The House Select Committee on Cybersecurity met on September 26 to hear invited and public testimony on the Jack Voltaic 2 exercise, state agency cybersecurity practices, and election security.

This report is intended to give you an overview and highlight of the discussions on the various topics the committee took up. It is not a verbatim transcript of the hearing, but is based upon what was audible or understandable to the observer and the desire to get details out as quickly as possible with few errors or omissions.

 

Report on the Jack Voltaic 2 Cybersecurity Exercise

Robert Butler, AECOM Management Services, Texas Cybersecurity Council

  • Speaking on the Jack Voltaic 2 (JV2) cybersecurity exercise conducted in Houston over the summer; report still being developed
  • Exercise modeled both physical and digital threats
  • Bottom-up approach is the correct path, particularly for emergency response involvement
  • Attempting to get Guard involved in cyber response, capacity is building, but need authorization
  • JV2 had great results, but was a one-off event; need a program statewide to allow cities to be engaged with others and learn from best practices
  • Statutes and policies also provide challenges, particularly in positioning cyber response
  • Worked with the army to identify defense-critical infrastructure & identify cyber weak spots
  • Recommendations include a statewide exercise/training program involving P3s to get commercial entities involved
  • Need to develop repeatable methodologies & frameworks that can scale to different cities
  • Need to better integrate frameworks, e.g. DIR framework, physical planning framework
  • Need for TMD authorization and playbook to expand TMD cybersecurity efforts
  • Blanco – Who would host the state plan?
    • Would look to have that under Chief Kidd under TDEM and supported by DIR and the State Military Department
    • We have a physical response plan and need to integrate the cyber response into that
  • Capriglione – when an assessment is done in one city, what can we take away and share with other cities and what is specific to that city?
    • City of Houston has done a quick after-action report, best practices can be transferred to other cities in terms of mutual assistance and coordination
    • Challenges to response can be shared
    • The after-action report will help identify many of those challenges
  • Capriglione – what would some of the statutory changes be in terms of utilizing national guard versus state military department?
    • We need an inventory of assets in each state
    • We need to find a way to get the Guard engaged in cyber activities earlier on – need to think through how we want them involved – something like a "rolling start"

 

State agency cybersecurity and data privacy practices, and H.B. 8 (85R) implementation

Ernesto Ballesteros, Texas Department of Information Resources

  • Described legislative authority for the Texas Cybersecurity Coordinator – SB 1102 (83rd)
  • 512 – Texas Government Code – "Texas Cybersecurity Coordinator shall establish and lead a cybersecurity council that includes public and private leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning the state" – HB 8 (85th)
    • Established the Texas Cybersecurity Council
  • Reviewed his educational and professional background
  • Current threat landscape in Texas includes an increasingly sophisticated threat with growing capabilities
    • Difficult to contain unilaterally
    • Need to coordinate efforts across many areas in a collaborative/cooperative effort
  • Cybersecurity Coordinator is responsible for coordinating cybersecurity of non-governmental organizations, K-12, commercial organizations, non-profit organizations and private citizens
    • Essentially everything outside of state agencies
  • A culture of security will have to be fostered
  • Role includes chairing the Cyber Security Council
    • Have created task force and designated task leads, which will create reports on assigned issues to bring forward to the legislature
  • Capriglione – what are you trying to accomplish before the next meeting in January/February?
    • Top priority is to continue exploring viable options for a state level information sharing and analysis organization to foster the needed collaboration and coordination between entities

 

Steve Buche, Health and Human Services Commission

  • Described personal and professional experience
  • Over 115,000 computer devices in the agency
  • Faces over 94 million cyber attacks annually
  • Required to comply with multiple federal agency requirements (HIPAA, etc.)
    • Takes a diligent effort to keep up with changes in these standards and how to move forward

 

