Is your data safe? Lawmakers say it’s time for a Texas Cyber Command

AUSTIN (KXAN) — In March 2024, an IT team at Texas Retina Associates noticed abnormal activity on one of their company’s servers.  

The company's anti-virus system detected a lateral movement — a sign that an attacker had gained credentials and was actively infiltrating their systems. The team quickly disabled their accounts and kicked out the intruder. But it was too late. 

“Immediately after that, we got notification from the hacker that they had accessed our systems and had potentially removed some of our data,” said Charles Vasquez, the company’s chief information officer. “They claim to have taken a lot of our data, impacting up to 300,000 of our patients.”

Texas Retina Associates, based in Dallas and with 15 locations across the state, was the victim of a cybercrime. Its patients add to the list of over 15 million Texans whose sensitive personal information was compromised in data breaches in 2024, according to Texas Rep. Giovanni Capriglione.   

In the current legislative session, Texas could take steps to lead on cybersecurity for the state’s critical infrastructure.

House Bill 150 would establish the Texas Cyber Command, a component of the University of Texas System, to safeguard the state's vital infrastructure and government agencies from attacks. The establishment of the Cyber Command was listed as one of Governor Greg Abbott’s seven emergency items this session, making it a legislative priority.

“What the FBI told us was, for most organizations, it's not a matter of if, it's a matter of when.”

Richardson City Manager Don Magner

The cyber threat

According to the Texas Comptroller's Office, two of the most common cyberattacks include phishing and ransomware. In a phishing attack, the attacker gains access to secure systems by leading an unsuspecting target to click a fake link or attachment. Ransomware is software that locks an organization's system, requiring a ransom to be paid before restoring the data.

“It used to be low odds propositions, about 5% of ransomware attacks resulted in the victim paying the money. Now that number is as high as 48% of ransomware victims are paying the terrorists the money,” said David Dunmoyer, Texas Public Policy Foundation's campaign director for Better Tech for Tomorrow.

These attacks take an increasingly significant financial toll on Texas cities and businesses. The FBI estimated in 2020 that victims of cybercrime in the state lost $313.6 million that year, an increase of 307% since 2016.

The cleanup and verification process after a breach is also time-consuming and resource-intensive.

The City of Richardson, with a population of about 120,000 people, experienced a ransomware attack in September 2024. Though they had a security plan in place and acted quickly, the recovery still took weeks and involved the FBI and investigators. 

“We were able to respond almost immediately. Within less than 120 seconds, the breach was identified,” said Don Magner, the city manager for Richardson. “But even that was still disruptive for weeks because you have to go through and verify that you understand the full extent of the breach.”

Texas is a common target for cyberattacks. As of 2017, Texas ranked third nationally in its number of cyber attack victims, possibly because of its large population. The state also leads in oil and gas production, features 15 major military installations, and is an emerging technology hub -- which state leaders said makes Texas attractive for those seeking highly sensitive data.

Along with its major corporations and urban centers, Texas is home to remote rural communities. According to Dunmoyer, this diversity offers foreign adversaries a wide range of potential infiltration points.

“What will happen is, because we have so many of those wonderful small rural cities, that gives foreign adversaries a pattern to learn from,” Dunmoyer said. “We call it threat detection, and so they can learn, ‘Where are the weak points in the system?’ And they'll scale that and emulate that across the state.”

Dunmoyer says two-thirds of attacks on Texas’s critical infrastructure have been linked to foreign adversaries. Vasquez and Magner both said they suspect their data breaches were the result of a foreign attacker.

What is at stake here for us as Texans? Vasquez put it in the context of healthcare data, which stores information such as social security numbers, birth dates, and insurance information.

“All that information is even more valuable than the financial services information, because that information can be used to promote or conduct identity theft, which can be used to commit fraud,” Vasquez said.

As cyber attacks grow more common and advanced, it’s becoming increasingly difficult to escape that reality.

“I think the sad thing about it is we've all been victims of identity breaches,” said Vasquez, referencing an April 2024 AT&T security breach that affected 73 million current and former customers.

“From government, I would think that putting baseline protections in place — baseline recommendations for the type of protection you should be having — providing that instant response for smaller institutions who don't have that to be able to reach out and get advice or assistance," he added.

For local governments like the city of Richardson, Magner said he encourages investing in actionable plans in preparation for an attack and gathering internal and external partners to be able to respond quickly. 

“I had several city managers that reached out after this to say, ‘Hey, what can you share, what lessons learned? Because we want to, if this occurs, we want to be ready to go,'” Magner said. “What the FBI told us was, for most organizations, it's not a matter of if, it's a matter of when."

The Texas Cyber Command

The aim of the Texas Cyber Command is to be that resource, especially for small municipalities and companies that handle sensitive data, so they aren’t left to face threats alone when it happens.

The cyber command bill, HB 150, is authored by Rep. Giovanni Capriglione, R–Southlake. State Sen. Tan Parker, R–Flower Mound filed identical legislation in the Senate. Both lawmakers have promoted technology- and privacy-focused bills throughout their tenures. 

State agencies will be eligible to utilize the command’s resources, as well as local governments and private companies that house critical infrastructure who enter into contract with the command. The following are considered critical infrastructure under HB 150:

• Chemical facilities
• Commercial facilities
• Communication facilities
• Manufacturing facilities
• Dams
• Defense industrial bases
• Emergency services systems
• Energy facilities
• Financial services systems
• Food and agriculture facilities
• Government facilities
• Health care and public health facilities
• Information technology
• Nuclear reactors, materials, and waste
• Transportation systems
• Water and wastewater systems

The command will assume cybersecurity responsibilities currently under the Texas Department of Information Resources, an agency chartered in 1989 to help government agencies adopt modern technology and IT guidelines. While cybersecurity was grouped into their mission, Parker said the “threat environment has outgrown” the agency’s scope.

