Gov. Larry Hogan signed measures to strengthen cybersecurity in state and local governments in Maryland on Thursday, after lawmakers approved legislation and big investments earlier this year to protect vital systems against cyberattacks.
One of the measures aims to help local governments, school systems and health departments work with more resources and assistance from the Maryland Emergency Management Agency to improve cybersecurity. The agency will support local governments in developing vulnerability assessments and response plans.
“Today we are signing into law bipartisan legislation to continue solidifying our standing as the cyber capital of America, and further strengthen our infrastructure to protect Marylanders against cyberattacks,” the Republican governor said in reference to the number of cybersecurity companies in the state, as well as cyber-related federal agencies and military installations.
In a year with a huge budget surplus, Maryland lawmakers approved roughly $570 million for cybersecurity and information technology upgrades in the legislative session that ended last month. That includes about $200 million for cybersecurity and nearly $334 million for information technology development projects.
State Sen. Katie Fry Hester, a Democrat who was the lead Senate sponsor of cybersecurity legislation, said it’s vital to protect the state’s basic public infrastructure.
“Now, everything is electronic: our drinking water, our transportation, our public safety, our education, our financial systems — this is the government’s responsibility to maintain,” she said. “We have to make sure that our Marylanders’ day-to-day routines are not disrupted, and I think these three bills in combination with the $570 million in the 2023 budget will get us a long ways toward achieving those goals.”
Hogan also signed a bill to create reporting requirements for state agencies and local governments, including reporting of cybersecurity incidents. Agencies will be required to complete a cybersecurity assessment and to remediate findings. Local government entities will have to consult with the local emergency manager to create or update a cybersecurity preparedness and response plan.
Another measure expands cybersecurity requirements for state agencies and water and sewer systems. It requires public or private water or sewer systems that serve 10,000 or more users and receive financial assistance from the state to assess their vulnerability to a cyberattack.
Last year, a hacker gained entry to the system controlling the water treatment plant of a Florida city of 15,000 and tried to taint the water supply with a caustic chemical. Cybersecurity experts said the incident exposed a danger that has grown as systems become both more computerized and accessible via the internet.
A provision in the bill also requires that at least 20% of the amount spent on information technology in fiscal year 2023 be spent in the following fiscal year.
State and local governments are ripe targets for hackers, even as President Joe Biden’s administration has announced additional steps to safeguard federal government systems from hacking. Cities also have come under cyberattack.
Baltimore County was one of about 50 school systems across the nation attacked with ransomware in 2020, costing the county millions of dollars. In December, Maryland’s health department was hit by a ransomware attack that impeded information about health metrics relating to COVID-19.