Shirley Erp, Health and Human Services Commission

  • Utilizes both proactive and reactive approach to cyber security
  • Created operations center for threat identification
    • Have purchased technology to automatically stop threats
  • Individual users are still a threat
  • Have over 38,000 employees
    • Have a document structure that communicates security requirements and culture
  • Regarding HB 8
    • In process of redacting confidential information
    • Conduct web enabled training annually
    • Described multiple cyber security awareness programs
    • On target to have the vulnerability report complete by October 15 due date
    • Information security plan is on target to be submitted by October 15
    • Internet website and mobile application updates to standards are in process and on target for compliance
    • Targeted remediation in coordination with responsible agencies is underway
  • Blanco – related to stories concerning personal information being found in a dumpster, are we comfortable that the steps you have outlined will protect against data breaches and leaking of documents in the future?
    • That is in the physical security side, we visited them and discussed what the process is for handling shredding of information
    • Buche – it is critical for us to do the analysis and get it right and use lessons learned to move forward – currently doing that analysis with the IT team
  • Capriglione – will speak offline about additional funding requests

 

Boyd Bush, Texas Dental Board

  • There has been a lot of turnover in the last three years
    • A lot of information has been lost regarding security plan
    • Worked with DIR to get on track
  • Most problems found have already been corrected
  • Working to replace servers
  • In process of looking at vulnerabilities and considering options for securing those
  • Have not had any breaches or lost information at this point
  • Working to move as much to the cloud as possible
    • Integration is difficult – looking for one vendor to handle all parts of this
  • A reporting module has been developed and will require additional building out as needs arise

 

Allison Benz, Texas State Board of Pharmacy

  • Requested funding for IT last session – total of $340,000 for the biennium; Network switches, software, etc.
  • Licensing database requires handwriting forms to be transferred into the database – $108,000 requested to develop electronic inspection process allowing for digital upload of form information
  • VOIP – DIR was no longer going to be supporting the old phone system – project was funded separately and has been implemented
  • Still need to purchase tablets for the licensing database
  • Have appointed staff member in IT to be designated as the security analyst – trained through DIR INFO SEC academy
  • Moving more information to the cloud
  • Working on HB 8 reports and will be submitting those soon
  • Capriglione – in 2015 the FBI said you had holes in your system, in response you requested funds and have not received those yet?
    • That is correct, utilizing a work around by encrypting data that is sufficient for the FBI

 

Darran Anderson, Texas Department of Transportation

  • Oversees TxDOT’s information management operations
  • HB 8 – Substantial legislation relating to agency cybersecurity and IT resources through the information sharing & analysis center, training, best practices guidance, etc.
  • TxDOT has implemented many provisions of HB 8, incl. additional cybersecurity CE requirements, security assessments, mitigation of information security issues, etc.
  • Legislature approved appropriation of $10 million from the SHF to TxDOT, has been devoted to several cybersecurity initiatives at the agency, incl. compliance & security tools, security awareness
  • TxDOT will continue to improve on training, further improve process & tools
  • Intending to automate detection & response efforts, renewing independent verification/validation agreements, intend to extend encryption processes around agency, etc.
  • Longstanding operational & traffic systems across the state are historically closed, but modern technology gives expectation for more online capability, TxDOT’s vision is a smart system that is also robust against cybersecurity threats
  • TxDOT has a number of projects ongoing currently involving authentication of users accessing system, other system maturity aspects
  • TxDOT assessments of systems change year-over-year due to developing threats, continually attempt to update risk mitigation to match; robust cyclical risk-management system is important
  • Dale – When incidents like Colorado transport hack occur, do you contact other states to try and learn from what they experienced and response activities?
    • TxDOT was in contact with the Guard and Colorado
  • Dale – Was there any kind of information sharing?
    • Also have cybersecurity panels and lesser organizations that share information
  • Dale – I assume toll contractors have certain security standards, what type of auditing does TxDOT do on these contractors?
    • Toll operations division has responsibility over that, there is a PCI compliance review, also conducting review with Deloitte
  • Blanco – What has TxDOT done to ensure employee information was protected after incident where info was found to be changed?
    • With the original incident, W2 and account info was accessed for a few individuals, individuals were identified & notified, worked with IRS & FBI
    • Attacks were done through phishing and social engineering, these have been addressed through education efforts at TxDOT
  • Blanco – Road signs have been compromised recently, what have you done?
    • Has not happened on any of our integrated dynamic signs, to the best of our knowledge has only happened on portable signs
    • Many times, this is physical access & not network-based attacks; response is focused on access identification
  • Blanco – Have compromises led to physical danger?
    • Not that I’m aware of, will need to get back to you

