Indiana lawmakers recently passed legislation that will greatly increase the amount of information sharing among statewide agencies and between the state and local government regarding cyberattacks and threats to government IT assets.
House Bill 1169, which Gov. Eric Holcomb is expected to sign in the coming days, will give the Indiana Office of Technology a much wider scope over how public-sector entities report and respond to incidents like ransomware, denial-of-service attacks, website defacements and software vulnerability exploitations, including zero-day attacks.
Under the bill, IOT will build a repository of cyber incidents affecting state agencies and local governments. Those entities will also be required to report any incidents to the Indiana Office of Technology “without unreasonable delay,” or within two business days of discovery. It also empowers IOT to work more closely with other state agencies on a range of technology and security matters and to advise local governments by providing lists of third-party vendors that could be useful when responding to incidents.
“The state and localities are constantly sharing data and have a variety of technical connections, where if one party did have a successful attack, others could be vulnerable,” Graig Lubsen, IOT’s director of communications, told StateScoop in an email. “Think of it as your neighbor letting you know there was mischief on their property the other day; it is helpful to know that.”
The state’s technology agency proposed this bill to legislators before the start of the current session, Lubsen said, because it didn’t have a complete sense of how frequently Indiana government bodies are hit by cyberattacks.
“This data will help IOT and the legislature better understand the scope of the problem and then better formulate policy moving forward,” he wrote.
During an online roundtable Wednesday with some of his fellow state chief information officers, Indiana CIO Tracy Barnes called the bill’s passage one of his proudest accomplishments over the past year. It passed unanimously in both the Indiana House of Representatives and Indiana Senate.
Closer cooperation between states and their local governments on cybersecurity has long been a priority for groups like the National Association of State Chief Information Officers and the National Governors Association, both of which have pushed their members to embrace a “whole-of-state” approach.
Lubsen said that in crafting the bill, the Indiana Office of Technology also worked with local government associations to ensure its information-sharing measures were not too burdensome. He said those groups were “very receptive” to the idea.
Under the bill’s provisions, the new reporting requirements would go into effect July 1.