[Senate Report 116-227]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 458
116th Congress     }                                    {       Report
                                 SENATE
2d Session         }                                    {      116-227 
_______________________________________________________________________

                                     



                    CYBERSECURITY STATE COORDINATOR 
                              ACT OF 2020

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 3207

            TO REQUIRE THE DIRECTOR OF THE CYBERSECURITY AND
             INFRASTRUCTURE SECURITY AGENCY TO ESTABLISH A
 CYBERSECURITY STATE COORDINATOR IN EACH STATE, AND FOR OTHER PURPOSES







              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]








                  June 1, 2020.--Ordered to be printed

                               __________

                      U.S. GOVERNMENT PUBLISHING OFFICE
                      
99-010                     WASHINGTON : 2020 
















        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
                   Joseph C. Folio III, Chief Counsel
              Colleen E. Berny, Professional Staff Member
               David M. Weinberg, Minority Staff Director
               Zachary I. Schram, Minority Chief Counsel
     Jeffrey D. Rothblum, Minority Senior Professional Staff Member
                     Laura W. Kilbride, Chief Clerk














                                                      Calendar No. 458
116th Congress     }                                    {       Report
                                 SENATE
2d Session         }                                    {      116-227  
======================================================================



 
              CYBERSECURITY STATE COORDINATOR ACT OF 2020

                                _______
                                

                  June 1, 2020.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 3207]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 3207) to require 
the Director of the Cybersecurity and Infrastructure Security 
Agency to establish a Cybersecurity State Coordinator in each 
State, and for other purposes, having considered the same, 
reports favorably thereon with an amendment in the nature of a 
substitute and recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
 IV. Section-by-Section Analysis......................................4
  V. Evaluation of Regulatory Impact..................................5
 VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6

                         I. Purpose and Summary

    S. 3207, the Cybersecurity State Coordinator Act of 2020, 
requires the Director of the Department of Homeland Security's 
(DHS) Cybersecurity and Infrastructure Security Agency (CISA) 
to appoint a Cybersecurity State Coordinator in each state with 
appropriate qualifications and expertise. Each Cybersecurity 
State Coordinator is responsible for building Federal and non-
Federal relationships; serving as a cybersecurity risk advisor 
to Federal and non-Federal entities; assisting in the sharing 
of cyber threat information between Federal and non-Federal 
entities; and among other things, alerting non-Federal entities 
to available Federal resources. Each responsibility that 
involves a non-Federal entity is to be executed on a voluntary 
basis only if the non-Federal entity agrees.
    The bill also requires the CISA Director to brief Congress 
within one year after the enactment of this bill, and again 
three years later, on the placement and efficacy of the 
Cybersecurity State Coordinators.