 

Mike Higginbotham, Texas Department of Transportation

  • Gives overview of TxDOT responsibility for information systems statewide
  • Best way to protect records in TxDOT systems is through proactive security measures, leveraging DIR managed Security Services to assist
  • Near term initiatives include procuring security information & event management system, conducting biennial TX cybersecurity framework assessment, executing vulnerability and penetration tests for internet-facing applications, and application security scanning
  • Also implementing email malware detection, cloud certificate validation, internet address management, and data integrity initiatives for driver records
  • Will continue to leverage Managed Security Services
  • Also pursuing two-factor authentication for logins, point data loss prevention, access management automation
  • Capriglione – On dollars we appropriated last time, I have it as managed security provider?
    • This is the Managed Security Services through DIR
  • Capriglione – And things like two-factor authentication can come through that?
    • This is something we can explore

 

John Raff, Texas Facilities Commission

  • Gives overview of TFC’s oversight over building security, etc.
  • Gartner, Inc. conducted a security assessment of TFC in 2013, including a gap analysis; key recommendations were to establish full-time information security officer (ISO) to organize agency-wide security operations
  • TFC requests funds in 18-19 LAR to address most critical aspects of the report, hired ISO in Feb 2018
  • ISO has responsibility over current security operations & promotion of security initiatives like education, data classification, security policy development, and interfacing with DIR on security efforts; has resulted in many benefits already including DIR security assessment earlier this year & ongoing outreach efforts
  • TFC intends to build on this progress through exceptional item for cybersecurity services and personnel; includes additional FTE to review agency software and progress & cybersecurity monitoring software, at $394k/biennium
  • Capriglione – Part of the reason I started to focus on this was the facilities side, happy to work with continuing to improve facilities security

 

Melvin Neely, Texas Department of Criminal Justice

  • TDCJ did not have any cybersecurity funding last session, cybersecurity is governed by TAC, internal program, and agency directives
  • Information Resource Security Program sets standards and acceptable use of information, works with minimum standards put out for agency cybersecurity operations
  • Internal directives include autologin procedures, firewall procedures, etc.
  • TDCJ takes cybersecurity education very seriously, have CE requirements for basic information resources employees with increasing hours for higher sensitivity
  • Also, actively monitor with malware software and isolation of affected computers
  • Also have robust code checking process to check for vulnerability before it’s put into production environment; also have a very robust patching process
  • Large risk to TDCJ is in the offender management system, system is 40 years old & very outdated; need legislative support to revamp the system, currently have a 26% vacancy rate for system operators
  • Would like to have the system update done by the time CAPPS is online in 2022
  • Dean – When will we see what that number is?
    • In the LAR, $24.1 million this year, but there will be a second phase of $10 million asked for in next biennium
  • Dean – What platform would this be?
    • Web-based with Java
  • Blanco – What is your expected cost to replace?
    • $24.1 million this biennium, $10.5 million next biennium, very large system with 200k offender records
  • Dean – Do the counties interface with this system currently?
    • No, we receive paper records from the counties and input this way
    • We are working with counties to find solution for electronic submission of paperwork
  • Capriglione – Jimmy Carter was President when the system was put into place, not just a security issue, system also does not have modern features for offender tracking; concerned on how much this is costing to keep this running, COBOL programmers are not cheap, etc.

