The Broadband Task Force met today to talk about cyber security. It was an interesting conversation – especially if you have a technology business or o any sort of technology contracting/consulting. The focus shifted a bit on finding legislation to encourage better cyber security to making recommendations that might support better security and privacy especially for government agencies, business and nonprofits.

10:00 a.m. – 10:15 a.m.  Introductions, Approval of Minutes, Public Comments

Notes approved

10:15 a.m. – 10:30 a.m. Update from the Office of Broadband Development (OBD)

New team members (David) will be doing support. Old team member (Ryan) is leaving for a new job and we are looking for a replacement. We want someone with planning, data and GIS

The NEW grant applications are open today.

Construction on OLD grant projects has been hiccupped due to rain but still on track for completion.

New maps are out now. If you know there are inaccuracies, please let OBD know. They have validators coming to the state and any heads up on questionable areas is appreciated.

We are helping people understand the new applications. (They have done webinars on the changes and the archive is possible.)

We expect a lot of applications and applications for new types of projects.

Working on a meeting on digital inclusion.

K12 efforts are still happening. But stalled. Recent Legislation included the wireless pilot project and we are helping them put that grant together.

USAC is looping us into conversations on changes in lifeline.

10:30 a.m. —11:00 a.m. Protocol for Working Together

We need some rules of engagement.

Sometimes the MHTA has different opinions than the Task Force. We try to differentiate the MHTA opinions from Task Force opinions, especially with different letterhead.

The position of the TF is not always the same as my clients. We need to make our positions clear at the TF. I don’t see my role as speaking for the TF but I try to be clear that I don’t speak for the TF.

There have been some heated moments and maybe part of the issue is that we don’t leave time to discuss the prickly topics.

How can we handle these differences in and out of the Task Force?

Maybe we need to have an understood and clear process with how we are going to work through any conflicts.

The OBD makes a list of their legislative topics early on and that helps us stay on track.

Between now and August maybe we need to make a list of “live issues” and do a survey on how folks feel about those issues. That is how we took care of speed goals last year. Last year we were pretty divided so a couple of us worked on it.

So we could start on that.

Maybe we need to have time each meeting to discuss the potential policy aspects of each presentation/meeting content. Then if we feel there are topics that need to be addressed the sub-committee in the driver’s seat can take the lead on how to go farther.

Last month, someone was asked to write up the meetings notes to track what we are observing and what might make sense in terms of formal policy decisions.

What did we can we’d do this year?

Affordability – definition of affordability to start.

Taking the temperature of how people feel about policy each meeting would be useful.

Can we get a presentation on the OBD maps?

11:00 a.m. – 12:00 p.m. Melissa Krasnow, Dorsey—Data Breaches and Cybersecurity Plus State Comparison on Cybersecurity Efforts

Security is well regulated.

If you’re a broadband provider or contractor, what laws apply to you? It’s constantly changing. I’m hoping to share with you what I look at on these topics.

Most issues aren’t legal. It’s happens when breaches happen. Target doesn’t think of themselves as being regulated but it is the standard. Retail measures themselves against Target’s response.

FCC wants to regulate broadband providers and privacy.

How much info does a provider get to see?

If the company has a breach – the provider knows as much as the impacted.

There’s a bill to thwart FCC action. The FCC says we have a duty to protect consumer privacy. This would heighted data breach and cyber security.

They are looking at a law that says if there’s a data breach you have to report it – to the FCC and potentially to the FBI and secret service.

When the Target breach happens they have to notify the folks who were affected BUT not authorities. If it’s nonfinancial but criminal they notify the FBI. The FBI is often more effective than local police. They have a cyber-security department. BUT right now this is not law – but they are looking at it.

The FBI is way too busy. The secret service is not as busy.

Sometimes you don’t know if there’s been a breach. Target for example – didn’t know the depth of the breach. Minnesota law says you have to notify the affected immediately. Each state has a different law.

Best advice – be prepared.

How do you minimize breaches? Protocols and preparation.

The FCC is looking to pre-empt state laws. That’s a problem. It won’t work in this context. One options is using the FCC rules as the floor. If the state law is more stringent, you could go with that.

The recommendation is to follow the issue and keep an eye on it.

There is a federal law proposal that include the DHS and includes federal breach notification.

One problem is that the FCC doesn’t regulate everyone. Google is out of their realm. They don’t regulate wireless.

It seems like these rules are punitive to the victims (businesses) that have been hacked. It’s like blaming the bank for getting robbed. We are always trying to stay ahead and it’s very difficult.