              II. Background and the Need for Legislation

    Ransomware is an extremely prevalent threat technique for 
malicious actors, especially when targeting state, local, 
tribal, and territorial (SLTTs) governments.\1\ In the first 
quarter of 2019 alone, new ransomware techniques increased 
attacks by 118 percent.\2\ By August 2019, two-thirds of 
publicly-known ransomware attacks had targeted SLTT 
governments.\3\ All told in 2019, ``ransomware attacks . . . 
impacted at least 966 government agencies, educational 
establishments and healthcare providers at a potential cost in 
excess of $7.5 billion.''\4\
---------------------------------------------------------------------------
    \1\Some examples of recent notable ransomware attacks include the 
2017 global WannaCry attack, the 2018 attack against the city of 
Atlanta, and the 2019 attacks against the State of Texas and the cities 
of Baltimore and New Orleans. See, e.g., What States, Locals and the 
Business Community Should Know and Do: A Roadmap for Effective 
Cybersecurity. Hearing before the S. Comm. on Homeland Sec. & 
Governmental Affairs, 116th Cong. (2020) [hereinafter What States, 
Locals and the Business Community Should Know and Do] (testimony of 
Christopher Krebs, Director, Cybersecurity and Infrastructure Security 
Agency, U.S. Department of Homeland Security).
    \2\McAfee Lab Threats Report 5, McAfee (Aug. 2019), https://
www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-
aug-2019.pdf.
    \3\StateScoop, Report: Two-thirds of ransomware attacks in 2019 
targeted state and local governments (Aug. 28, 2019), https://
statescoop.com/report-70-percent-of-ransomware-attacks-in-2019-hit-
state-and-local-governments/.
    \4\The State of Ransomware in the US: Report and Statistics 2019, 
EMSISOFT (Dec. 12, 2019), https://blog.emsisoft.com/en/34822/the-state-
of-ransomware-in-the-us-report-and-statistics-2019/.
---------------------------------------------------------------------------
    On February 11, 2020, the Committee held a hearing 
entitled, ``What States, Locals and the Business Community 
Should Know and Do: A Roadmap for Effective Cybersecurity.''\5\ 
The purpose of the hearing was to examine how SLTT governments 
and U.S. critical infrastructure entities can mitigate and 
protect against persistent cybersecurity threats, with a focus 
on ransomware. During the hearing Amanda Crawford, Executive 
Director of the Texas Department of Information Resources, 
discussed how Texas was targeted by 50 known ransomware attacks 
last year.\6\ This included a coordinated ransomware event in 
August 2019 that hit 23 municipal entities.\7\ Incident 
responders included state government entities, private vendors, 
and the Federal Government, including DHS and the Federal 
Bureau of Investigation.\8\ Ms. Crawford discussed the 
voluntary assistance CISA provided during the August 2019 
ransomware event, including reverse engineering the malware.\9\ 
Ms. Crawford lamented that there was miscommunication between 
CISA and the state response efforts, which ``primarily resulted 
from role confusion and a lack of clarity concerning what 
resources DHS-CISA could provide to help Texas.''\10\
---------------------------------------------------------------------------
    \5\What States, Locals and the Business Community Should Know and 
Do, supra note 1.
    \6\Id. (testimony of Amanda Crawford, Executive Director, Texas 
Department of Information Resources). See also Texas Dep't of 
Information Resources, Ransomware and Incident Response in Texas (Jan. 
2020).
    \7\Kate Fazzini, Alarm in Texas as 23 towns hit by `coordinated' 
ransomware attack, CNBC (Aug. 19, 2019), https://www.cnbc.com/2019/08/
19/alarm-in-texas-as-23-towns-hit-by-coordinated-ransomware-
attack.html.
    \8\Texas Dep't of Information Resources, Ransomware and Incident 
Response in Texas (Jan. 2020).
    \9\What States, Locals and the Business Community Should Know and 
Do, supra note 1 (testimony of Amanda Crawford, Executive Director, 
Texas Department of Information Resources).
    \10\Id.
---------------------------------------------------------------------------
    A key takeaway from the hearing was the need to deploy 
additional CISA resources to assist SLTT governments and U.S. 
critical infrastructure entities. According to CISA Director 
Christopher Krebs, CISA ``must make it easier for our State and 
local partners to work with us in the Federal Government.''\11\ 
This includes ``deploying additional dedicated risk advisors, 
State coordinators to the field with clear expectations on what 
services or assistance to expect from the Federal Government . 
. . .''\12\ Krebs continued, ``[o]ne of the things I want to 
make sure I have is a State and local dedicated resource in 
every State Capitol. I am under-invested in cyber advisors. I 
have to get more resources out in the field . . . .''\13\ 
Christopher DeRusha, Chief Information Officer for the State of 
Michigan, agreed that having a dedicated state coordinator will 
ensure ``greater continuity between efforts of State and 
Federal Government, [and] provide a stronger State voice within 
CISA, helping them better tailor their assistance to States and 
localities who have widely varying levels of maturity and 
needs.''\14\
---------------------------------------------------------------------------
    \11\Id. (testimony of Christopher Krebs, Director, Cybersecurity 
and Infrastructure Security Agency, U.S. Department of Homeland 
Security).
    \12\Id.
    \13\Id.
    \14\Id. (testimony of Christopher DeRusha, Chief Security Officer, 
Cybersecurity and Infrastructure Protection Office, State of Michigan).
---------------------------------------------------------------------------
    S. 3207 requires CISA to designate and deploy Cybersecurity 
State Coordinators to each state to ensure dedicated 
cybersecurity resources to, and clear communication with, SLTTs 
and non-Federal entities.

