As part of a state effort to strengthen school safety in the wake of a shooting last year that left 10 people dead at a high school in Santa Fe, Texas, the Legislature in 2019 considered measures to expand the school marshal program.
The program, established by the 83rd Legislature in 2013, now allows school districts, open-enrollment charter schools, and private schools to appoint qualified employees who are licensed to carry a handgun to serve as school marshals, with the responsibility of protecting students from armed intruders. Marshals are authorized to carry or possess handguns on school premises under certain circumstances, and they must undergo at least 80 hours of training on prevention and mitigation of school shootings.
Lawmakers this year considered measures to expand the program. HB 1387 by Hefner, which was signed by the governor on June 6 and takes effect September 1, removes a cap on the number of marshals in each school. The previous cap for each campus was one school marshal for every 200 students or one for every building, whichever was greater. The bill will apply beginning with the 2019-2020 school year.
Supporters of HB 1387 said allowing schools to increase the number of marshals on campus who were trained to respond to shootings would protect all students by discouraging potential shooters. Opponents said the bill would further a safety strategy that was not evidence-based and that could detract from a positive learning environment.
Lawmakers also considered related measures that did not make it to the governor’s desk. SB 811 by Hughes would have provided liability protections for damages resulting from any reasonable action taken by school districts, schools, and school security personnel to maintain school safety, including action related to possession or use of a firearm. After being passed by the Senate, the bill died in the House Calendars Committee. SB 406 by Birdwell would have allowed school districts to decide whether school marshals could carry concealed handguns on their person or keep them in a secure location. The bill was passed by the Senate and died in the House Homeland Security and Public Safety Committee. HB 1467 by Talarico, which died in the House Public Education Committee, would have required a certain ratio of mental health professionals to law enforcement officials in school districts and open-enrollment charter schools.
Many state legislatures and the U.S. Congress in recent years have amended open government laws in an effort to protect critical energy infrastructure from cybersecurity threats and man-made physical threats, such as vandalism, theft, or attack. Open government or “sunshine” laws include open meetings laws, which allow public access to meetings of governmental bodies, and open records laws, which ensure public access to records maintained by governmental bodies.
Following the 9/11 attacks, Congress in 2002 passed the Critical Infrastructure Information Act as part of the larger Homeland Security Act. The act regulates the use and disclosure of information submitted by public or private organizations to the Department of Homeland Security about vulnerabilities and threats to critical infrastructure (6 U.S.C. secs. 671-673).Critical infrastructure includes physical or virtual systems that are vital to national security, economic security, public health, or safety.
Following the federal example, some state legislatures reassessed the information that could be released through state open records laws, especially critical energy infrastructure information, which includesspecific engineering, vulnerability, or location information about infrastructure used to generate or distributeenergy that could be useful to a person planning an attack.
More than half of U.S. states currently restrict sensitive information about critical infrastructure from release under open government laws. In addition, the Federal Energy Regulatory Commission (FERC) finalized a rule in 2016 that prohibits the unauthorized disclosure of critical electric infrastructureinformation under the federal Freedom of Information Act. Several states amended their open records laws in 2017 to include language similar to the FERC rule.
Texas law currently exempts certain meetings about critical infrastructure from state Open Meetings Act requirements. Under Government Code sec. 551.089, a governmental body is not required to conduct an open meeting to deliberate certain network security information, security assessments or deployments involving information resources technology, or the deployment of security personnel, critical infrastructure, or security devices. Information on critical infrastructure is not specifically exempted from disclosure under the Texas Public Information Act.
In 2015 and 2017, the Texas Legislature considered but did not enact bills that would have created committees and task forces to study electric grid security and would have made the meetings, work, and findings of these bodies confidential and not subject to state open government laws. Another bill would have allowed the Texas Public Utility Commission to conduct a closed meeting to discuss issues related to the security of the electric grid and associated computer systems and networks.
Supporters of proposals to keep information on securing critical energy infrastructure confidential said laws are needed to ensure that such information is protected from unwanted disclosure. Others expressed concern that these proposals would make it difficult for the public, electric customers, and the electric industry to be aware of the activities and findings of the study committees. Lawmakers in the 86th regular session this year may continue to discuss the balance between open governance and the security of critical energy infrastructure as concerns about cybersecurity threats grow.
The electric grid in Texas, which produces and consumes more electricity than any other state, is one of three largely independent grid interconnections that make up the power system in the contiguous United States. The Texas Interconnection, also known as the ERCOT grid, covers about 75 percent of the state and supplies power to about 90 percent of the state’s electric customers. ERCOT stands for Electric Reliability Council of Texas, a nonprofit organization that regulates the state’s electric grid.
The Legislature is likely to consider proposals on grid security during the 86th regular session this year. Two measures filed this year, HB 400 by Tinderholt and SB 76 by Hall, would create a council to evaluate grid security, including strategies to secure the ERCOT grid against certain threats. Other proposals that were considered but not enacted in previous sessions could also re-emerge.
