The House Committee on Urban Affairs met on Tuesday February 23, 2016 to hear invited testimony on their cybersecurity interim charge.

Identify and address potential gaps in cities’ cyber security policy and ensure that personal information held by cities and other municipal entities is secure.

Panel 1: UTSA

Dr. Mauli Agrawal, UTSA Vice President for Research

  • UTSA is a leader in cyber security thanks in large part to help from the legislature
    • Ranked number 1 in the nation for cyber security education
  • Designated as National Center of Excellence in Information Assurance by the National Security Agency and the Department of Homeland Security
  • Gaps in Cyber Security
    • Lack of information sharing about cyber acts and counter measures
    • Small and midsized businesses are the weakest link in the supply chain because of inadequate defenses; there are no guidelines or classification systems to rank businesses by cyber-readiness
    • Neutral proving ground: there is a need for a facility where agencies can deploy and test commercial cyber security products in simulated virtual environments; UTSA would like to provide this service
    • Work force development will grow exponentially in the next decade; there is a need at all levels to invest in cyber security

Dr. Greg White, UTSA Director, Center for Infrastructure Assurance & Security (CIAS)

  • CIAS focuses on cyber defense competition program, infrastructure assurance programs, and cyber security training/awareness
    • Infrastructure Assurance Programs work with states and communities on cyber security
  • Two types of cyber events impact states and communities
    • Errors in hardware/software or user input errors
    • Cyber security incident
  • When an event occurs, who will be responsible for addressing it?
  • State and communities need a plan/program
    • CIAS developed the Community Cyber Security Maturity Model to do this
  • FBI has acknowledged more SCADA attacks and increased the cyber budget
  • Is Texas prepared?
    • No, but Texas is not alone, most states are not
    • Texas communities are also not prepared; many are not aware that cyber security is a concern, and few have an adequate budget
  • What does Texas need to do?
    • Texas ISAO (Information Sharing and Analysis Organization) is a place to start
      • Community ISAOs also need to be developed
    • More emphasis on recommendations in 2012 Texas Cybersecurity, Education, and Economic Development Council (TCEEDC) (only one has been accomplished)
    • Department of Information Resources (DIR) needs support to be able to address recommendations and improve security of Texas
  • Texas cannot secure private assets, but they can set an example
  • Chair Alvarado asks which states are leaders
    • Arizona, New Jersey, Delaware, and Maryland
    • These states are leaders because of funding and legislative champions

Questions

  • Rep. Schaefer notes that we do not have enough trained people in cyber security, and notes issues for smaller municipalities with fewer funds
    • White notes that a water utility was recently hacked, and says you are only as strong as your weakest link
  • Rep. Schaefer says we put smart meters into people’s homes and asks if those systems are at risk
    • White has heard these are permeable, but he has not been involved in any research regarding the issue
  • Chair Alvarado asks what the wish list would be for Texas to accomplish
    • UTSA can help with security awareness, security preparedness, security training, and cyber forensics
    • Texas could lead the nation in a “Nature of Security” campaign
    • Investment from the state in UTSA
    • We need information sharing and cohesion
  • Rep. Schaefer says he believes there is a disconnect between agencies because nobody is the “lead dog” or has been tasked with cyber security
  • Chair Alvarado says this needs to be a priority and we should be utilizing UTSA and San Antonio
  • Rep. Bernal says policy recommendations would be helpful in moving process forward

Panel 2: Public Sector (Protecting critical infrastructure and information in the public sector)

Chris Fogle, Delta Risk LLC

  • Consults for both public and private sector
  • Private sector companies have a lot to teach the state
  • In order to maintain proficiency, investments must be made in hands-on, realistic, and repeated training
  • Organizations often hyper-focus on technology solutions, but resilience comes from a good plan
  • Cyber security left to IT is generally ineffective
  • Outsourcing is a resource for companies, but you must make financial and non-financial investment in becoming cyber secure
  • Some of the best tools available are simulation exercises
    • Exercises are often not well-designed and lack depth and sophistication, which leads to false confidence

