Lawmakers Advance IT Security Bill


By John Celock

Following intense debate over the impact of the bill, Kansas lawmakers voted Friday to give preliminary approval to legislation overhauling the state’s information technology practices.

The state House of Representatives advanced a bill that would codify practices relating to information technology security and to create a new IT security agency in the state. Supporters argued that the bill needed immediate action in order to address IT security threats, while opponents said that more time was needed to set up the IT security agency.

“Highly sophisticated criminals want to infiltrate our government and steal our citizen’s data,” Government Technology and Security Committee Chairman Pete DeGraaf (R-Mulvane) said during the debate.

DeGraaf said that the bill would codify a 2011 executive order from Gov. Sam Brownback (R) to implement new IT security practices and create a chief information technology officer for state government. The bill also includes the creation of a new information security officer for state government and changes the Office of Information Technology that the executive order created and converts it to the Kansas Information Technology Enterprise Agency. Under the terms of the bill, the new agency would have oversight of IT security issues at all cabinet departments in the state, but not over the state’s universities or small regulatory agencies that are funded by user fees.

DeGraaf said the legislation, which was created by his panel by combining two bills together into an omnibus government IT bill, would increase security in state government. He said the smaller agencies did not want to be included under the new agency’s umbrella and said that they would be addressed at a later date.

Rep. Tom Sloan (R-Lawrence) offered an amendment to have the new IT agency apply to all agencies in the executive branch, arguing that the smaller agencies could serve as a gateway for hackers to infiltrate state government systems.

Rep. Jeff Pittman (D-Leavenworth),a technology committee member, led a fight against the amendment and the new IT agency, saying that the legislation did not include a roadmap for the creation of the new agency and its scope. Pittman, who works in technology, said that such a roadmap was needed in order to address the issues surrounding combining a variety of agencies under one IT umbrella, including competing computer systems and software.

Rep. Steven Becker (R-Buhler), a member of the technology committee, questioned being able to bring the small fee-funded agencies under the umbrella of the new IT agency, saying the amendment left unanswered questions about if the IT agency’s chief would be able to take money from the fee funds. He also questioned would the IT employees of the smaller agencies stay with their agencies or move to the new agency. He urged “respect” of the committee’s work. Rep. Joy Koesten (R-Leawood), a committee member, said the panel “worked very, very hard” on the bill and that lawmakers should consider the committee’s work.

Rep. Patsy Terrell (D-Hutchinson), a technology committee member, said that smaller agencies tend to purchase software specific to their missions and train IT staff on that software. She said the Sloan amendment could potentially cause management issues.

Sloan argued that his amendment would not cause issues, noting that the smaller agencyies IT staff are not in place for security reasons.

“The risk is in all agencies mainly the small ones,” he said. “They have IT staff but they are customer oriented and not security oriented.”

Sloan’s amendment failed 49-70.

Several Democrats, including Minority Leader Jim Ward (D-Wichita) and Government Technology and Security Ranking Minority Member Pam Curtis (D-Kansas City), argued against having the IT agency as part of the security bill. Curtis said that no “roadmap” had been drafted by lawmakers for the creation of the IT agency and the lack of a plan would hamper the agency’s creation by the 2019 effective date. She noted that the bill did not address which IT employees would move over and there were “outstanding concerns” that needed to be addressed.

Curtis said the concerns could cause broader issues for the state.

“This will further harm the state’s ability to attract and retain good IT employees,” she said.

Amendments from Pittman and Ward to take the IT agency out of the bill, or delay the agency’s implementation, were both defeated. Ward attempted to take the agency out and create a legislative study committee to meet this year that would have studied the IT agency proposal and created a plan. Ward’s proposed committee would be in addition to the Legislature’s existing Joint Committee on Information Technology, which meets year round.

DeGraaf offered a dire warning for his colleagues about any attempt to delay.

“Barbarians are on the hill and are waiting to attack,” he said. “We should not give another two of three years.”

Pittman argued that any delay would only impact the agency proposal and not the security component of the bill.

“We are not kicking the can down the road for security,” Pittman said. “We are making it so for those agencies that they have time to adjust to the policies for the hardware and software and service that the CITO will bring to the table. It helps with change management and user adaption.”