Skip to main content
A cybersecurity bill with generous federal matching funds and unusually broad support appears destined for the scrap heap as the February legislative session grinds to a close—and as the feds issue a warning to local governments across the U.S.
“Rapidly escalating tensions in Eastern Europe have increased concerns about the risk of cyber threats that can disrupt essential services in the United States and potentially result in impacts to public safety,” the Cybersecurity and Infrastructure Security Agency warned last week.
Oregon House Bill 4155 would have established a Cybersecurity Center of Excellence at Portland State University. The center, in conjunction with University of Oregon and Oregon State University, was supposed to train students and provide resources to local governments, which are frequent targets of cyberattacks but lack the resources of large state agencies and private companies hackers often hit.
Most cyberattacks take two forms: the theft of personal information and ransomware attacks, in which hackers encrypt systems and charge owners ransom to unlock them.
Last year’s federal infrastructure bill earmarked $1 billion for cybersecurity, with 80% of that set aside for local governments, provided they supply matching funds. HB 4155, which would provide that match, was the top priority of the Legislature’s Joint Committee on Information Management and Technology, which passed the bill out Feb. 21.
But the bill has moved no further. Oregon League of Cities lobbyist Jenna Jones told a broad coalition of government, university and private-sector supporters in a Feb. 24 email that the bill was unlikely to pass.
“The message that the bill [is] dead came from the Senate President’s Office,” she wrote. (That office did not respond to requests for comment.)
Bills proposing new spending often die for lack of funding (HB 4155 would cost the state about $6.5 million for the next two years but could yield $15 million in federal matching funds). There’s no shortage of money this year. Because of far higher than anticipated tax receipts and federal pandemic-related funding, Salem is awash in cash.
Indeed, on Feb. 28, lawmakers began consideration of the spending bill that will conclude the short, even-year session.
The “go home” bill contains $5.8 billion in new spending ($1.5 billion in general and lottery funds and $4.3 billion in federal and other funds). It features $20 million for fairground infrastructure in 14 rural counties and $2 million for the Portland Japanese Garden.
But for HB 4155, nothing.
State Sen. Brian Boquist (I-Dallas), a member of the technology committee who’s normally loath to approve new spending, lamented the bill’s demise. “Seems strange to me,” Boquist says. “[It] needed to pass.”
Here’s are five of the dozens of examples of previous cyberattacks on local governments that supporters of the bill invoked:
Linn County: The county detected that hackers were encrypting its system on Jan. 24 in hopes of collecting ransom, the Albany Democrat-Herald reported. County officials restored the system Feb. 2. They declined to disclose whether they paid a ransom.
Centennial School District: The East Multnomah County district canceled two days of classes after being hit by a ransomware attack April 26, 2021, The Oregonian reported.
City of Keizer: On June 17, 2020, the city paid $48,000 to unlock access to its data, according to Keizertimes, and regained control after a week.
Treasure Valley Community College: The Malheur County community college learned Aug. 25, 2020, that hackers had penetrated its systems, the college said in a news release. Rather than seeking ransom, the hackers collected personally identifying information, such as Social Security numbers and dates of birth.
Tillamook County: The Bend Bulletin reported March 12, 2020, that Tillamook County had paid $300,000 in ransom after hackers took over part of its computer systems. Restoring the systems without paying ransom, county officials said, could have been far more costly and taken up to a year.