 

Seth Christensen, Texas Juvenile Justice Department

  • Have a new Chief Information Officer beginning next week
  • Appropriated $6.8 million for infrastructure refresh & $760k for cybersecurity efforts, $5.9 million has gone to system/equip refresh
  • Seeking approval for transfer of budget to additional capital budget item updating youth case management system, DIR identified system as an outlier; full replacement is $1.8 million, have received funds and authorization to move forward
  • TJJD has several 2019 planned activities including network/storage replacements, fiber upgrades, new communications, streamlining account management, and funding information resources FTEs
  • Readying information security report and plan by late this year
  • Asking legislature to continue baseline next session, which includes $585k for cybersecurity initiatives
  • Capriglione – When we looked at Gartner data, TJJD was identified as a high priority, many TJJD programs were stripped in conference & it looks like some of these things should have been funded

 

Skylor Hearn, Department of Public Safety

  • DPS is well on the way to developing an excellent cybersecurity unit with authorized strength of 26 FTEs
  • DPS is maturing policies and process to meet HB 8 requirements, moving to a risk-driven program
  • Adopted State Agency Plan Assessments, hired an IT monitor to help stay on schedule, includes security assessment in even-numbered years & focus on maturity progression in odd years
  • Seeking independent 3rd party auditing at least every 5 years
  • Adopting NIST security framework, expected to be implemented by 2020
  • $5 million appropriated last session, $1.8 million invested in data loss prevention, $2.1 million in intrusion prevention & security operations, $960k in vulnerability management
  • LAR has an exceptional item for $14 million for information technology & cybersecurity, includes $11 million for cybersecurity for FTEs and response activities
  • Blanco – Last November it was uncovered that DPS was selling personnel information related to driver's licenses to other companies, a gateway for security vulnerabilities; what kind of checks are you performing for purchasers before sale?
    • Under the statutory obligations we operate under, all of this information is publicly available, we only require that we don’t release data not publicly available
  • Blanco – Do you have any requirements placed on purchasers?
    • Only have ability to reach first purchaser, nothing protects against resale
  • Dale – Is there cooperation between DPS and Secretary of State regarding voter registration?
    • Yes, meeting and coordinating between our cyber unit, Fusion Center, and Secretary of State
  • Capriglione – From some perspectives we want to create laws to protect info, but data prevention policies also should include data permission policies; need to have a conversation over what information can be sold
    • This has come up in previous sessions, especially on the criminal justice side
  • Dean – Why would we be selling information to begin with?
    • There is cost recovery fee charged with this, but not money making; DPS would prefer not to be involved at all, DPS is the custodian of this data and must be involved
  • Blanco – Where does the $1.9 million go?
    • Will need to check, could go to GR

 

