A bill to let Florida’s state agencies keep information about network security breaches and cyberattacks confidential is now headed to Gov. Rick Scott’s desk, following months of negotiations among IT leaders, lawmakers and open government advocates.
When state Sen. Alan Hays introduced the legislation — which would create an exemption in Florida’s public records law to shield any information about breaches and reviews of the state’s cybersecurity systems from public disclosure — in October, it immediately prompted pushback.
Barbara Petersen, president of the nonprofit First Amendment Foundation, harbored serious concerns about the bill’s language, claiming that it was so broadly defined as to let state agencies withhold information unnecessarily. But Hays and staff with the Agency for State Technology worked with Petersen to address those concerns and narrowly tailor the bill’s provisions.
Now, the legislation stipulates that only “portions” of security audits or investigations into breaches can be withheld if their disclosure could threaten the security of the state’s networks. Hays told StateScoop he was “quite pleased” with that compromise, and Petersen felt “it addressed all the concerns we had.”
“People sometimes get a little wary of public records exemptions,” Erin Choy, external affairs manager for the Agency for State Technology, told StateScoop. “However, the intent for this bill was to protect vulnerable information that, if in the wrong hands, could be detrimental to the state of Florida for our critical data and assets. It was not an attempt to hide or shield any information from the public.”
State Chief Information Security Officer Danielle Alvarez said the legislation isn’t a response to any specific request they’ve received, but she felt it was important to work with lawmakers to get ahead of the curve on the issue nonetheless.
“Whenever I sit there and look at incident reports and all the information contained in them, I know what a hacker would be interested in knowing and what they could do with that information, so this is really a proactive effort,” Alvarez said.
Petersen said she’s always “understood the need” for secrecy in this area, but she threw up a caution flag when the bill was introduced to avoid any “unintended consequences” that could arise from the legislation’s language.
“If it’s threatening security, it needs to be exempt, but at the same time, we need an opportunity for agency oversight,” Petersen said.
Yet Petersen credits the IT agency’s staff for immediately working with her to resolve some of those differences. Choy agreed that teaming up with Petersen was beneficial to the process, and Hays feels this kind of cooperation helped the bill pass the Legislature with little acrimony.
“There’s certain nuts and bolts of good public policy, and this is one of those,” Hays said. “To not have this in place borders on mismanagement.”
Indeed, Choy stressed that, if signed, the bill will let agencies protect “vulnerable information” like server names or IP addresses, as well as the sensitive portions of the risk assessments each agency conducts once every three years.
“A lot of the breach reports contain the vulnerability information that, if disclosed, could allow another attacker to subsequently attack the same system,” Alvarez said. “Those reports have a tendency to have a higher value to the community that would actually launch an attack against state systems before we’ve had a chance to remediate or correct.”
If someone does file a public records request for information on a breach or audit, Alvarez said that the state would still be able to provide “high-level information” about the cyberattack and the agency’s protocols to respond to the incident. However, she believes the bill will shield technical information that might not be interesting to the general public but could be “vastly valuable to a would-be hacker.”
“It doesn’t prohibit a citizen from actually understanding that something has occurred, but the details that would allow a re-compromise are what we’re trying to protect,” Alvarez said.
Petersen finds that argument perfectly reasonable, and she said two IT experts she consulted with on the legislation agreed.
All that’s left is for Scott to sign the bill into law. Petersen confidently said that “he’ll sign it,” and Hays noted that he has “no reason to believe he won’t sign” the bill.
The legislation’s supporters won’t have to wait long for an answer — the governor’s office told StateScoop that he’s slated to act on the bill by March 26.
Should Scott give the bill his blessing, Hays thinks it will signal “that our commitment to IT security is quite strong,” and Choy hopes it can become part of a series of new laws on the books focused on IT in Florida.
“It’s been awhile since members could get excited about innovation and technology and where Florida should be in the IT landscape,” Choy said. “So we expect that with the passage of this bill and some other pieces of legislation, that there will be more focus on information technology and IT security in the next session.”
Contact the reporter who wrote this story at firstname.lastname@example.org, or follow him on Twitter at @AlexKomaSNG.