House State Affairs met on April 26th to discuss the following interim charges: expansion of broadband services to rural areas, implementation of pole replacement programs, review of state procurement of goods and services from businesses owned or controlled by the Russian government, and a study of cyber security preparedness. An archive video of this meeting can be found here.

 

This report is intended to give you an overview and highlight of the discussions on the various topics taken up. It is not a verbatim transcript of the discussions but is based upon what was audible or understandable to the observer and the desire to get details out as quickly as possible with few errors or omissions.

 

Interim Charge #1: Monitor the agencies and programs under the Committee’s jurisdiction and oversee the implementation of relevant legislation passed by the 87th Legislature. Conduct active oversight of all associated rulemaking and other governmental actions taken to ensure the intended legislative outcome of all legislation, including the following:

 

HB 5 Implementation – Invited Testimony

Korry Castillo, Comptroller’s Office – Neutral

  • Will need to hire grant management support staff for implementation
  • Highlights statewide availability map
  • State broadband plan to serve as a strategic guide; will establish greater access/affordability of broadband services
  • Listening tour includes townhall sessions in March-April; over 5,600 miles traveled
  • Roundtable discussions in each region in 5 topic areas (including education and public health)
    • 684 people registered to attend roundtables; 65 hours of discussion
  • Statewide survey to gather basic information on access/affordability; 7,215 total responses from 232 counties
    • News media, radio, social media, and using partners to promote survey
  • Many people believe broadband should be treated as a utility; equity is very important; underserviced communities should be a priority; uncertainty in cost of expanding broadband can preclude investment
  • People aren’t taking advantage of subsidies deferring costs of broadband; not widely known which impacts digital literacy; hotspots don’t solve all the issues
  • Initial state plan due June 15, 2022; anticipate to learn and refine services after this date
  • Broadband development map required showing eligible areas (where less than 80 percent of addresses have access and no federal funding); deadline to post map is January 2023
  • 10 member board of advisors; required monthly meetings
  • Other outreach activities include presentations, monthly newsletter, and a toolkit for communities that need technical assistance and grants
  • Hunter – Compliment on not saying rural broadband; Need to do a better job on explaining the meaning of broadband and say better/direct access
  • Hunter – Hurricane season starts June 1st; make sure the 14 gulf coast counties are prioritized on the listening tours; work with my office
  • Howard – in Austin being a tech friendly city we would be connected sufficiently; we have portions that aren’t connected due to affordability issues (during COVID millions of dollars were spent on bringing connection to schools)
  • Howard – Are there ways we’ll be able to look at cities like Austin that do have large areas that aren’t connected?
    • There are federal programs related to affordability and access to devices; we can look into distributing those to the Austin area
  • Howard – So they would have access to other options?
    • Yes and we’ve heard comments on tour that the quality of the access is something we need to improve
  • Shaheen – One of the most difficult things is going to be the distance; Is there any discussion on where fixed wireless devices are going to be located?
    • That’s part of the conversation; different types of tech that can reach and whether it will get the speed necessary; the goal is to be technology agnostic so we’ll look at all of the options
  • Shaheen – As the maps are being developed that’s being taken into consideration? I’m more worried about the long haul and how to get data transmitted.
  • Hernandez – when will the online survey close?
    • May 5 so we can incorporate the data into our report but we’ll keep it up and include data in advertising
  • Hernandez – Is advertising only in English?
    • We have the survey in Spanish; our social media does have Spanish but radio and newspaper are only in English
  • Raymond – advertising in weekly newspapers?
    • Can complete survey on the phone; TX news network
  • Raymond – Suggesting reaching out to county commissioners and city council in rural areas
    • We’ve reached out to county commissioners
    • We’ve provided printed surveys and worked with libraries to promote them; all media buys are in rural areas

 

