Committee approves creation of cybersecurity commission

Two years ago, the city of Atlanta suffered a cyberattack that crippled its computer systems for days as hackers were able to shut down services such as utility payments, access to court records and even some public safety functions, threatening to keep them off unless paid a “ransom” to restore them.

Similar ransomware attacks disrupting essential services were also reported last year in Baltimore and a number of other communities around the country.

The House Government Operations Committee on Tuesday approved a proposal meant to help Minnesota better prepare and defend itself from such cyberattacks.

Sponsored by Rep. Kristin Bahner (DFL-Maple Grove), HF4536 would establish the Legislative Commission on Cybersecurity, an eight-member group of legislators who would stay abreast of the latest threats and oversee the state’s response to them. The bill was referred, as amended, to the House State Government Finance Division. There is no Senate companion.

Rep. Kristin Bahner

The commission would coordinate the state’s cybersecurity efforts by reviewing the policies and practices of agencies, and offering recommendations, or developing legislation, to help combat threats.

Bahner, who currently serves on the Governor’s Blue Ribbon Council on Information Technology, said the state’s internal tracking shows that people have already begun probing its systems and services looking for vulnerabilities.

“There is one thing we know for certain, the individuals perpetrating these crimes don’t pack up and go home,” Bahner said. “They will not stop, but rather they will look for opportunities to exploit in good times and times of crisis. … Threats continue to expand and evolve with the speed of our technology.”

The legislative cybersecurity commission would consist of four House members and four members of the Senate. The majority and minority leaders in each body would each appoint two members of the commission, who would serve two-year terms.

The first appointments would need to be made by July 1, 2020 and the commission would be required to meet at least twice this year. A sunset provision is provided, meaning the commission would cease existence at the end of 2028, unless extended.

Rick King, who chairs the blue ribbon council and is also an executive with Thomson Reuters in Eagan, said it’s important there are “in-the-know experts” on cybersecurity issues in the Legislature who, in turn, will help educate other lawmakers.

“There is no other place in the whole of the Legislature and [executive branch] where secure briefings can take place about the threats that are all around,” King said. “… The vision is that this would be the place where all of the details, or most of the details, would be disclosed. The level of threats would be clear.”

Rep. Jim Nash (R-Waconia), who also serves on the governor’s council, also offered his support for the bill.

“It is vitally important that we have a better understanding of these issues and a broader understanding of these issues from the member perspective,” Nash said. “… There are things in our state that we don’t have legislative arms around it, and yet we are asked to appropriate money for it, and I think that this is a good step in the right direction.”

Bahner said 31 states enacted legislation related to cybersecurity in 2019 to deal with issues such as training for security threats, creating commissions such as the one proposed, addressing security of utilities and critical infrastructure, connected devices and elections security.

“The bill before you takes the first critical step in addressing all of these issues,” Bahner said.

Technical language added

Members also approved an amendment adding the language of HF4527 to the proposal.

That bill, also sponsored by Bahner, was also approved by the committee on Tuesday, and referred to the House Floor. It has no Senate companion.

The bill would make technical changes to statutory language regarding the state’s information technology office, including changing its official name from the Office of MN.IT to the Minnesota Department of Information Technology Services.

Jon Eichten, a deputy commissioner for MN.IT, said the change would “normalize” the name, which is currently an acronym and can cause confusion. He said the bill would also clarify that the primary scope of the department is in the executive branch of government.

Bahner said combining the two bills would help better align the legislation with what is being done in the Senate, which she has been operating “in close concert” with so the bills will “make it across the finish line.”