CYBER CIVILIAN CORPS ACT

House Bill 4508 as enacted

Public Act 132 of 2017

Sponsor: Rep. Brandt Iden

House Committee: Communications and Technology

Senate Committee: Energy and Technology

Complete to 11-13-17

BRIEF SUMMARY:  House Bill 4508 creates the Cyber Civilian Corps Act to establish the Michigan Cyber Civilian Corps program within the Department of Technology, Management, and Budget (DTMB).

FISCAL IMPACT:  The bill would have an indeterminate, but likely minimal, direct fiscal impact on the DTMB. The DTMB is already an administrator of the existing Michigan Cyber Civilian Corps (MiC3) and would not incur significant costs to expand the program as described in the bill. There would likely be costs related to training an increased number of volunteers; however, these costs could be offset by charging clients a fee, an option the bill provides.

The bill could help reduce future negative fiscal impacts to local governments and state agencies. While additional volunteer workers would not replace any current full-time worker equivalent costs, an expanded volunteer program could help reduce costs to the state by mitigating the need for additional cybersecurity staff as cyber threats increase. The bill could also reduce potential future costs by minimizing the impact to government organizations and the disruption of services following a cybersecurity incident through the deployment of trained volunteers.

THE APPARENT PROBLEM:

The constant advances in information technology bring new cyber threats in tow. According to the bill sponsor, the State of Michigan detects tens of thousands of cyberattacks every day. These threats are not only aimed at governments; businesses and nonprofits are also at risk for cyberattacks. Therefore, to protect government agencies and private entities in the state, a framework to provide for a team of trained individuals to help in times of disaster is crucial. Even though the Cyber Civilian Corps already exists, House Bill 4508 puts it into statute under the control of the DTMB.

THE CONTENT OF THE BILL:

House Bill 4508 allows the DTMB to invite and appoint individuals to serve as Michigan Cyber Civilian Corps volunteers, and allows civilians with expertise in addressing cybersecurity incidents to volunteer and provide a rapid response and assistance to a municipal, educational, nonprofit, or business organization in need of expert assistance during a “cybersecurity incident.”

“Cybersecurity incident” refers to an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these. A cybersecurity incident includes, but is not limited to, the existence of a vulnerability in an information system, system security procedures, internal controls, or implementation that is subject to exploitation.

The DTMB may provide appropriate training to prospective and existing volunteers, and at its discretion may provide compensation for actual and necessary travel and subsistence expenses incurred by Michigan Cyber Civilian Corps volunteers on a deployment.

Michigan Cyber Civilian Corps volunteer

A “Michigan Cyber Civilian Corps volunteer” refers to an individual who has entered into a volunteer contract with the DTMB to serve as a volunteer in the Corps. The DTMB must enter into such a volunteer contract with any individual who wishes to accept its invitation to serve as a volunteer. At a minimum, the contract must include all of the following:

· Acknowledgment of the confidentiality of information relating to this state, state residents, and clients. (“Client” refers to a municipal, educational, nonprofit, or business organization that has requested and is using the rapid response assistance of the Cyber Civilian Corps under the direction of the DTMB.)

· Protection from disclosure of any confidential information of this state, state residents, or clients acquired by the volunteer through participation in the program.

· A requirement that the volunteer avoid conflicts of interest that might arise from a particular deployment; comply with all existing DTMB security policies and procedures regarding information technology resources; consent to background screening considered appropriate by the DTMB under the Act; and attest that he or she meets any standards of expertise that may be established by the DTMB.

A Michigan Cyber Civilian Corps volunteer is not classified as an agent, employee, or independent contractor of this state for any purpose and has no authority to bind this state with regard to third parties. This state is also not liable to a volunteer for personal injury or property damage suffered by the volunteer through participation in the Corps program.

Background check

When an individual accepts an invitation to serve as a volunteer, the DTMB must request the Department of State Police (MSP), on a form and in the manner prescribed by the MSP, to conduct a criminal records check through the Federal Bureau of Investigation and a criminal history check on the individual. The volunteer must give written consent and submit fingerprints. The MSP must report results within a reasonable time and provide the results of the criminal records check from the FBI, indicating whether or not the individual can become a volunteer. The MSP also must continually check new arrest fingerprints against the submitted fingerprints and notify the DTMB whether the individual is still cleared or no longer cleared to remain as a volunteer.

Immunity from civil liability

Except as otherwise provided in the Act, the DTMB and this state are immune from tort liability for acts or omissions by a volunteer. In addition, also except as otherwise provided in the Act, and without regard to the discretionary or ministerial nature of the conduct of a volunteer, each volunteer is immune from tort liability for an injury to a person or damage to property that occurs while he or she is deployed and acting on behalf of the DTMB, but only if all of the following are met:

· The volunteer is acting, or reasonably believes that he or she is acting, within the scope of his or her authority.

· The volunteer's conduct does not amount to gross negligence that is the proximate cause of the injury or damage. Gross negligence is conduct that is so reckless that it demonstrates a substantial lack of concern for whether an injury would occur.

· The volunteer's conduct is not a material breach of the volunteer agreement during that deployment.

