New Cybersecurity Guidance Coming to Maryland Localities

A new law that strives to enhance cybersecurity in Maryland for local governments and small organizations will go into effect Friday.

The law aims to promote cybersecurity oversight and advisement between the secretary of information technology, the attorney general and the legislative and judicial branches of government for offices and agencies of state government, according to the bill, SB049.

“Maryland is going to be proactive,” said Sen. Susan Lee, D-Montgomery. “We can’t drop the ball, especially with technology advancing so quickly these days.”

The bill, modeled after 2019 legislation in North Dakota, promotes greater cybersecurity awareness for local municipalities. Understanding malicious software like ransomware can help protect local organizations before a cyber attack instead of addressing the problem after the fact, according to Lee.

The cybersecurity bill comes on the heels of a ransomware attack that struck the Baltimore City government in May 2019. This cyberattack was followed by a devastating ransom attack that hit Baltimore County Public Schools in November 2020.

The Baltimore City ransomware attack affected a network of approximately 7,000 users and disrupted city services, according to a press release from the mayor’s office.

The Baltimore County Public Schools ransomware event compromised a wide range of systems, from paychecks to class schedules, but the school system was able to continue operations a week after the attack, according to Charles Herndon, a spokesman for Baltimore County Public Schools.

In a ransomware attack, a captor holds a person or organization’s files hostage through encryption. The easiest way to decrypt the data is to pay the captor what they want.

Baltimore County Public Schools declined to answer how much the ransom was and whether or not the school system paid the ransom, according to Herndon.

Another bill, SB623, which Lee also sponsored, prohibits the use of ransomware, with the intent to disrupt or impair, in the state of Maryland and will also go into effect Oct. 1. She explained that this type of bill is one of the first of its kind.

“The two (cybersecurity) bills go hand-in-hand,” said Lee. “A lot of the ransomware attacks have been on localities and on city governments, on hospitals and critical infrastructures. At least we are taking a first step in addressing these cyberattacks against our localities.”

Chip Stewart, state chief information security officer for the department of information technology, said people and organizations need to focus on cybersecurity. He cited the events of the past year and a half as evidence that anyone can be a target.

“I certainly encourage counties and municipalities to use the provisions, mentioned in SB049, to get help from us,” Stewart told Capital News Service. “We are here to help.”

One of the ways Maryland’s Department of Information Technology provides help to localities is with the department’s security manual. In it, readers can find how Maryland agencies seek to best protect their digital information, according to the manual.

Joe Carrigan, a senior security engineer at Johns Hopkins University, believes the bill gives a local municipality a greater opportunity for cybersecurity protection moving forward.

“The only thing (small organizations) can do is engage with a security consultant and that costs them something.

“Here with this new law, now they have a resource that they can go to and say, ‘Hey what do we do?’” Carrigan said.