Previous proposals. During previous legislative sessions, lawmakers proposed creating committees to study ERCOT grid security, along with associated computer systems and networks, to assess whether further efforts were needed to secure the state’s grid against a potential electromagnetic pulse and other physical and cybersecurity threats. Electromagnetic pulse is a naturally or artificially generated burst of high-intensity electromagnetic energy that could cause major power outages. Other proposals would have required a cost assessment ofmeasures to protect the transmission and distribution system, urged Congress to provide the Department of Homeland Security with funds for the protection of the state’s electric grid, or provided an appropriation from general revenue to the Texas Public Utility Commission, which regulates ERCOT, to pay for certain expenses and investments for grid security, including a security audit.
Some have called for certain state agencies to develop response plans for incidents affecting critical grid infrastructure. A previous measure would have required the state’s Homeland Security Council, in cooperation with the Department of Information Resources, to study cyber incidents affecting state-owned, operated, or controlled critical infrastructure and to develop a model response plan in the event of a cyber incident.
Earlier proposals also would have created a task force of certain Department of Public Safety employees to evaluate emergency planning and responses related to electromagnetic, physical, and cybersecurity threats. The task force would have been required to develop a comprehensive threat protection and recovery plan for critical energy infrastructure and vital utility facilities. Transmission and distribution utilities, owners of power generation facilities, and electric cooperatives, river authorities, and municipally owned utilities operating in the ERCOT power region would have had to assess and report the vulnerabilities of equipment, facilities, and systems to high-altitude electromagnetic pulse devices, geomagnetic storms, intentional electromagnetic interference, physical attacks, and cyber attacks.
Supporters of previously proposed legislation say states should be proactive about grid security, especially in Texas, where most of the state is on its own grid. They say the Legislature should enhance oversight of the state’s electric industry and determine the best ways to harden the ERCOT grid against potential threats. The U.S. grid is increasingly interconnected, which may increase vulnerability to cyber attacks and other threats. With documented intrusions into the grid’s control systems and concerns about reported threats to critical infrastructure, some experts warn that the U.S. power sector is underprepared. Supporters say current efforts to address grid security lack transparency and that further analysis would help both the electric industry and the Legislature make more informed decisions about long-term investment.
Although legislative action may have a cost for the state, supporters say, an underprepared electric industry may be a bigger cost. A major disruption to electric service could leave millions without power and harm the state economy. If security deficiencies in the ERCOT grid were found, the Legislature could determine whether upgrades would be funded with general revenue, through a ratepayer cost-recovery mechanism, or both. Supporters of legislative action say it would not be intended to prevent a utility from taking independent measures to secure the grid.
Critics of legislative action on grid security say securing the ERCOT grid is an industry-specific and technological issue, not a legislative one. They say technology moves so fast that prescriptive measures in legislation likely would be outdated quickly. The industry already has mandatory, enforceable security standards set by the North American Electric Reliability Corporation (NERC). Critics say electric companies in Texas are performing several security audits a year, participating in a biennial grid security exercise, and collaborating on studies to understand and mitigate the impacts of geomagnetic disturbances and other potential threats.
Critics also say some proposals could be costly to the state and that these costs could be passed down to customers through higher state government spending or personal electricity costs. Any proposals that could increase costs to consumers should ensure that the PUC and study committees justify costs to the Legislature, they say. Still others say such legislative action is unnecessary as the industry is already prepared for threats, and the likelihood of the most disruptive event, an electromagnetic pulse, is low.
As enrollment has increased in dual-credit programsin Texas, state lawmakers have raised concerns that some high school students may be taking college courses that will not count toward their degree programs. Proposals could emerge during the regular session of the 86th Legislature in 2019 to require more advising and degree planning for high school students who enroll in dual-credit coursework.
Dual-credit courses, typically offered under agreements between school districts and local community colleges, are college-level classes that allow high school students to earn both college and high school credit. Education Code, sec. 28.009 requires all school districts to implement a program in which students may earn the equivalent of at least 12 hours of college credit while in high school. That credit may be earned through dual-credit courses, advanced placement (AP) courses, and certain other courses.
Legislators in 2015 removed limits on the number of dual-credit courses in which high school students could enroll, touting their potential to save time and money in earning college degrees. In the 2017 fall semester, 151,669 students were enrolled in dual-credit courses, an increase of 57 percent over a 10-year period, according to the Texas Higher Education Coordinating Board.
