Texas Stands Up Cyber Command
Let's face it: Texas public sector entities don't have a good cybersecurity track record.
- 2019: 22 entities hit in a single coordinated ransomware attack, including Keene, Borger, Bonham, Graham and Vernon
- 2022-2023: Dallas Appraisal District, City of Dallas, Travis Central Appraisal District, Dallas County, Fort Worth
- 2024-2025: Tarrant County Central Appraisal District, Richardson, McKinney, Coppell, Killeen, Lubbock, Mission, Matagorda County, Kaufman County
- 2019-2021: Fort Worth, Athens, Lancaster, Allen, Judson, Port Neches-Groves, Sheldon, Paris, North Lamar, Rockwall, Arlington and Mesquite Independent School Districts
And that is only a small part of the list.
So the Texas legislature passed HB 150 to stand up the Texas Cyber Command (TXCC) over the next few years. It is going to do a few things.
Sort of weirdly, the Texas Cyber Command will operate under the University of Texas. I guess they figure that this is less threatening than to operate it under some law enforcement entity like the Texas Rangers.
In theory, eventually, Texas agencies will be forced to comply with whatever regulations these folks come up with.
Also eventually, private contractors who sell to the state and local entities will need to comply also.
Private critical infrastructure firms can opt in to government oversight. Not sure if any will, but maybe.
Right now the agency, which was JUST stood up, is housed at the University of Texas at San Antonio. San Antonio was probably picked because of the large federal government (including military) presence in the area.
Here is the key thing. Up until now state cybersecurity was run by the Department of Information Resources (DIR). While DIR could set some rules, its authority to enforce them was very, very limited. As best I can tell, it has now been kicked to the curb on the security side.
At a very high level the TXCC is responsible for:
- Incident response and recovery
- Threat monitoring and intelligence
- Policy standards (for government agencies)
- Training (for public sector employees)
- Operational and strategic support including assessments, remediation and strategy
But here is the bad news. THEY HAVE ZERO ENFORCEMENT AUTHORITY.
BUT, these standards could become incorporated into procurement processes and operations. If you want to sell in Texas (and they do buy a lot of products and services), you will follow these rules. Will companies like Amazon, Google, Microsoft and Oracle jump through a bunch of hoops to do business there? I think it depends on what it costs and how much is in it for them.
Again, the private sector is NOT required to participate, and as we have seen with CMMC in the defense contracting sector, 14 years after DoD started to implement the requirements we are just now getting started. And that is a national standard with a far bigger budget behind it. The ENTIRE state of Texas budget is about $170 billion for everything, and that is only the state level, not local. Of that, the TX DIR budget is $669 million, again for every bit of IT the state needs, not just security. The TXCC budget through 2027 is $135 million, which includes a planned staff of more than 100 people. By comparison, the Pentagon's budget for everything from toilet paper to tanks is about a trillion dollars. Even with numbers that large we can't get defense contractors to move forward with security, so I think Texas has its work cut out for it.
But if the private sector wants a seat at the table, it will eventually need to comply. Texas calls itself business friendly; if the regulations are onerous, businesses will find other places to sell their wares. That is going to be a balancing act, because if the security standards are weak they are worse than useless: they give you a false sense of security.
Will other states cough up their own $100 million and copy what Texas is doing? Maybe, and if they do, that would be great. The bigger the pie the more likely industry will want a part of it.
They do have a director and they have temporary space, but of course they want to build a fancy building, so we will see what comes of it and whether it makes a dent in the cyberattacks I keep reporting on.
If they are smart they will align themselves with existing standards like NIST SP 800-53 and FedRAMP, which have been around for many years and which vendors already know how to meet. Smart? Government? In the same sentence?
Credit: Pillsbury Law Firm
