May 10, 2001(Computerworld)
Arizona Gov. Jane Dee Hull vetoed a bill yesterday that would have established the first state-level IT infrastructure protection center in the nation (see story). But a key proponent of the bill, which some touted as a model for coordinating cyberdefense efforts across the country, isn't giving up.
"Lightning came down from the mountain," said State Rep. Wes Marsh in reference to the veto. "We're going to do it. We're going to do it without legislation," he added.
The Republican legislator said he met with Rick Zelznak, Arizona's CIO and director of the state's Government Information Technology Agency, for about 90 minutes today and came away from that meeting convinced that some form of state cyberprotection remains possible.
"We're just going to institutionalize it," Marsh said. "It's a win-win. We're going to have something; it won't be codified in law."
Marsh suggested that the plan may be put together by executive order. But a spokeswoman for Hull said that as far as she knew, nothing had changed.
"I don't know what he said, and if Mr. Marsh has decided to do something, that is up to him. He has not informed us about that," the spokeswoman said.
In a letter to the legislature explaining the veto, Hull wrote that she had the following three major problems with the bill, which had passed both the Arizona House and Senate:
The bill mandates measures that aren't among the best practices of infrastructure protection.
The bill would delay measures aimed at protecting the state's information systems.
The bill didn't include funding for the 15 different plans it mandated.
Marsh said that he was disappointed that Hull, a fellow Republican, had vetoed the bill and that he didn't know what her complaints were beyond what appeared in her letter.
"I was disappointed in the governor that they didn't even bother to call me," Marsh said, adding that he didn't understand Hull's concerns that the measure would not abide by "best practices."
"I saw that, and ... I am going to ask them for the support documentation," Marsh said. He speculated that Hull might have objected to using freeware and older components for some systems.
Despite the setback, Marsh said he is confident that he has the support of Zelznak and that Arizona will eventually take the lead in cybersecurity among the 50 states. "I've seen standards," Marsh said of his talks with Zelznak. "It isn't like they are just telling me what I want to hear."
He acknowledged, however, that whatever plan emerges now won't be as extensive as the one outlined in his bill and won't link the state of Arizona to the U.S. Department of Defense.
As originally proposed, the bill would have created a Statewide Infrastructure Protection Center (SIPC) to merge the efforts of a state-run civilian Computer Emergency Response Team with a similar unit proposed by the Arizona National Guard.
The SIPC would also have been linked to the private sector through the FBI's InfraGard program, as well as to the Defense Department and the National Infrastructure Protection Center, a federal security agency based at FBI headquarters in Washington.
Marsh said he wanted to move quickly because Arizona's cyberinfrastructure has been under attack. He alluded to several Web sites in the state that had been attacked and said the attacks went beyond mere defacement of sites.
