A bill to shield state cybersecurity plans and threat assessments from public disclosure is picking up steam in Michigan’s Legislature, after some heavy revisions in the wake of the Flint water crisis.
State Rep. Kurt Heise introduced the bill last May, but it only reached the floor of the House last week after it cleared the chamber’s Committee on Natural Resources.
Though the bill is now designed to exempt records on state “cybersecurity plans, assessments, or vulnerabilities” from release under Michigan’s Freedom of Information Act, Heise originally intended it to also shield records that might disclose “critical energy infrastructure information.”
That stipulation attracted some pushback from environmental groups at the time, but as details about state regulators’ failures to respond to lead contamination in Flint’s water pipelines attracted public outcry over the last few months, the notion of shrouding energy infrastructure in secrecy quickly became politically toxic. Accordingly, Heise told StateScoop that he agreed to drop that section of the bill and make it “a lot more palatable to folks on all sides.”
“This is just not a great time in history to be dealing with the energy issue, especially in Michigan,” Heise said. “But this is the legislative process, there’s give and take. You can’t always get what you want, so we compromised.”
With that controversy avoided, Heise is hoping to see some movement on an issue that he feels is critically important for the state to address. Specifically, he worries that infrastructure providers like telecom companies will be increasingly hesitant to share cybersecurity information with the state if they believe those plans can be accessed through public records requests.
“There has to be a give and take, and I certainly don’t want them to give us their information, only to have a third party use the FOIA laws against us to obtain that information, which then can be used to undermine their cyber operations,” Heise said.
But even with the energy provision removed, some open government groups continue to oppose the bill.
Lisa McGraw, public affairs manager for the Michigan Press Association, said her group was “grateful” that the energy infrastructure exemption was removed, since “exempting any sort of infrastructure from FOIA doesn’t seem very expedient right now, given what’s gone on in Flint.” Yet, she still feels that Heise’s revised bill is misguided.
“We still have concerns that the language exempting cybersecurity plans could be over-reaching and have unintended consequences,” McGraw said. “We’re just worried that, ultimately, if there was some sort of problem, it could prevent the public from having access to information under the guise of cybersecurity of our state employees’ computers.”
Indeed, McGraw believes the terms of the bill are so “broadly defined” that it would give state agencies outsized power to shield information from disclosure. While the bill does provide some definitions of what documents constitute cybersecurity plans or threat assessments, opponents charge that a section exempting “information that would identify or provide a means of identifying a person that may, as a result of disclosure of the information, become a victim of a cybersecurity incident” could give the state the latitude to withhold all kinds of data unrelated to cybersecurity.
“[That] pretty much defines all information,” wrote state Rep. Martin Howrylak in testimony submitted to the committee considering the bill. “Please take a look at this language and seek to sharpen its focus.”
But Heise argued that the bill only limits the disclosure of information in a “narrow sense” to prevent cyber attackers from “stealing people’s identities and ruining people’s credit and undermining banking.” As evidence of the importance of its cybersecurity provisions, he noted that representatives from the Michigan State Police and the Michigan National Guard testified in support of the bill.
“I know that there are some folks from the Michigan Press Association, maybe some others in the media, that might give us some pushback, but that’s their job, frankly,” Heise said. “The bill does not totally prohibit access to that information, it only provides more safeguards.”
Yet McGraw charges that, even if those security concerns are valid, state and federal law already include exemptions to protect cyber information. Specifically, Michigan’s FOIA already protects “records or information of measures designed to protect the security or safety of persons or property,” and McGraw thinks piling on additional exemptions could have a chilling effect on disclosures.
“Those protections are in place already,” McGraw said.
Accordingly, she hopes “to continue working on further compromise” on the bill, and believes that other lawmakers share her group’s concerns.
But Heise pointed to the House committee’s unanimous vote to move the bill to the floor as evidence of its support, and he’s hopeful lawmakers will vote on it “within the next 30 days.”
“This is a pretty important part of legislation,” Heise said. “We need to get that done and get that moving.”
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.