Lawmakers in Washington state are pursuing legislation that would centralize the state government’s cybersecurity operations into a single office.
The legislation, which Gov. Jay Inslee supports, was prompted by the Feb. 1 disclosure of a data breach by one of the Office of the Washington State Auditor’s software vendors. The breach at Accellion, which provides file-sharing and collaboration software, affected more than 1.6 million people, including individuals who filed for unemployment benefits in 2020, state workers, state and local government agencies and people served by the state Department of Children, Youth and Families.
While the extent of the breach, which occurred sometime in January, is still being investigated, it quickly led to a reconsideration of the state’s cybersecurity organization. Inslee called for an overhaul of the existing Office of Cybersecurity, which would take it from a division that advises a string of federated agencies on best practices to one that oversees IT security across the entirety of Washington state government.
During a state Senate hearing Tuesday, Washington Chief Information Officer Jim Weaver, who leads Washington Technology Solutions, the cybersecurity office’s parent agency, lent his support to the bill, saying it would “solidify” the state’s cybersecurity practices.
“While the legislature has provided funding to WaTech and the Office of Cybersecurity, the office has only existed in the budget and had a limited frame for operating,” he said.
The bill would codify the Office of Cybersecurity within WaTech, which itself offers IT services across the state government, and give it broader authority to establish formalized guidelines and create a suite of enterprise services it offers to agencies. Weaver called it a “thoughtful approach to managing state cyber risks.”
One of the legislation’s lead sponsors, State Sen. Reuven Carlyle, who also authored a major data privacy law enacted last year, said this week that it’s long past time to centralize government cybersecurity.
“Washington state has a ferocious addiction to decentralization,” he told the Seattle Times.
While much of the bill’s language formalizes many existing aspects of the Office of Cybersecurity, it assigns numerous duties to the chief information security officer — a role currently held by Vinod Brahmapuram — related to the continuity of government operations in the event of a major cyberattack. The CISO would be responsible for setting governmentwide standards, which agencies would be required to follow, including annual compliance certifications. Agencies would also undergo independent IT security audits at least once every three years.
The Office of Cybersecurity would have until July 2022 to develop a full catalog of enterprise services and products it makes available to agencies. Additionally, the bill would make the state CISO the chief point of contact for local governments seeking cybersecurity support from the state.