The stack of bills related to cybersecurity is piled high on state Sen. Katie Fry Hester’s desk.
In the past few years, Marylanders have been hit hard by cyberattacks. They waited in gas lines when the Colonial Pipeline was targeted; their virtual classes were canceled in Baltimore County Public Schools; and they had trouble getting AIDS medication when the Maryland Department of Health was the victim of a ransomware attack.
“The average citizen has experienced what poor cybersecurity practices can mean,” said Hester (D-Howard and Carroll). “We have to get (reform) done this year.”
Hester was the co-chair of a Maryland Cybersecurity Council committee formed to investigate problems with state cybersecurity and to propose solutions. The committee’s report, released in December, recommended that Maryland centralize the state’s IT staff and budget.
Hester said she has asked budget analysts and technology officers to find out how much Maryland spends on cybersecurity, but answers have not been forthcoming thanks to the current decentralized situation.
In Vermont, a 2017 executive order created an Agency of Digital Services to centralize all IT and security functions. It eliminated shadow IT systems, allowed the state to better prioritize modernization needs, and resulted in savings through consolidations of vendors and contracts, the Maryland committee found in its report.
Hester has proposed a bill that would create a similar office within Maryland’s Department of Information Technology (DoIT). The office would have its own appropriation in the budget and would oversee procurement of all information technology for the executive branch.
She is also proposing legislation that would provide critical cybersecurity support and coordination for local governments.
Del. Pat Young (D-Baltimore County), who is introducing similar legislation in the House, said that centralizing cyber preparedness and response is key to the state’s ability to protect itself from costly cyberattacks. He noted that Gov. Larry Hogan’s fiscal 2023 budget includes $100 million to protect against cyberattacks.
“Without a significant change to our overall approach to cybersecurity, we risk diluting the impact of this funding,” Young told the House Appropriations Committee in January.
Hester has proposed another bill, Modernize Maryland, that would create dedicated funding for cybersecurity-related purchases of software and hardware.
Some state officials have lingering questions about centralization.
Chip Stewart, the state’s chief information security officer, said centralized models can have disadvantages as well as advantages.
“Decisions about IT organizations should be based on trade-offs in each organization when comparing centralized versus distributed or federated models,” he said.
During an Appropriations Committee hearing, Del. Reid Novotny (R-Howard and Carroll) asked if centralizing IT operations would create more bureaucracy and “throw good money or effort after bad.”
Sam Bell, chief information security officer for Edwards Performance Solutions, replied that centralizing would allow the state to survey the whole threat landscape.
These discussions follow the passage of the federal infrastructure bill, which includes $1 billion in grants to help state and local governments protect themselves from cyberattacks.
The General Assembly will also consider legislation that establishes a cyber preparedness unit within the Maryland Department of Emergency Management to support local governments.
Another bill would help the state protect critical infrastructure such as water, sewer and electric systems.
Hester, who said the Maryland Cybersecurity Council report revealed the extent of IT vulnerabilities in the state, called for a bipartisan response to strengthen cybersecurity protections.
“We know what the bare minimum is and we’re not doing it,” Hester said. “Last year, DoIT’s budget went down. We’re going in the wrong direction without legislative action.”