HB 5 Implementation – Public Testimony

Mark Seale, TX Telephone Association – Neutral

  • 43 member companies across the state who maintain and operate voice and data traffic; serve 3 million customers and almost 1 million access points
  • Appreciate efforts and transparency of Comptroller’s Office
  • The Comptroller’s Office needs more people and more resources because this is a big job
  • Asked by Senator in east Texas to fiber his district; it would take $1.4 billion dollars and 15 years

 

John Mason, AT&T – Neutral

  • Hyper focused resources on closing digital divide; looking at expanding speeds
  • Since February AT&T is offering free internet to eligible households
  • Active participants in listening tour
  • Imperative that government funds are utilized
  • Focus on transparency, prioritization of products that help customers and focus on alternatives to government owned networks
  • Shaheen – Is AT&T in rural areas?
    • We’re mainly urban/suburban
  • Deshotel – on issue of getting service, there’s cellular phone service available in larger area than broadband?
    • Yes
  • Deshotel – I can search the internet anywhere I get cell service; why can such a broader area get access to internet on cell phone where there’s not wi-fi?
    • It’s a function of infrastructure and cost; wireless and fiber work differently in different areas

 

Julia Harvey, Texas Electric Cooperatives – Neutral

  • Electric cooperatives are member owned
  • Some have elected to use broadband
  • Active participants in comptroller’s office preliminary work
  • Believe state should administer program with emphasis on projects that are future-proof; provide higher speeds and proven technologies
  • Should include high level of accountability in distribution of funding
  • 6 members per mile which makes economics challenging but office can ensure grants are available to those areas of the state
  • Shaheen – how are they doing long haul? Fixed wireless?
    • A mix of fixed wireless and fiber; depends on geographic circumstances and density
  • Shaheen – In area of TX where it’s incredibly remote, will you have to build your own towers?
    • We leverage existing infrastructure; our members would look at any solution to get access out there; I agree that is a challenge
    • We’re part of the solution, not the entire solution
  • Are you able to work with the coops?
    • We’re open to working with any entity
    • As far as I’m aware our members are looking for any opportunity to expand access

 

Kenny Scudder, AARP – Neutral

  • Future is bright for broadband access
  • Many areas in West Texas lack internet access
  • Help older Texans combat social isolation
  • AARP commends comptroller’s office for listening tour

 

Mike Hunsucker, Windstream – Neutral

  • Windstream serves primarily non-urban areas
  • 5 customers per square mile and 38,000 square miles
  • Over 12 thousand miles of fiber in the state
  • Concerned with cost of providing service in the last mile
  • Partnerships with Sabine County to cover 95% of the county; $17.4 million build
  • Signed agreement with city of Andrews to get fiber; put up 74% of the fund
  • Commends broadband office on their engagement
  • Comptroller’s office is understaffed to handle grant applications
  • State needs additional money; $3 billion federal but need $10 billion
  • Need to keep the process simple for the application; Sabine county didn’t have the resources to write the application, so Windstream wrote it for them
  • Windstream committed to participating in American Connectivity Program
  • Improving digital literacy
  • Upscaling fiber
  • Raymond – You talked to the city of Andrews so what did they do?
    • The city put up $400,000; the county did not
    • They hold half the money until we finish
  • Raymond – That’s significant for how small Andrews is. To what extent can we get more partnership from cities and counties?
    • We’re talking to cities, counties, schools, and hospitals asking them to work together to provide the money.
  • Deshotel – what would the federal money be used for?
    • To get service to underserviced areas
  • Deshotel – What would TX look like in terms of broadband service?
    • $10 billion is what it takes to solve this issue in the entire state
  • Deshotel – Even to far places that don’t have electricity?
    • Yes; but if you don’t have electricity you won’t have broadband
  • Deshotel – It seems like we’re spending time on rural broadband and if $10 billion would solve all of these issues it doesn’t seem like a lot; we used $7 billion on flood mitigation
    • Could be higher or lower but that’s the range; I’ve heard numbers up to $12 billion
  • Shaheen – Your map answered my question; You have ILEC and CLEC?
    • Yes
  • Shaheen – You have fiber all the way down to South Texas; are you planning to provide service down there?
    • That fiber is probably CLEC owned and we wholesale that
  • Shaheen – At this current time you don’t have plans to make that residential?
    • Just selling to carriers
  • Shaheen – From a network perspective, what is the obstacle?
    • Take the city of Andrews, we have a central office and start building fiber out to locations; once outside the city limits you’re stopped
  • Shaheen – So Windstream doesn’t leverage wireless technology, you’re capable of fiber?
    • Our issue is access to poles
    • If we go to wireless it’ll give customers less
  • Shaheen – The problem is really rural areas and it doesn’t make sense to run something underground
    • Only with a grant
  • Shaheen – What about from an ongoing maintenance perspective
    • Doesn’t include ongoing maintenance cost; maintaining fiber costs less than copper

