MICHIGAN CYBER CIVILIAN CORPS ACT

House Bill 5426 (H-1) as reported from committee

Sponsor:  Rep. Matt Hall

House Bill 5427 (H-1) as reported from committee

Sponsor:  Rep. Greg VanWoerkom

1st Committee:  Oversight

2nd Committee:  Ways and Means

Complete to 3-12-20

BRIEF SUMMARY:  House Bills 5426 and 5427 would amend the Cyber Civilian Corps Act to revise definitions, to ensure that volunteers with the Michigan Cyber Civilian Corps (MiC3) meet criteria to qualify as a volunteer, to distinguish between deployable and nondeployable volunteers, and to track volunteer and advisor trainings.

FISCAL IMPACT:  The bills would not have a significant fiscal impact on the state or on local units of government. HB 5426 would require volunteers to complete a criminal background check before engaging in training. If there are any active members that have not completed their background checks, they would be required to do so in order to retain membership. The Department of Technology, Management, and Budget would pay the cost of criminal history background checks, which are $42 each, with $30 going to the Michigan State Police and $12 going to the Federal Bureau of Investigation.

THE APPARENT PROBLEM:

The Michigan Cyber Civilian Corps, or MiC3, is a program operated by the Cybersecurity and Infrastructure Protection Division of the Department of Technology, Management, and Budget (DTMB) under which cybersecurity experts may volunteer to assist municipal, educational, nonprofit, or business organizations during a cybersecurity incident. MiC3 includes volunteers from government, education, and business sectors. MiC3 is the first volunteer cybersecurity program in the nation. In 2019, teams were deployed three times to assist local governments experiencing cyber attacks.

An audit of the MiC3 prepared by the Office of the Auditor General (OAG) was released in September 2019. For the most part, the audit concluded that DTMB’s administration of MiC3 was moderately effective; one material condition and one reportable condition were highlighted in the audit report. A material condition is considered to have the potential to impair the ability of management to operate a program in an effective and efficient manner and/or to adversely affect the judgment of an interested person concerning the effectiveness and efficiency of the program. A reportable condition is considered less severe than a material one, and is a matter that falls within any of several categories such as fraud, illegal acts, and significant violations of provisions of contracts or grant agreements. The report also listed several observations of measures that MiC3 could take to further mature the program. After an OAG audit, an agency is provided time to respond to audit findings, to agree or disagree with the findings, and to describe actions taken or intended to be taken to correct identified deficiencies.

Some of the recommendations appear to need legislative action to implement. For instance, the audit found that a significant number of MiC3 volunteers had not completed the required criminal background check. Currently, a criminal record renders a person ineligible to serve as a volunteer. However, extremely skilled cyber experts are rare, and even some of the top-ranked experts (such as former hackers) do have criminal convictions in their past. It has been suggested that, rather than excluding such individuals, a separate category be created in statute to allow such persons to act in an advisory capacity, but not actually be deployed to a governmental or critical infrastructure site where they could have increased access to sensitive information or structures. In addition, MiC3 volunteers may currently be deployed to assist private businesses experiencing a cyber attack. Since the training and oversight of the volunteers are supported by tax dollars, some feel that deployment should only be to governmental entities and critical infrastructure (e.g., public utilities).

THE CONTENT OF THE BILLS:

House Bill 5426 would amend the Cyber Civilian Corps Act to allow DTMB to appoint individuals to serve as advisors, in addition to volunteers as under current law, and revise provisions in the act to apply also to advisors.

“Michigan Cyber Civilian Corps advisor” or “advisor” would be defined as an individual who has entered into a volunteer agreement with DTMB to serve as a nondeployable advisor in the MiC3.

In addition, the current definition for “Michigan Cyber Civilian Corps volunteer” would be revised to mean an individual who has entered into a volunteer agreement with the DTMB to serve as a deployable volunteer in the MiC3.

Currently, DTMB must enter into a contract with any individual wishing to accept an invitation by the department to serve as an MiC3 volunteer. The bill would apply the provision also to MiC3 advisors and specify that volunteers and advisors must meet the qualifying criteria for those positions as determined by the Michigan Cyber Civilian Corps Advisory Board.

The act requires individuals who accept an invitation to serve in the MiC3 to undergo a state and national criminal history check. The bill would add that if a background check results in previous criminal history, the individual could appeal to the DTMB director, or his or her designee, for nondeployable Michigan Cyber Civilian Corps advisor status. MiC3 volunteers or advisors could not engage in training until either the background check or appeal regarding the background check process was completed.

Finally, the act’s current definitions of “client” and “Michigan Cyber Civilian Corps” include business organizations as, respectively, entities that request and use MiC3 assistance and entities to which MiC3 volunteers provide rapid response assistance. The bill would replace “business organization” with “critical infrastructure organization” in each definition.

“Critical infrastructure” would mean systems and assets, whether physical or virtual, so vital to the United States or Michigan that the incapacity or destruction of that system or asset would have a debilitating impact on security, economic security, public health or safety, or any combination of these as determined by DTMB.

MCL 18.222 et seq.

House Bill 5427 would amend the act to require the advisory board to meet at least twice annually and require it to review and make recommendations on individuals applying for nondeployable advisor status. The chief information officer, after consulting with the advisory board, would have to establish and maintain a formal process to track volunteer and advisor trainings and compliance with standards as determined by DTMB.

Currently, DTMB must publish guidelines for the operation of the MiC3 program. The bill would add the following as one of the required guidelines: an explanation of the process by which the MiC3 will select and prioritize which prospective clients should receive assistance.

MCL 18.229 and 18.230

The bills are tie-barred to each other, which means that neither could take effect unless both were enacted.

ARGUMENTS:

For:

The bills would address some concerns highlighted by the recent OAG report on the MiC3 program. HB 5426 would allow persons who have one or more criminal convictions to appeal to the Michigan Cyber Civilian Corps Advisory Board for designation as an advisor. In this way, the state can benefit from the expertise such a person has while maintaining integrity in the program and safety for the entity requesting assistance from the corps. An advisor would be able to provide assistance remotely, but would not be deployed to the site of a requesting entity.

Further, HB 5426 would no longer allow corps volunteers to be deployed to any business requesting assistance. There are private firms that provide similar assistance, and businesses could enlist their help. Since the MiC3 is taxpayer-supported, the rapid response services it provides should be reserved for governmental entities and critical infrastructure such as public utilities. The bill would make the necessary statutory changes to implement this change.

HB 5427 would address other weaknesses in the operation of the program that were brought to light by the audit. For instance, it was found that the advisory board had not been meeting regularly. DTMB has already revised its policy and intends that the board meet quarterly. The bill would ensure that the board meets at least twice a year. The bill would also require the board to establish a formal process to better track volunteer and advisor trainings and ensure that they are in compliance with standards that DTMB will develop.

Together, the bills will strengthen Michigan’s groundbreaking Cyber Civilian Corps and ensure that, should schools, governmental entities, or critical infrastructures come under a cyber attack, the state will have a group of well-trained, well-equipped cyber experts to lend a hand.

Against:

No arguments opposing the bills were offered in committee testimony.

POSITIONS:

A representative of the Department of Technology, Management, and Budget testified in support of the bills. (3-4-20)

The following entities indicated support for the bills (3-4-20):

Michigan Bankers Association

Michigan Municipal League

Legislative Analyst:  Susan Stutzky

Fiscal Analyst:  Michael Cnossen

This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.