repeat, your Roomba is colelcting data about how to get around your house and what is in your house. 

Better yet, the company hasn’t asked you whether they can keep the data, store the data or sell the data. What retailer wouldn’t want to buy data that says you have no loveseat? or only 1 sad and lonely dining chair?

This type of private property data is screaming for legislation. Legislation about disclosure of the data, sale of the data, consent to store the data, and how protected is the Roomba from hackers?

USA Today | Your Roomba already maps your home. Now the CEO plans to sell that map.

Congress’ H.R. 3170 tackles cyber security in small businesses by requiring cyber security training for small business devleopment centers.

In 2016, California created the State Innovation Lab.

California maintains an Office of Digital Innovation.

The policy goal in California is to “create novel, deployable technologies that address needs identified by state entity partners — with a particular focus on open-sourced technology.”

State Tech | How Innovative States Stay Ahead of the Tech Curve

Body cameras- love them, hate them- they collect data and a lot of data.

Lots of people support body cameras:

• 2/3 of police support body cameras
• 60% of the public supports body cameras
• Harris County Sheriff’s Office deployed 2500 body cameras

Body cameras are everywhere in law enforcement, so how are counties handling all that data?

• Harris Co. manages manages approximately 10PB of digital evidence
• Harris County’s 10PB of digital evidence is expected to double in 3-5 years
• Harris County created vendor partners, bringing body cameras together with a storage solution by Dell’s EMC line
• Data storage requires a categorization process- keep DWI videos separate from other felony arrests
• Create a data retention policy

State Tech | How Counties Manage the Body-Worn-Camera Video Data Boom

2017 Q2 reflects record spedning by tech giants. 

The 10 top issues tech wants elected officials and policymakers to know:

• cloud computing
• data centers
• renewable energy taxes
• data protection
• data encryption
•  cross-border data flows
• critical infrastructure protection
• transaction security
• government procurement
• IT modernization

Data Center Dynamics | Tech, data center firms increase US lobbying spend

Arkansas Workforce Services experienced a data breach that exposed the personally identifable details of 600,000 residents and 19,000 employment applications.

The state is seeking new database services. 

U.S. News and World Report | Data Breach Has Arkansas Seeking New Vendor

Yes, the California Supreme Court held that the California Medical Board can access private patient records in the state prescription database because the state interest in regulating potent prescription drugs and protecting patients from negligent doctors.

Access to patient records + Texas Medical Board Sunset Review = Patient Privacy vs. State Interest Amendments

Law 360 | Calif. Justices OK Medical Board’s Access To Rx Database

• New Mexico
  • Legislation clarifying when the National Guard can be used during cyber events
• Oregon
  • Executive order to unify all cybersecurity efforts into one agency
• Nevada
  •  a bill to create a cyber defense center to lead all their cyber projects in Nevada

State Scoop | 38 governors sign cybersecurity compact

The 2016-2017 Chair of the National Governor Association, Virginia Governor Terry McAuliffe, explains that cyber security directly impacts these policy areas and businesses:

• technology
• health care
• education
• public safety issue
• business and economics, including insurance
• democracy (elections)

State Scoop | 38 governors sign cybersecurity compact

National Governors Association is pushing for state reform of cyber security laws because:

• The federal government is too slow & too inactive
• Cyber security is not just an IT issue.
• Cyber Security is a  technology issue, a health issue, an education issue, a public safety issue, an economic issue and a democracy issue

The National Governor’s Association initiative, Meet the Threat, calls for:

• instituting cybersecurity governing bodies
• organizing computer crime units for law enforcement agencies
• designing cybersecurity education programs for staff 
• coordinating state efforts with cities and counties

State Scoop | 38 governors sign cybersecurity compact

Lloyds of London estimates a global cyber attack will result in damages similar to hurricane Sandy, or $53 billion in economic losses from a global hacking of cloud services.

How do the $53 Billion oin costs break down?

• Average economic losses  $4.6 billion to $53 billion

• Actual losses could be as high as $121 billion

• $45 billion of that sum may not be covered by cyber policies, because

  • companies are underinsuring

• If operating systems are hacked, average losses range from $9.7 billion to $28.7 billion. 

How is Texas regulating the cyberinsurance market?