 

Jennifer Harris, Connected Nation – Neutral

  • HB 5 will prevent use of federal funds; can’t make grants where broadband is already available
  • Satellite and mobile don’t meet everyone’s needs
  • Current definition misleads saying there’s no problem to solve
  • Updating broadband definition to 100/20 which would be in compliance with IIJA
  • Deshotel – Those changes that would make qualifications broader, who would oppose that legislation?
    • I would think everyone would want to take advantage of federal dollars
  • Deshotel – Some of limitations you spoke about in drafting HB 5, those were placed by someone’s interest; is there an interest by some groups?
    • We passed HB 5 in a bubble before knowing the federal government’s actions
    • Based on IIJA requirements, it’s in our best interest to match that or else we can’t use those dollars
  • Deshotel – We should make those changes so we can access those additional dollars; hopefully that’s why the limitations are there

 

Walt Baum, Texas Cable Association – Neutral

  • Supports HB 5
  • Funds should be directed to unserved areas first; none should be used on areas with broadband access
  • Applicants should have ability to build
  • Push back on government-owned networks; not necessary when they’ve already built networks
  • Plan should identify barriers to adoption and solutions to connect people
  • In areas where cities have put out bids to put out networks where they already have coverage; it would be more helpful to work with existing providers
  • TCA Members have won Rural Digital Opportunity Fund awards; have lit up new areas in El Paso and working on East Texas
  • Raymond – this may be the year we try to be bold because $10 or $12 billion seems doable; a lot of one-time costs; do you think it’s something we could look at this next session?
    • I think HB 5 provides good framework with clean up and more federal money; if the resources will continue to be there it can get done
  • Raymond – Let’s say we had all of the money right now, how quickly could we get it done?
    • Members with RDOF awards had timelines within 6 years and that timeclock started last year
  • Raymond – As we build out, workers will come and it will pay benefits to Texas economically and in every area

 

Luis Acuña, Texas 2036 – Neutral

  • We’ll be working on fiscal policies and hope to work with Rep. Raymond’s office
  • Developing an underserved definition in statutes addressing gaps of areas that may have 23 speeds; also including affordability
  • Worked on report with Rice University
  • Pilot program in Hector County
  • Consider tracking policy framework
  • Consider other pilot projects
  • Broadband office is spread too thin and need support
  • Shaheen – I’m struggling to see fiber as the right solution; satellite exists today?
    • New technology being developed as low-earth orbit satellite
  • Shaheen – Is there anything in statute that would prevent us from using that type of technology?
    • I’ll need to evaluate that to give a clear answer; Hector County is piloting that technology with 90 households and some improvements need to be made with customer service
  • Howard – We need a plan that brings everything into play that is also nimble; technology changes rapidly and it’s hard to catch up
  • Howard – Thank you for what you’re putting together; need more input from you to benefit all Texans
    • State needs to look at broadband as a tool to meet goals

 

