On its face, the issue looks simple – like much of government policy.
Public officials argue they need the ability to talk secretly among themselves about their computer vulnerabilities.
That’s the aim of new legislation speeding through Sacramento and up for a close look tomorrow at the State Senate’s Judiciary Committee – chaired by Orange County’s own local State Senator Tom Umberg (D-Santa Ana).
But like always, especially when it comes to the government, it’s important to probe the seemingly obvious.
Sponsored by the City of Carlsbad and authored by Assemblywoman Tasha Boerner (D-Encinitas), the effort known as AB 2715 would seek to hollow out our state’s open meeting law to offer officials wide discretion to meet in darkness when it comes to cybersecurity issues.
Open government groups – like the First Amendment Coalition and Oakland Privacy – are already ringing alarm bells over the effort, arguing that crafting such an exemption can really fuel government secrecy.
In essence, all you have to do is label something a potential cybersecurity threat.
Boom, the cone of silence drops over the issue.
Back in 1953, California leaders set up some of the nation’s robust open government standards – arguing that the people rule over government bodies, not the other way around.
“The people of this State do not yield their sovereignty to the agencies which serve them,” reads the preamble to the 1953 Brown Act, which enshrines open government as a standard in California.
[Read: Brown Act: Landmark for Protecting Open Government]
“The people, in delegating authority, do not give their public servants the right to decide what is good for the people to know and what is not good for them to know. The people insist on remaining informed so that they may retain control over the instruments they have created.”
Here in Orange County, we’ve seen what officials can do with Brown Act exemptions.
Don’t forget that the City of Anaheim met in closed session to sell off Angel Stadium and the 150 acres around it, arguing that real estate exemptions to the Brown Act allowed them to essentially negotiate in private.
[Read: Months Before Public Vote, Anaheim Politicians Secretly Decided to Sell Angel Stadium]
That’s how an effort to lease the land turned into a purchase.
A local judge even went along with it.
It took a scathing FBI affidavit filed in a local court to show how corrupt the Anaheim dealings were.
FBI agents detailed a process so flawed that the deal fell apart.
Yet without that historic action by FBI agents – to essentially unveil their investigative efforts prematurely – the stadium would be gone.
All thanks to the real estate exemption.
Is More Government Secrecy Coming?
The Brown Act does offer government leaders a few exceptions that allow them to meet secretly to discuss public business.
Things like purchasing land or discussing lawsuits or personnel issues.
Indeed, there are already existing exemptions for discussing threats to public security of buildings or essential public services.
But for some reason – one that neither the bill sponsor nor the author wants to discuss publicly with the media – there’s a desire now to add cybersecurity to the exemptions.
All without adding a host of specific openness requirements like for so many other exemptions that carry strict limitations and specific requirements for reporting out in public.
The bill’s supporters have told open government advocates the Brown Act already has public reporting requirements.
But transparency advocates argue that before adding cybersecurity, there needs to be clear language on what needs to get reported back to the public.
Without that, there’s a serious risk officials could hike budgets or pay out contracts with little publicity.
If political leaders want to keep establishing exemptions to openness, then transparency advocates argue there should be clear stipulations about what needs to get reported out.
Especially to a term as broad as cybersecurity.
According to the analysis prepared by the Senate Judiciary Committee, “The city argues that this ‘bill is necessary because, although current law allows for the discussion of a pending specific threat during closed session, it does not expressly permit nonspecific cybersecurity matters to be discussed.’ The City of Carlsbad states that this will allow local public agencies ‘to be more informed about potential threats and the extent of agency vulnerabilities.’”
The Judiciary analysis notes that “Cyber security threats have become an ever present problem for public and private entities alike. In 2023, the San Bernardino Sheriff’s Office was attacked with ransomware, and to regain control of its computer system, the Sheriff’s office paid a $1.1 million ransom in cryptocurrency. In 2020, the University of California paid $1 million in ransom following a cyber attack.”
Groups like the CA League of Cities also argue in the analysis that “In an age of continuously evolving technology and growing cyber security threats, it is important that state law is abundantly clear that local governments can discuss general cybersecurity risks, vulnerabilities, and threats facing the agency with the appropriate personnel in closed session.
“As targets of cybercrime, local governments are especially at risk of threatened interference to both economic security and overall public safety. A digital attack to a local government’s network could compromise operational functions that local agencies are responsible for providing, including emergency response services that are essential to keeping individuals and our communities safe.”
Open government groups, however, warn against creating exemptions that protect officials from discussing, in many cases, mistakes they have made.
“We do not dispute that legislative bodies may need to meet in closed session with law enforcement or security personnel to discuss specific threats to critical infrastructure controls or an agency’s vulnerabilities when a cybersecurity attack is not imminent,” notes the Senate Judiciary Committee analysis quoting letters from openness advocates.
“But this need for confidentiality must be balanced with the public’s right to be informed about official decision-making, including on the subject of whether public agencies are adequately prepared for and competently addressing cybersecurity threats,” reads the analysis.
Transparency Advocates Push Back
Transparency advocates want language added to the bill confirming that final decisions made in closed session will be reported out in public session.
Open government advocates are also pushing for stipulations that decisions requiring a discussion and vote in closed session – like adding additional budget or staff or contracting out to a vendor or consultant – will in fact be made in open session.
In addition, advocates are demanding language requiring the identities and titles of all security or other personnel who attend the closed session to be named on the agenda.
Along with a requirement that agencies cite in the agenda the specific provision related to cybersecurity as opposed to existing security exemptions.
Finally, advocates are urging legislators to include a statement of intent consistent with the narrow purpose of the bill to help people understand what happened behind closed doors and guide judges if there’s a dispute over an improper closed session.
Here in Orange County, we have some experience with cybersecurity dealings with large agencies.
[Read: County Officials Didn’t Protect Computer Systems from Obvious Hacking Risks, Auditors Say]
And thanks to the reporting of our former colleague, Nick Gerda, we found out that our local transit agency had to spend $600,000 to combat a cyber attack that took out computer servers for days.
[Read: Transportation Authority Kept Secret Cyber Attack That Cost $600,000]
Cyber attackers, according to OCTA, wanted $8,500 in ransom – something officials say they are advised to avoid paying.
It took officials two days to restore systems.
And yet OCTA never announced much on the incident until our reporter asked about it.
“At no point in the six months since it happened, even after the vulnerability was fixed in early March, has the agency issued a specific announcement regarding the attack or put it on a public meeting agenda. The board approved the $218,000 in emergency contracts with Microsoft and CISO during a Feb. 22 closed-session meeting,” read the story.
So much for the simplicity that current bill supporters argue.
Again, when government wants to craft policy in secret, stay alert.
And keep asking questions.