It’s the type of crime unlike physical crime – where the answer is call the police. The victim is blamed.

A notification letter is also part of public record.

Tomorrow I will be part of a closed meeting at the city because of a cyber breach. The records have been held hostage – we will find out tomorrow the extent of the damage.

MN Data Practices Act

Data Security – if there’s a breach. Who is going to be the fall guy?

It’s like the hockey goalie – you don’t always get credit for the goals blocked but you will get blamed for the goals scored.

And maybe the security breach is the problem of the guy who just left.

Breach Notification

• Have to tell the person impacted
• Have to prepare a report
• If more than 1000 people were impacted you have to notify the big three credit reporting agencies
• Must inform MN Office of the Legislative Auditor

If you don’t comply with notification there are remedies and penalties

• Action for damages
• Injunction
• Action to compel compliance
• Criminal charges

Data Security Risk Oversight

So would grant recipients have to adhere to these rules?

For the purposes of the length of the contract – for the existence of the contract or the asset?

• Probably asset. The role of the contractor is to provide as much info as possible. Usually in contracts they do agree to comply and cooperate.

The state doesn’t own the infrastructure. But they have helped pay for the deployment. It’s more like capital investment funding. At what point is the state responsible/no responsible for the security.

• Actually given that scenario – the state is probably not responsible.

Is a broadband provider an information service or common carrier? This is a big issue.

The FCC is saying it’s more like a subway. You are responsible for keeping the car and the track safe.

The justification for Title 2 was that ISPs only move data. Not they are saying the ISPs are doing stuff with data.

Minnesota Business Corporation

• Directors are responsible – that’s being discussed
• Target issuedd an impressive report on this topic

Lessons to prevent

• Prepare for a breach
• Be careful with what is publicly said – prepare for reactions

Notes that seemed helpful

• Try not to ask for SSN
• It’s not always the law – it’s the contract

Where does cyber-security usually live in a nonprofit?

• Usually the audit committee
• But it comes down to the organization
• New question – do you need a technology committee.
• Need to discussion laws, guidance and contracts
• Learn from breaches.

What are the recommendations for nonprofit boards?

• CIO should be involved
• Promote awareness inside of the organization
• Preamble from top down

Other States’ Laws

• NO governement data privacy
• 12 sate have laws address cyber security prevention
• 47 state have talked about disclosure

Recommendations

• Monitor the laws
• Determine which laws relate to you
• Inventory and maintain contracts so they are readily available, review policy provisions
• Conduct training and awareness
• Consider cyber liability insurance

12:00 p.m. – 12:30 p.m. Lunch with presentation by Minnesota State Representative Pat Garofalo, National Council of State Legislatures Executive Committee Task Force on Cybersecurity

1. Get more people involved with cyber security – encourage young people to get into cyber security
2. Standardization – we must have physical separation of transport. It’s more expensive but it’s too important to ignore
3. The US is a prime target – we need to recognize that and we need to recognize the impact of technology on all infrastructure.
4. Public policy – understand the limitations of policy. There are 1-2 legislators that are qualified to talk about this. It’s too important to let elected official decide. Statewide funding should be available for security. We need to understand the importance – without public understanding, there won’t be public support for funding.

Questions:

What can we do to promote education with legislators?
Let them know that it’s really important and too difficult for legislators to understand to the depth they need to understand.

How do we compare to other states?
We’re in the middle of the pack. Where are we in compared to our potential? We’re far behind.

You mention nuclear as an infrastructure worth watching?
There’s a lot of radioactive materials going through the state right now. We need policies that are looking at that issue, and others:
Energy generation and distribution – is concerning.
Refineries are issues.
Air traffic control is an issue.
Much of this is privately held but critical infrastructure needs critical infrastructure.
There are dams that are remote controlled (not in MN); that’s scary.

What can we do about having private meetings given the Open Meeting and Data Practice laws?
IDs and passwords are not subject to data practices laws. We have not been limited by these laws – and I move toward moving this away from elected officials.

12:30 p.m. –12:45 p.m. Break

12:45 p.m. – 1:45 p.m. The Cyber Threat Landscape and Q&A – Michael Krause, Supervisory Special Agent, Federal Bureau of Investigation [PPT to follow – when I get it]

Cyber Threats will surpass terrorist threats soon – if not already.

We see stories in the news about serious breaches. They attack governments, banks, infrastructure and others.

Best cyber security – unplug your computer. Kind of a joke but ironically very old infrastructure is sometimes impenetrable because it requires manual manipulation – not remote.

Some nations feel like responsibility for protecting information really remains with the owner of the information.