Washington State University kept sensitive personal information on a backup disk locked in a $159 safe in a small safe in a storage unit.

The WSU storage unit was burlagized, and was the only unit burgalarized.

The takeaway for policy makers: Do not allow state institutions to store personal data in storage units. 

Common sense governing. Better late than never.

Government Technology | Washington State University Data Breach Teaches Valuable Cybersecurity Lesson (Editorial)

A poll by Carbon Black reveals the concern level of voters for election integrity.

• 27% of voters polled are considering not voting because of fear that their voter data will not be secure.
• If the 27% hold true, that reduduces voters by 59 million voters
• 45% think the 2018 elections will be impacted by cyber breaches

SC Media | Cybersecurity concerns may stop 59 million Americans from voting in 2018

In August 2016, Maryland officials notices hackers were trying to get to voter information, that set off a flurry of legislator and regulator activity. Here’s where they ended up almost a year later:

• legislators didn’t find out until it was in the news which ruffled feathers. suprise!
• Within 3 days of noticing the hacking attempt,  state’s computer staff blocked the IP address from multiple parts of the network
• The Maryland elections administrator notified the Governor’s cabinet
• 2 weeks later, Maryland officials alerted the FBI
• The FBI then notified Department of Homeland Security
• In September, Maryland’s elections administrator learned DHS had tools to help states at a conference, which she requested and began 1 month later
• DHS conducts remote weekly “cyber hygiene scans” of Maryland’s systems
• Maryland hired outside contractors to protect and monitor their election systems
• Maryland’s voter-registration database is not connected to the internet
• Maryland’s legislators are still gearing up to act

Wall Street Journal | How Maryland Contended With Attempted Hack Of Its Voter-Registration System

To avoid the use of stolen personally identifiable information, the uK is seeing a rise in the use of biometric identifiers.

SC Media | Rise in use of biometrics products for cyber-security, report predicts

Oregon’s Senate Bill 90 creates a new position of Chief Information Officer who is responsible for:

• Overseeing the Cybersecurity Advisory Council with 9 voting members and an indeterminate number of appointed, non-voting members
  • with required participation by law enforcement representatives
• Creating the Oregon Cybersecurity Center of Excellence tasked with inter- and intra-agency coordination, threat response, & information-sharing
• Mandates agency cooperation with the CIO

Government Technology | Oregon Gets Cybersecurity Booster Shot with Governor’s Approval of Senate Bill 90

Why are Frederick County Public Schools (Maryland) adopting new data security rules? The School experiences a data breach.

5 Elements from the new data breach policy:

• Requires frequent and thorough teacher and staff training for treatment of sensitive information
• incident response planning
• acceptable use of technology
•  information technology security awareness
• sets guidelines to mitigate and communicate risks for FCPS student and staff information systems

Also requires a 3rd party contractor to test the schools’ data security regularly.

Frederick News Post | New FCPS data security policy takes measures to protect student information

How to pass electric grid cybersecurity standards in 2 steps of legislstive logic:

• Tie expedited permitting of pipelines to electric grid modernization
• Tie electric grid modernization to grid cybersecurity

Natural Gas Intel | Senate Energy Policy Reform Bill Revived, Fast-Tracked

A bipartisan, and awkwardly named piece of legislation, the Promoting Good Cyber Hygiene Act, calls for:

• National Institute of Standards and Technology would establish a set of baseline voluntary best practices for safeguarding against cyber intrusions 
• provide the public access to the cyber hygiene practices
• require annual updates

The Hill | Senators introduce ‘cyber hygiene’ bill

1/2 of health care organizations say they are prepared for a data breach.

The American Medical Association proposes these data security incentives:

• CMS to include among its improvement activities in the Quality Payment Program (QPP), a credit for practices who engage in good cybersecurity hygiene and protect sensitive information;
• best practices and tools must be scalable & able to accommodate the needs of physicians of all sizes and practic areas; and
• larger practices should share their best practices with smaller health care entities to best protect health care communities.

Health IT Security | Incentivize Cybersecurity Best Practices for Data Security

Automakers say they need flexibility to adapt technology of self driving cars. 

