Tue, Oct 5, 2021 3:11 PM
By John Haughey | The Center Square contributor, The Center Square
(The Center Square) – Florida Chief Information Officer Jamie Grant said last week that the newly created Florida Digital Service (FDS) is too short-staffed and busy with “incident response” to implement a state digital infrastructure cybersecurity plan as requested by lawmakers when they approved his $30 million request for the project last spring.
Grant told the House Government Operations Subcommittee on Sept. 29 that about one third of 186 FDS positions are vacant. The manpower shortage is aggravated by a leadership drain, he said, noting FDS has lost two chief information security officers, a chief data officer, an “enterprise architect” and chief operations officer in the last year.
“One of the things our team’s challenged with is just, with the limited number of people, having to do incident response and coordinate with the policy team on the operational work plan,” Grant said.
In 2019, lawmakers created a 15-member Florida Cybersecurity Taskforce and established the FDS within the Department of Management Services (DMS) to address cyber threats at state agencies.
The task force convened last October to develop proposals on how to improve the state’s cybersecurity infrastructure, governance and operations. They were submitted to Gov. Ron DeSantis and lawmakers in February.
In March, Grant submitted a $30 million request to implement the recommendations, including $672,000 for cybersecurity training, $3.2 million for a Cybersecurity Operations Center and $320,000 to buy an “incident tracking tool.”
He got what he asked for. Lawmakers unanimously passed House Bill 1297, The Information Technology (IT) Security Act, which enacts task force recommendations and provides blueprints for “first-of-its-kind investments in cybersecurity.”
But last week, Grant told the House panel he is holding off on spending the $30 million to avoid “putting something in writing that makes us look laughable later.”
Instead of spending money in dribs and drabs, he said Florida would get more bang for its buck by retaining the $30 million until FDS can respond to cyberthreats now while also planning responses to future threats.
DeSantis named Grant, an attorney and former Republican House representative from Tampa, to lead the newly-created FDS after the 2020 legislative session.
Ransomware attacks against municipalities, government agencies and utilities are a mushrooming concern across the globe and, certainly in Florida.
Last October, the state’s Department of Business & Professional Regulation (DBPR) was victimized by “malicious activity” that hampered operations for weeks and last spring, the state’s CONNECT unemployment site was hacked; at least 58,000 unemployment recipients’ data was stolen.
In February, as lawmakers prepared to convene, a hacker remotely accessed a computer for the city of Oldsmar’s water treatment system and briefly increased the amount of sodium hydroxide, or lye, by a factor of more than 100. A supervisor saw the change and reverted it, avoiding catastrophe.
House Government Operations Subcommittee members questioned Grant about when he plans to fill the 60-plus vacancies at FDS but he would not be specific.
“It just seems like the office is struggling. Do we just need more money to recruit people into these positions?” asked Rep. Carlos Guillermo Smith, D-Orlando.
No, the $30 million is adequate, Grant said, but spending before FDS has the manpower to move on the task force’s initiatives is unwise. He assuring lawmakers work is being done on the plan and that FDS protecting the state’s digital infrastructure.
He hinted discord within FDS has been smooth-over by recent departures and the office will gain steam as its better manned.
“Some turnover is good and very healthy,” Grant said. “Sometimes you give opportunities for people to resign and to move on rather than protracting an HR event.”