Amid growing threats, Iowa lawmakers push for better state and local cybersecurity

William Petroski
The Des Moines Register

Cyberattacks represent an increasingly serious threat to Iowa's state and local governments, prompting a need to consider strategic changes through legislation and policies to tighten security, two key Iowa lawmakers say.

Rep. Zach Nunn, R-Bondurant, and Rep. Chris Hall, D-Sioux City, are spending Thursday and Friday at Microsoft's headquarters in Redmond, Wash., for meetings with company officials and legislators from other states to discuss a host of policy issues, including cybersecurity. Both agreed the high-tech threat is a bipartisan concern.

"I think the Legislature is probably going to have to look long term at what we are going to have to do to address technology innovation and security," said Nunn, an Iowa National Guard intelligence squadron commander who previously directed cybersecurity for the National Security Council in Washington, D.C.

Hall, the ranking Democrat on the Iowa House Appropriations Committee, agreed.

"Every business is experiencing this, as well as every government body," he said. "It's a new reality that we have to adapt to. But the better prepared we are, the better everybody will be served in the long run."

The two legislators' visit to Microsoft headquarters follows two recent serious breaches of cybersecurity in Iowa: The theft of hundreds of thousands of dollars from 103 retirees' accounts with the Iowa Public Employees' Retirement System and a cyberattack involving the Johnston school district that was identified after several parents received anonymous text messages that threatened violence to schools and students.

But Nunn, who just returned from a trip to Israel where he talked with start-up firms working on cybersecurity, said his interest in strengthening state and local government cyber-defense isn't new. He met in April with the FBI and the state's chief information security officer to discuss Iowa's cybersecurity policies and he said they have a good relationship.

A Microsoft spokesperson confirmed that state legislators are participating in a roundtable event at the company's campus this week that will cover a variety of policy issues.

Microsoft has a statement on its corporate web site regarding cybersecurity policy:

"Increasing cybersecurity in critical sectors is vital to the future of national economies, and has become a priority for governments around the world. Microsoft supports these risk-management efforts and believes that every nation should have a strategy to frame its investments and desired outcomes in cybersecurity," Microsoft said.

Geoff Greenwood, spokesman for Iowa Attorney General Tom Miller, said Miller's staff is reviewing Iowa’s cybersecurity statutes, including identifying shortfalls in current legal requirements for those who store personal information.

"We’re also looking at ways to enhance consumer protection provisions and lessening the burden on consumers who’ve been victimized by data breaches. For example, we’re scrutinizing the fees that credit reporting agencies are allowed to charge Iowans for freezing and unfreezing credit reports — particularly data breach victims," Greenwood said.

Greenwood added that the attorney general's office will work with the Legislature as it reviews Iowa’s cybersecurity and consumer protection statutes, and the staff has already conducted cybersecurity law discussions with the state's Office of the Chief Information Officer.

Regarding Iowa's two recent cybersecurity breaches, Nunn said officials with the Iowa Public Employees' Retirement System and the Johnston School District both reacted quickly when they became aware of problems, which he believes was the appropriate course to take.

But Nunn suggested more layers of cyber-defense are probably needed in state government and in city and county offices and school districts when dealing with financial institutions. One of the most direct ways to accomplish this is through two-factor authentication, which can include a series of challenge questions in addition to a password; a password can be broken relatively quickly. Another step is to use an authentication credential, which is a card inserted into a card reader on a computer.

"But we don't want to have so many checks in place that it becomes unmanageable," Nunn said. One strategy to avoid such problems is to use a layered cyber-defense coupled with biometrics, which include distinctive characteristics such as a fingerprint, facial recognition, or iris recognition.

Other states are also taking cyberattacks more seriously. The National Conference of State Legislatures has established a cybersecurity task force to share best practices and to develop guidelines to implement cybersecurity initiatives.

"Sensitive information is increasingly stored online, allowing greater access to anything from bank accounts and medical records, to water and energy systems, and even law enforcement files," according to an NCSL task force statement. "Crime has also moved online, presenting significant human and economic costs of data breach and cyber-attack incidents and highlighting the essential need to strengthen the security and resilience of state networks and cyber policies."

Hackers have repeatedly succeeded in past attacks on state government computer systems in Iowa.

In December 2010, a hacker breached a server used by the Iowa Department of Public Safety and reissued an Amber Alert bulletin involving a missing Council Bluffs teenager who had been found safe many months previously. Earlier that year, a hacker accessed a licensing database of the Iowa Racing and Gaming Commission, exposing the personal information of 80,000 people because of a security lapse during maintenance on a firewall and improperly installed software patches on a server.

Another hacking incident occurred in March 2010 when an overseas attacker gained access to a web site operated by the state's Homeland Security and Emergency Management agency, defacing the site with an "abstract, colorful" image.