Cybersecurity Risk or Building Block for More Open Government?

The California State Capitol in Sacramento Ed Gavryush / Shutterstock.com

 

Supporters of IT inventorying legislation in California say it will improve access and spark innovation. But some fear it could help cyber criminals zero in on local governments.

Pointing to cybersecurity risks, a group of rural counties in California is pushing back against parts of a bill in the state legislature that would force local governments to publicize information about the computer systems they use to manage data.

The legislation calls for each local government agency in the Golden State to publish a catalog of its enterprise systems, a category of computer technology that typically includes applications used to manage large databases. The catalog would have to document each system’s product name, vendor and purpose, as well as a description of the data it contains, and details about how often that information is collected and updated.

And as long as the agency has a website, the catalog would need to be posted online.

Improving public access to local government data is among the bill’s key goals. An analysis prepared by Senate staffers notes that the public is often unaware of what data local agencies collect, its format, or where it is stored. A similar lack of information, the analysis says, also keeps the agencies from working together to standardize and publicly release datasets.

State Sen. Robert Hertzberg introduced the bill in February. He sees it as a crucial step toward spurring new innovation around government data.

“What we want to do is to step back and say, let’s look at the big picture, and figure out how we can intelligently and responsibly build a whole data collection system, and a way to use it that lets app-writers come up with elegant solutions to problems that are past our imagination in government,” Hertzberg said during an interview on Wednesday.

“Let’s start with an inventory,” he said.

The Rural County Representatives of California are on board with Hertzberg’s objectives to a degree, according to the group’s senior legislative advocate, Paul A. Smith. The group’s members, he said, are willing to catalog some of their computer systems.

But they also believe the bill, as written, goes too far, and that there’s information that should be off limits from the cataloging process. For instance, specifics about software used for controlling infrastructure, keeping jails secure, or administering health care services.

“What we are most concerned about is basically having to provide to someone the keys to the kingdom, when that’s not what people are really arguing that they should get,” Smith said. “Does the public really need to understand the software data that makes sure that there’s an automatic shutdown of various locks in a county jail? We don’t believe that’s appropriate.”

He added: “If we reveal or make available our technological schemes, we basically could run into a situation where someone could misuse that data, misuse that process and we become vulnerable in the delivery of the services that we have to provide.”

The bill, however, would require local governments to create the catalog as part of their obligations under the California Public Records Act, a series of laws which includes exemptions for a wide range of sensitive information.

Smith said the group of rural counties is crafting a set of amendments that would change the bill so that it only requires local agencies to publicize “the things and the processes” where there’s a “direct line of services, or there’s a direct public interest.” Because the proposed amendments are not complete, Smith said he could not elaborate on how that distinction might get made.

In the view of at least one cybersecurity expert, the concerns the counties have raised about the legislation are not without merit.

Srini Subramanian, a principal in Deloitte & Touche LLP’s cyber risk services practice whose work focuses on state government cybersecurity issues, said the information local agencies would have to share about their computer systems, based on the requirements in the bill, could increase their exposure to cyber attacks.

Subramanian said he would advise against cataloging system vendors and product names. Posting those details online, he said, could help cyber criminals zero in on agencies using computer systems that are outdated or known for vulnerabilities. He also said he would leave out information about how often data is collected and updated.

As for a description of data “layers,” which the bill calls for, Subramanian said he would need to know more about what exactly the state would be looking for before he could offer an opinion on whether putting that information in a public inventory was a good idea.

Subramanian did not see major red flags with the other catalog requirements. But he did say that if he were tasked with fulfilling the mandates in the bill, he would want a clearer definition of what the legislation means by “enterprise systems.” Systems used to manage email, finances, tax collection, or child welfare might all fall under that category, he explained.

“I would definitely ask for more information,” Subramanian said.

Still, he felt it was possible to meet the goal of the legislation without jeopardizing security.

“You can achieve transparency without putting the systems at risk,” he said.

Among the bill’s proponents is the nonpartisan Sunlight Foundation.

Emily Shaw, the organization’s national policy manager, is skeptical that inventorying the computer systems would imperil cybersecurity. She pointed out that information like vendor and product names is already publicly available in contract documents.

And, from Shaw’s perspective, having easier access to the vendor information could be useful from an accountability standpoint. “Wouldn’t it be great to have more public oversight over the number of contracts enjoyed by a single vendor?” she said.

Asked about excluding some computer systems from the inventory because they are considered to be too sensitive, Shaw called that approach a “very slippery slope.”

“This is very top-level information that should be available through other means,” she said. “If there was somebody who had ill intent, they would have other routes to it.”

An Important Building Block for Better Data Use

Hertzberg, the state senator who introduced the bill, believes there are plenty of untapped opportunities in California to put government data to good use.

“Are these programs really working that we spend so much money on? You could determine that if you have all the data,” he said. “Even down to different counties, and different irrigation systems, and how much water does it take to grow an orange.”

“This is just the first step to see what’s out there,” Hertzberg added, referring to the bill. “It’s real simple, it’s just a little spreadsheet.”

The state senator said he would need to see actual proposals from the Rural County Representatives before he could take a stance on whether he’d be open to their amendments. “I am more than willing to meet and talk with anyone interested in my bills, including this data bill,” he said in an email on Thursday, in response to a question about the group’s concerns.

Currently, the bill, S.B. 272, is awaiting action in the Assembly. It passed out of three Senate committees unanimously and cleared the Senate floor on May 7 in a 37-0 vote.

Hertzberg didn’t offer a prediction on whether the bill would win Assembly approval. “I’m working with the members, and talk to them,” he said. “I’m hoping, I don’t assume anything.”

In addition to the Sunlight Foundation, the legislation has a number of other influential backers, according to the Senate staff analysis. Some of the supporters include the AFL-CIO, the California Business Roundtable and the National Federation of Independent Business. The analysis did not note any opposition as of May 4.

Sunlight’s Shaw was not aware of similar legislation in any other states. She sees the bill as an important building block in the broader effort to open more data.

“It’s important that people be aware of what it is that the government holds,” she said.

“I have no idea half the time, when I’m interacting with a government, exactly what kind of data they have access to,” Shaw added. “Unless a government actually takes stock of all that, and lets people know about what’s there, the real value of open data can’t be realized.”

Editor's Note: This article has been updated to include additional information about the California Public Records Act.