Jerry Stevens, VTX Communications – Neutral

  • Every inch of Texas is covered by satellite; whether that is usable because of interest or cost
  • There can be no last mile without middle mile; we look for places to put up towers and extend fiber in middle mile
  • Appreciative of cooperatives which deliver service to rural communities; would like to see more partnership between wireless service providers and electric coops
  • Encourages committee to ensure TxDOT and transportation authorities takes advantage of every road and put in public-use conduit for fiber
  • Interest in Comptroller’s BDO office to identify where middle mile fiber is (dark or active)
  • Deshotel – I agree with your suggestion about the new roadways, this will be at a cost to consumers we just want the opportunity to get the service
    • We’re building a road for communication as well as transportation
  • King – In the early 2000s did we have discussion about TxDOT opening rights-of-way and there was pushback?
    • Organizations and bureaucracies are challenged when something new is proposed
    • We’re only talking about the conduit
  • King – When this was a hot topic, the issue was providers wanted access to rights-of-way so they wouldn’t be charged; the pushback from TxDOT was damaging utilities through construction, correct?
    • Yes; we’re talking about utilities that want to be in the same trench
  • King – The discussion was using telecom for underground deployment?
    • I never understood why there was reluctance to do that

 

Harrison Heiner, Communications Workers of America – Neutral

  • Critical to expand broadband in a manner that will create good jobs across Texas
  • When telecom providers request funds preference will be given to workers who meet criteria; direct employment not subcontractors to ensure highest level of safety
  • Locally based workforce should be prioritized; if there isn’t one, there should be a training program
  • Give preference to employers that have OSHA trainings
  • CWA thinks fibers should be prioritized

 

Snapper Carr, Texas Municipal League – Neutral

  • TML and TCCUI have been working to create partnerships
  • Large urban areas have been investing their own dollars and extending utility departments to address issues
  • Raymond – Issue of getting whole state wired and helping people get connected, they’re two different things, right?
    • Yes, and there is an affordability issue like in El Paso
    • Even in areas that are considered fully wired, there are areas on the fringe that don’t have service offerings; local governments have that information
    • Some cities like Andrews have incentivized to partner with advisers they have been maintaining their own networks; most cities don’t want to own internet networks
  • Raymond – Are you here to ask how we can get the whole state an infrastructure? Separate from that, the affordability?
    • We support HB 5 and the efforts of Comptroller’s Office
    • I’m here to share that cities are looking for opportunity to partner, invest money, and provide resources
  • Raymond – Because of the pandemic?
    • It became a priority because of the urgency
    • The rural cities might have some service and are willing to put money; have some of the best planning resources to assist
    • Cities just looking at service deployment standpoint
  • Raymond – Is it possible for us to come up with a plan with your suggestions about working with cities/counties?
    • I don’t believe it’s too ambitious
    • Cities are very much wanting to partner to advance this
    • Suggest looking at how to foster partnerships because there are territorial customer concerns
    • San Antonio school districts worked collaboratively with private sector in that region at no cost to those homes during the pandemic
  • Raymond – I would encourage you to push hard these next few months; we might have another one at some point so moving in a bold way would pay dividends in the future
    • It is something that is a big issue for local officials

 

Korry Castillo, Comptroller’s Office – Neutral

  • Raymond – Please follow up on what I’ve brought up.
    • On the need for assistance for locals to make connections, the BDO is looking at providing technical assistance for local governments
    • Federal money requires entities to contribute 25% of funds for them to use it
  • Raymond – I understand it’ll be harder for some cities
    • Provision for IIJA for needy communities to bypass that contribution
  • We’ve been working with TxDOT allowing for installation during road construction, joint trenching
  • We’ve heard on tours that some of the needs for locals and coordination is on permitting
  • IIJA program called Enabling Middle Mile; billion dollar competition program including long list of applicants
  • Hunter – I reviewed your slides and part of it is a plan so are you all developing an emergency management plan?
    • TDEM typically handles that and includes energy response
    • Our plan is more focused on development of broadband network and access but we’re happy to work with TDEM as much as possible
  • Hunter – Wants TDEM to speak on this at a future hearing

