THE SENATE

S.B. NO. 1478

THIRTY-SECOND LEGISLATURE, 2023

STATE OF HAWAII

A BILL FOR AN ACT

relating to offensive cybersecurity.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  Chapter 27, Hawaii Revised Statutes, is amended by adding a new subpart to part VII to be appropriately designated and to read as follows:

"Subpart   .  Offensive Cybersecurity Program

     §27-A  Definitions.  As used in this subpart:

     "Agency" means any executive branch agency of the State or any county agency.

     "Breach":

     (1)  Means unauthorized access or acquisition of computerized data that has not been secured by encryption or other methods or technology that renders electronic files, media, or databases unreadable or unusable; and

     (2)  Does not include the good faith acquisition of personal information by an employee or agent of the employee if the personal information is not used or subject to further unauthorized disclosure.

     "Common vulnerability scoring system" refers to the open industry standard, which is maintained by the Forum of Incident Response and Security Teams or a successor entity, for assessing the severity of computer system security vulnerabilities and uses a numerical score to help organizations properly assess and prioritize their vulnerability management processes.

     "Criminal justice information" means private or sensitive information collected by federal, state, or county law enforcement, including:

     (1)  Fingerprints or other biometric information;

     (2)  Criminal background and investigation information; and

     (3)  Personal information.

     "Cybersecurity" means processes or capabilities, wherein systems, communications, and information are protected and defended against damage, unauthorized use or modification, and exploitation.

     "Cybersecurity strategy" means a vision, plan of action, or guiding principles, but does not mean an associated operational plan.

     "Denial of service attack" means an attack against a computer system designed to make the system inaccessible to users.

     "Financial information":

     (1)  Means banking, credit, or other account information that, if accessed without authorization, may result in potential harm to a person; and

     (2)  Includes account numbers or codes, credit card expiration dates, credit card security codes, bank account statements, and records of financial transactions.

     "Health insurance information" means a person's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify a person.

     "Identity theft or identity fraud" means all types of crime in which a person wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, most commonly for economic gain.

     "Malware":

     (1)  Means software or firmware intended to perform an unauthorized process that will have an adverse effect on the confidentiality, integrity, or availability of an information system; and

     (2)  Includes a virus, worm, trojan horse, spyware, adware, or other code-based system that infects hosts.

     "Medical information" means a person's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

     "Office" means the office of enterprise technology services.

     "Penetration testing" refers to a method for gaining assurance in the security of an information technology system by attempting to breach some or all of that system's security, using tools and techniques that a bad actor may use.

     "Personal information":

     (1)  Means a person's first name or first initial and last name in combination with the following when names and data are not encrypted:

          (A)  The person's social security number;

          (B)  The person's driver's license number;

          (C)  The person's Hawaii state identification card number;

          (D)  The person's financial institution account number, credit card number, or debit card number in combination with required security codes, access codes, or passwords that permit access to a person's financial accounts;

          (E)  The person's date of birth;

          (F)  The maiden name of the person's mother;

          (G)  Medical information;

          (H)  Health insurance information;

          (I)  An identification number assigned to the person by the person's employer in combination with security codes, access codes, or passwords; or

          (J)  The person's digitized or other electronic signature; and

     (2)  Does not include information available to the public from federal, state, or county government records.

     "Ransom" means a payment for services or goods to a malicious agent to:

     (1)  Decrypt data on a computer system;

     (2)  Retrieve lost or stolen data; or

     (3)  Prevent the disclosure and dissemination of information.

     "Regulated information" means information and information technology resource protection requirements established by the federal government and regulating organizations.

     "Regulating organizations" means organizations that establish laws, regulations, policies, guidelines, and standards, including the Federal Bureau of Investigation, Internal Revenue Service, Social Security Administration, Federal Deposit Insurance Corporation, United States Department of Health and Human Services, Centers for Medicare and Medicaid Services, and Payment Card Industry Security Standards Council.

     "Significant damage" means:

     (1)  A degradation in or loss of mission capability to an extent and duration that the agency is not able to perform one or more of its primary functions;

     (2)  Damages of $10,000 or more to agency assets as estimated by the agency;

     (3)  A financial loss of $10,000 or more as estimated by the agency; or

     (4)  Harm to persons involving loss of life or serious life-threatening injuries.

     "Social engineering":

     (1)  Means the tactic of manipulating, influencing, or deceiving a person to gain control over a computer system or steal personal or financial information; and

     (2)  Includes the use of psychological manipulation to trick users into making security mistakes or giving away sensitive information, such as "phishing" or baiting.

     §27-B  Offensive cybersecurity program.  There is established within the office an offensive cybersecurity program, which shall:

     (1)  Analyze cybersecurity threats;

     (2)  Evaluate and provide intelligence regarding cybersecurity;

     (3)  Promote cybersecurity awareness, including awareness of social engineering threats;

     (4)  Conduct penetration testing among state and county agencies to evaluate the security of state and county information technology systems;

     (5)  Conduct agent-based security and ensure that assets are being inventoried and managed according to best practices;

     (6)  Use the common vulnerability scoring system to evaluate the severity of vulnerabilities in information technology systems across state and county agencies and prioritize remediation; and

     (7)  Take other proactive measures to ensure increased cybersecurity for agencies.

