This public policy session on the activities of the Technology Association of Louisville Kentucky (TALK) was presented in June 2022 at the TALK Cyber Security Summit in Louisville, KY.

1. 6th Annual Cyber Security Summit
2022: A Look At Cyber Policy
Prepared By: Dawn Yankeelov, Executive Director, Technology
Association of Louisville KY & President, Aspectx 6/17/2022
www.talklou.com @talklou dawny@talklou.com

2. THANK YOU TO TODAY’S SPONSORS!!!

4. • Workforce Development Defined
programs
• Development of Tech Talent (Youth)
• Registered IT Apprenticeship in
partnership
• IT Recruitment Fair (virtual or hybrid)
• Entrepreneurship & Innovation—
--Partnership with area organizations (i.e.
Amplify Louisville, Louisville Startup Week,
BLUE, Jamison Ministries, LCCC, and others)
DC Advocacy
– Tech and Business Legislation
– TECNA Public Policy Committee
• State Advocacy
– Working with KY Innovation & KSTC
on Key Tech Initiatives
– Participation with Infragard & Cyber
Work Group (KYDHS) in Cyber steps
-- Techfest
August 2023---5th Techfest, 2 ½ day
education forum covering tech trends
8/2/2022 (c) Copyright TALK. Confidential.
TALK Areas of Focus 2022
• STEAM
-- After school curriculum, including TechGirlz
programs, and Rad Science Skateboard Build
program with partnership from Marwood
Veneer + U of L Speed School/Engineering
Garage
• Monthly Tech TALK Meetups
Eight Live a Year for interested industry
professionals and those working in technology-
centric circles
• Cybersecurity
Efforts tied to workforce development, train-
the-teachers, and adult education
Cyber Collaborative (natl.)
Cyber Readiness Institute (natl.)
• 6th CyberSecurity Summit
June 17th, 2022 - to be held at Bellarmine
University for all cyber professionals
Special projects as desired—i.e. CyberUSA, KY
Dept. of Transportation partnership

8. June 13, 2022

9. https://fiscalnote.com/blog/2022-cybersecurity-legislation-regulation
The 2022 State of Cybersecurity Legislation and Regulation in the US -- Feb. 2022
--
One of the largest concerns for an organization is falling victim to a
cyberattack. A significant breach can result in monetary loss, damaged
reputation, and a drain in resources to remedy the situation. The risks are
apparent: cybercrimes increased 600 percent during the early months of the
global COVID-19 pandemic, and will cost the world an estimated $10.5 trillion by
the year 2025. Email spam folders are filled with phishing schemes, and IT
departments are constantly reporting attempts to breach organizational systems.
--
One key subtopic is whether an organization is allowed to pay in the event of a
ransomware attack. For example, New York (NY S 6806) and Hawaii (HB 2052)
have both introduced legislation to prohibit the payment of ransoms in the event of
a cybersecurity incident.

10. The Strengthening American Cybersecurity Act of 2022 creates reporting
requirements for critical infrastructure and “covered entities” and is intended to
shore up protection of American infrastructure – a critical step in mitigating future
attacks which could be devastating. -- Mar 15, 2022
For incidents, the act requires:
•Notice to be given to CISA within 72 hours
•A full description of the incident and vulnerabilities exploited, along with
what defenses were in place
•If known, contact information or additional details about the responsible
parties to be disclosed
•The type of information that may have been compromised to be disclosed
•Details and contact information from the impacted entity to be shared with
CISA
In addition to disclosing the above information, ransomware
attack disclosure has some other requirements:
•Notice must be given to CISA within 24 hours
•Date of payment, ransom payment demand (including type of virtual
currency), payment instructions and ransom amount must be disclosed

11. While the national government has yet to release comprehensive
security policies, they have published recommended actions. On
March 21, the White House released a cybersecurity fact sheet in
response to rising cyber warfare risks. Businesses should review
these and implement any steps they haven’t already.
These recommended actions include:
• Mandating multi-factor authentication (MFA)
• Using continuous threat-monitoring tools
• Encrypting and backing up data
• Educating employees on best security practices
• Running emergency simulations to train quick responses
• Checking for and patching vulnerabilities like stolen
passwords
• Building relationships with government security offices

12. Yet it is estimated that half a million
cybersecuritypositions across the
public and private sectors remain
unfilled, and that gap is onlyexpected
to grow. To compound these
shortages, public and private sector
cybersecurityneeds are constantly
changingas technology and practices
evolve.

14. The recommendations
include securing
remote access
applications,
enforcing multifactor
authentication, and
developing and
exercising incident
response and recovery
plans.

15. The President’s Budget
increased cybersecurity funding
for fiscal year 2023 by
nearly 11%, but funding for K-12
cybersecurity education
continues to lag behind, as the
nation faces a shortfall of
over 714K cybersecurity
professionals.
With the support of
policymakers and the
involvement of industry leaders
from CISA, the Department of
Homeland Security (DHS), the
National Initiative for
Cybersecurity Education
(NICE), and the National
Science Foundation (NSF),
National Cybersecurity
Education Month is helping
improve access to K-12
cybersecurity education
nationwide and diversify the
talent pipeline with students
from all backgrounds.

16. The U.S. isn’t getting ahead of the cyber threat, experts say
June 6, 2022
https://www.washingtonpost.com/politics/2022/06/06/us-isnt-getting-ahead-cyber-threat-experts-say/
….the U.S. is either just as vulnerable to cyberattacks or even more
vulnerable today than it was five years ago.
That assessment, from a group of experts polled by The Cybersecurity 202, reflects a
half-decade during which government and industry have supercharged their efforts to
defend against devastating hacks from foreign governments and criminals — but the
bad guys have upped their game even more, most experts say.
--
“We become ever more vulnerable with each passing day,”
warned Lauren Zabierek, executive director of the Cyber
Project at the Harvard Kennedy School’s Belfer Center. “I don't
know where the bottom is.”

17. Heightened
Threat
Environment –
June 7, 2022

18. Cybersecurity needs to be top priority in
nation’s water utilities
https://thehill.com/opinion/cybersecurity
cybersecurity-needs-to-be-top-priority-
utilities/
5-16-2022
There are about 3,300 electric
utilities in the United States. The water
sector, however, has about 50,000
individual community systems, more
than half of which serve fewer than 500
customers.

20. ESTABLISHMENT OF CYBER UNITS, COMMITTEES,
TASK FORCES, AND STUDIES
Another shift in how legislators are approaching cybersecurity
is by creating government groups to study, implement, and
manage cybersecurity policies. Implementation of grant
programs (US HR 4910), establishment of cyber preparedness
teams (MD SB 754) or cyber civilian corps (IN HB 1274), and
investment in cyber workforces (US HR 6588) will bolster the
institutional knowledge organizations need to counter growing
threats.

21. Major cyber events, especially recently, have
changed how legislators approach policy.
Illinois has expanded the definition of a
“disaster” in the state’s Emergency
Management Agency Act to include
cybersecurity events (HB 3523), and New
York is considering whether ransomware
should be considered larceny (SB 8296).

22. May 24, 2022 -- Elections
https://www.ncsl.org/research/elections-and-campaigns/the-canvass-june-
2022.aspx
In recent years, states have also implemented cyber navigator programs—an
individual or team at the state level tasked with helping local election officials take
cybersecurity precautions. At least seven states—Florida, Illinois, Iowa,
Massachusetts, Michigan, Minnesota and Ohio—have such programs in
place. Illinois became the first state to establish a cyber navigator program after the
2016 election, and it did so through legislation.
https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2021/08/25/facing-foreign-
election-foes-states-hire-cyber-navigators