I want to clear up some misconceptions about HB 1068. This is a narrowly tailored bill that will clarify state law that prevents the release of documents that would aid cyberattackers and our backup plan (COOP) should that happen.
The purpose of this bill is to prevent bad actors from obtaining a report that lists our vulnerabilities that could make it easier to gain access to our elections systems, or government computer network.
These reports already receive the highest level of protection by the federal government and cybersecurity agencies. We can’t even share them within the county without an operational justification. All HB 1068 does is synchronize and clarify this level of protection with state law.
The bill does not prevent the release of information about election audits or anything else about election operations.
But this explanation deserves a little history:
Back in the summer of 2019, Thurston County received a public records request from a reporter that was covering election security. In particular, they requested a copy of a recent cybersecurity assessment we’d received from the Department of Homeland Security. For obvious reasons, I did not want to release a roadmap to infiltrating the county’s computer network.
It became quickly apparent that at least in Thurston County, we did not feel statute was clear if we were required to release that assessment heavily redacted or not at all. In the end we didn’t (nor did any other county that received the same request) release the assessment, I really like laws to be very clear.
During the 2020 legislative session I worked with the county’s public records attorney, the Secretary of State’s office and Rep. Laurie Dolan to introduce HB 2293. This bill clarifies RCW 42.56.420 and also exempts our COOP (Continuity of Operation Plans). You can watch the public hearing on that bill here. It starts at 48.36 minutes. That earlier bill passed out of committee with bi-partisan support but did not reach a floor vote. So, the bill was reintroduced this year as HB 1068.
We know there is a persistent and growing cyberthreat to government networks. Just last month, the City of Ellensburg lost access to their entire network because of a ransomware attack. We don't want to leave any clues for anyone to figure out how to attack our systems.
This bill is very narrow in scope and exempts only continuity of operation plans and physical and cyber security assessments.
To put this in real world terms, here’s a great analogy. The intent of this bill is to prevent releasing a copy of a police cruiser key or the password to a government laptop. The key and the password are technically public resources. But there is an overriding public interest in making sure police cars and government computers are only accessed by authorized staff.
Don’t hesitate to reach out if you have any questions.