Greg Sarich, CPS Energy

  • Fully integrated utility in San Antonio
  • CPS continues to improve protection initiatives
  • Cyber and physical security teams have been integrated at CPS
  • There is no single solution, so we must ensure that there are contingencies and redundancies in place
    • CRISP – new information sharing program
    • Cyber Security Information Sharing Act is a movement in the right direction for sharing between public and private sector
  • White House announced plans for Cyber Security National Action Plan
  • CPS works with local leaders in San Antonio and will take part in three audits of the city

Hugh Miller, CTO for City of San Antonio

  • City considers security implications at the beginning of any project planning to come up with early identification of assets and threats
  • City has implemented an Incident Response Plan to outline all activities in the case of an incident
  • Maintains relationship with local companies and other cities

Robert Jones, City of Corpus Christi IT Security Manager

  • Motivation is key for cyber security
  • Applauds new focus on cyber security for utilities
  • Exercises such as phishing emails sent out to employees help create culture of cyber security

Anthony Tull, City of Granbury IT Director

  • Every level of government is guarding vast amounts of personal data for citizens and employees
  • We must commit necessary resources at all levels
  • Cyber security is generally seen as a small part of IT and does not receive necessary resources
  • We need multi-level protection covering hardware/software and users
    • Weakest link in any cyber security plan is the end user
  • Granbury sends out monthly emails to address known scams and threats

Shanna Igo, Texas Municipal League

  • Cyber security has not been an issue that TML has dealt with until recently
  • Larger cities usually have resources, but smaller cities and towns need additional resources
  • TML plans on working with other associations and organizations in addressing this issue
  • Looking into risk pool

Questions

  • Rep. Hunter says a basis of concern has been laid out for water, power, etc.; what law should be passed?
    • There needs to be a report or assessment including public, private, and utility concerns regarding cyber security
    • Funding will be necessary in fixing issues after an assessment is completed
    • We need the legislature to not tie our hands financially
    • A team needs to be put together to come up with scalable plans that can be implemented across all cities, counties, and state agencies
  • Rep. Hunter encourages the panel to go home and come up with legislation to be passed
  • Rep. Schaefer asks if there is a law that breaches be reported
    • Yes, depending on the information that is breached and how many records are breached
  • Rep. Anderson asks if TML could coordinate a team with city and private sector members to come up with policy recommendations
    • Yes
  • Rep. Hunter asks Shanna Igo to have TML coordinate a team and come back to present findings and recommendations to the committee
  • Rep. Elkins asks committee to consider requiring all personal information to be encrypted to minimize effects of a breach

Panel 3: Private Sector (Best practices from the private sector for state legislative action)

John Dickson, Denim Group

  • Has done security assessments for public sector across all levels of government
  • After comptroller “breach” in 2011, there were a series of discussions on cyber security; unfortunately a lot of people pointed fingers and did not realize that they also needed to improve their cyber security measures
  • No elected commissioners are held responsible for cyber security measures, but they should be; this is an option for legislation next session
  • State and agencies should lead the way by example
  • Texas Leadership Business

Scott Myers, root9b

  • Hunt Methodology is a revolution in cyber security
    • Proactively and iteratively searching through datasets to detect and respond to advanced threats
    • Continuously collect and aggregate data for analysis that may help find an adversary
  • You are on a continuous hunt under the assumption that the adversary is already there
  • On average, intrusions are not found until after 200 days, which offers plenty of time for data to be breached

Larry Hurtado, Digital Defense

  • Public and private sector clients around the world use Digital Defense to assess their cyber security measures
  • People are too trusting and do not believe they are at risk
    • Training may work for compliance purposes but does not usually get actual results when they secretively test organizations
  • Texas needs to develop and execute an engaging program to teach people about cyber security and also secretively test them to make sure the training has worked

Hearing Adjourned