The House Committee on Government Transparency & Operations met on March 20 to take up pending business and bills on the agenda.  This report focuses on bills taken up relating to cybersecurity.
 
HB 1604 (Blanco) Relating to an acknowledgement of vulnerabilities and risks in a state agency's information security plan.

  • Blanco laid out the bill
  • Requires executive heads to acknowledge weaknesses and vulnerabilities
  • Todd Kimbrel, Department of Information Resources – Bill is an effort to make sure information security officers are fully engaged and hopefully understand the scope of assessments
  • Bill left pending

 
HB 1605 (Blanco) Relating to the powers and duties of the Department of Information Resources regarding cybersecurity.

  • Requires DIR to submit a biennial report and request emergency funding in case of attack
  • Committee substitute added a confidentiality clause and changed the date, allowing DIR to add questions to existing surveys, among other things – CS needs to be given to the clerk and then will be given to members (CS was not laid out)
  • Bill left pending

 
HB 1452 (Blanco) Relating to a study regarding cyber-attacks on election infrastructure.

  • Bill author laid out bill – he had committee substitute but unable to lay out since it was not yet given to the committee
  • Lindsey Aston, Secretary of State – resource witness
    • Gonzalez – Bill analysis says no fiscal impact to this date, it seems like there is some work out there?
    • There is existing research that we can apply to our current voting machines. We did identify a small cost relating to potential third party costs for security firms. It is a small fiscal impact, not significant. 
    • Gonzales: Are you comfortable, can you absorb this without something on the appropriating side?
    • L. Aston: It depends on the extent the legislature would like us to go into, especially if we would like to go into county websites. We estimated a ballpark figure of around $75,000 to hire a third-party security firm.
  • Bill left pending

 
HB 8 (Capriglione) Relating to cybersecurity for state agency information resources.

  • Capriglione laid out the bill
  • The bill contains provisions for assessing risk, implementing best practices and working with leaders in IT, among other things
  • There will be a committee substitute that clarifies definitions and includes a local government provision, adding training, etc.
  • Sarah Matz, CompTIA – Supports HB 8, noting it would provide several important cybersecurity measures, and appreciates the commitment to cybersecurity training
  • Justin Yancy, Texas Business Leadership Council – Supports HB 8 as it elevates and addresses critical elements needed in cybersecurity
  • Bill left pending

 
HB 9 (Capriglione) Relating to cybercrime; creating criminal offenses.

  • Bill goes after activity, creates an offense for intentionally interrupting access to a computer system, etc.
  • There will be a committee substitute coming, includes definition changes, additional offense, change
  • W. Scott McCullough, Data Foundry Inc.
  • On the bill but believes by end they will be in firm support
  • Support the goals of the bill but we have some technical concerns:
    • Current definition of malware could be construed to include actions that aren’t malicious or harmful; it could also be under-inclusive
    • Believes definition of ransomware could more accurately capture what author was trying to do
    • Don’t outlaw all information service providers, cloud providers – bill author was trying to get at interlopers – need to be fixed 
    • Bill involves a host of actors
  • We would like to see the following:
    • A limited exception to prosecution to certain actors
    • An additional offense for breaking encryption
  • Tinderholt – Am I correct in saying that it is not just individuals who represent these bad actors, a lot of times these actors are in groups?
    • Some of the main actors are often organized crime
    • Tinderholt – A change I would like to add is to change the word ‘person’ in the bill to add “or a group or organization”
  • Capriglione – We have heard concerns, will be accepting many recommendations, and look forward to making adjustments in the committee substitute
  • Bill left pending