Washington State Amends State Cybersecurity Law to Create Advisory Committee and Technology Service Board

On April 21, 2023, the Governor of Washington State signed Second Substitute Bill 5518 into law, establishing a cybersecurity advisory committee and related subcommittees to provide recommendations for identifying and responding to cybersecurity breaches. The bill creates a cybersecurity advisory committee as a subcommittee of the existing cybersecurity emergency council for providing “advice and recommendations that strengthen cybersecurity in both industry and public sectors across all critical infrastructure sectors.” It also creates a “technology service board” to review “emergent cybersecurity attacks” and “assess risks” to the State’s existing information technology from “security incidents” among other duties.

The cybersecurity advisory committee is specifically tasked with (i) “[i]dentify[ing] which local, tribal, and industry infrastructure sectors are at the greatest risk of cyberattacks and need the most enhanced cybersecurity measures; (ii) “us[ing] federal guidance to analyze” the State’s current cybersecurity structure to find vulnerabilities “that could reasonably result in catastrophic consequences if unauthorized cyber access to the infrastructure occurred;” (iii) “recommend[ing] cyber incident response exercises that relate to risk and risk mitigation” in certain industries as the committee deems appropriate; and (iv) “examin[ing] inconsistencies” between state and federal cybersecurity laws. The technology services board is required to assist the office of cybersecurity with recommending “tabletop cybersecurity exercises” and an “information reporting system,” in addition to assisting the office of cybersecurity with the development of “best practice recommendations for state agencies.”

The new law also adds a ransomware definition, defining the term to encompass “a type of malware that attempts to deny a user or organization access to data or systems, usually through encryption, until a sum of money or other currency is paid or the user or organization is forced to take a specific action.” The bill tasks both the cybersecurity advisory committee and the technology services board with developing the State’s response to ransomware incidents corresponding to this new definition.