Melody Parrish, Texas Education Agency

  • TEA has 88 in-house maintained applications, including Texas student data system; education certification program has the largest userbase
  • Security framework – Gartner did study in 2012, in 2015 they redid the study
    • 40 controls
    • Determined that 3.25/5 was due diligence – 36 of the 40 were at or above 3.25, and 4 that scored lower than 3.25
  • Have moved a large amount of data through server consolidation to the Data Center Services – about 520 servers there currently
  • All operating systems have been updated to install patches
  • Updated all operating procedures
  • Secured wifi at the building
  • Last session requested funding – did not receive all requested
    • Still working on remaining due diligence items from the framework assessment
  • Have communicated through the service centers – all of them are running risk assessment plan to increase security posture
  • Created monthly webinar to inform and discuss best practices for securing data
  • Long range security plan will hopefully be approved with education long range plan
  • 2018 project to update GED records (currently on paper) – 35% complete with digitizing those records
  • Capriglione – where do the GED documents come from?
    • Will have to get the exact date range of the paper copies
    • Have an outside vendor digitizing and securing that
  • Capriglione – they are all done digitally now though?
    • That is correct
  • Discussed process of requesting GED information
    • In process of scanning all of those in to better access and secure the records
  • Dean – you are going to have an exceptional item to address this issue?
    • Not to address cyber security specifically
    • The GED project has enough funding to be completed by August of next year
  • Dean – do you know how many need to be scanned in?
    • About 200,000
  • Dean – how many do you have on a go forward basis?
    • All new ones will already be electronic
  • Dean – so the person could now download their GED?
    • We are considering formats for the end user
  • Blanco – seeing scanning for charter schools, what about public schools?
    • That is part of the exceptional items – have a contract with regional service center that secures and stores the records, all paper – for closed charter schools – in process of digitizing the records
    • Do have a system on the charter school side to electronically send transcripts with attachments, those records will be accessible through the Texas Records Exchange (TREx) system
    • All active current students are already in the system digitally
  • Blanco – the process for public schools is the same?
    • Correct, they already use this system
  • Capriglione – what kind of information are we talking about?
    • Any information that the charter school had on each student, not necessarily interested in scanning all of the documents in, just education information
  • Capriglione – what happens to the documents after you have scanned them?
    • The paper copies get destroyed
  • Have implemented in 2018 4 of the Gartner objectives: establish and enhance the vulnerability scanning system, establish an enhanced enterprise security awareness program, employed enterprise level redundant external data feeds, ensure encryption in all backups
  • In 2019 will be completing GED scanning project, closed charter school data upload, and completing another framework assessment
  • Texas student data system (TSDS) received funding
    • Collect 3.4 billion records within each key data submission
    • Allows PEIMS data to be collected more efficiently
  • Have initiated contract to complete the consolidation of the SPPI14 into the TSDS platform – 8-month effort starting in January 2019 – going through the contracting process
  • Most of the legacy systems are old and maintenance is difficult on them
  • Exceptional items next session is very important to the agency and students
    • School safety and special education are two items

 

Zhenzhen Sun, Texas Higher Education Coordinating Board

  • Described mission of the Texas Higher Education Coordinating Board
  • Millions of records are received each year including student loan information
  • Security initiatives implementations roadmap is used to prioritize security initiatives
    • Supports the mission and strategic plan
    • Uses statutes for prioritization
  • Have completed independent information security assessment
    • Next assessment is scheduled for 2019
  • Did receive some funding last session for security initiatives
    • Identified areas for improvement with a plan including deliverables
  • Actively engaging DIR regarding more controls for various systems in managing security systems
  • Will be proposing 2 exceptional items in 2019: legacy modernization, and creation of formal privacy officer position

 

Mark Havens, Texas General Land Office

  • Before January 2015, GLO had no formal security in place – audit revealed insufficient infrastructure was in place
  • 2016 office of information security was established to maintain records of all divisions of the GLO
    • Especially concerned with HIPAA information and loan information
  • Cyber security team has been expanded to 7 full time FTEs
    • Primary focus is to remediate security control gaps
    • Department has its own budget and resources
    • Tasked with training similar to other agencies practices
  • 2017 – cybersecurity team spent $1.7 million in wrapping up vital security records
  • HB 8
    • $80,000 went to data loss and vulnerability management
    • Will continue to require additional staff to maintain high levels of security
  • Capriglione – regarding house and relief after Harvey – is some of that cost borne by the federal government?
    • It is – we had to set standards to meet theirs and the federal government reimbursed the costs

 

Brandon Rogers, Texas General Land Office

  • Present as a resource witness

 

