Report proposes changes to Iowa’s cybersecurity efforts

August 8, 2016 GMT

DES MOINES, Iowa (AP) — Iowa could be better prepared to address ever-increasing cybersecurity threats if it made some legislative changes and added new guidelines, a state report released Monday said.

The “Cybersecurity Strategy” report lacks clear details on how much the efforts could cost. Drafted by multiple state agencies, it lists a range of recommendations for how Iowa could reduce risks to state government operations, including better guidelines for state employees when they receive emails and store information that can be vulnerable to hacking. The report also suggests updating state law that defines aspects of security breaches. It also recommends imposing more specific consumer-notification requirements whenever there’s a data breach.

Gov. Terry Branstad said many potential changes may not require formal action in the Legislature, which has a Republican-controlled House and Democratic-majority Senate.

Robert von Wolffradt, Iowa’s chief information officer, said the state wants to help employees “navigate and deal with all of the electronic data that passes in front of them.”

“What we’re trying to do is provide a lot more visibility on cybersecurity from a threat perspective and also mitigation perspective,” said von Wolffradt, whose office led the report.

Cybersecurity threats have the potential to disrupt systems that deliver critical services like electricity, transportation and water, the report said. Von Wolffradt described Iowa’s risk level for cybersecurity threats as “moderate,” but he provided little additional information.

Branstad issued an executive order in December aimed at establishing a cybersecurity plan for the state. Monday’s roughly 30-page report was part of that executive order. It does not include detailed operational plans or a budget, but the Republican governor said those steps are next as his office reviews the report.

“We will address this between now and when we present the budget and recommendations to the Legislature in January,” he said.

The report notes the lack of specifics on funding, though it points out the need for “investments” on collaboration, best practices, education, protecting infrastructure and risk assessments. Collaboration could include private-sector partnerships to share criminal and cyberthreat information.