Kansas Cybersecurity Update

From 2022 to 2023, ransomware attacks against cities, counties, and state agencies increased by 36 percent.

Ransomware is a type of malicious software (malware) that encrypts the files on a victim’s computer or network, rendering them inaccessible until a ransom is paid to the attacker.

Ransomware typically infiltrates a system through phishing emails (emails from a malicious actor that appear to come from a legitimate or trusted sender), malicious downloads, or vulnerabilities in software. After encrypting the data, the attacker presents a ransom note, usually demanding payment in cryptocurrency, a digital currency that uses cryptography (encryption) to secure transactions and is therefore harder to trace. The note typically includes instructions on how to pay and may threaten to permanently delete the files if the ransom is not paid within a specified time frame.

Victims face the dilemma of paying the ransom, which does not guarantee data recovery, or attempting recovery through backups or cybersecurity measures, which can be complicated and costly.

Recent Kansas Incidents

In 2023 and 2024, entities in Kansas have been victims of multiple high-profile ransomware attacks. These incidents include:

  • The October 2023 attack on the Kansas Judicial Branch, which shut down online access to the court system for several months;
  • The May 2024 attack on the City of Wichita, which disrupted city services and forced the city to accept cash-only payments for city services; and
  • The September 2024 attack on Franklin County, which exposed poll book records containing names, Social Security numbers, vaccination information, and insurance billing information of the county’s 30,000 residents.

The above list is not exhaustive, and multiple other towns, hospitals, colleges, and governmental entities have dealt with increasing cyber threats.

New Cybersecurity Initiatives

State officials and the Legislature, in cooperation with federal entities like the Cybersecurity and Infrastructure Security Agency (CISA), have been working to improve the security posture of the State for the last several years.

The most recent effort can be seen in the enactment of 2024 House Sub. for SB 291, which contains numerous provisions geared toward improving the State’s cybersecurity posture. Among these provisions is the requirement that the Chief Information Security Officer (CISO) for each branch of government work with their respective agency heads to develop cybersecurity programs compliant with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0. These programs must be in place by July 1, 2028.

The NIST CSF was first established in 2014 and provided guidelines and best practices to manage and reduce cybersecurity risk for critical infrastructure. The standards were updated in February 2024 and expanded to be more applicable to governments, small businesses, and nonprofits.

The NIST CSF 2.0 includes the following six core functions:

  • Identify—understanding organizational assets, risks, and resources;
  • Protect—safeguarding critical assets and data from threats;
  • Detect—identifying potential cybersecurity events or incidents;
  • Respond—taking action during or after a cybersecurity event;
  • Recover—restoring capabilities and services after a cybersecurity event; and
  • Govern—establishing and monitoring policies, processes, and oversight to manage cybersecurity risks.

The goal of the core functions is to help organizations understand, assess, and prioritize cybersecurity risks, as well as communicate those risks with stakeholders and partners.

At the time of this publication, Kansas is the only state to adopt a requirement for NIST CSF 2.0 compliance. Federal agencies are the only other entities that require similar compliance. Other entities adopt the NIST CSF 2.0 on a voluntary basis.

The legislation also requires cybersecurity staff for each branch of government in Kansas to work at the direction of the branch’s respective CISO. Additionally, beginning in 2028, a mechanism will be in place to certify an amount equal to 5.0 percent of an agency’s total budget. That amount may be lapsed by the Senate Committee on Ways and Means or the House Committee on Appropriations if the relevant Chief Information Technology Officer and the Director of the Budget determine that the agency is not in compliance with the provisions of 2024 House Sub. for SB 291.

The provisions will expire on July 1, 2026, and the law will need to be reviewed sometime during the 2025 or 2026 Legislative Sessions.

For more information, contact:

James Fisher
Managing IT Analyst

Matthew Willis
Senior Research Analyst

Kansas Legislative Research Department
Kansas State Capitol Building
300 W. 10th, Suite 68-West
Topeka KS 66612-1504
kslegres@klrd.ks.gov
(785) 296-3181