 

HB 1505 Implementation – Invited Testimony

Korry Castillo, Comptroller’s Office – Neutral

  • HB 1505 dedicated $75 million to pole replacement program
  • Treasury has stated that stand-alone pole replacement programs are an ineligible use of funds
  • Comptroller published rules for program (March 2022)
  • Set to apply to Treasury for funding in September 2022

 

HB 1505 Implementation – Public Testimony

Julia Harvey, Texas Electric Cooperatives – Neutral

  • Last session opposed bill because it shifted costs onto rural consumers
  • Welcome partnerships but only in a safe manner
  • Came to agreement on a bill that won’t shift costs
  • HB 1505 formalized cost for pole replacements, defined actions, set terms for abandoned attachments
  • Should funding source not materialize from federal government, they’ll support alternative options for funding

 

Walt Baum, Texas Cable Association – Neutral

  • Members have issues when dealing with electric coops about accessing poles
  • Disappointed if Treasury says the $75 million is ineligible
  • Thought it was clear this money could be used for broadband infrastructure
  • Listening costs said pole replacement costs were still an issue

 

Luis Acuña, Texas 2036 – Neutral

  • Underserved communities should be prioritized
  • Provide flexibility and nimbleness for program

 

Jerry Stevens, VTX Communications – Neutral

  • Internet service providers are interested in collaborating with rural electric coops
  • Cooperation could lead to an acceleration even in the absence of funding

 

Interim Charge #2: Review the impact of state government procurement of goods and services from businesses and other commercial entities owned or controlled by the Russian government or Russian nationals, and determine the need for restrictions on state government procurement. Consider the impact of any proposed procurement restrictions on state government efficiency and effectiveness and the state’s access to scientific and technological advances

Korry Castillo, Comptroller’s Office – Neutral

  • We didn’t find anything that would fit within this charge
  • Shaheen – If someone wanted to work with legislation, it could be limited to first or second tiered companies?
    • Yes and attestations and clauses are clear that you’re not associated with a Russian ownership
  • Shaheen – I can’t imagine we buy much from them to begin with but thank you.
  • Raymond – last couple of sessions we got into Chinese investment particularly purchase of land near a military base in West Texas, did you all follow that?
    • Yes and we did some reviews of business with China last session
  • Raymond – Do we know of that kind of investment by former Russian military?
    • Can look into this
  • Raymond – I think we’d want to know

 

Interim Charge #3: Study the status and adequacy of cyber security preparedness among state agencies and contractors. Make recommendations that enhance cyber security measures considering evolving threats to Texas’ information technology infrastructure

Nancy Rainosek and Amanda Crawford, Department of Information Resources – Neutral