Committees on higher education in the House and Senate were charged this interim with evaluating the effectiveness of dual-credit courses in reducing time to earn a degree and making college more affordable for students and the state. The Senate Committee on Higher Education in its interim report recommended the 86th Legislature require high school students to file degree plans upon completion of 15 semester credit hours of academic or career and technical dual credit. The report also recommended incentives be created to better advise students about how to best align dual-credit courses with their planned college majors. The House Committee on Higher Education’s interim report recommended dual-credit students receive advising and support to prepare for college, including help with degree planning and financial aid. The report also recommended the committee continue exploring the rigor, content, and outcomes of dual-credit programs.
In addition to the committee interim charges, the Higher Education Coordinating Board was required by the 85th Legislature (SB 802 by Seliger) to identify best practices in transferring course credit between institutions of higher education to ensure that courses, including dual-credit courses, apply toward a degree program.
The coordinating board’s study, published in October, focused on a cohort of 12,823 students who earned college credit between fall 2011 and summer 2013, graduated from high school, enrolled in a two-year or four-year public institution of higher education in fall 2013, and obtained a bachelor’s degree by 2017. Of the cohort, 73 percent graduated without any excess credit hours and 27 percent graduated with excess credit hours. The study found that those who earned the most credit hours while in high school were likely to graduate with the most excess credit.
As a result of the study, the coordinating board recommends the Legislature require dual-credit students to file degree plans after earning 30 semester credit hours. This would be similar to a requirement enacted last session (HB 655 by Clardy) for students enrolled in a community college degree program.
The Texas Association of Community Colleges (TACC) also is promoting earlier planning for students earning dual credit. It recommends the 86th Legislature require dual-credit students to declare a meta-major or field of study upon completion of 12 semester credit hours in core academic subjects or declare a career path upon completion of 12 semester credit hours in career and technical education.
In writing the state budget for fiscal 2020-21, the 86th Legislature will consider proposals to increase spending on cybersecurity. Appropriations for cybersecurity are not contained in a single line item but spread across state agencies and included in various strategies, projects, and programs. These appropriations pay for state agency staff, ongoing IT maintenance, payroll systems, data center services, major information resources projects, and other items. Cybersecurity costs make up about 2 percent of a state agency’s IT expenses, according to the Legislative Budget Board (LBB).
The Department of Information Resources’ (DIR) funding request for fiscal 2020-21 in all funds, including exceptional items, for cybersecurity-related projects is about $33.6 million, a 56 percent increase from fiscal 2018-19. DIR, which manages government information technology and provides guidance on cybersecurity for state entities, was appropriated $21.5 million in all funds in fiscal 2018-19 to provide security policy and related services, including assisting state entities in identifying security vulnerabilities. This included $3.4 million in new funding from general revenue, the only general revenue related funds currently appropriated to DIR, for additional cybersecurity assessments and vulnerability testing, requirements established by the 85th Legislature in 2017.
For fiscal 2020-21, DIR has requested $12.3 million in additional general revenue funds for four new cybersecurity-relatedprojects. The projects, listed as exceptional items in the agency’s Legislative Appropriations Request, are:
a risk-based, multi-factor authentication tool that would require certain users to provide multiple means of identity verification at login to reduce improper or unauthorized access to state data;
a cloud-based email filtering service through Microsoft Office 365 to help protect against malware and viruses;
secure coding methods training for certain agency employees; and
security benchmarking for state agencies’ public-facing websites by a security rating service.
A main source of cybersecurity-related spending in the state budget comes from the Data Center Services program, which was created by the 79th Legislature in 2005 to reduce overall costs by consolidating IT infrastructure, products, and services across state agencies. DIR oversees the program, and participating agencies receive services that include upgraded technology, managed servers and networks, and enhanced security and disaster recovery. The program is available to all state agencies, institutions of higher education, and local governments.
DIR is funded primarily by fees it assesses for services provided by vendors to state agencies. Appropriations to DIR provide payments to vendors for those services.As a result, appropriations for the Data Center Services program are reflected both in DIR’s budget and in those of participating state entities. Fees for the program are deposited into the Statewide Technology Account for program operation and other functions. The Data Center Services program accounts for about 65 percent of DIR’s total budget.
Appropriations to DIR for the Data Center Services program increased from the previous biennium by $29.5 million in fiscal 2018-19, and DIR has requested an increase of $54.6 million, for a total of almost $545 million, for fiscal 2020-21. DIR estimates revenue in the Statewide Technology Account will be $549.7 million in fiscal 2020-21, up $60.8 million from fiscal 2018-19. The increase in both appropriations and revenue is due to program growth, as both the number of customers and the services consumed have increased. According to DIR, agencies are using more cloud services and showing more interest in shared, managed IT services.
As required by the General Appropriations Act for the 2018-19 biennium, DIR submitted a report to the LBB outlining the priority of state agencies’ cybersecurity and modernization projects. The report provides information on 67 projects from 28 agencies totaling an estimated funding request of $482 million. Other cybersecurity-related discussions during the upcoming legislative session could include cloud computing, IT delivery services, and other methods of securing the state’s electronic information.