State

Texas signals potential changes to cybersecurity policies

A report from the Texas Department of Information Resources includes numerous recommendations it will make to the state legislature.

By Colin Wood

November 17, 2022

(Getty Images)

There could be some sizable changes coming to how Texas, the nation’s second-most populous state, manages cybersecurity, according to a biennial report published Thursday by the state Department of Information Resources.

The report, which looks back on two years of progress the state’s IT division has made relative to the goals outlined in its strategic plan, also includes recommendations it soon plans to present before state lawmakers. These include creating new cyber-incident reporting requirements for local governments and school districts, requiring government entities to adopt the .gov domain, allowing information security officers to serve as joint officials presiding over several jurisdictions and establishing a statewide chief privacy officer role.

State Chief Information Officer Amanda Crawford said in a press release the report indicates “significant progress in delivering secure, innovative technology that makes government more efficient, effective, transparent, and accountable,” but the report also highlights gaps in the state’s technical capabilities and presents possible solutions, many related to Texas’ cyber capabilities.

Texas could have “a more complete picture” of the cybersecurity landscape and “prevent future attacks” if K-12 districts were held to the same 24-hour reporting requirement for cyber incidents that state agencies and higher education institutions must currently meet, according to the report.

“This incongruent reporting of cybersecurity incidents may hinder Texas in tracking trends and understanding the scope and complexity of cyberattacks as well as how they may be related to another cyberattack,” the report reads.

A March report from the K12 Security Information Exchange blamed weak disclosure requirements at school districts for a nationwide undercount of cyber incidents. The group counted 166 incidents across 162 districts nationwide in 2021, but surmised the actual number of incidents may be 10 to 20 times greater.

New domain, old workforce

The Texas report also recommended requiring all government entities in the state migrate their web presences to a .gov domain to reduce fraud. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which manages the top-level domain, waived the $400 fee to register shortly after taking over its administration last year, but adoption has still only trodded along since. One projection says it will take 15 years at the current rate to reach 100% government adoption of the .gov domain.

Texas also in its report cites a nationwide shortage of cybersecurity professionals who are equipped to fill the role of information security officer, which it called a “vital role.” To solve this problem, the state IT division recommended changing the current rules to allow its current ISOs to serve as joint ISOs, presiding over two or more agencies. A recent report from the National Association of State Chief Information Officers called out such workforce issues faced by government, characterizing them as nearing a “crisis.”

Cyber policies, blockchain movement

The Texas report shows it’s also considering joining the ranks of states that have a statewide role for managing data privacy. More than 20 states currently have a chief privacy officer. In Texas, the role would help instate best practices across agencies to bolster cybersecurity and help educate the public about how to protect their personal information.

The report showed that Texas agencies are finding mixed success in their cybersecurity policies. Eighty-two percent of Texas agencies reported that they regularly review or revise their cybersecurity incident response plans, but only half said they had adequate resources to address security incidents. The sophistication of cyber threats and lack of funding were named as the top two challenges facing agencies seeking to manage their cybersecurity.

Beyond cybersecurity, Texas still has its eye on blockchain, the distributed ledger technology best known for backing cryptocurrencies. Blockchain has mostly fizzled out in state government, CIOs have told StateScoop, but the Texas report recommends that the state’s blockchain working group, which was created last year by House Bill 1576, educate public-sector organizations on the technology’s best practices.

“Best practices could include, but are not limited to, defining blockchain benefits, use cases, contractual language, development of a blockchain innovation/center of excellence, and education or curriculum development,” the report reads.