Election Security

Keith Ingram, Office of the Secretary of State

  • HB 8 requires this office to do study of vulnerabilities and risks of cyber security attacks of elections systems
    • Both locally and statewide
  • No successful cyber-attacks have occurred yet in Texas
  • Voting Machines and equipment
    • Voting machines are never connected to the internet
    • Computers that tabulate results are never connected to the internet
    • Voting machines and computers are kept under strict physical security
    • All machines are tested prior to and after use
    • Described testing and auditing procedures
  • Electronic Voter Registration Database
    • Contains sensitive information
    • Could be more vulnerable to hacking attempt because of the internet interface
    • Takes advantage of DIR services in addition to instituting multiple security measures like encryption and 2-factor authentication
  • Described interstate council related to sharing security threat information
  • Government Coordinating Council have been working to establish communication protocols
  • Will be having DIR assess security protocols
  • Public facing websites
    • None of the state or county websites have any voting capability but security remains important
  • Election infrastructure security is ongoing and never finished
  • Capriglione – how much total Help America Vote Act (HAVA) funding was there for Texas?
    • $23.3 million
    • Have exceptional item request for 5% matching funds
  • Capriglione – there is no documentation of any cyber attacks on the election infrastructure?
    • That is correct
    • Defined cyber attacks as more serious than scanning attempts
  • Capriglione – heard reports of attempts to access county information from IP addresses outside the united states, is that accurate?
    • There were scan attempts on Dallas County, but the IP addresses were already blocked
  • Capriglione – some of the counties are very small with limited if any IT staff, how do you address that?
    • The reason we wanted the assessment done on all counties was because the managed security contract has a tailored program for all ranges of counties and infrastructures
  • Minjarez – when you talk about the testing of the equipment and that it is open to the public – is the elections administrator required to give notice of when that testing will happen?
    • They are, 72-hour notice under the open meetings act
    • Records are maintained for 22 months after the election
  • Blanco – did you visit all counties as part of HB 8?
    • No, not all counties
  • Blanco – how did you determine which counties?
    • Utilized a mix of sizes and methods
    • All anonymous
  • Blanco – all voting machines have to score 100% on the testing before being used for an election, what % failed?
    • Have heard of counties finding issues with ballot programming, but typically the county will do an in-house test before doing the public test to be sure that it will pass
  • Blanco – you currently do not have a seat at the Cyber Security Council, do you think that would be beneficial?
    • Did attend the last meeting where there was discussion of being a supporting member
  • Dale – it has come up before, but what are your thoughts on having paper ballots for recount purposes?
    • That is a policy decision for the legislature

 

Dana DeBeauvoir, Travis County Clerk

  • Grateful to the Secretary of State on moving quickly on best practices especially related to the voter registration system
  • Since 2005 office has been studying how to improve the security and efficiency of electronic voting systems while making incremental changes to existing electronic voting machines
  • Described history of paper trails on electronic voting machines
    • Goal is to get to end to end verification
  • Have worked on creating a more complete electronic voting machine – STAR-Vote
    • Travis county issued RFP to build STAR-Vote
    • Not one proposal to completely build STAR-Vote
    • Required the county to purchase alternative voting machines
  • Reviewed need for risk limiting audits
  • Capriglione – how long have you been the Travis County clerk?
    • 31 years
  • Capriglione – has Travis County ever been attacked through a cyber-attack?
    • No, never been successfully or unsuccessfully attacked
    • There have been errors and mistakes which are just as dangerous as attacks
  • Capriglione – do you know of any attacks on any counties?
    • Only seen the same surfing attempts that happen all the time
  • Dale – it sounds like those are the same things, are we successful in repelling all of those attempts?
    • Yes, we are counting attacks as something more than scan attempts
  • Dale – cautioned that phraseology may be misleading to the public
  • Dean – how do we know other countries have made attempts?
    • Discussion of post-2016 election committee
    • Report will be made available to the committee

 

Public Testimony

Alex Meade, Self

  • Described security policies throughout organizations – 2-factor authentication should be mandatory
  • Legacy systems should be updated to newer languages to better offer proactive security solutions
  • Capriglione – authentication is credited with high level security

 

Closing Remarks

  • Dean – will we have a report prepared?
    • Capriglione – planning on issuing a report in November to be presented to the full House