By Sen. Matt Boehnke
Sometimes, something dramatic can shake people and institutions out of their complacency.
Such was the case two summers ago when a group of extortionists stole data from the owners and operators of a critical American fuel pipeline. The hackers, calling themselves DarkSide and believed to be operating from eastern Europe, used malware to encrypt Colonial Pipeline’s data, then demanded payment before they would release it.
The resulting, pre-emptive shutdown of the pipeline meant tens of thousands of ordinary Americans and several industries no longer had access to critical fuel. Colonial handed over nearly $5 million in untraceable Bitcoins to recover its data, after which it reopened the pipelines and got the gas flowing again.
The Colonial Pipeline ransomware attack changed the view of cybersecurity. It showed how critical areas of the energy infrastructure – public and private – are at risk like never before.
Congress, the media, corporations, and the general public began asking what could be done to better prepare for the next – and inevitable – cyber-attack. The answer seems clear: We must take aggressive action to limit cyber-attacks, be ready when an attack occurs, and be able to bounce back from an attack quickly.
My interest in data protection predates my service as a state legislator. Since 2015, I have served as director and lead professor of the cybersecurity division at Columbia Basin College in Pasco. I also have over 32 years of experience in data privacy and cybersecurity, mainly in the military, working with classified data systems.
I have seen how crippling a cyber-attack can be and the high price organizations pay for failing to prepare and coordinate a defense against these attacks properly.
Cybersecurity is a complex, multifaceted challenge. A lack of coordination, miscommunication, and gaps in policy can leave us vulnerable and without the policies, strategies, and other tools needed to protect Washingtonians and their data.
To address this, I have introduced legislation in Olympia that seeks to centralize and refine plans and technology to protect everyone from cybersecurity threats better.
Senate Bill 5518 would cut across three state agencies. It would establish a Cybersecurity Advisory Committee as a state Emergency Management Council subcommittee and create a security subcommittee within the state Technology Services Board.
It would also expand the Department of Commerce’s authority regarding energy-related activities, including preparing and updating contingency plans for securing energy infrastructure against all physical and cybersecurity threats.
Malicious cyber-attacks, such as ransomware, can devastate people, companies, state agencies, and even our economy. The agency restructuring mandated by my bill would better coordinate cybersecurity efforts and assess best practices for preventing and responding to attacks.
SB 5518 passed the Senate with unanimous support on March 2, and cleared the House State Government and Tribal Relations Committee on March 22. With hard work and good luck, it should continue through the legislative process and eventually reach the governor’s desk.
A recent state audit identified gaps in agency compliance with current security policies, so we know there is still more work to do.
While the number of individuals and groups focused on hacking, taking down networks, and stealing data has remained the same, we have also seen an uptick in state-sponsored attacks. Data released by Google shows a 300% increase in cyber-attacks targeting users in NATO countries compared to 2020.
Much of this stems from the Russian president’s invasion of Ukraine, which has seen cyber-attacks become a central focus. For example, a cyber-attack intended to target Ukraine just before the February 2022 invasion also disrupted internet service for tens of thousands of Europeans. Another attack that April hit the Deutsche Windtechnik-operated wind farm in Germany.
Furthermore, the Chinese Communist Party has also stepped up its intelligence-gathering efforts and continues to pose a long-term strategic threat to global cybersecurity.
We cannot afford to sit back and hope for the best. We must prioritize the funding, coordination, and transparency of our data-protection systems.
Washington is a tech leader among states. We can and must do better.