Texas signals potential cybersecurity policy changes

Written by Colin Wood

There could be some notable changes in how Texas, the nation’s second most populous state, manages cybersecurity, according to a biennial report released Thursday by the state Department of Information Resources.

The report, which looks back on two years of progress the state’s IT department has made towards the goals outlined in its strategic plan, also includes recommendations it plans to submit soon to the state legislature. These include creating new cyber incident reporting requirements for local governments and school districts, requiring government agencies to adopt the .gov domain, allowing information security officers to serve as joint officers in multiple jurisdictions, and establishing a statewide role as Chief Privacy Officer.

Amanda Crawford, the state’s chief information officer, said in a press release that the report shows “significant advances in delivering safe, innovative technologies that make government more efficient, effective, transparent and accountable,” but the report also highlights gaps in the state’s technical capabilities and presents possible solutions, many related to Texas’ cyber capabilities.

Texas could have a “more complete picture” of the cybersecurity landscape and “prevent future attacks” if K-12 districts were bound to the same 24-hour cyber incident reporting requirements that state agencies and higher education institutions are currently required to meet, the report said.

“This incongruous reporting of cybersecurity incidents can prevent Texas from tracking trends and understanding the scope and complexity of cyberattacks and how they may be related to another cyberattack,” the report said.

A March report by the K12 Security Information Exchange blamed weak disclosure requirements in school districts for a nationwide undercount of cyber incidents. The group counted 166 incidents in 162 districts nationwide in 2021, but suspected the actual number of incidents could be 10 to 20 times higher.

New domain, old staff

The Texas report also recommended that all state government agencies migrate their websites to a .gov domain to reduce fraud. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which administers the top-level domain, waived the $400 registration fee shortly after taking over administration last year, but adoption has been slow since then. One forecast is that at the current rate, it will take 15 years for government to reach 100% adoption of the .gov domain.

Texas also notes in its report a statewide shortage of cybersecurity professionals able to fill the role of information security officer, which it describes as a “vital role.” To solve this problem, the state’s IT department recommended changing the current rules to allow existing ISOs to act as joint ISOs presiding over two or more agencies. A recent report by the National Association of State Chief Information Officers described such human resource issues facing government as on the verge of a “crisis.”

Cyber policies, blockchain movement

The Texas report shows that it is also considering joining states that have a statewide role in managing privacy. More than 20 states currently have a chief privacy officer. In Texas, the role would help establish best practices across government agencies to strengthen cybersecurity and educate the public on how to protect their personal information.

The report showed that Texas authorities are having mixed success with their cybersecurity policies. Eighty-two percent of Texas government agencies said they regularly review or revise their cybersecurity incident response plans, but only half said they have adequate resources to address security incidents. Sophistication of cyber threats and lack of funding were cited as the top two challenges agencies face when trying to manage their cybersecurity.

Beyond cybersecurity, Texas is still eyeing blockchain, the distributed ledger technology best known for supporting cryptocurrencies. Blockchain has mostly fizzled out in state government, CIOs told StateScoop, but the Texas report recommends that the state’s Blockchain Working Group, established by House Bill 1576 last year, educate public sector organizations about the technology’s best practices.

“Best practices could include, but are not limited to, defining blockchain benefits, use cases, contract language, developing a blockchain innovation/competence center, and developing education or curriculum,” the report said.