     §27-C  Memorandums of understanding; mutual aid agreements.  (a)  The office may enter a:

     (1)  Memorandum of understanding with other state, local, or tribal governments of the United States for purposes of ensuring the confidentiality, availability, and integrity of state, local, and tribal information systems and data, including consulting, developing cybersecurity strategy, prevention of cybersecurity incidents, and response strategies to cybersecurity incidents; and

     (2)  A mutual aid agreement with other state, local, or tribal governments of the United States agreeing to the reciprocal exchange of resources and services for mutual benefit of the parties related to cybersecurity efforts for the purposes of responding to or mitigating active cybersecurity incidents.

     (b)  As used in this section, "state" means a state of the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, or any territorial or insular possession subject to the jurisdiction of the United States.

     §27-D  Disclosures of cybersecurity incidents.  (a)  State and county agencies shall disclose to the office an identified or suspected cybersecurity incident that affects the confidentiality, integrity, or availability of information systems, data, or services.  Disclosure shall be made expediently and without unreasonable delay.  Cybersecurity incidents required to be reported include:

     (1)  Suspected breaches;

     (2)  Malware incidents that cause significant damage;

     (3)  Denial of service attacks that affect the availability of services;

     (4)  Demands for ransom related to a cybersecurity incident or unauthorized disclosure of digital records;

     (5)  Instances of identity theft or identity fraud occurring on an agency's information technology system;

     (6)  Incidents that require response and remediation efforts that will cost more than $10,000 in equipment, software, and labor; and

     (7)  Other incidents the agency deems worthy of communication to the office.

     (b)  Until a cybersecurity incident is resolved, an agency shall continue to disclose details regarding a cybersecurity incident to the office, including:

     (1)  The number of potentially exposed records;

     (2)  The type of records potentially exposed, including health insurance information, medical information, criminal justice information, regulated information, financial information, and personal information;

     (3)  Efforts the agency is undertaking to mitigate and remediate the damage of the incident to the agency and other affected agencies; and

     (4)  The expected impact of the incident, including:

          (A)  The disruption of the agency's services;

          (B)  The effect on customers and employees that experienced data or service losses; and

          (C)  Other concerns that could potentially disrupt or degrade the confidentiality, integrity, or availability of information systems, data, or services that may affect the State or a county.

     (c)  The legislative and judicial branches may disclose to the office cybersecurity incidents that affect the confidentiality, integrity, or availability of information systems, data, or services.

     (d)  The office shall adopt rules pursuant to chapter 91 regarding the procedures and form in which an agency shall disclose cybersecurity incidents to the office.

     (e)  The office, to the extent possible, shall provide consultation services and other resources to assist agencies and the legislative and judicial branches in responding to and remediating cybersecurity incidents.

     (f)  No later than twenty days prior to the convening of each regular session, the office shall submit a report to the legislature that includes:

     (1)  All disclosed cybersecurity incidents required pursuant to this section;

     (2)  The status of those cybersecurity incidents; and

     (3)  Any response or remediation to mitigate the cybersecurity incidents.

The office shall ensure that all reports of disclosed cybersecurity incidents are communicated in a manner that protects victims of cybersecurity incidents, prevents unauthorized disclosure of cybersecurity plans and strategies, and adheres to federal and state laws regarding protection of cybersecurity information.

     §27-E  Rules.  The office may adopt rules pursuant to chapter 91 necessary to implement the purposes of this chapter."

     SECTION 2.  Chapter 27, Hawaii Revised Statutes, is amended by designating sections 27-41 to 27-45 as subpart A, entitled "General Provisions".

     SECTION 3.  (a)  No later than January 1, 2025, the office of enterprise technology services shall:

     (1)  Complete an initial round of penetration testing on the information technology systems of each agency;

     (2)  Assess vulnerabilities within those systems using the common vulnerability scoring system; and

     (3)  Work with agencies to identify and address any vulnerability threats identified having a benchmark score exceeding 3.9 on the common vulnerability scoring system.

     (b)  No later than twenty days prior to the convening of the regular session of 2025, the office of enterprise technology services shall submit a report to the legislature describing the office's progress in meeting the requirements of this section.

     (c)  As used in this section, "agency", "common vulnerability scoring system", and "penetration testing" shall have the same meanings as in section 128B-A, Hawaii Revised Statutes.

     SECTION 4.  There is appropriated out of the general revenues of the State of Hawaii the sum of $           or so much thereof as may be necessary for fiscal year 2023-2024 and the same sum or so much thereof as may be necessary for fiscal year 2024-2025 to:

     (1)  Perform the duties assigned to the office of enterprise technology services by this Act, including the creation of an offensive cybersecurity program; and

     (2)  Establish       full-time equivalent (    FTE) permanent positions necessary to perform the functions required by this Act.

     The sums appropriated shall be expended by the office of enterprise technology services for the purposes of this Act.

     SECTION 5.  In codifying the new sections added by section 1 and referenced in section 3 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.

     SECTION 6.  This Act shall take effect on July 1, 2023.

INTRODUCED BY:

_____________________________

Report Title:

Offensive Cybersecurity; Office of Enterprise Technology Services; Program; Established; Appropriations

Description:

Establishes an offensive cybersecurity program within the Office of Enterprise Technology Services to analyze and evaluate cybersecurity threats and increase cybersecurity awareness and education.  Requires the program to conduct penetration testing of state agencies to identify vulnerabilities and assess the severity of computer system security vulnerabilities using the Common Vulnerability Scoring System.  Establishes a goal for all state and county agencies to identify and address vulnerabilities having a benchmark score exceeding 3.9 on the Common Vulnerability Scoring System by January 1, 2025.  Authorizes the Office of Enterprise Technology Services to enter into memorandums of understanding and mutual aid agreements with other governments within the United States.  Makes appropriations and authorizes the establishment of positions.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.