After discovering that his personal information was put on the Dark Web, state Sen. Dave Min started a cybersecurity and identity theft prevention committee. Select committees are designed to help senators learn about issues.
Lea este artículo en español.
For the record: This post has been revised to reflect that this is not the first state legislative committee of its kind. The California State Assembly has had a select committee on cybersecurity since 2015. Three other states have committees specifically relating to cybersecurity.
Early this year, state Sen. Dave Min discovered that his Social Security number, date of birth and other personal information had been published on the Dark Web, hidden networks that aren’t accessible through search engines and are considered a free-for-all for cybercriminals across the world. Not only was his own information compromised, he said, but so was that of his three children.
The experience has inspired Min, a former law professor at UC Irvine and Irvine Democrat, to start a senate select committee on cybersecurity and identity theft prevention.
Cyberattacks have increased in the past couple of years, said Ronald Manuel, a supervisor on the FBI’s Los Angeles cyber task force, and rose during the coronavirus pandemic. Recent cyberattacks have targeted thousands of businesses, hospitals, a police station and a major pipeline. CalMatters also reported about an increase in ransomware attacks against schools.
President Joe Biden signed an executive order to boost cybersecurity for critical infrastructure, but there still isn’t much legal or policy framework for cyberattacks and cybersecurity, according to experts. For example, there are no federal or state reporting requirements for cyberattacks.
“I really believe that in the next 10 years, most of us, and maybe almost all of us, will be subject to some kind of hack,” said Min, who was part of a large hack targeting the University of California. “It’s just inevitable, given just how broad and pernicious the problem of hacking is.”
A new cybersecurity committee is born
Min’s new committee is what’s called a select committee.
Select committees don’t hear bills 一 they’re designed for legislators to delve deep into issues without having to produce anything.
Previous criticisms of select committees detailed a lack of accountability and transparency. Some select committees only had one member, used committee staff as their own personal staff and didn’t meet at all, according to reporting from the Sacramento Bee in 2012. Select committees also are not audited and aren’t required to report their findings.
Min’s office said his select committee also won’t hire any staff.
“We’re not coming into this with prebaked solutions, necessarily,” he said. “We want to be thoughtful … nonpartisan ideally and just approach this in a way that’s systematic. But we think that there’s a lot here to do as far as learning, educating ourselves and hopefully creating a record for the body of the state Senate.”
Do select committees actually achieve anything?
Well, it depends on how you define “achievement.”
The goal of select committees is to learn more about designated topics. That doesn’t always translate into policy.
Santa Clara County Supervisor Joe Simitian served in the California Legislature from 2000 to 2012 as both an assemblymember and senator. He was on several select committees and said the utility and productiveness of select committees varied greatly depending on the chair and committee.
“I think a candid assessment … would be that select committees were only as good as the time and effort the chairs put into them,” he said. “Different chairs used select committees in very different ways, for very different purposes.”
Simitian said that the productivity of select committees is often not apparent until years later.
“The challenge is that you really can’t tell for some time after whether or not the select committee generated any significant benefit,” he said. “So during the course of any given year or two, it’s going to be hard to assess just how productive or not a particular committee has been. Over a period of years, though, there should be some work product that is readily identifiable to justify the creation and use of the committee.”
What will the committee do, exactly?
Over the next year, Min will bring in experts and other witnesses to discuss cybersecurity and identity theft prevention issues.
But with all the pressing concerns the Legislature has to deal with, the select committee is a way to focus attention on cybersecurity.
“There’s a lot of balls in the air right now and I think Senator Min wanted to make sure that this topic was given ample attention from the Legislature,” said Sen. Ben Allen, a Santa Monica Democrat. He said the Legislature hasn’t paid attention to cybersecurity.
“Well, people pay attention to the topic,” he said. “But there’s so many things happening, there’s so many issues, there’s so many difficult policy challenges, each of them merit more attention. The creation of this committee in some respects is an acknowledgement of the fact that we need to pay more attention to this issue.”
Min said new laws on cybersecurity are overdue and blames a lack of one for the pervasiveness of California’s Employment Development Department fraud.
“One of the reasons EDD fraud was so pernicious here in California and really across the country was because so many criminals have access to IDs,” he said. “I mean, there are millions of IDs that they just can access almost immediately. And that’s why they were able to open up accounts, because they had all the information and it’s really hard to stop.
“They were facing issues that they were not equipped to deal with. What do you do when somebody has all of the information that you’d need to open up any kind of an account?”
Other issues committee members said they want to learn more about: ransomware attacks, California’s food and water infrastructure security, the scope of the UC breach and artificial intelligence.
Who are the other cybersecurity committee members?
- Santa Monica Sen. Benjamin Allen As a former lecturer at UCLA’s law school, he was also implicated by the University of California breach, although he doesn’t know if his information is on the Dark Web.
- Menlo Park Sen. Josh Becker, who represents Silicon Valley, home of tech giants like Apple, Google and Facebook.
- Fresno Sen. Andreas Borgeas will serve as the sole Republican on the committee. He hopes that guarding food production from cyberattacks will be a focus for the select committee.
- Santa Barbara Sen. Monique Límon and Orange County Sen. Tom Umberg both chair influential committees that intersect with cybersecurity and identity theft issues: Límon chairs the banking committee and Umberg chairs both the judiciary and artificial intelligence committees.
Cybersecurity advice is often scattered and difficult to understand if you’re not a tech expert — it can be brutal out there for school administrators, educators and parents trying to figure out how to protect their schools from cyberattacks. CalMatters spoke with over a dozen cybersecurity experts to help you out.
As ransomware attacks target them, some California schools are scrambling to respond while others have done little to protect themselves.
A ransomware attack — where cybercriminals hold online systems hostage until victims pay a ransom — can have devastating consequences for schools. Experts say the number of attacks against schools in California and across the country are rising as educators try to figure out whether cybersecurity should be a priority.