Florida lawmakers eye new cybersecurity requirements for public sector

Legislation introduced Thursday in the Florida House of Representatives would give public-sector agencies across the state more cybersecurity-related responsibilities, including requirements to report ransomware attacks and other incidents to state authorities and annual cyber hygiene training for many state and local government employees.

The bill, introduced by state Rep. Mike Giallombardo, also includes a ban on state and local government entities paying ransomware demands, as some Florida victims have paid in the past.

“We have to ask, should we allow taxpayer dollars to be financiers of terrorist organizations to our foreign adversaries?” Giallombardo said, according to the Tampa Bay Times.

In June 2019, the City of Riviera Beach paid roughly $600,000 to affiliates of the Ryuk malware outfit to regain control of its computer systems. Less than a week later, officials in Lake City forked over almost $500,000 to ransomware actors.

Florida, if it adopts Giallombardo’s bill in full, would not be the first state to formally prohibit ransomware payments — North Carolina implemented a ban last year — but cybersecurity industry experts have openly questioned whether such rules are effective in decreasing the threat of extortion-by-malware. A policy blueprint published last April by a 60-person Ransomware Task Force stopped short of recommending payment bans because such declarations could simply motivate financially motivated criminals to focus on other potential victims.

Moreover, the task force concluded that governments are better off improving their defenses through IT investments and training meant to cut down the number of successful attacks overall.

“As such, any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing,” the task force’s report read.

But the Florida bill introduced Thursday contains several other measures aimed at shoring up both state and local cybersecurity. Among Giallombardo’s proposals is to require all state and local agencies to report cyber incidents to a new unit in the Florida Department of Emergency Management — the State Watch Office — similar to how they would report any other disaster. Local governments would also be required to notify their county sheriffs.

Agencies that report cyber incidents would also have to file after-action reports to the Florida Digital Service, the state’s IT agency, which is building a new cybersecurity operations center.

The bill would also require all employees with access to a government network to undergo cybersecurity training within 30 days of their hiring and annually thereafter. Workers who deal with “highly sensitive information” would have to undergo “advanced” training.

Florida officials have been reshuffling their cybersecurity policies amid a broader shakeup of IT governance that began in 2020 when the Florida Digital Service was created. James Grant, the agency’s director and Florida’s chief information officer, recently announced plans to spend $15.9 million on governmentwide cybersecurity modernization.

The bill passed its first committee hearing unanimously, but there’s no companion legislation in the Florida Senate.