Iowa lawmakers look for ways to take on cyberattacks

DES MOINES — Cybersecurity is the focus of a slate of bills in the Iowa Legislature as lawmakers hope to provide resources to schools, local governments and other entities to respond to cyberattacks.

A new technology committee in the Iowa Senate was formed this year, and the state House’s technology committee is considering bills criminalizing ransomware in the Iowa Code, creating a cybersecurity unit in state government and seeking to develop cybersecurity professionals in the state, among other things.

Cyberattacks — attempts to access, damage or destroy a computer system — have been on the rise. Attacks increased by 28 percent globally in the third quarter of 2022, according to CheckPoint, a cybersecurity company. Schools, health care settings, banking and utilities are common targets, CheckPoint says.

Chris Cournoyer, a Republican from LeClaire who chairs the new Senate Technology Committee, said she wants to look at finding measures that will arm schools and local governments with the tools to defend against attacks.

“It’s really important that we pay attention to it at the state level,” she said. “And make sure that we’re providing the (Iowa chief information officer) the resources that he needs to go out and support those local governments.”

When it comes to the private sector, Cournoyer said she wants to address technology concerns without hamstringing businesses’ ability to function.

“I want to be able to responsibly use technology to protect the rights of our citizens, the privacy of our citizens, without tying the hands of our business and technology sector,” she said. “Because we want to continue to attract businesses and tech in the state.”

J.D. Scholten, a Democrat from Sioux City who sits on the House Economic Growth and Technology Committee, said he hopes the committee passes legislation that is flexible and can react to the rapid pace of technology challenges government is facing.

Some of the bills are “10 years too late,” he said.

“What I don't want is to have this as a bill that we see in several other areas, where we’re trying to adjust things from 1992 legislation,” he said. “Technology is going to be ever-evolving, and we need to make sure that we keep up with the times.”

Challenges to cybersecurity

In a presentation to the Senate Technology Committee last week, two security experts said while Iowa is in a relatively strong position on cybersecurity, challenges exist with collaboration between the public and private sectors.

Both private industry and the public sector struggle with finding people with the expertise to respond to their needs, Doug Jacobson, director of Iowa State University's cybersecurity center, told the committee. Communication between the two areas also could be improved, and private businesses aren’t always granted access to the same information as governments, he said.

Smaller organizations also can have a difficult time getting funding or accessing resources during a cyberattack, said Aaron Warner, who runs Coralville-based cybersecurity firm ProCircular.

“Those FBI case agents carry 30 cases … probably a million dollars is an average amount of ransomware that they’re dealing with, so that small accounting firm in Clarinda is going to have great difficulty getting access to those cybersecurity resources,” he said.

Ransomware

One bill passed out of a subcommittee would make it a crime to launch a ransomware attack, punishable by up to a Class C felony.

Ransomware — a type of software that disables a computer system until a sum of money is paid — is not currently a crime under state law in Iowa, and advocates said it’s an important first step in adding protections for businesses and government organizations.

Major school districts were disrupted in ransomware attacks last year. The Cedar Rapids Community School District paid a ransom after suffering a cyberattack last summer, though it did not disclose the amount paid. Weeks later, names and Social Security numbers of thousands of current and former employees may have been stolen in a cybersecurity breach at the Linn-Mar Community School District. And a hacker group claimed to have stolen troves of data from the Davenport district, and a spokesperson said the hackers demanded a ransom but it was not paid.

Sheila King, the chief information officer for Central Iowa's Heartland Area Education Agency, said schools are among the top target for ransomware attacks.

"Having penalties for violators seems like a reasonable thing," she said. "We see this as a top issue for the education community."

Mollie Ross, the vice president of operations for the Technology Association of Iowa, said the bill is a good start for protecting Iowa businesses, as well.

Ransomware is a crime on the federal level. Attacks often come from international sources, and prosecution is difficult. Still, Ross said, the state law could act as a hindrance from someone building ransomware or launching an attack in Iowa.

“Anything we can do to help prevent those attacks from happening in the first place is a good start,” she said. “Right now ransomware is technically legal in Iowa, which is pretty outrageous, I think everyone would agree.”

Some other states have made it illegal for government organizations to pay a ransom after suffering an attack, but Warner urged lawmakers not to limit options.

“It’s not a time to be taking options off the table, particularly if you’re a school district that has students that start tomorrow, and in order to make that happen you have to pay a ransom,” he said.

Cybersecurity unit

Another bill that cleared a subcommittee would create a cybersecurity unit in the state Office of the Chief Information Officer that would collect data and report on cybersecurity breaches in the state.

That bill received some pushback from lobbyists for local governments and utilities during a subcommittee meeting over concerns it would limit their ability to react to a cyberattack and would require the reporting of confidential data.

The terms of the bill give broad reporting requirements to government entities that experience a cyberattack, requiring them to report the date of the incident, the date it was discovered, what data was accessed or obtained, a list of agencies that will be notified and “additional information to the extent available.”

Doug Struyk, a lobbyist for the city of Des Moines, said he was concerned other provisions of the bill would give the state office too broad authority over how local entities can respond.

“When you read this in its entirety, it appears to be giving the cybersecurity unit the ability to manage and coordinate a response of a political subdivision to a cybersecurity event,” he said.

The Area Education Agencies of Iowa are registered in favor of the bill. King said it would create a support system for public entities.

“Any time in our public system that we can add expertise or structure to supporting cybersecurity, it seems that that is a reasonable approach and could be a good thing,” she said.

County, city essential purpose

Another bill, soon to go to a subcommittee review, would require cities and counties to protect against cyberattacks as part of their legally defined essential purposes.

The bill would allow counties broader freedom to spend public funds on cybersecurity without requiring a public vote to take on debt, said Lucas Beenken, public policy specialist for the Iowa State Association of Counties.

“We think that’s very important because of the timeliness of making those investments if they’re necessary,” he said. “Not having to wait for approval next election, special election, whatever the case may be. Sometimes these things need to happen quickly.”

Establishing training center

A cybersecurity simulation training center would be established at ISU under another bill being considered in the House. Dubbed CySim, the center is proposed to be a “cybersports complex” that would train students using simulations, challenges and scrimmages to respond to cyberattacks, according to ISU.

It would also be a resource for businesses, state agencies and other government bodies, according to the bill.

Warner said he was excited about the program because it would train experts that could fill the need seen across the state.

“Every single person in this program is a potential employee/resident in the state of Iowa,” Warner said. “They’re all very highly compensated because they’re in huge demand. They’re exactly the kind of people that we want to recruit here in the state of Iowa.”