Public Comments for 01/31/2022 Communications, Technology and Innovation
HB466 - Volunteer cybersecurity and information technology; Sec. of Admin. to establish register.

Last Name: Mead Organization: City Council, City of Staunton, Virginia Locality: City of Staunton

HB1290 | Hayes | Public bodies; security of government databases and data communications. As a member of Staunton City Council I oppose this bill.
Time Constraint: 24 hours is not enough time to properly assess the extent of the situation, formulate the best strategy, and speak with staff and other individuals affected.
Definitions: I have serious concerns about the lack of definition of “incident”. Without a definitive definition the term “incident” becomes extremely vague, allowing for misinterpretation of what constitutes an incident that must be reported. Secondly, there is no specific language on what needs to be reported, once again allowing for misinterpretation of what must be reported.
Reporting: HB1290 requires the public body to report the incident to the State before having the opportunity to discuss the matter with the City's insurance company, provider, or agency of choice. This creates another reporting mandate for public bodies. Before The Virginia Information Technologies Agency, working with state and local stakeholders, should develop and publish guidance concerning the scope and implementation of the required incident reporting.

HB1177 - Virginia Digital Service; established, duties.

HB1290 - Public bodies; security of government databases and data communications, report.
Last Name: Hensel Organization: Virginia Risk Sharing Association Locality: Richmond

Good morning Chair and Committee, We agree with Virginia Information Technologies Agency (VITA) that public bodies hold significant amounts of sensitive data and control and support critical systems. And during cyber incidents, the ingestion time is critical. I ask the committee to please consider VITA, working with state and local stakeholders, to develop and publish guidance concerning the scope and implementation of the required incident reporting.

Last Name: Ward Organization: County of Roanoke (IT Assistant Director) Locality: County of Roanoke

HB1290 needs to be tabled/discontinued. If the concept is to be reconsidered in the future, it requires study and input from local government IT Directors responsible for cyber incident response. I recommend working with the VALGITE group of local Gov IT directors to gain insight from a wide reach of localities (all sizes and regions). If this requirement is moved forward, shared incident response reporting to the state is very complex and must include:
1) clear definition on incident scope
2) simplicity in reporting framework/format
3) extended timeframes to not conflict with actual incident response strategy and cyber insurer reporting requirements
4) clearly defined, robust security and access methods for any transmitted or gathered data
5) clear and measurable goals for use of the individual or aggregated incident data, with defined outcomes or deliverables from the use of the data at the state level
6) without this level of clarity, there is too much risk and room for error in handling the confidential data and a potential to have unclear/confusing/conflicting goals for greater security, and localities will not be able to comply.
There are many areas local governments need assistance in providing cyber security protection that would have a much greater impact than collecting narrative incident data, such as a state funded managed security vendor and security operations center agreement that localities could participate in at either no or very low cost. Localities are all trying to fight the battle against cyber threats individually and with limited funds, and having state support for common use of expensive tools and services would be a much better way to protect both state and local systems.

Last Name: Hatmaker Organization: Town of Christiansburg Locality: Salem

Support: I support the goal of HB1290 expressed in 2.2-2009 A. “To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, …”
Opposition: I do not support 2.2-5514 C. because it will not achieve that goal.
Reasoning: Cyberthreats, such as NotPetya, which started in the Ukraine and took down sites in Britain (WBB), Denmark (Maersk), and Spain within the span of two hours before spreading to the US, are far too swift to be countered using methods described in that paragraph. By the time “reports shall be made to the Chief Information Officer within 24 hours from when the incident was discovered”, state systems could already be down. To be effective a solution must be in place that:
a) Operates 24x7, 365. Many municipal IT departments are not staffed nights and weekends, but the systems operate at all times and could be infected while IT staff are away.
b) Is staffed by experts. Many municipal IT departments lack expertise to identify all threats or determine their ability to propagate to state systems.
c) Alerts network engineers and system operators concurrently with management. Moving through the chain of command could be too slow. Notification must be at the level of those who can implement countermeasures immediately.
Summary: HB1290 2.2-5514 C. cannot achieve its goal and will burden small agencies that do not have the skills or manpower to comply.

Last Name: Bateman Organization: City of Roanoke Locality: Richmond

The City of Roanoke is opposed to HB 1290 and suggests that a study be conducted first. The Virginia Information Technologies Agency, working with state and local stakeholders, should develop and publish guidance concerning the scope and implementation of the required incident reporting. This is critical.


Last Name: James Organization: City of Fredericksburg Locality: Richmond

The City of Fredericksburg is concerned that the language in HB 1290 is not strong enough to protect the information that is reported from localities to the state CIO, especially early in responding to an incident. The City thinks that the must be given priority as HB 1290 is considered.

Last Name: Mester Organization: City of Falls Church Locality: Fairfax

Dear Communications, Technology and Innovations Committee Members:
On behalf of the City of Falls Church Council I write in OPPOSITION to HB1290 as currently written. We applaud the bill’s patron and this committee for addressing this important and vital issue... cybersecurity is certainly a front and center issue for all of us and indeed the General Assembly just experienced the impact and risk first-hand. The City does not believe the nuances and unintended consequences of this bill have been vetted adequately, with all vital stakeholders, and fear outfall of significant unintended consequences. Therefore, we respectfully request that The Virginia Information Technologies Agency (VITA), working with state and local stakeholders, should develop and publish guidance concerning the scope and implementation of the required incident reporting. We do this with utmost respect for VITA, which has provided valuable resources to localities. We concur with the points outlined by VML and many of our locality CISOs:
• Time Constraint: there has not been enough time to properly assess the extent of the situation, formulate the best strategy, and speak with staff and other individuals affected.
• Definitions: serious concerns about the lack of definition of “incident”. Without a definitive definition the term “incident” becomes extremely vague, allowing for misinterpretation of what constitutes an incident that must be reported. Secondly, there is no specific language on what needs to be reported, once again allowing for misinterpretation of what must be reported and possibly creating more of a security risk than the intent of this legislation.
• Reporting: HB1290 requires the public body to report the incident to the State before having the opportunity to discuss the matter with your insurance company, provider, or agency of choice. This state code requirement needs to be coordinated with CISA, FBI and other federal agencies as well.
This creates another reporting mandate for public bodies. Again, we request that this bill be forwarded to a comprehensive study work group. Thank you for your attention to this matter.
Cindy
Cindy L. Mester, ICMA-CM
Deputy City Manager/ Legislative Liaison
Pension Plan Administrator/ Risk Manager
300 Park Avenue, Suite 203E
Falls Church, VA 22046
phone: 703-248-5042 (TTY 711)
cell: 571-641-5586
fax: 703-248-5146
email: cmester@fallschurchva.gov

HB1304 - Information Technology Advisory Council; membership, powers and duties, report.

End of Comments