On Monday, Aug. 7, Gov. Bruce Rauner signed House Bill 2371, an amendment to the state’s Data Security on State Computers Act requiring annual cybersecurity training from the Department of Innovation and Technology (DoIT) for state employees.
The amendment allows DoIT to adopt rules to implement the training and to make the training an online course. It also requires that the education cover how to detect phishing scams, how to prevent spyware infections and identity theft, and how to prevent and respond to data breaches. It takes effect on Jan. 1, 2018.
“Cybersecurity protection of our digital assets and the personal information of our residents is one of the most important public safety issues facing the state. It’s essential to keep the people of Illinois safe and to keep their privacy reserved, that we are at the forefront of cybersecurity,” Rauner said before the 3 p.m. Central Daylight Time signing.
The governor was joined in DoIT’s Innovation Center at the James R. Thompson Center in Chicago by Illinois Chief Digital Officer and Secretary Designate Hardik Bhatt and Chief Information Security Officer Kirk Lonbom, both of whom also discussed the bill via livestream before and after the signing.
Bhatt said Illinois is working on a “complete digital transformation” informed by the statewide cybersecurity strategy Rauner unveiled in March, and told the audience that more than 95 percent of state employees have already received cybersecurity training.
“One of the weaker points in most organizations across the globe is the human being. It is very important that our employees become our first line of defense as it comes to cybersecurity, as it comes to making sure our environment is safe,” Bhatt said.
Rauner said roughly 47,000 of 50,000 state employees have already been trained.
Lonbom reminded those assembled that as much as 91 percent of cyberattacks begin via phishing, a time-honored tactic that’s popular again, and that most information breaches begin with a stolen password.
The state of Missouri is among the agencies that “phish” their own employees to test them.
“Cyberattacks are continuing to grow in frequency and scale, and it’s essential that we have a comprehensive approach,” Lonbom said.
As he signed the bill, Rauner praised legislators on both sides of the aisle for coming together to help preserve citizens’ private data and train state employees by passing it.
But he acknowledged the state’s budget is still not balanced, and highlighted the general assembly’s choice to remove $900 million in technology improvement funds before approving it.
“Where it’s disappointing to see the general assembly’s decision on gutting the IT budget, that’s going to cost us billions more in the future. This is investment that has return for taxpayers,” Rauner said.
Bhatt said online technology has changed how state agencies do business, and they’re not changing back.
“IT is not just technology. It’s how we serve our citizens now. Technology is basically so pervasive that it does need investment,” Bhatt said. “We have fortunately been able to find a few dollars for cybersecurity training. We will be able to get by, but it’s very important that there is investment in this area.”
The cost of HB 2371 and the amount of funding behind it remain unclear.
However, House Amendment No. 1 to the bill — which was put forth by a House committee in February — exempted several populations of state employees from having to take the training.
The amendment to the bill specified that the term “employee” be limited, and not include staffers in the legislative or judicial branches of state government, constitutional officers other than the governor, or employees of a public state university.
State Rep. Emanuel “Chris” Welch, D-Hillside, the bill’s primary sponsor, told Government Technology via email that the changes had been proposed by Rauner’s office and DoIT.
“The bill reflects the governor’s changes. Trailer legislation is always possible at a later date,” Welch said via email.
“Who’s left? That wasn’t my choice, that was a determination of the lead sponsor,” Rep. Robert Pritchard, R-Hinckley, told Government Technology.
Pritchard noted that “any piece of legislation is a compromise,” and called the bill “a start” that could potentially be altered or adjusted at a later date.
“And hopefully it won’t necessarily have to be a law change,” Pritchard said. “It will be that the executive and judicial and legislative branches will see that and have their employees included.”