What’s known for flexibility? the sarcastic answer: enacted statutes and their ability to keep up with technology

What’s the solution for cybersecurity for self driving cars? According to the American Center for Mobility self imposed rules by industry are the best option.

Automotive News | Cybersecurity push may tie up autonomous-car legislation

Department of Defense is adding cybersecurity standards to its procurement process. 

Requirements in the new contracting rules that take effect this fall are:

• Maintain adequate cybersecurity
• Notify the requisite agency of cyber incidents
• Applies to any subcontractors

FedScoop | Pentagon will soon hold contractors to elevated cyber standards

Data Breach at HHSC? No, a box of client records was left in a box unattended by a dumpster in Houston.

The personal information exposed included:

• names
• client numbers
• birth dates
• case numbers
• phone numbers

The HHSC response:

• 1 year of free credit monitoring to anyone affected
• A review. of HHSC’s document destruction procedures

SC Media | 2,000 Texas HHSC clients health data compromised

HHSC | HIPAA Notice: Houston-area Accidental Loss of Client Information

Vermont’s Governor signed S135 that will expand economic opportunity for financial technology industries.

Arizona’s Governor signed HB2417  that recognizes blockchain signatures and smart contracts

Buckley Sandler | Vermont Governor Enacts Law Including Blockchain Application

GOP Data Firm, Deep Root Analytics, stored personal details of roughly 198 million citizens unprotected and publicly assessible. 

A cybersecurity firm says potentially all of America’s 200 million registered voters were exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details.

The complaint: McAleer v. Deep Root

Business Insider Nordic | ‘The mother lode of all leaks’: A massive data breach exposed information that ‘you can use to steal an election’

SC Media | No recourse, perhaps, for 200M affected in breach of RNC database, attorney says

21 States responded to President Trump’s repeal of Obama era internet privacy regulations, by offering state regulations for internet privacy. Let’s take a peak.

In California, one internet service providfer, AT&T, has spent $2.71M in the last year.

Federal preemption isn’t a concern because the FCC laws and rules share duties with the states and there is no explicit preemption.

NCSL | PRIVACY LEGISLATION RELATED TO INTERNET SERVICE PROVIDERS

The Recorder | Calif. Pushes Internet Privacy Rules That Trump Repealed

21 States responded to President Trump’s repeal of Obama era internet privacy regulations, by offering state regulations for internet privacy. Let’s take a peak.

In  California, Assembly Bill 375, will:

• Customer information an only be used or sold after obtaining “opt-in” consent
• Prohibit penalties or discounts based on consent

Federal preemption isn’t a concern because the FCC laws and rules share duties with the states and there is no explicit preemption.

NCSL | PRIVACY LEGISLATION RELATED TO INTERNET SERVICE PROVIDERS

The Recorder | Calif. Pushes Internet Privacy Rules That Trump Repealed

Some say hospitals that get hit by a ransomware attack need not disclose the ransomware data breach.

The question- If data is held hostage/accessed but is not taken must that be disclosed?

The supporters for disclosure say: More mandatory reporting.This regulatory gap limits the health-care system’s ability to fight cybercriminals.

Who is counted among supporters of disclosure? Congressman Ted Lieu, a California Democrat who along with Congressmen Will Hurd, a Texas Republican

What do hospital lawyers say? Hospitals have financial and competitive incentives to avoid all but required reporting

WallStreet Journal | Why Some of the Worst Cyberattacks in Health Care Go Unreported

Cyber security is becoming an element in analysis for bond markets.

Is this shift a result of a catalyst? Yes, the use of malware toward local governmental entities

Does this follow inthe footsteps of other entities disclosing cyber protections to investors? Yes, utilities and hospitals are starting to disclose any information to potential investors in bond documents about cyber risks or defenses

Reuters | U.S. muni market slowly starts paying heed to cyber risks

State: Illinois

Illinois’ Solutions to prevent election hacking in the 2018 mid term elections:

• Sending election officials a letter with these instructions:
  • scrub voting systems of potential malware
  • fill any kind of security gaps
  • continue to be vigilant 

Politico | LAND OF LINCOLN PREPS FOR 2018

WGN | Illinois among 8 states investigating Russian hacking of its elections

Chicago Tribune | From the community: Sen. Michael E. Hastings works to protect Illinois election data from foreign cyber threats