In addition, it focuses on education, research, and both proactive and reactive strategies for addressing cybersecurity threats. This includes developing cybersecurity best practices to train agencies on, creating a Cybersecurity Incident Response Unit to support agencies under attack, collaborating with federal resources to develop a portal for risk and incident management, and set up a Digital Forensics Laboratory to learn how to prevent attacks. 

The command will be managed by a chief who is appointed by the Governor and confirmed with the advice and consent of the Senate. 

It will be administratively attached to The University of Texas at San Antonio to make use of their cybersecurity resources. The school is one of the fewer than 10 universities in the country with the National Security Agency's (NSA) cyber defense education, cybersecurity research and cyber operations designations.

“UTSA is already one of the leaders in cybersecurity education in the country, and so having Texas Cyber Command based out of there I think makes a lot of sense,” said Marc Whyte, a San Antonio City Councilman. “This is Military City USA and it's going to be Cybersecurity USA as well.”

Whyte said the city of San Antonio looks forward to housing the command, especially with its deep-rooted national security presence. This includes the FBI Cyber Squad, the 16th Air Force, NSA’s Texas Cryptologic Center, and the Cybersecurity & Infrastructure Security Agency (CISA) Region 6. 

A legislative priority 

Heading into the last week of Texas’ 89th regular session, the Texas Cyber Command bill awaits approval from the Senate Committee on Business and Commerce. The bill passed in the House last month 130-13. Despite its general bipartisan support, it raised some questions in both its house and senate committees. 

With the presence of federal agencies and third-party companies that already work to regulate and respond to cyber attacks in the state, members on the House Committee on the Delivery of Government Efficiency questioned the need for a centralized, statewide command. 

Vasquez raised similar concerns, questioning if a statewide command would mean more regulation within the private sector. Capriglione addressed these concerns in the context of the state’s electrical grid.

“We’re definitely not making the claim that there’s no cybersecurity protections in the grid or in any of the private companies, for instance, that go and participate on the grid, but this is additional help, responsiveness, training, and other efforts that will go and support those pieces of critical infrastructure,” said Capriglione to the committee. 

Furthermore, only agencies under the direct purview of the state are required to follow the command’s regulations. Local governments and private industries like Texas Retina Associates can choose to opt-in to the command program, only then subjecting them to mandatory security standards.

In the senate committee, members questioned Parker on the need for the command to be attached to a university rather than being a standalone state function. Chairman Charles Schwertner, R–Georgetown, expressed concern over security lapses at universities nationwide, citing espionage threats and describing them as “soft targets” for foreign cyber attacks.

“I question our wisdom that for the last 20 years, we’ve been slowly taking our educational institutions and giving them functions outside of the educational realm,” said Vice Chair Phil King, R–Weatherford, at the committee hearing, sharing Schwertner’s sentiments. 

“UTSA is really incubating this program. It is really incubating for speed,” said Parker in response. “We can be up and running in 18 months as opposed to three to five years with some other option trying to have the same level of capability.”

Parker also highlighted that the chain of command for the program would run directly to the Governor, not through the university system. It would also be physically located in an existing, standalone building downtown already equipped with high-tech security measures. Parker said he’s open to adding more safeguards to ensure the command is secure at the university level. 

Ernie Ferraresso, director of the Florida Center of Cybersecurity, speaks highly of having their cyber center attached to a university.

“We have such a great relationship with our whole university,” Ferraresso said. Similarly, Cyber Florida was established by their state legislature in 2014 and is attached to the University of South Florida.

Unlike the Texas Cyber Command, Ferraresso and his team are technically employees of the university, not the state. While they carry out special projects on behalf of the Florida legislature for the good of the state, a main priority of their center is becoming a leader in cybersecurity academic education and addressing the cyber workforce shortage. 

“Because we are a university, people are more inclined to share information with us because we're not a regulatory agency, we're not an enforcement organization,” Ferraresso said.

Ferraresso notes that the goals of the Texas Cyber Command differ in that it aims to be the cyber operations organization for the state. He says carrying out cyber missions at that scope depends on obtaining both high-level permission and resources, requiring a direct line of approval through the governor’s office. Regardless, he says the resources of a university have been invaluable to their center’s growth.

“You have access to the students, you have access to the faculty membership,” Ferraresso said. “That's the other part that's always interesting around here is, I get to run into and talk to really, really smart people every day. And that's worth its weight.”

Texas as a leader in cybersecurity 

As cyber threats continue to evolve, so too must the state’s response. Following an executive order by President Donald Trump that shifted cybersecurity responsibilities to the states, the legislation before Texas lawmakers aims to position the state at the forefront of this critical challenge.

“It is the policy of the United States that State and local governments and individuals play a more active and significant role in national resilience and preparedness…” read the executive order. 

Regardless of the outcome of the current bill this session, lawmakers, companies and government entities agree that cybersecurity remains a pressing issue that demands action. 

“If we don’t take action, I think we put our vulnerability at great risk and I believe that there is a clock that is ticking,” said Parker to the senate committee. “I would submit that the time is now to take this step to protect the citizens and the livelihoods of 31 million Texans.”