Florida lawmakers are close to approving legislation that will overhaul the state’s cybersecurity governance at a time it’s dealing with the fallout of incidents like the hack of a local water treatment facility and a potentially costly ransomware attack against one of its biggest school districts.
The bill, HB1297, would add more cybersecurity duties to the Florida Digital Service, the agency that was created last year when the state underwent one of its frequent IT overhauls. Among the young agency’s new responsibilities would be developing annual cybersecurity trainings for state employees, creating a 19-member Cybersecurity Advisory Council and creating a statewide plan to be updated annually. The bill is modeled on a report released in January by 15-member task force that included Lt. Jeannette Nunez, state Chief Information Officer James Grant and law enforcement officials, along with representatives from Florida universities and corporations like Walt Disney World.
The new council would include many of the same members as the task force, as well the state chief information security officer, a position that’s been vacant since last December when its former occupant, Thomas Vaughn, left the state government to become CISO of the capital city of Tallahassee. It would also include three representatives of critical infrastructure facilities, at least one of whom would be required to be from a water treatment facility. State and federal authorities are still investigating a February incident in which a hacker allegedly attempted to raise the levels of sodium hydroxide to dangerous levels at a plant in the town of Oldsmar.
Meanwhile, Broward County Public Schools, the nation’s sixth-biggest K-12 district, was hit earlier this month with a ransomware attack that demanded $40 million, a record-setting sum. (The district has said it will not pay, thought it briefly attempted to negotiate with the ransomware gang that attacked it.)
HB1297 has already been approved unanimously by several Florida House committees, and companion legislation is working its way through the state Senate. The bill is also moving as lawmakers consider a spending plan for the 2022 fiscal year, which includes a $31.6 million increase in cybersecurity funding that would support the recommendations in task force’s January report, including more endpoint detection and threat-assessment tools, hardening of industrial control systems like those at water plants, upgrades of government websites to .gov domains and 15 new positions in the Florida Digital Service.
The state’s increased cybersecurity spending, though, is on a list of programs that will only be funded if Florida receives enough pandemic relief, according to the appropriations bill.