For months, Alaskans couldn’t get death certificates on time because of an attack against the Department of Health and Social Services. The state had problems keeping track of the number of people who died from COVID-19. The state’s court system was struck by a cyberattack about the same time. Months earlier, the Division of Elections was the target.
Now, legislation advancing toward a final vote in the Legislature would allow an Alaska governor to declare similar cyberattacks a formal “disaster,” unlocking quicker funding and emergency responses.
Rep. DeLena Johnson, R-Palmer, is the prime sponsor of the legislation and guided it through the state House last year. It’s now in the Senate, and the Senate judiciary committee heard it for the first time Friday. Public testimony is scheduled Wednesday, and the bill could move to a vote of the full Senate soon afterward.
Johnson’s bill is the sole piece of cybersecurity-specific legislation advancing in the Legislature since the attacks against the state, but it wasn’t proposed as a response.
Johnson represents a district in the Matanuska-Susitna Borough, which suffered a major cyberattack in 2018. Johnson wrote her bill in response to that attack and a ransomware attack that hit the city of Valdez about the same time, but since the statewide attacks the bill has gained momentum.
The state has a large information technology department and huge amounts of resources to throw at a cyberattack. Cities and boroughs generally don’t.
Valdez paid almost $27,000 to hackers in order to unlock its computers. In Mat-Su, where officials refused to pay a ransom, recovery costs amounted to more than $2 million.
Testifying in the Legislature on Friday, Mat-Su Borough IT director Eric Wyatt said the new legislation would have made things better.
“We could’ve used that help during the time we were recovering,” he said.
Bryan Fisher, director of the Alaska Division of Homeland Security and Emergency Management, is a member of the “disaster policy cabinet,” which advises governors on whether a disaster should be declared.
In the case of the Mat-Su, the disaster policy cabinet met three times for a total of six hours before concluding that state law didn’t allow the state to help.
Under a declared emergency, state law allows a governor to temporarily suspend laws and regulations and spend emergency funding to deal with the problem.
That can cut weeks of red tape or entirely suspend a law that might be preventing the state from helping a smaller community.
“There might be statutory restrictions that prohibit it from happening at all,” said Nils Andreassen, executive director of the Alaska Municipal League, which represents local governments and is supporting the bill.
The text of the bill says that a cybersecurity disaster could involve an attack that affects critical infrastructure in the state or “an information system owned or operated by the state or a political subdivision of the state.”
That means it could cover an attack against one of the state’s electrical cooperatives — which are not state-owned but are considered critical infrastructure — or cities, boroughs and even state-owned corporations like the Alaska Railroad, Andreassen said.
The bill also allows the state to declare a preemptive disaster if advised that an attack is imminent. Fisher compared that to recent heavy snowfall in Yakutat, when members of the National Guard were flown in to remove snow from rooftops and keep them from collapsing and causing a bigger problem.
Andreassen doesn’t worry that the disaster power would be abused.
“It’s not a frivolous thing. Nobody takes this lightly. It’s a declaration at the local level that they need help,” he said.
Fisher said the bill could also unlock federal funding for a statewide cybersecurity disaster if a state disaster declaration matches a federal one.
Several other states have cyberattack disaster language similar to Alaska’s bill, according to the National Conference of State Legislatures. Alaska’s disaster law used to have a reference to “manmade” disasters, and that could have been used to address the topic, but that language was removed sometime after 2000, according to research by Johnson’s staff.
The biggest obstacle to the bill becoming law isn’t something related to cybersecurity or the bill itself — it’s the politics of the COVID-19 pandemic.
A significant number of Republicans have criticized Alaska Gov. Mike Dunleavy for his actions during the pandemic, saying he used the disaster law in 2020 to take inappropriate actions to prevent the spread of the coronavirus. (Democrats and some independents have said the governor’s actions were, and remain, too lax.)
In the state House, Republicans attempted to amend Johnson’s bill to include language restricting the governor’s powers during a public health disaster. Democrats, independents and moderate Republicans defeated those amendments, causing them to fail.
In the end, only three far-right members of the House voted against the bill: Reps. Ben Carpenter, R-Nikiski, David Eastman, R-Wasilla, and Christopher Kurka, R-Wasilla.
If broader disaster-related amendments are adopted in the Senate or in the judiciary committee, it could doom the bill’s support among House Democrats and independents who would be required to consider the changes.
But in Friday’s hearing, Republican Sens. Mike Shower of Wasilla, Shelley Hughes of Palmer and Roger Holland of Anchorage said they are inclined to let the bill go forward without amendments like those considered in the House.
“I think we’ve got some work with the disaster statutes overall,” Hughes said, “but I don’t think this is the vehicle for it, and trying something like that, we could keep this bill from passing.”
© 2022 the Alaska Dispatch News (Anchorage, Alaska). Distributed by Tribune Content Agency, LLC.