CYBER CIVILIAN CORPS ACT

House Bill 4508 as introduced

Sponsor:  Rep. Brandt Iden

Committee:  Communications and Technology

Complete to 5-8-17

SUMMARY:

House Bill 4508 would create the Cyber Civilian Corps Act to establish the Michigan Cyber Civilian Corps program within the Department of Technology, Management, and Budget (DTMB).

The new act would allow the department to invite and appoint individuals to serve as Michigan Cyber Civilian Corps volunteers, and allow civilians with expertise in addressing cybersecurity incidents to volunteer and provide a rapid response and assistance to a municipal, educational, nonprofit, or business organization in need of expert assistance during a "cybersecurity incident."

"Cybersecurity incident" refers to an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these. A cybersecurity incident includes, but is not limited to, the existence of a vulnerability in an information system, system security procedures, internal controls, or implementation that is subject to exploitation.

The department could provide appropriate training to prospective and existing volunteers, and could provide compensation for actual and necessary travel and subsistence expenses incurred by Michigan cyber civilian corps volunteers on a deployment at the discretion of the department.

Michigan Cyber Civilian Corps volunteer

A "Michigan Cyber Civilian Corps volunteer" refers to an individual who has entered into a volunteer agreement with the DTMB to serve as a volunteer in the corps. The department would enter into such a volunteer contract with any individual who wishes to accept an invitation to serve as a volunteer. At a minimum, the contract would have to include all of the following provisions:

·         Acknowledging the confidentiality of information relating to this state, state residents, and clients. (Client refers to a municipal, educational, nonprofit, or business organization that has requested and is using the rapid response assistance of the civilian corps under the direction of the department.)

·         Protecting from disclosure any confidential information of this state, state residents, or clients acquired by the volunteer through participation in the program.

·         Requiring the volunteer to avoid conflicts of interest that might arise from a particular deployment; comply with all existing DTMB security policies and procedures regarding information technology resources; consent to background screening considered appropriate by the department under this act; and attest that he or she meets any standards of expertise that may be established by the department.

A Michigan Cyber Civilian Corps volunteer would not be classified as an agent, employee, or independent contractor of this state for any purpose and would have no authority to bind this state with regard to third parties. This state would also not be liable to a volunteer for personal injury or property damage suffered by volunteer through participation in the corps program.

Background check

When an individual accepts an invitation to serve as a volunteer, the department must request the Department of State Police to conduct a criminal records check through the Federal Bureau of Investigation and a criminal history check on the individual. The department shall make the request on a form and in the manner prescribed by the department of state police. The volunteer must give written consent, and submit fingerprints.  The MSP must report results within a reasonable time and provide the results of the criminal records check from the FBI.  The MSP may charge the DTMB a fee for a criminal history check or a criminal records check that does not exceed the actual and reasonable cost of conducting the check, and the DTMB may pass the fee along to the volunteer.

Immunity from civil liability

Except as otherwise provided in the act, while a volunteer was deployed, the volunteer would have the same immunity from civil liability as a department employee and must be treated in the same manner as a department employee, as provided in Sections 7 and 8 of the Governmental Immunity Act (MCL 691.1407 and 691.1408).

A volunteer who materially breached the volunteer agreement, would not be considered to be acting on behalf of the department, and thus would lose the immunity from civil liability.

Deployment

On the occurrence of a cybersecurity incident that affects a client, the client may request DTMB to deploy one or more volunteers to provide rapid response assistance under the direction of the department. The department would have discretion to initiate deployment of volunteers upon the occurrence of a cybersecurity incident and the request of a client. The deployment of a volunteer to assist a client would be for seven days, unless the writing initiating the deployment contains a different period. At the direction of the department, the deployment of a volunteer could be extended in writing in the same manner as the initial deployment.

A volunteer would be able to decline to accept deployment for any reason. If a volunteer accepts deployment for a cybersecurity incident, acceptance would have be in writing.

To initiate the deployment of a volunteer for a cybersecurity incident, the department would indicate in writing that the volunteer is authorized to provide the assistance. A single writing could initiate the deployment of more than one volunteer. The department would also be required to maintain the writing for six years from the time of deployment or for the time required under the department's record retention policies, whichever is longer.

Advisory board

The Michigan Cyber Civilian Corps Advisory Board would be created as an advisory body within the department. The advisory board would be composed of the Adjutant General (National Guard), the director DTMB, the director of Michigan State Police, and the director of the Department of Talent and Economic Development (or their designees).  The advisory board would also be responsible in reviewing and making recommendations to the STMB regarding the policies and procedures to be used in implementing this act.

Department responsibilities

After consultation with the advisory board, the DTMB's chief information officer would be required to approve the set of tools that the corps could use in response to a cybersecurity incident and to determine the standards of expertise necessary for an individual to become a member of the corps. (The "chief information officer" is defined in the bill the individual within the DTMB designated by the governor as the chief information officer for the state.)

Also after consultation with the advisory board, the department would be required to publish guidelines for the operation of the corps program. At a minimum, the published guidelines would have to include the following:

·         An explanation of the standard use to determine whether an individual could serve as a volunteer and an explanation of the process by which an individual could become a volunteer.

·         An explanation of the requirements imposed for a client to receive the assistance of the corps and an explanation of the process by which a client may request and receive assistance.

The DTMB would be the entity to enter into contracts with clients as a condition to providing assistance through the corps. The department could also establish a fee schedule for clients. The department may recoup expenses through the fees but may not generate a profit.

FISCAL IMPACT:

The bill would have an indeterminate, but likely minimal, direct fiscal impact to the DTMB. The department is already an administrator to the existing Michigan Cyber Civilian Corps (MiC3) and would not incur significant costs to expand the program as described in the bill. There would likely be costs related to training an increased number of volunteers; however, these costs could be offset by charging clients a fee, an option the bill provides.

The bill could help reduce future negative fiscal impacts to local governments and state agencies. While additional volunteer workers would not replace any current full-time worker equivalent costs, an expanded volunteer program could help reduce costs to the state by mitigating the need for additional cybersecurity staff as cyber threats increase. The bill could also reduce potential future costs by minimizing the impact to government organizations and the disruption of services following a cybersecurity incident through the deployment of trained volunteers.

                                                                                        Legislative Analyst:   Emily S. Smith

                                                                                                Fiscal Analyst:   Mike Cnossen

■ This analysis was prepared by nonpartisan House Fiscal Agency staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.