  • HB 1118 – mandatory cyber security training and annual certification is ongoing
    • Requirements refined last session to include elected and appointed officials and K-12 employees
  • SB 475 – improved security posture
    • Created risk authorization and management program
    • State agency advisory board
    • Data management officer to protect data that agencies hold
    • Under TXRAMP, any cloud products that a state agency will contract with must be certified in Texas
    • Built framework for regional cybersecurity working groups which allows strong relationships to grow
    • Expanding regional cybersecurity pilot to West Texas by partnering with universities; Angelo State University will be first partner
  • Raymond – 23 local governing entities had ransomware attacks, was there a common theme as to what they were stealing?
    • Crawford – The criminals came through a desktop connection through a managed service provider seeking to shut down the systems; no ransom was paid
  • Raymond – What does recovery mean?
    • From a state response, it’s like a firefighter stopping the spread and collecting evidence for an investigation; they caught the criminal responsible and he was from Russia
    • Texas’ response was such a success that Homeland committee asked us to testify
    • It took 7 days to recover
  • Harless – Who’s paying for the program at Angelo State?
    • Texas
  • Harless – Do you see it moving to other universities?
    • They can take donations and have no cost for real estate
    • Moving forward the state will need appropriations
  • Harless – What will the appropriations involve?
    • Start up cost would be more but ongoing costs would be less
  • Agencies are required to report to DIR
  • One of the challenges is that agencies are forced to choose between spending a dollar on their mission or their technology and they choose their mission meaning technology is in debt
  • DIR helps come up with cost-effective plans, many are low to no cost for state government
  • Cybersecurity coordinator leads council to provide recommendations
  • Highlights cybersecurity staff positions at DIR
  • DIR trains and provides cybersecurity certifications for government customers
  • Texas Information Security Offices (ISO) is a free of charge service and DIR shares timely threat networks
  • Raymond – The agencies have to be diligent themselves but when do you come in?
    • Think of us as the folks on the wall, defenders
    • Doesn’t prevent someone from clicking on an email
  • Raymond – Besides clicking on an email, what are you doing daily?
    • Monitoring, blocking incidents, attempts of intrusion
  • Raymond – Is it constant?
    • All day, every day
  • Raymond – Since the incident with TxDOT in 2020 to now are you telling me that no one has gotten through?
    • Rainosek – There haven’t been any ransomware incidents since then
  • Raymond – What happened with TxDOT?
    • It shut down a majority of TxDOT
  • Raymond – How long did it take to recover?
    • Several weeks; takes a while to determine how they got in and plug the holes
  • Raymond – We didn’t pay any ransom?
    • No
    • Crawford – TxDOT had provider insurance
  • Raymond – I assume it’s like other state agencies where the AG is their lawyer; DIR helps the agency & we’re depending on you guys to take the lead
    • DIR puts policies and standards out that agencies need to comply with
    • Each state agency will have their own IT officer and shops under the federated model
    • We’re there to provide policy standards guidance, but depends on the size & sophistication of the agency, e.g. TxDOT would have a large IT section, smaller agencies may not be able to hire at decent salaries
  • Raymond – How many FTEs at your agency?
    • 228
  • Raymond – What about other states? Florida?
    • Not sure what is a comparable state; depends on if states are federated or not
    • My understanding is ours is one of the smallest IT sections out there, NY has maybe 4-5k
  • Raymond – are they pushing IT personnel out of different agencies and centralizing?
    • Some are doing this, don’t know that this is the best model, there are certainly conversations to be had around authority and reporting
  • Raymond – Ransomware operators are also getting information on these agencies
    • Crawford – Agencies are required to report when this occurs
  • Raymond – How often have bad actors successfully gotten to a school, university, agency?
    • Don’t have that number
    • Rainosek – For agencies, traffic going out is a red flag, one of the reasons we have a consolidated data center and DIR monitors traffic
    • Definitely a concern, some agencies just don’t have the budget to modernize systems
  • Raymond – Hard for me to believe no one has been successful at getting into a state agency or local governments
    • Local governments are a different story
  • Raymond – We’ve not had any ransomware incidents since TxDOT?
    • There was another ransomware incident at a small state agency who maintains servers outside of the DIR datacenter; can name off the record
