ANNAPOLIS — House leaders Wednesday vowed the state would take the initial steps in modernizing state and local government information technology systems.
The effort to modernize the systems is not new or always easy to understand. Recent high-profile attacks on local government as well as a three-week shutdown of the state Health Department website has increased the level of concern.
“We are past day zero,” said Del. Pat Young, D-Baltimore County and co-chair of a joint House and Senate Committee that has worked on the issue. “There’s already been an attack.”
A three-bill package working its way through the House — with companion pieces cross-filed in the Senate — seeks to ratchet up cybersecurity efforts, centralize the state’s handling of information technology issues. The effort would include a modernization of state and local information technology systems.
But such an effort will come with a steep price tag that could reach into the billions over the better part of a decade.
This is not the first year that the state and many local governments have grappled with the issue.
Many are now coming to the realization that legacy systems and the interconnectivity of government agencies at all levels creates real vulnerability.
Keith Young, a cybersecurity official with Montgomery County government, said local governments are concerned about the risks posed from the interconnectivity of government agencies. An intrusion into a system in one county, could allow cyber-attacks on connected systems in other counties. Young said it is similar to how one major home improvement retailer was made vulnerable by a heating and air conditioning contractor that was the victim of an initial cyber-attack.
“That’s why these bills are critical in protecting counties across the state, for that exact reason,” he said.
Montgomery County, the state’s most populous jurisdiction, logs 15 million security incidents per day, according to Young.
The security incidents range from outsiders attempting to access websites operated by the county to sustained attacks “from abroad.”
“It’s across the entire spectrum,” Young said.
Government, however, has woefully underfunded its cybersecurity and information technology systems.
Sen. Katie Fry Hester, D-Carroll and Howard Counties and co-chair of the joint committee reviewing cybersecurity issues, said one bill would require the governor to program ongoing cybersecurity into the budget.
“For the federal government, it’s about 15% and for the private sector, it’s higher. For state’s right now, it’s averaging 2% or 3%.”
Initially, the House and Senate bills called for $1.5 billion in bonds. The borrowing for those upgrades would have come from the Maryland Stadium Authority.
Both sides have now struck that provision. In the House, Pat Young said an initial phase would be paid for with $110 million earmarked by Gov. Larry Hogan. Another $20 million within the Department of Information Technology could augment those efforts.
Hester said about $334 million is available to help pay for some upgrades to legacy systems.
“Neither is enough,” said Hester.
The money is seen as an initial step in a process that could take six to eight years to complete. The costs could run into the billions.
The Senate plan would hire a consultant to provide an overview of the work and potential costs. It’s estimated that the consultant will cost the state about $500,000, according to Hester.
She said some initial estimates place the costs of “upgrading the Maryland Department of Health into the 21st Century” at $2 billion.
Hester said spending for cybersecurity and upgrading old systems are different focuses.
“The legacy systems are the big expensive lift and that could take a decade,” said Hester. “We’re hoping to do it in six years. The cybersecurity priority and focus, we have money to do that now.”