A first-of-its-kind Legislative Commission on Cybersecurity began work this month on identifying vulnerabilities in Minnesota's cyberdefenses and potentially drafting new policy fixes.

The bipartisan group of eight legislators — evenly split between the House and Senate — was born out of a bill passed during the 2021 special session.

"This is probably one of the most important areas in need of focus both now and in the future," said Sen. Mark Koran, a North Branch Republican who serves as the commission's first chair.

Rep. Kristin Bahner, DFL-Maple Grove, was appointed vice chair by the commission. Members will serve two-year terms with the chair and vice chair positions alternating between the House and Senate.

On some occasions, the commission will likely meet out of public view: a provision in the law that created the group gives it the ability to close meetings when necessary to safeguard sensitive cybersecurity information. If that happens, the Legislative Coordinating Commission must keep minutes, recordings and documents from the closed meetings and keep them private for eight years after a closed meeting.

Much of the Nov. 16 inaugural meeting centered on establishing a plan to get up to speed before the 2022 session. Rep. Jim Nash, R-Waconia, one of multiple commission members who also work in the technology sector, called for briefings on the state of cybersecurity in Minnesota. That could include assessing vulnerabilities at state agencies, constitutional offices, local or county governments and the private sector.

"The work that we will get done in this commission is going to be very hand in glove, both with the needs of citizens because we force them to give us their data and the need to do a better job of protecting it," Nash said.

Sen. Melissa Wiklund, DFL-Bloomington, said one priority for the group should be elevating the topic of cybersecurity as a key piece of future budget negotiations.

"How do we make sure that cybersecurity is considered at that level when we're making decisions about projects and budgets and considering it as critical infrastructure in our state?" Wiklund said.

Under the law that produced the commission, it must meet at least three times per year beginning in 2022. The commission would expire at the end of 2028 under the current law.

This year, it is only required to meet twice. Koran said that the commission would likely reconvene in mid-December and that he would like state IT professionals to brief the group. Koran wants the commission to reconvene again in January just before the Legislature gavels back in on Jan. 31 for the 2022 session.

January's meeting could include a focus on critical infrastructure activities in the private sector, Koran added.