  • Raymond – Possible they are getting more sophisticated in getting in and getting data covertly?
    • DIR also monitors the dark web, contracts with leaders in the industry to provide data monitoring services
  • Raymond – Hard to believe
    • References slide 20, part of an assessment and overview of cybersecurity maturity for state govs; Texas is far above peers
  • Raymond – What has happened since the attack on 23 cities?
    • A lot; with local govs part of what we know is based on what they report, no state law requires it
  • Raymond – Maybe we should have a law, we get them to report other crimes & shouldn’t be difficult
    • I think there are understandable concerns for damage to reputation, but there are exceptions in Public Information Act that keep this confidential
    • This is also how we can do trends and reporting
  • Raymond – How often has this happened since the 23 city incidents?
    • Since 2019, 38 cities, 17 counties, 5 state agencies, 8 higher ed universities
  • No evidence for data exfiltration from state agency networks
  • Have knowledge of a vulnerability in widely used open source code that was discovered last year; DIR is working to address this Log4j vulnerability, but there is no evidence of exfiltration
  • One local government was affected by ransomware due to the Log4j vulnerability, won’t be the last time legislature hears of this due to the widespread nature
  • Gov Abbott sent a letter to DIR and DPS to use every resource available, DIR well positioned to address nation-state actors
  • Active with other agencies daily, increased blocking, diving deeper on routine blocks; looking not just at potential attacks from Russia, but all vectors
  • Other state CIOs and SSOs are replicating what Texas is doing, envious of state leadership support
  • Raymond – Introduced bill last session on info for the private sector that didn’t pass, do you want to comment on this? Can you speak to small businesses?
    • Part of the private sector is just what we hear, part through Texas Ice Out, DIR does have some informational programs also have a Cyber Star program
    • Rainosek – Anyone can apply for Cyber Star and demonstrate their program, DIR awards a certificate; DIR essentially tells them what they need to be secure
  • Raymond – Info on how many?
    • Just rolling out right now
  • Raymond – To what extent do you feel attacks are happening in the private sector?
    • Crawford – Depends, private sector is highly at risk and private entities are at different levels of preparedness
    • One of the things that can help is less blame, this is one of the reasons people are reluctant to share, there is reputation & legal risk
    • Getting more conversation out there can destigmatize, highlights Jackson County attack and County Judge was instrumental in speaking on the attack and getting others prepared
  • Raymond – Maybe we need to work with Chambers of Commerce, etc.
    • Sure
  • Highlights slides, showcases how IT maturity is ranked for Texas agencies; broad range of maturity from the local level to state agencies
  • Since 2014, have seen steady maturity level improvement, generally level 3 for state government which is needed for compliance
  • With counties, lack of maturity has to do with budget, size, and resources
  • DIR scope of authority limited to state agencies, higher ed, and junior colleges
  • Local government need is primarily training, local gov compliance with training is low, but recent legislation added need to certify training to qualify for certain Gov grants
  • Hunter – Are we adequately prepared?
    • We are prepared
  • Hunter – You’ve told us about preparedness, but not yet about adequacy
    • If the question is “is the state secure?” I don’t think anyone would tell you any organization is secure
    • We have plans in place from a state gov perspective
    • Problem with adequacy is that tech evolves and adequacy is a moving target
    • Are we on the right path? Yes, and better suited than other states
    • Could we do more? Yes, especially with reporting
  • Hunter – What are your recommendations so we feel good about adequacy?
    • Reporting for local governments would be huge, Regional Operations Center funding would be huge
  • Hunter – Would like to be provided with specific recommendations we can help on, also hearing that we’re in pretty good shape; do want to highlight that you’re following the dark web
  • Raymond – Would like to sit in on the dark web briefing with Rep. Hunter
  • Howard – Visited the ARSOC in San Antonio, very impressive how everyone was working together and in one space
  • Shaheen – How does DIR monitor agencies? All on the same network
    • In general, most agencies are on the state agency network if they’re in the Capitol Complex network; essentially Austin-based, some in Austin not on the network
  • Shaheen – Significant amount of traffic that operations center is not monitoring, probably need to address that; does this need to happen legislatively?
    • Can get back to you on that
  • Shaheen – State Affairs voted out a bill to do the local reporting and it died in Calendars