There’s a whole cyber underground economy – Criminals, organized crime are starting to specialize in skills and needs.

We are usually the person to make a connection with a commercial entity about a breach – more often than they contact us.

IN 2003 there were 500 million devices on the Internet; soon there will be 500 billion. Each is an opportunity for breach.

Password123 is still the most common password. Small companies assume someone else is taking care of this – and they aren’t.

Threat overview:

• Hacktivists
• Criminals
• Insiders
• Espionage
• Terrorists
• Warfare (There have only been two known incidents in the US)

What is at risk?

• Reputation
• Money
• Competitive advantage
• Civil liberty
• Regulatory or Criminal liability (POLICY POINT – what is the role of the provider in providing protection)

Ransomware – software that will attack and encrypt your files

Business email compromise – CEO impersonation

Trends

• Human element
• Vendor/Third Party
• Lack of planning
• Failure to follow business practices
• Healthcare up/Financial down
• Make specialized for the less skilled
• Continually evolving

Question – is there a way to get everyone to work together to share info to recognize patterns to build intelligence?
The infrastructure isn’t there right now. The financial sector is farthest along.

Questions – what about the small company (maybe PR) and someone comes in to steal information with very local value. Where do they turn?
There is no good capacity. We’ll take the call and turn it over to Secret Service. We’ll check with our databases for similarities. If it doesn’t intersect, it will sit in our system.
Locals unfortunately really lack the services and capacity to meet these needs.

Questions – are there any states that have done a good job?
One good example is the Task Force in Utah. They do it jointly with the FBI task force. FBI is multi-jurisdictional. The Inspector General took it over – they only focus on crimes that focus on Utah.
That model has been tried here but no one has that capacity here.

Three parts to cyber investigation

• Computer forensics
• Cybercrime and crimes against children
• Compromising others’ systems

Question – where should that rest?
I’m meeting with BCA

Question – should we recommend funding for cyber investigation?
We need to build the expertise. We struggle to hire people. We need to build interest and skills locally.

Question – what’s the interaction with Secret Service?
We work to help victims/clients get to where they need to be. We work with Secret Service.

Question – what is the dark internet?
The internet is wide open. If you shut it down you run the risk of shutting down the good with the bad. You can setup servers and communities in countries that don’t prosecute cybercrime. And from there you can store a lot of things.

1:45 p.m. – 2:15 p.m. Task Force Discussion of Cybersecurity

What to add in the next report:

We need a few sentences on STEM and using it to encourage cyber security training and all tech training.

We need higher education (community college) classes that meet these needs too. And we need to make sure that folks who are involved in other getting other skills (manufacturing) understand technology/security too.

Generalist training can be as valuable as specialized training – because the specialized training does get outdated and specialties get overcome.

Let’s look to see what we’ve said in previous reports.

Maybe there’s a role for Chambers of Commerce, Trade Associations…

Governance issues are important. Where there are CIOs I public entities – they need to make decisions with leadership. It will help organization be proactive – not reactive.

Should we post best practices and consumer advice on the State website? Public libraries may have a role here.

It’s too late at the disclosure stage. We need to focus on prevention.

Legislation should not get out too far ahead of this issue. Maybe there’s a lot happening outside the state.

There is a National Governors’ task force on cyber security. Maybe we want to keep in touch with them – or the MN rep. Commissioner Baden has also been interested in a private-public group to take this on.

Maybe we can get some recent security stats.

2:15 p.m. – 2:45 p.m. Subcommittee Updates

Affordability – taking on next meeting

• We want to define what is affordable.
• We have providers come in to talk about their low income programs
• Talk about FCC Lifeline
• BEVCOMM is coming in to talk about the impact of the border to border grant program

Discussion of the agenda

Maybe we could have Sally Fineday come in to talk about issues on tribal lands

We need to understand who is using the provider programs and who is using them. We need to hear from the folks those programs target to learn how well its working.

But we don’t want to put the providers in an awkward position by having to report on the proprietary information on success of the programs. And it’s not fair to have someone come in who uses their program.

Maybe San Drong would be a good person to get likely candidates to come to talk about their experience.

Maybe we could get in-take specialists to come in to talk.

To get the word out, you need to find a champion. We found one in our area.

It’s more valuable to have someone who talks to lots of people with connections to users of these programs rather than talking to a person or two using the program.

We might also add someone from K12 to talk about how affordability of broadband has an impact on education.

Dig Once

We are writing something up.

We are working on a conference call for directions.

Wrap Up, Plans for August Meeting, Adjourn