Texas is at risk more now than ever from cyberattacks.
That’s why — as criminals keep aggressively targeting online information ranging from credit card numbers to election data — at least one lawmaker says Texas needs to beef up its digital defense.
The state, of course, has countless cybersecurity systems and firewalls in place to protect against the estimated 5 billion attacks that occur each month on government computers and systems.
But that’s not enough, said state Rep. Giovanni Capriglione, R-Southlake.
“There are all these cybercriminals and terrorist organizations trying to find weaknesses in the state’s computer systems in order to steal information,” he said. “We want to protect the databases.
“We have 254 counties ... and with cybersecurity, the weakest point is the part we are most worried about. A lot of times, criminals use the weakest point to get into the whole system.”
Capriglione has filed two bills to try to protect the state. One focuses on cybercriminals and the other calls for studies, reviews and ways to boost cybersecurity in Texas.
These bills follow reports of cyberattacks being waged against people, businesses and governmental agencies across the state.
In one Tarrant County case, a government employee last year began having problems on a computer, which led to a malicious software program penetrating an extensive security system that included at least two next-generation enterprise firewalls.
The employee’s files were locked by the attacker and a ransom was demanded before the worker could again access that data.
But the ransom wasn’t paid. Instead, an emergency computer incident response crew swept in, isolated that person’s data from the rest of the system and restored files to where they were an hour before the software attack occurred, with no information lost or stolen.
“Cybersecurity is one of those issues that isn’t on the public’s mind until something major and unexpected happens to expose the state’s vulnerability or the public’s private information,” said Brandon Rottinghaus, a political science professor at the University of Houston. “As new technology is used almost exclusively to connect citizens to government through state agencies, measures need to be taken to safeguard Texans’ privacy.”
Capriglione said he hopes the bills he has filed — The Texas Cybersecurity Act and The Texas Cybercrime Act — will prevent people from messing with Texas.
This is a long war that we will be waging.
State Rep. Giovanni Capriglione, R-Southlake
If the measures become law, Capriglione said he believes they will move Texas “a big step forward” in staying safe.
“This is a long war that we will be waging,” he said. “We just want to do it in a smart way, starting right now.”
In the wake of an increasing number of cyberattacks from criminals and foreign governments — even questions about Russia’s influence on the election due to cyber activity — cybersecurity has become a national priority.
“Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards,” according to the U.S. Department of Homeland Security. “Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.”
In Texas, Capriglione and other lawmakers have been studying the issue, talking with government officials and security experts and advisers, trying to determine the best legislative options to address the problem.
He’s heard about the cyberattacks that have hit cities, counties, the state, businesses and Texans, as cybercriminals work to gain government employee credentials, travel itineraries, credit card information, social security numbers and more.
They want information they can sell, use to find more information or help them create custom attacks.
“A wide range of attacks are coming from all over the world,” Capriglione said, citing problems such as phishing, when attackers send emails hoping to gain personal information such as credit card numbers and passwords from victims, to ransomware, a malicious system that blocks people out of their own system until they pay a “ransom.”
So Capriglione filed House Bill 8, the Texas Cybersecurity Act.
The measure calls for an audit of Texas systems, training on how to respond to risks and attacks, a review of state digital data storage and a state response plan that can be used in the event of a cyberattack to be created no later than Sept. 1, 2018.
Part of the bill asks the Texas Rangers to study cyberattacks on election infrastructure, including looking at vulnerabilities and risks regarding county voting machines and the lists of registered voters. It also seeks information on any attempted cyberattack against county voting systems and any recommendations to protect election machines and lists of registered voters.
Concerns about election tampering spiked during and after the presidential election, pulling the issue from relative obscurity directly to the attention of lawmakers.
Brandon Rottinghaus, political science professor at University of Houston
“Concerns about election tampering spiked during and after the presidential election, pulling the issue from relative obscurity directly to the attention of lawmakers,” Rottinghaus, the UH professor, said. “This kind of emergency helps to get attention to otherwise obscure legislation and get it passed.”
The measure also would create a cybersecurity task force to coordinate cybersecurity resources and develop guidelines — and a cyber sharing task force to determine best practices of cybersecurity for the state. It also requires state agencies to contract with independent third parties to audit security risks, destroy personally identifiable information and establish mandatory guidelines for cybersecurity certification.
Capriglione did say this bill could cost the state around $20 million, which he realizes is a lot of money, particularly in an already-tight budget year.
“I think it’s going to be difficult getting money for anything” this session, he said. “But when we talk about the security and safety of our citizens, it is a priority.”
The Texas Business Leadership Council — one of many groups working with legislators about cyber security preparedness — has come out in support of HB 8.
“Strengthening our cyber infrastructure has been long overdue,” said Justin Yancy, president of the group.
HB 9, the Texas Cybercrime Act, makes it a third-degree felony if someone “intentionally interrupts or suspends access to a computer system” or network, unless the person is working on behalf of law enforcement.
It also makes it a Class A misdemeanor for someone to alter data transmitting between two computers in a network or system or introduce malware or ransomware — software that gives people access to a computer system and data without permission or requires users to pay to regain access to their data or information — on a computer, network or system.
The more costly the offense, though, the more severe the charge. If an offense involves more than $300,000, that bumps the charge up to a first-degree felony.
We need to create new laws for some of the newer attacks, to counter what people are doing. I want to make sure that private information stays private.
State Rep. Giovanni Capriglione, R-Southlake
“We need to create new laws for some of the newer attacks, to counter what people are doing,” Capriglione said. “I want to make sure that private information stays private.”
Capriglione’s bills join other cyber bills proposed in the Texas Legislature, including HB 1452, which calls for a study about cyberattacks on election infrastructure, and Senate Bill 83, regarding protecting “energy critical infrastructure from electromagnetic, geomagnetic, terrorist and cyber-attack threats.”
“Rep. Capriglione has spent months looking at how to better protect citizens’ private data,” according to a statement from House Speaker Joe Straus. “Thanks to the good work of Rep. Capriglione and several House committees, we have an opportunity to pass needed, significant cybersecurity legislation this year.”
The issue of cybersecurity came up locally last year during a Texas House County Affairs Committee meeting in Fort Worth.
At the time, local officials said they hoped state lawmakers would consider passing a measure to make sure cyber offenders would receive tough sentences.
Officials last year declined to detail the ransomware that penetrated local systems, but they said it was the first time in at least two years that anything like it had made it through firewalls.
Ransomware is a computer malware that installs on a person’s computer — or even on a tablet or smartphone — that starts to encrypt files, which prevents them from being opened by their rightful user. It could come through an email that contained a link the user may have opened.
On a computer, the software can run quietly in the background unnoticed until perhaps the wallpaper changes and a message pops up demanding a ransom and telling the user how to pay to be able to access files, photos and data again. Officials have long stressed that anyone who receives those messages should not pay.
“Cybersecurity measures make for smart conservative politics by protecting businesses who do contract with the state and safeguarding individual privacy,” Rottinghaus said.
Across the world, estimates suggest there are at least 4,000 ransomware attacks unleashed every hour.
“As the use of technology increases in our daily lives, it is more important than ever that private citizen data is protected,” Capriglione said. “We need the necessary tools to educate and protect ourselves from the rapidly evolving world of sophisticated cyberattacks.”