Correction: An earlier version of this article misstated the voting record on HB 2009.
In late 2020, the federal government revealed that it was a victim of cyber attacks, affecting approximately 30 U.S. government agencies, companies and think tanks, according to NPR.
Despite national cyber security and data concerns, state officials in charge of Pennsylvania’s efforts to combat cyber attacks and prevent data breaches are confident the commonwealth’s systems are safe.
Daniel Egan, a spokesman for the Pennsylvania Office of Administration (OA), which oversees the state’s cybersecurity and IT needs, told the Capital-Star that “Pennsylvania is a recognized leader among states in cybersecurity,” by various organizations, including the National Association of State Chief Information Officers.
“We are constantly evaluating our cybersecurity practices and capabilities, and utilize multiple layers of security and industry standards, to safeguard against potential threats,” he said.
Egan said the commonwealth has developed detailed plans to address cybersecurity concerns by working with partners in the federal, state and local government, as well as higher education, law enforcement and the private sector.
“We work with other jurisdictions through a combination of collaboration, information sharing and shared services. For example, the commonwealth provides local governments with access to security awareness training and the ability to conduct social engineering exercises with their employees at no cost to them,” Egan said. “In order to protect the commonwealth’s cybersecurity posture, we cannot discuss the specific tools or capabilities that we may use.”
Thanks to these shared resources and partnerships, Egan said Pennsylvania is able to “quickly identify and mitigate potential security incidents.”
Citing security concerns, Egan could not give any specifics to the Capital-Star, but said, “We safeguard data using multiple layers of security and industry standards, to safeguard against potential threats. In many cases, policies are enforced through technical solutions, standards and tools.”
Pennsylvania’s cyber security measures are tested for effectiveness, Egan said, providing an example.
“One aspect of our security awareness training is showing users how to recognize potential social engineering emails (i.e. phishing),” he said. “We conduct social engineering exercises to assess whether users are applying the techniques for identifying phishing emails that are shown in the training. We can use this information to refine the training or target additional training to specific groups of employees.”
On the Books
However, the Office of Administration’s confidence in Pennsylvania’s cyber security measures is not shared by all.
In fact, Pennsylvania’s cyber security and IT governance procedures have already been the subject of one House bill this session.
Just last week, the House State Government Committee tabled HB40, sponsored by state Rep. Seth Grove, R-York, that would have established IT governance and oversight, including an Office of Information Technology (OIT) at the state level.
This would have marked a shift in Pennsylvania’s approach to IT governance and oversight since the commonwealth’s current OA/OIT, along with its top role – Chief Information Officer (CIO) – were created by executive order rather than state law.
Executive orders and appointments to these roles are not uncommon, according to the National Conference of State Legislatures. In fact, only 15 states have statutes establishing chief information security officers (CISOs) despite the fact that nearly all 50 states have that post.
Additionally, just nine states have information technology governance and structure attached to state laws.
Grove’s proposal was not the first bill in recent sessions to propose new IT governance and oversight measures.
In 2019, two state House lawmakers introduced bipartisan legislation that would have created a first-of-its-kind cybersecurity oversight board in Pennsylvania.
Sponsored by state Reps. Malcolm Kenyatta, D-Philadelphia, and Andrew Lewis, R-Dauphin, HB 2009 would have established the Cybersecurity Coordination Board.
If it had been approved, the new oversight board would have “[protected] data by conducting cybersecurity audits and improving security and privacy standards,” Kenyatta said. “The board would also collaborate with businesses and academic institutions to assist in providing effective cybersecurity safety awareness and education.”
Kenyatta said he believes the board is necessary, citing public testimony provided by the Office of Administration, which found that there were 21.7 billion attempts to attack the agency’s firewall.
On one day, the OA staved off 703 million attempted hacks, OA testified, a figure that equates to 4.9 billion per week, 21.1 billion attacks per month, or 253 billion attacks per year.
Despite receiving unanimous approval from the committee and passing on second consideration without any amendments, the bill did not get a third consideration vote.
Michel Lee, a spokesperson for Kenyatta, confirmed that he plans to reintroduce the bill this session.
“As elected officials, it is our duty to ensure the safety and well-being of all Pennsylvanians and it’s imperative that cybersecurity be included among the institutions we should be safeguarding because too many Pennsylvanians have been drastically impacted by cyber-attacks,” Kenyatta told the Capital-Star.