ANNAPOLIS — Gov. Larry Hogan signed into law Thursday a trio of bills aimed at shoring up the state’s cybersecurity efforts.
The bills were part of 105 pieces of legislation passed earlier this year that were signed into law. The package is the result of several years of effort to address the growing risks to state and local government computer systems.
“As we’ve heard from our national security apparatus following the Russian invasion of Ukraine, we must take appropriate steps to ensure that our cyber preparedness and response capacity meets the moment,” said Sen. Katie Fry Hester, D-Howard and Carroll counties. “It is vital that we protect our most basic public infrastructure — our drinking water, transportation, public safety, education and financial systems — to ensure that Marylanders’ day-to-day routines are not disrupted.”
Hester and Del. Pat Young, D-Baltimore County, spearheaded the effort on the three bills. The legislators are co-chairs of the Joint Committee on Cybersecurity, IT, and Biotechnology.
The three-bill package is expected to beef up cybersecurity efforts and centralize the state’s handling of information technology issues. The effort would include a modernization of state and local information technology systems.
But increased security comes at a cost.
One bill creates the Modernize Maryland Oversight Commission, an independent agency, and sets aside $10 million for an initial assessment of risks to state agencies. In fiscal 2024, the governor must set aside 20% of the total IT and cybersecurity budget in a special fund. Next year that amount is expected to be about $20 million.
Hogan, who has been a vocal opponent of legislatively mandated spending, signed the bill into law.
A second law codifies Maryland Cyber Defense Initiative, which was created by executive order. The unit will assist in assessing risks to local governments and developing preparedness and response plans.
More than $300 million could be available to help upgrade systems. That represents a fraction of the total cost, which could easily run into the billions.
Fully upgrading the systems at the Department of Health could cost as much as $2 billion, according to an estimate from earlier this year.
The bills come on the heels of high-profile attacks on local and state government agencies in recent years.
“Signing the cybersecurity package into law represents years of working collaboration between state and local governments, elected officials and experts in the public and private sector,” Young said.
Last year, the Maryland Department of Health was the target of a ransomware attack that crippled the agency for more than three weeks.
Similarly, Baltimore city and the Baltimore County Public Schools have been the focus of other attacks that shut down services.
Montgomery County, the state’s most populous jurisdiction, logs 15 million security incidents per day. The security incidents range from outsiders attempting to access websites operated by the county to sustained attacks “from abroad.”
Officials said that once an outsider gains access to one system, they can sometimes use it to jump to connected systems in other jurisdictions.
Implementation of the laws, Young said, makes the state “safer tomorrow than we were yesterday.”