 

Jeff Williams, Department of Public Safety – Neutral

  • Provides overview of DPS network and monitoring, 2.6k connections, 171 business applications, 40% of which are legacy systems no longer supported
  • Many of these systems connect to statewide LEOs, all LEO data comes through us
  • 30m driver records, 27m criminal history records are with DPS
  • Many legacy systems have backups, though some of them don’t have backups for the application
  • DPS has about 196 control points to assess maturity levels
  • 21% of the legacy systems had a maturity level of 3, 16% had 1; want to push these higher
  • All personal information that needs to be authenticated ultimately comes back to DPS
  • DPS is not in the DIR datacenter program, trying to secure some data through obscurity, but work closely with DIR frequently
  • DPS has done a pretty good job of stopping harmful traffic, but many entities taking shots at DPS’ data
  • Raymond – So in the last 6 months, you’re seeing a lot more viruses making it to your agency?
    • Yes, DIR does a great job of filtering these but in general there are more out there today
  • Raymond – Is it particularly prominent in regards to DPS?
    • No evidence that it is particularly targeting DPS
  • Raymond – All probably need to learn more about viruses
    • There’s a reason over 90% of malware is done through a phishing campaign, only need people to open links and viruses can “dwell” on a network to wait for info
  • Raymond – Concerning due to the number of employees

 

Peter Apostolakos, Round Rock ISD – Neutral

  • Dedicated cybersecurity role is rare in the K-12 environment, many districts are understaffed & tech staff are few in number and must fill multiple roles
  • Texas Information Technology Leaders have been working with House IT Caucus to get funding for K-12 cybersecurity; ransomware is K-12’s biggest threat
  • 27 agencies have asked for almost $900m to address legacy systems, but K-12 received no funding; need legislators to fund K-12 cybersecurity and support training for tech staff
  • Highlights statistics for ransomware attack in K-12

 

Chris Cummings, Humble ISD – Neutral

  • State of K-12 cybersecurity across the state is concerning, HISD funds $500k/year to support cybersecurity, taking funding away from classrooms, etc.
  • Most schools are woefully underprepared to meet security needs
  • State has invested heavily in local gov and agency cybersecurity, but K-12 has been left out; asking for support
  • Raymond – Our Education Commissioner is a high-tech guy, do we have no presence there?
    • Not that I’m aware of; have reporting mechanisms and TEA provides guidance
  • Raymond – In terms of proactively preventing those attacks? We haven’t given them the ability to do something to help protect schools
    • No sir
  • Raymond – Would imagine Commissioner Morath would want something like that

 

Eduardo Contreras, Self – Neutral

  • Small business owner in managed services/IT field, working with small business and some municipalities
  • No specific guidance for small businesses to follow, many do not know how to implement security measures
  • Many don’t want open source code because bad actors can research to find security holes
  • With broadband rollout, getting many new connections so you need to secure the rollout environments
  • Even sophisticated entities will struggle to deal with large-scale denial of service attacks
  • Commonality between all preparedness frameworks is cybersecurity training, 90% of attacks occur through employees clicking on things they shouldn’t
  • Recommendations incl. cybersecurity safe harbor legislation that allows for leniency for small businesses
  • Raymond – What is it you want leniency on?
    • Safe harbor from liability for businesses who were victims, e.g. safeguards against getting sued if they implemented accepted standards
    • Safe harbor legislation has been passed in Connecticut, Ohio, and Utah
  • Raymond – Anyone introduced it here yet?
    • Not that I’m aware of
  • Second recommendation is tax credits for implementing safeguards; highlights actions taken by Australia
  • Raymond – Has anyone done this?
    • Nobody that I’m aware of
    • Expensive proposition for small businesses to implement, also an issue of what to implement
  • Raymond – I think this is a good idea, trying to figure out how to help the private sector, could be a way we can move in that direction; would be good for customers and the business
  • Texas Health Service Authority was a P3 and created a program called Secure Texas that certifies cybersecurity businesses to work with the medical industry

 

Dennis London, London Security Solutions – Neutral

  • Security threats evolve constantly, many professionals will stop at identifying where attacks happen constantly
  • Security solutions also evolve, security professionals need expertise to handle day-to-day management of security infrastructure and experience to respond to threats
  • Need to be able to demonstrate ability to manage and monitor
  • Provides overview of how a ransomware attack occurs, attackers create problems that need help from IT staff to capture credentials as they address these problems
  • Monitoring is necessary as these types of attacks happen over a very long period of time
  • Should be focused on securing basic infrastructure in Texas