Lawmakers Introduce Bills to Bolster State Cybersecurity

Members of the General Assembly rolled out a package of bills to offer more protections to state and local government online networks on Wednesday following the discovery of myriad vulnerabilities in the state’s cybersecurity systems.

“Vulnerabilities in our IT systems will continue to cost our taxpayers and that cost is high,” House Speaker Adrienne A. Jones (D-Baltimore County) said at a House news conference Wednesday.

Del. Patrick G. Young Jr. (D-Baltimore County) and Sen. Katie Fry Hester (D-Howard) co-chaired the Maryland Cybersecurity Council’s Ad Hoc Committee on State and Local Cybersecurity, which studied the state’s technological failings and researched methods other states have taken to increase their security.

Young and Hester, who also co-chair the Joint Committee on Cybersecurity, Information Technology, and Biotechnology, are co-sponsoring the package of bills.

Young said Wednesday that cybersecurity is an issue the state needs to tackle head-on “because this isn’t a theoretical exercise and a theoretical threat.”

“We are past day zero; we have already been attacked at the state level, at the local level,” he continued.

In the past several years, Maryland has been subject to a series of cyberattacks, including attacks against Baltimore City, Baltimore County Public Schools and most recently the Maryland Department of Health.

Hester said that the repair effort for the Department of Health’s network will cost $50 million.

The package includes House Bill 1202 and Senate Bill 754, which would require the Maryland Department of Emergency Management to help local governments prepare for the possibility of an attack. It would also create the Local Cybersecurity Support Fund to help smaller governments upgrade their security systems.

House Bill 1205 and Senate Bill 811, would create a funding mechanism to modernize all of the state’s legacy IT systems.

The bill initially called for $1.5 billion in bond funding from the Maryland Stadium Authority to upgrade the systems, but Young said the bill is being amended to find another source. Hester said modernizing the Department of Health’s legacy system alone will cost about $2 billion. She said that they hope to identify a new source of revenue within the next year.

House Bill 1346 and Senate Bill 812, would centralize all IT systems among state agencies to be under the purview of the Department of Information Technology. It would also require all state and certain local agencies to undergo annual security assessments and create new offices to assist local governments to bolster their cybersecurity systems.

Hester said that legislators have gotten pushback from some state agencies about this policy, “but the ones that are pushing back have major infractions in terms of their audit reports and the security of their personally identifiable information.”

According to Hester, the Maryland Department of Transportation asked to be excluded but was reported in a legislative audit to have had over 10 million pieces of personally identifiable information not properly secured.

On Friday, an MDOT spokeswoman said the personally identifiable information was not compromised, but involved a software program that displayed all digits of Marylanders’ social security numbers on computer displays; a software change in 2021 addressed the concern.

“We’re more connected now than we’ve ever been,” Young said. “But while we embrace innovation, we must also recognize the risks that come with it, and make sure that we’re modernizing our cybersecurity posture to protect our infrastructure, essential services … and the data and privacy of Maryland citizens.”

Editor’s Note: This story was updated Friday to include additional information from the Maryland Department of Transportation.

Republish