If a claim is made or a civil or criminal action is commenced against a volunteer, and the above requirements are met, the DTMB may pay for, engage, or furnish the services of an attorney to advise the volunteer as to the claim and to appear for and represent the volunteer in the action. The DTMB may also compromise, settle, and pay a civil claim before or after the commencement of a civil action or for a judgment for damages, as well as indemnify the volunteer for a judgment. Furthermore, a volunteer may obtain reimbursement for legal expenses stemming from a criminal action.

Deployment

Upon the occurrence of a cybersecurity incident that affects a client, the client may request the DTMB to deploy 1 or more volunteers to provide rapid response assistance under the direction of the DTMB. The DTMB has discretion to initiate deployment of volunteers upon the occurrence of a cybersecurity incident and the request of a client. The deployment of a volunteer to assist a client is for 7 days, unless the writing initiating the deployment contains a different period. At the direction of the DTMB, the deployment of a volunteer may be extended in writing in the same manner as the initial deployment.

A volunteer may decline to accept deployment for any reason. If a volunteer accepts deployment for a cybersecurity incident, acceptance must be in writing.

To initiate the deployment of a volunteer for a cybersecurity incident, the DTMB must indicate in writing that the volunteer is authorized to provide the assistance. A single writing may initiate the deployment of more than 1 volunteer. The DTMB must maintain the writing for 6 years from the time of deployment or for the time required under the DTMB's record retention policies, whichever is longer.

Advisory board

The bill creates the Michigan Cyber Civilian Corps Advisory Board as an advisory body within the DTMB. The advisory board is composed of the Adjutant General (National Guard), the director of the DTMB, the director of the MSP, and the director of the Department of Talent and Economic Development (or their designees). The advisory board is responsible for reviewing and making recommendations to the DTMB regarding the policies and procedures to be used in implementing the Act.

Department responsibilities

After consultation with the advisory board, the DTMB's chief information officer must approve the set of tools that the Corps may use in response to a cybersecurity incident and determine the standards of expertise necessary for an individual to become a member of the Corps. (The “chief information officer” is the individual within the DTMB designated by the governor as the chief information officer for the state.)

Also after consultation with the advisory board, the DTMB is required to publish guidelines for the operation of the Corps program. At a minimum, the published guidelines must include the following:

· An explanation of the standard used to determine whether an individual can serve as a volunteer and an explanation of the process by which an individual can become a volunteer.

· An explanation of the requirements imposed for a client to receive the assistance of the Corps and an explanation of the process by which a client may request and receive assistance.

The DTMB is the entity to enter into contracts with clients as a condition for providing assistance through the Corps. The DTMB may also establish a fee schedule for clients. The DTMB may recoup expenses through the fees but may not generate a profit.

Finally, the following information given to the volunteer group is exempt from the Freedom of Information Act:

· Anything that would identify or provide a means of identifying a person that may, as a result of disclosure of the information, become a victim of a cybersecurity incident.

· Anything that would disclose a person’s cybersecurity plans or cybersecurity-related practices, procedures, methods, results, organizational information infrastructure, hardware, or software.

The Cyber Civilian Corps Act takes effect January 24, 2018.

BACKGROUND INFORMATION:

The Michigan Cyber Civilian Corps (MiC3) is a group of trained cybersecurity experts who volunteer to provide expert assistance to enhance the state's ability to rapidly resolve cyber incidents when activated under a governor-declared state of emergency. The group includes 52 volunteers from government, education, and business sectors, and they hope to raise membership to 200 volunteers.

The mission of MiC3 is to work with government, education, private sector organizations, and volunteers to create and implement a rapid response team to be activated under a governor-declared cyber state of emergency and to provide mutual aid to government, education, and business organizations in this state.

Membership is currently open to information security professionals who are residents of the state of Michigan. According to its website, applicants should have at least 2 years of direct involvement with information security, preferably security operations, incident response, and/or digital or network forensics. Applicants should also have a basic security certification (ANSI-certified/DOD 8570 compliant certifications such as Security+, C|EH, CISSP, or GIAC certifications are strongly preferred). Applicants will also be required to pass a series of tests to demonstrate basic knowledge of networking and security concepts, as well as basic IR and forensics skills. Because of the time commitment (up to 10 days/year for training and exercises), applicants must provide evidence of employer support. Successful applicants are also subject to background screening and sign a confidential disclosure agreement.[1]

ARGUMENTS:

For:

Proponents of the bill believe that with the rapid development of information technology and constant reliance on its functioning, Michigan and businesses within the state are at an ever-increasing risk of disastrous outcomes in the event of a cyber attack. The program created under the bill and headed by the DTMB would ensure that the state and various businesses could bounce back quickly if a cyber incident occurs.

Against:

Opponents of the bill are concerned that a state-run volunteer program for specialized technological services would hinder the private sector. The bill appears to be anti-competitive in nature as local businesses would be shut out of business opportunities: if someone can get the same services for free through the volunteer program, why would they pay a private company?

Response:

Supporters of the bill have responded to this concern by stating that the program is meant to aid with very large-scale or disaster-type cyber incidents. Volunteers under the program would not be deployed for everyday incidents (such as simple hacking); there will still be a market for private businesses for other incidents.

Legislative Analyst: Emily S. Smith

Fiscal Analyst: Michael Cnossen

This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.



[1] http://www.michigan.gov/som/0,4669,7-192-78403_78404_78419---,00.html