
Exposure of IT security weaknesses in Kansas state government inspiring House reform bill

Rep. Blake Carpenter, R-Derby, endorsed a House bill Monday that would initiate a broad overhaul of the state government's information technology security apparatus by centralizing spending on hardware, software and services, mandating employee training and holding agencies accountable in the budget for lapses. (Rachel Mipro/Kansas Reflector)


By Tim Carpenter, Kansas Reflector


TOPEKA — Rep. Blake Carpenter led a House committee’s initial discussion Monday of a bill initiating a “quite expensive” five-year overhaul of information technology security across the three branches of Kansas government to address vulnerabilities found in a collection of state audits and exposed by cyberattacks on the judicial branch and a state university.


A ransomware attack in 2023 disabling the judicial branch’s IT network, the January cyber assault on Kansas State University and the series of confidential IT audit reports from Legislative Post Audit served as catalysts for developing legislation that acknowledged state government in Kansas was ill-equipped to deal with the menace of government and private bad actors intent on corrupting data, extorting payments or violating privacy rights.


Under the bill outlined by Carpenter, the state government would move to integrate IT security based on standards crafted by the federal government. The judicial, legislative and executive branches would appoint supervisory IT security officers, while four elected offices — attorney general, secretary of state, insurance commissioner and state treasurer — would maintain a level of IT independence.


The state government’s IT funding stream would be integrated into the Legislature’s budget process starting in fiscal year 2026 with an appropriation of $65 million, but Carpenter said there was no way to know at this point the cost of the IT transformation.


The House bill included an enforcement mechanism that triggered financial sanctions on agencies failing to comply with minimum security standards of data protection. The Kansas National Guard would be authorized to engage in testing hacks of executive branch agencies. All employees would undergo cybersecurity training. Details of the IT system, audit results and other information would be exempt from the Kansas Open Records Act.


“Today marks a significant milestone in our continuous journey toward strengthening our state’s defenses against the ever-evolving threats in our digital world,” said Carpenter, who is the third-ranking GOP member of the House. “By centralizing IT services and ensuring that all branches of government adhere to high standards of data protection, we can better protect the personal and sensitive information of our citizens.”


The Derby Republican said House Bill 2842 would be revised as early as Wednesday by the House Legislative Modernization Committee. The legislation would need to move through the House and Senate before being presented to the governor. If signed into law, Carpenter said it would be an evolving piece of statute as state government moved through a five-year process of upgrading IT infrastructure.

 

‘Very supportive’

Jeff Maxon, chief information technology officer in the executive branch, said Democratic Gov. Laura Kelly was “very supportive” of overall concepts and ideas incorporated into the bill, but stood “neutral” pending clarification of definitions and other possible amendments. The state would benefit from greater uniformity in IT governance, he said.


“It’s very much the direction of the governor to … facilitate one direction — not having everybody go 18 different ways,” Maxon said.


He said consolidation of executive branch IT staff and services under the state Office of Information Technology Services could be useful, but the method of transferring IT employees would need to be sorted out and the shift ought to exclude business services personnel. Adoption of the National Institute of Standards and Technology Cybersecurity Framework would be welcomed, he said.


Responsibilities and requirements of government branch security officers should be standardized to avoid confusion and conflict among them, he said.


“A lot of the requirements in the bill mirror what the federal government does,” said Rep. Barb Wasinger, a Hays Republican and chair of the House Legislative Modernization Committee. “It’s not something that has not already been tried. This is something that can be done.”


Clay Barker, an attorney and deputy secretary of state to Republican Secretary of State Scott Schwab, said the office strongly supported a collaborative effort to bolster IT security practices within state government. He said Russian, Chinese, North Korean and Iranian hackers had made clear since 2016 their interest in undermining election security in the United States.


“The bad guys … did try to penetrate the election system,” he said. “We strongly support the intent of this bill.”

 

Initial reaction mixed

Rep. Bill Rhiley, a Wellington Republican, said the proposed bill should be altered to require that public universities and colleges be included in the new IT security mandate.

“I think that piece needs to be stiffened up,” Rhiley said.


The universities, which engage in classified scientific and military research for the federal government, would need to be handled in ways not contemplated for a regular state worker, Carpenter said. The same could be said for college students gaining access to a secure IT network given those individuals wouldn’t necessarily be state employees, he said.


State agencies undergoing IT administration reforms would likely need ongoing funding for the phased implementation of reforms, said Rep. Allison Hougland, R-Olathe.


The House legislation contemplated that a fee-for-service system for state government IT would remain in place for a year or so, but that those expenditures would then be migrated into the regular state budget to make certain resources were available to state agencies. The power of the purse held by the Legislature, and by a governor with veto power, was constitutionally the most direct method of convincing state agencies to comply with a reimagining of IT law, Carpenter said.


“There has to be a culture shift within the agencies,” Carpenter said. “That’s the reason why everybody from the governor to the janitor, whoever is accessing the network, has to take cybersecurity awareness training.”


Olathe Democratic Rep. Nikki McDonald, another member of the House committee, asked Carpenter if consideration had been given to extending IT reform through to city or county governments or the public school system for the benefit of Kansans.


Carpenter said it would be “quite expensive” to implement the bill across state government, and that no one appreciated unfunded mandates passed down from above.


McDonald said K-12 public schools were dealing with lack of funding for special education services to students and that broad reform of IT security standards could leave a substantive hole in school academic budgets. Her commentary was interrupted by Rep. Patrick Penn, R-Wichita, who asserted McDonald was out of order for extending the conversation to areas of government financed in whole or part by the state. Penn begged the committee chair to “shut that down.”


This article was reprinted with permission from the Kansas Reflector. The Kansas Reflector is a non-profit online news organization serving Kansas. For more information on the organization, go to its website at www.kansasreflector.com.