                        III. Legislative History

    On January 16, 2020, Senator Margaret Wood Hassan (D-NH) 
introduced S. 3207, the Cybersecurity State Coordinator Act of 
2020, which was referred to the Committee on Homeland Security 
and Governmental Affairs. Ranking Member Gary Peters (D-MI), 
Senator Rob Portman (R-OH), Senator John Cornyn (R-TX), Senator 
Jacky Rosen (D-NV), Senator Chris Van Hollen (D-MD), and 
Senator Kyrsten Sinema (D-AZ) are cosponsors.
    The Committee considered S. 3207 at a business meeting on 
March 11, 2020. During the business meeting, Senator Hassan 
offered an amendment in the nature of a substitute. The Hassan 
Substitute Amendment added that the Cybersecurity State 
Coordinator must have appropriate cybersecurity qualifications 
and expertise; clarified that that the Cybersecurity State 
Coordinator is required to engage with non-Federal entities on 
a voluntary basis only; added that any additional duties 
performed by the Cybersecurity State Coordinator must be 
determined by the Director of CISA; clarified that the Director 
of CISA must consult with the relevant officials and entities 
regarding the appointment and performance of the Cybersecurity 
State Coordinator; required a briefing to Congress after one 
year and three years on the placement and efficacy of the 
Cybersecurity State Coordinators; and made additional technical 
changes.
    The Committee favorably reported the bill en bloc, as 
amended by the Hassan Substitute Amendment, by voice vote. 
Senators present for the vote were: Johnson, Portman, Lankford, 
Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan, Harris, 
Sinema, and Rosen.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section provides the bill's short title, the 
``Cybersecurity State Coordinator Act of 2020.''

Section 2. Findings

    In this section, Congress finds that cyber threats to SLTT 
entities, such as ransomware, have drastically increased. SLTT 
entities face increased threats from a number of actors, 
including advanced persistent threats, hostile nation states, 
and cybercriminals. As a result, there is a pressing need for 
additional Federal coordination and knowledge to assist SLTT 
entities in increasing their resiliency against cyber threats. 
It is critical that Federal and non-Federal entities, including 
SLTT governments, Information Sharing and Analysis Centers, 
election officials, State adjutants general, and additional 
non-Federal entities coordinate to prevent, manage, and recover 
from cyberattacks.

Section 3. Cybersecurity State Coordinator

    Section 3, subsection (a) adds a new section to the 
Homeland Security Act that authorizes the CISA Director to 
appoint a Cybersecurity State Coordinator in each state and 
describes the responsibilities of the Cybersecurity State 
Coordinators.
    Subsection (a) of the new section authorizes the Director 
of CISA to appoint a Cybersecurity State Coordinator, with the 
appropriate qualifications and expertise, in each state. 
Subsection (b) of the new section outlines the duties of the 
Cybersecurity State Coordinator, which include: building 
Federal and voluntary non-Federal relationships; serving as a 
cybersecurity risk advisor to Federal, and non-Federal 
entities; assisting in the sharing of cyber threat information 
between Federal and non-Federal entities; alerting non-Federal 
entities to available financial, technical, and operational 
Federal resources; supporting training and exercises to 
expedite recovery in the event of a cyberattack; being a 
principal point of contact for non-Federal entities to engage 
with the Federal Government; assisting in the development and 
coordination of vulnerability disclosure programs for non-
Federal entities; and performing additional duties as 
determined by the Director of CISA to manage cybersecurity 
risk. This section explicitly states that responsibilities vis-
a-vis non-Federal entities are to be undertaken on a voluntary 
basis only. Subsection (c) of the new section requires the 
Director of CISA to consult with the relevant state and local 
officials regarding the appointment of the Cybersecurity State 
Coordinator within each state. This section also requires the 
Director of CISA to consult with the appropriate state and 
local officials, as well as non-Federal entities, on the 
performance of the Cybersecurity State Coordinator.
    Section 3 subsection (b) requires the Director of CISA to 
brief Congress not later than one year and again three years 
after the date of enactment of this Act on the placement and 
efficacy of the Cybersecurity State Coordinators.
    Section 3 subsection (c) provides a rule of construction 
that clarifies that nothing in this legislation shall be read 
to affect or modify the authority of Federal law enforcement to 
investigate cyber incidents.
    Finally, section 3 subsection (d) provides a technical and 
conforming amendment to modify the Homeland Security Act of 
2002's table of contents consistent with the new section added 
by this legislation.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, March 31, 2020.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 3207, the 
Cybersecurity State Coordinator Act of 2020.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

    
    

    S. 3207 would direct the Cybersecurity and Infrastructure 
Security Agency (CISA) to improve the capacity of state and 
local governments to protect against cybersecurity threats. The 
bill would require CISA to appoint a cybersecurity coordinator 
for each state. Those coordinators would help entities affected 
by malicious cyber activity access the financial, technical, 
and operational resources that are available from the federal 
government.
    For this estimate, CBO assumes that the bill will be 
enacted in fiscal year 2020. Under that assumption, CISA could 
incur some costs in 2020, but CBO expects that most of the 
costs would be incurred in 2021 and later. On the basis of 
information from CISA, CBO expects that the department would 
need 56 new employees to serve as cybersecurity coordinators at 
an average compensation of $179,000. After accounting for the 
time needed to appoint those coordinators and adjusting for 
inflation, implementing S. 3207 would cost $37 million over the 
2020-2025 period, CBO estimates. Such spending would be subject 
to the availability of appropriations (see Table 1).

                TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 3207
----------------------------------------------------------------------------------------------------------------
                                                           By fiscal year, millions of dollars--
                                          ----------------------------------------------------------------------
                                             2020      2021      2022      2023      2024      2025    2020-2025
----------------------------------------------------------------------------------------------------------------
Estimated Authorization..................         *         1         4         9        11        12         37
Estimated Outlays........................         *         1         4         9        11        12         37
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.

    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) * * *
    (b) Table of Contents.--The table of contents for this Act 
is as follows:

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


Sec. 2215. Cybersecurity State Coordinator.

           *       *       *       *       *       *       *


TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

           *       *       *       *       *       *       *


Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY 
                    AGENCY.

    (a) * * *
    (b) * * *
    (c) * * *
          (1) * * *

           *       *       *       *       *       *       *

          (10) carry out cybersecurity, infrastructure 
        security, and emergency communications stakeholder 
        outreach and engagement and coordinate that outreach 
        and engagement with critical infrastructure Sector-
        Specific Agencies, as appropriate; [and]
          (11) appoint a Cybersecurity State Coordinator in 
        each State, as described in section 2215; and
          [(11)] (12) carry out such other duties and powers 
        prescribed by law or delegated by the Secretary.

           *       *       *       *       *       *       *


SEC. 2215. CYBERSECURITY STATE COORDINATOR.

    (a) Appointment.--Director shall appoint an employee of the 
Agency in each State, with the appropriate cybersecurity 
qualifications and expertise, who shall serve as the 
Cybersecurity State Coordinator.
    (b) Duties.--The duties of Cybersecurity State Coordinator 
appointed under subsection (a) shall include--
          (1) building strategic relationships across Federal 
        and, on a voluntary basis, non-Federal entities by 
        advising on establishing governance structures to 
        facilitate the development and maintenance of secure 
        and resilient infrastructure;
          (2) serving as a Federal cybersecurity risk advisor 
        and coordinating between Federal and, on a voluntary 
        basis, non-Federal entities to support preparation, 
        response, and remediation efforts relating to 
        cybersecurity risks and incidents;
          (3) facilitating the sharing of cyber threat 
        information between Federal and, on a voluntary basis, 
        non-Federal entities to improve understanding of 
        cybersecurity risks and situational awareness of 
        cybersecurity incidents;
          (4) raising awareness of the financial, technical, 
        and operational resources available from the Federal 
        Government to non-Federal entities to increase 
        resilience against cyber threats;
          (5) supporting training, exercises, and planning for 
        continuity of operations to expedite recovery from 
        cybersecurity incidents, including ransomware;
          (6) serving as a principal point of contact for non-
        Federal entities to engage, on a voluntary basis, with 
        the Federal Government on preparing, managing, and 
        responding to cybersecurity incidents;
          (7) assisting non-Federal entities in developing and 
        coordinating vulnerability disclosure programs 
        consistent with Federal and information security 
        industry standards; and
          (8) performing such other duties as determined 
        necessary by the Director to achieve the goal of 
        managing cybersecurity risks in the United States and 
        reducing the impact of cyber threats to non-Federal 
        entities.
    (c) Feedback.--The Director shall consult with relevant 
State and local officials regarding the appointment, and State 
and local officials and other non-Federal entities regarding 
the performance, of the Cybersecurity State Coordinator of a 
State.
    (d) Oversight.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall provide to the Committee 
on Homeland Security and Governmental Affairs of the Senate and 
the Committee on Homeland Security of the House of 
Representatives a briefing on the placement and efficacy of the 
Cybersecurity State Coordinators appointed under section 2215 
of the Homeland Security Act of 2002, as added by subsection 
(a)--
          (1) Not later than 1 year after the date of enactment 
        of this Act; and
          (2) Not later than 2 years after providing the first 
        briefing under this subsection.
    (e) Rule of Construction.--Nothing in this section or the 
amendment made by this section shall be construed to affect or 
otherwise modify the authority of Federal law enforcement 
agencies with respect to investigations relating to 
cybersecurity incidents.

                                  [all]