Lawmakers look for innovative solutions to cyber threats in Iowa

Amid a changing technology landscape, Iowa lawmakers are navigating complexity to provide direction for defending against threats to Iowans’ private information.

Photo illustration by Matt Sindt

Liam Halawith, Politics Editor


The new technology committee in the Iowa Senate is looking to tackle the latest frontier in lawmaking — cybersecurity.

As cybersecurity attacks become a glaring reality for Iowa’s public and private institutions to navigate, Iowa lawmakers are looking to guide public institutions and private industry with a handful of laws on topics ranging from ransomware to cyberstalking.

Cyberattacks are on the rise, with a 28 percent increase in the third quarter of 2022, according to Check Point Research. Education, health care, and government are the largest targets for cyberattacks. Education and research organizations face almost twice as many cyberattacks as other industries.

Several Iowa school districts and the University of Iowa Hospitals and Clinics have been victims of recent cyberattacks.

Mollie Ross, the Technology Association of Iowa vice president of operations, said cyberattacks are becoming more frequent in Iowa. The treasure troves of personal data stored on government servers make them targets for bad actors, she said.

With a target on their backs, state officials, lawmakers, and industry experts are working to enhance Iowa’s cybersecurity to fend off future cyberattacks and update the state’s laws regarding cybercrimes.

Revamping the state’s cybersecurity and IT agency

A major legislative priority for the Iowa House and Senate technology committees is the creation of a cybersecurity incident response task force. This task force would include the Iowa Secretary of State, the Office of the Chief Information Officer, the Iowa National Guard, and other state agencies.

The Office of the Chief Information Officer is also looking to develop a statewide cybersecurity plan for all of Iowa’s agencies and local governments to implement a standardized cybersecurity structure in the state.

The state’s Chief Information Officer Matt Behrens said his office is looking to create partnerships between public entities, private companies, and educational institutions like Iowa State University to create a multipronged approach to cybersecurity and cybersecurity education in the state.

His office is funded by fees charged to the agencies, school districts, cities, and counties that use its services.

Under Gov. Kim Reynolds’ proposal for the next budget year, the Office of the Chief Information Officer would receive $4.1 million from the state to stabilize cybersecurity for the Iowa government, Behrens said.

Aaron Warner, CEO of ProCircular — a Coralville-based security firm — said there aren’t enough resources for Iowans who are victims of cybercrimes. With the FBI’s cybersecurity unit handling mostly high-profile cases due to the large volume of complaints, Warner said Iowans need state and private companies they can go to for help.

Warner said creating education opportunities and attracting cybersecurity firms to the state will help alleviate the shortage of cybersecurity help.

New committee to create innovative solutions for cybersecurity problem

The Iowa House and Senate technology committees recently approved a bill that would standardize consumer data protections in the state. Senate File 262 and House File 346 would require corporations to disclose what data they collect from customers and create reporting requirements for consumer data breaches.

Another bill, which is currently tabled in the House and Senate committees, would allow victims of cyberattacks to defend themselves in court if they had reasonable protections against an attack, which is also standardized in the legislation.

The bill would incentivize companies to bring their cybersecurity up to national industry standards, Ross said.

Warner said lawmakers should look at regulating and prosecuting bad actors, not victims, in the wake of cybersecurity incidents.

“It’s not a time to be taking options off the table, particularly if you’re a school district that has students that start tomorrow, and to make that happen you have to pay a ransom,” Warner said.

Other legislation currently being considered by the Iowa House and Senate technology committees seeks to address gaps in the current Iowa code:

  • Criminalizing the production and distribution of ransomware — software that duplicates or encrypts a user’s files and locks them from the user — in the state.
  • Changing the definition of a county and city’s essential purpose to allow local governments to sell bonds to fund cybersecurity projects.
  • Criminalizing and providing penalties for cyberstalking.

Public-private partnerships to improve communication, knowledge on cyberattacks

Iowa lawmakers want to encourage young Iowans to fill the gap in the cybersecurity workforce. A bill in the Iowa House aims to provide funding for a cybersecurity training facility at ISU.

With a rapidly growing need for cybersecurity workers and almost 3.5 million cybersecurity job openings in 2022, according to Forbes, lawmakers want to expand ISU’s cybersecurity program to train the next generation of cybersecurity experts.

The bill would fund research and the creation of a cybersecurity simulation training center at ISU. The center would be open to businesses, students, teachers, local governments, and state officials interested in learning more about cyberattacks and how to defend against them.

Doug Jacobson, an ISU professor of cybersecurity, said cooperation and communication between education, the private sector, and the public sector would be necessary to improve cyberattack outcomes in the state.

Jacobson said a lack of information on potential threats because of poor communication can result in other agencies or businesses falling victim to similar attacks.

The Department of Homeland Security and other federal agencies hold briefings on cybersecurity threats that are hard for private cybersecurity experts to gain access to, which results in a reduced ability to fend off attacks.

During a presentation to the Senate Technology Committee, Jacobson and Warner urged lawmakers to break down roadblocks in communication between the three sectors to improve responses to cybersecurity threats in the state.

Jacobson said information is rarely shared about cybersecurity attacks because of fears of civil and criminal repercussions of the disclosure. This leads to a blockage in the flow of information that is vital to protect from cyber threats, he added.

Ross said this new frontier is complicated and that no one solution will fix it all, but a working relationship between lawmakers, state agencies, private companies, and academics will create a thriving cybersecurity workforce.

“There is no silver bullet that’s going to stop all of the threat actors out there, but where we can partner with our state legislature and public entities to provide support for private industry and others to work against the threats that exist,” Ross said. “We appreciate the creativity the legislature has expressed in trying new ideas and trying to do what they can to keep pace with the technology industry.”