On June 29, Florida governor Ron DeSantis signed into law H.B. 1297, a bill designed to assist the state in combatting the seemingly endless attacks on the IT systems of government bodies and government-sponsored entities (such as public utilities and the like). Some noteworthy examples include:
- The May 7th ransomware attack on Colonial Pipeline, the largest fuel pipeline in the U.S. The attack caused fuel shortages in the Eastern U.S. until May 12th;
- The February intrusion into the city of Oldsmar’s water treatment system. The intruder briefly increased the amount of sodium hydroxide (i.e., lye) from 100 parts per million to 11,100. The change was caught before the public was harmed;
- Multiple ransomware attacks on Florida’s law enforcement agencies, including the 2019 attack on the St. Lucie County Sheriff’s Office. The attack resulted in the loss of network access and loss of about a week’s worth emails and documents; and
- The May, 2019 ransomware attack on the city of Riviera Breach, which forced the city to pay some $600 million in order to regain access to their network.
The new law, the State Cybersecurity Act, with $37.5 million in funding provided by a separate bill, will create a Cybersecurity Operations Center to enable the state to focus its efforts in battling cybercrime. This Center is one of 14 cybersecurity projects funded by the law; others include cybersecurity assessments and asset inventories, endpoint protection, and vulnerability management. The Act stems from the recommendations of the Florida Cybersecurity Task Force, a 15-person task force convened in October of 2019 to address cybercrimes directed against the state.
Why a Cybersecurity Operations Center?
According to IT industry analyst Gartner, “a security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.” If the media’s portrayal of darkened rooms filled with the glowing computer screens of “white had” hackers engaging in electronic battles with “black hat” hackers and other threat actors comes to mind, then this is perhaps one instance where the media is not far off the mark. While H.B. 1297 uses the phase “Cybersecurity Operations Center” versus just “Security Operations Center,” the idea is the same – create one institution where information about cybersecurity threats can be processed and evaluated, and possible or confirmed cyberattacks can be responded to as they occur. A 2019 study conducted by the Ponemon Institute cited malware attacks, exploits of existing or known vulnerabilities, spear phishing and malicious insiders as the attacks most commonly identified by SOCs. Overall, SOCs represent a crucial component in an organization’s ability to discern when it is the target of a cyberattack and to respond accordingly.
How the new law will work
Per the prescriptions of the 26-page bill, the state’s Department of Management Services (DMS) is now the lead entity responsible for assessing state agency cybersecurity risks and determining appropriate security measures to combat such risks. The Florida Digital Service (FDS), a state agency tasked with executing IT projects, will work under DMS, and must:
- Develop, and annually update by February 1 of each year, a statewide cybersecurity plan “that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident”;
- Develop and publish for use by state agencies a “cybersecurity governance framework”;
- Annually provide training for state agency information security managers and computer security incident response team members that contains training on cybersecurity, including cybersecurity, threats, trends, and best practices; and
- Operate and maintain a Cybersecurity Operations Center.
The Cybersecurity Operations Center “shall serve as a clearinghouse for threat information and coordinate with the [Florida] Department of Law Enforcement to support state agencies and their response to any confirmed or suspected cybersecurity incident.”
The prevalence and value of SOCs in government
All or nearly all states already have designated “fusion centers” which collect and share cyber threat actor intelligence with other state and local governments and with the federal government. As to their employment of SOCs, information is scarce. In a 2020 report on the SOC market, analyst firm Market Research Future stated that “[t]he government segment [of the SOC market] held the second-largest market in 2017, valued at USD 4,875.01 million; it is projected to exhibit a CAGR [compound annual growth rate] of 12.60%.” So, while the market for government SOCs is valued at nearly $5 billion and growing at double-digit rates, the pervasiveness of SOCs is perhaps best implied by looking at cybersecurity legislation. For example, in February of 2019, the North Dakota state legislature passed S.B. 2110, which placed the North Dakota Information Technology Department (NDIT) in charge of protecting the state’s 400 public entities from threat actors. It is likely that an effective defense of those entities will necessarily incorporate a SOC. For those government entities that cannot justify housing a SOC internally, the U.S. General Services Administration (GSA), the purchasing body of the federal government, has suggested the use of outsourced SOCs, so-called SOCs-as-a-Service or SOCaaS.
The Florida law and the future of SOCs in state and local government
The State Cybersecurity Act may be the first state statute to specifically mandate the creation of a SOC as part of a larger effort to battle cybercrime. Others are almost certainly on the way. On May 12 of this year, Washington state Governor Jay Inslee signed into law S.B. 5432, a bill that consolidates all state cybersecurity operations into one agency, the Office of Cybersecurity. This law was passed in the wake of an attack on Accellion, an IT services provider, that exposed the personal information of 1.3 million Washington residents. As with the North Dakota statute, the new law does not per se mandate the creation of a SOC; however, detecting and responding to electronic attacks by threat actors in real time all but requires the creation of one. While SOCs are a critical component in protecting government IT and information, the Ponemon Institute study indicated that, at least in the private sector, SOCs have to improve their effectiveness in order to justify their expense. It may well be that SOCs truly come into their own in the state and local government sector.
On Wednesday, July 21, I will be moderating a discussion on H.B. 1297 entitled Florida Bill HB 1297: What Is It and What Does It Mean For My IT Security Team? Presenters include Heath Beach, Co-Founder & Managing Partner of Avail Strategies, and Trace Hollifield, Sr Security Architect at Guidepoint Security. You can register for the webinar here or watch-on-demand after the webinar takes place.