Connecting state and local government leaders
Supporters of IT inventorying legislation in California say it will improve access and spark innovation. But some fear it could help cyber criminals zero in on local governments.
Pointing to cybersecurity risks, a group of rural counties in California is pushing back against parts of a bill in the state legislature that would force local governments to publicize information about the computer systems they use to manage data.
The legislation calls for each local government agency in the Golden State to publish a catalog of their enterprise systems, a category of computer technology which typically includes applications used to manage large databases. The catalog would have to document each system’s product name, vendor and purpose, as well as a description of the data it contains, and details about how often that information is collected and updated.
And as long as the agency has a website, the catalog would need to be posted online.
Improving public access to local government data is among the bill’s key goals. An analysis prepared by Senate staffers notes that the public is often unaware of what data local agencies collect, its format, or where it is stored. A similar lack of information, the analysis says, also keeps the agencies from working together to standardize and publicly release datasets.
State Sen. Robert Hertzberg introduced the bill in February. He sees it as a crucial step toward spurring new innovation around government data.
“What we want to do is to step back and say, let’s look at the big picture, and figure out how we can intelligently and responsibly build a whole data collection system, and a way to use it that lets app-writers come up with elegant solutions to problems that are past our imagination in government,” Hertzberg said during an interview on Wednesday.
“Let’s start with an inventory,” he said.
The Rural County Representatives of California are on board with Hertzberg’s objectives to a degree, according to the group’s senior legislative advocate, Paul A. Smith. The group’s members, he said, are willing to catalog some of their computer systems.
But they also believe the bill, as written, goes too far, and that there’s information that should be off limits from the cataloging process. For instance, specifics about software used for controlling infrastructure, keeping jails secure, or administering health care services.
“What we are most concerned about is basically having to provide to someone the keys to the kingdom, when that’s not what people are really arguing that they should get,” Smith said. “Does the public really need to understand the software data that makes sure that there’s an automatic shutdown of various locks in a county jail, we don’t believe that’s appropriate.”
He added: “If we reveal or make available our technological schemes, we basically could run into a situation where someone could misuse that data, misuse that process and we become vulnerable in the delivery of the services that we have to provide.”
The bill, however, would require local governments to create the catalog as part of their obligations under the California Public Records Act, a series of laws which includes exemptions for a wide range of sensitive information.
Smith said the group of rural counties is crafting a set of amendments that would change the bill so that it only requires local agencies to publicize “the things and the processes” where there’s a “direct line of services, or there’s a direct public interest.” Because the proposed amendments are not complete, Smith said he could not elaborate on how that distinction might get made.
In the view of at least one cybersecurity expert, the concerns the counties have raised about the legislation are not without merit.
Srini Subramanian, a principal in Deloitte & Touche LLP’s cyber risk services practice whose work focuses on state government cybersecurity issues, said the information local agencies would have to share about their computer systems, based on the requirements in the bill, could increase their exposure to cyber attacks.
Subramanian said he would advise against cataloging system vendors and product names. Posting those details online, he said, could help cyber criminals zero in on agencies using computer systems that are outdated or known for vulnerabilities. He also said he would leave out information about how often data is collected and updated.
As for a description of data “layers,” which the bill calls for, Subramanian said he would need to know more about what exactly the state would be looking for before he could offer an opinion on whether putting that information in a public inventory was a good idea.
Subramanian did not see major red flags with the other catalog requirements. But he did say that if he were tasked with fulfilling the mandates in the bill, he would want a clearer definition of what the legislation means by “enterprise systems.” Systems used to manage email, finances, tax collection, or child welfare might all fall under that category, he explained.
“I would definitely ask for more information,” Subramanian said.
Still, he felt it was possible to meet the goal of the legislation without jeopardizing security.
“You can achieve transparency without putting the systems at risk,” he said.
Among the bill’s proponents is the nonpartisan Sunlight Foundation.
Emily Shaw, the organization’s national policy manager, is skeptical that inventorying the computer systems would imperil cybersecurity. She pointed out that information like vendor and product names are already publicly available in contract documents.
And, from Shaw’s perspective, having easier access to the vendor information could be useful from an accountability standpoint. “Wouldn’t it be great to have more public oversight over the number of contracts enjoyed by a single vendor,” she said.
Asked about excluding some computer systems from the inventory because they are considered to be too sensitive, Shaw called that approach a “very slippery slope.”
“This is very top-level information that should be available through other means,” she said. “If there was somebody who had ill intent, they would have other routes to it.”
An Important Building Block for Better Data Use
Hertzberg, the state senator who introduced the bill, believes there are plenty of untapped opportunities in California to put government data to good use.
“Are these programs really working that we spend so much money on? You could determine that if you have all the data,” he said. “Even down to different counties, and different irrigation systems, and how much water does it take to grow an orange.”
“This is just the first step to see what’s out there,” Hertzberg added, referring to the bill. “It’s real simple, it’s just a little spreadsheet.”
The state senator said he would need to see actual proposals from the Rural County Representatives before he could take a stance on whether he’d be open to their amendments. “I am more than willing to meet and talk with anyone interested in my bills, including this data bill,” he said in an email on Thursday, in response to a question about the group’s concerns.
Currently, the bill, S.B. 272, is awaiting action in the Assembly. It passed out of three Senate committees unanimously and cleared the Senate floor on May 7 in a 37-0 vote.
Hertzberg didn’t offer a prediction on whether the bill would win Assembly approval. “I’m working with the members, and talk to them,” he said “I’m hoping, I don’t assume anything.”
In addition to the Sunlight Foundation, the legislation has a number of other influential backers, according to the Senate staff analysis. Some of the supporters include the AFL-CIO, the California Business Roundtable and the National Federation of Independent Business. The analysis did not note any opposition as of May 4.
Sunlight’s Shaw was not aware of similar legislation in any other states. She sees the bill as an important building block in the broader effort to open more data.
“It’s important that people be aware of what it is that the government holds,” she said.
“I have no idea half the time, when I’m interacting with a government, exactly what kind of data they have access to,” Shaw added. “Unless a government actually takes stock of all that, and lets people know about what’s there, the real value of open data can’t be realized.”
Editor's Note: This article has been updated to include additional information about the California Public Records Act.