COLLEGE PARK–Protecting Maryland’s utility infrastructure and state agencies from cyber threats is the top priority for a new advisory panel comprised of state and federal officials working alongside private-sector security experts.
The Maryland Cybersecurity Council plans to develop recommendations on how to take advantage of the cyber institutions in Maryland, create additional cybersecurity jobs and promote economic development, according to state Attorney General Brian Frosh, chair of the council.
The council, which met for the first time Tuesday, plans to develop statewide guidelines for a coordinated response in the event of cybersecurity attacks.
Maryland needs to be vigilant so “hackers, crooks and terrorists — our enemies,” cannot use networks to gain access to utilities and other infrastructure, Frosh said.
The council can “help tell our government, help tell our private sector, how to get to cybersecurity.”
A successor to the now defunct Maryland Commission on Cybersecurity Innovation and Excellence, council membership includes stakeholders from the private and the public sector with representatives from places like the National Security Agency, University of Maryland, University College and Booz Allen Hamilton.
The commission, disbanded by law in 2014, reviewed federal and state cybersecurity laws and worked to promote cyber innovation in Maryland. During its tenure, the commission proposed legislation, which was later passed, to protect agencies from cyber attacks and to prevent and protect health care records from identity theft, according to its final report.
State Sen. Susan Lee, D-Montgomery, co-chair of the former commission and a member of the council, said she wants the new panel to work to both prevent cybersecurity risks and take advantage of the cyber job markets in the state.
Both the NSA and the U.S. Cyber Command are located in Fort Meade, Maryland.
“We could be, we should be, the epicenter of cyber innovation and jobs. But you have to make it a priority,” Lee said.
The primary sponsor for the bill establishing the council, Lee originally wanted to extend the life of the commission beyond its three-and-a-half year lifespan but came across opposition, she said. “No one wants to get regulated or (to) change things.”
“Maybe it’s because they don’t understand the gravity of this problem,” Lee said, citing potential threats to both government and commercial industries.
“What if they attacked a utility or public service carrier? That would be horrible,” Lee said. “That would really impact public safety.”
Lee called the recent data breach at the U.S. Office of Personnel Management a “harsh reality check” for federal agencies and contractors.
In June 2015, the agency found a breach in its background investigation records, which compromised “sensitive” information, like Social Security numbers, of 21.5 million people, according to OPM.
The University of Maryland also had a major data breach in February 2014. Hackers accessed records like Social Security numbers, names and birthdates of all individuals with a school ID card between 1998 and 2014, according to the university.
Michael Greenberger, a council member and former member of the commission, said the council broadened its membership to include stakeholders across the state with experts from the federal government and private industry.
Greenberger, founder and director of the University of Maryland Center for Health and Homeland Security, said that cyber attacks could wreak havoc on critical infrastructure and, for example, harm the integrity of the utilities grid or the efforts of first responders.
Maryland “still (has) a high degree of vulnerability, as is true throughout the country,” Greenberger said.
The attorney general as chair will help bring credibility to any recommendations the council offers, Greenberger said. A more permanent structure, unlike the limited tenure of the commission, will allow for “staying power” with the council, Greenberger said.
The General Assembly established the Maryland Cybersecurity Council during the 2015 legislative session, tasking it to work with both federal agencies and the private sector to create a strategic plan for cybersecurity in Maryland while ensuring compliance with federal guidelines.
The council will work closely with the National Institute of Standards and Technology, commonly referred to as NIST, to find which local infrastructures are most vulnerable to cyber attacks and require enhanced cybersecurity.
In 2014, following an executive order, NIST, headquartered in Gaithersburg, released business and technology standards to reduce the risk of cyber attacks and promote protection, according to the state Department of Legislative Services.
The council is also supposed to work with private-sector cybersecurity businesses to follow NIST’s standards, according to the Department of Legislative Services.
To protect the state and help advance its economy “we have to be proactive, not always responding,” Lee said. Maryland can work to advance its policy and approach to cybersecurity because the U.S. Congress has yet to pass comprehensive cyber legislation.
Cyber technology has to become part of the fabric of innovation, said Henry Muller, a council member and director of the U.S. Army Communications-Electronics Research, Development and Engineering Center.
“Cyber is an enabler” for technological advancement, Muller said, and requires careful application to avoid creating system vulnerabilities.
Cybersecurity is an important topic for the governor, said Michael White, communications director for the Maryland Department of Information Technology. “It is responsible to make sure the state is protected from all angles.”