§9–2901.

    (a)    (1)    In this subtitle the following words have the meanings indicated.

        (2)    “Council” means the Maryland Cybersecurity Council.

        (3)    “Executive Order” means Executive Order 13636 of the President of the United States.

    (b)    There is a Maryland Cybersecurity Council.

    (c)    The Council consists of the following members:

        (1)    the Attorney General, or the Attorney General’s designee;

        (2)    the Secretary of Information Technology, or the Secretary’s designee;

        (3)    the Secretary of State Police, or the Secretary’s designee;

        (4)    the Secretary of Commerce, or the Secretary’s designee;

        (5)    the Adjutant General, or the Adjutant General’s designee;

        (6)    the State Administrator of Elections, or the State Administrator’s designee;

        (7)    the Executive Director of the Governor’s Office of Homeland Security, or the Executive Director’s designee;

        (8)    the Director of the Maryland Coordination and Analysis Center, or the Director’s designee;

        (9)    the Secretary of Emergency Management, or the Secretary’s designee;

        (10)    the People’s Counsel, or the designee of the People’s Counsel;

        (11)    the Chief Executive Officer of the Maryland Technology Development Corporation, or the Chief Executive Officer’s designee;

        (12)    the Chair of the Tech Council of Maryland, or the Chair’s designee;

        (13)    the President of the Fort Meade Alliance, or the President’s designee;

        (14)    the President of the Army Alliance, or the President’s designee;

        (15)    four representatives of cybersecurity companies located in the State, with at least three representing cybersecurity companies with 50 or fewer employees, designated by the Cybersecurity Association of Maryland;

        (16)    the Chief Executive Officer of the Maryland Chamber of Commerce, or the Chief Executive Officer’s designee;

        (17)    the Executive Director of the Cybersecurity Association of Maryland, or the Executive Director’s designee;

        (18)    nine representatives from institutions of higher education located in the State with expertise in cybersecurity, with at least four representatives with expertise in artificial intelligence and quantum computing, including:

            (i)    the President, or the President’s designee, of:

                1.    Bowie State University;

                2.    Johns Hopkins University;

                3.    Morgan State University;

                4.    the University of Maryland, Baltimore Campus;

                5.    the University of Maryland, Baltimore County; and

                6.    the University of Maryland, College Park Campus;

            (ii)    the Dean of the University of Maryland Global Campus School of Cybersecurity and Information Technology, or the Dean’s designee; and

            (iii)    two additional representatives designated by the Chancellor of the University System of Maryland;

        (19)    the Director of CASH Campaign of Maryland, or the Director’s designee;

        (20)    the Executive Director of Economic Action Maryland, or the Executive Director’s designee;

        (21)    one bank chief information security officer, designated by the Maryland Bankers Association;

        (22)    one hospital chief information security officer, designated by the Maryland Hospital Association;

        (23)    one water systems chief information security officer who works for a water system located in the State, designated by the National Association of Water Companies;

        (24)    one electric company chief information security officer who works in the State for an electric company serving customers in the State, designated by the Edison Electric Institute;

        (25)    the Executive Director of The Electronic Privacy Information Center, or the Executive Director’s designee;

        (26)    the Executive Director of the Center for Democracy and Technology, or the Executive Director’s designee;

        (27)    the Chief Executive Officer of the Technology Advancement Center, or the Chief Executive Officer’s designee;

        (28)    the Director of the Center for Governance of Technology and Systems, or the Director’s designee; and

        (29)    any other stakeholder that the chair determines appropriate.

    (d)    The President of the Senate may appoint up to two members of the Senate to serve on the Council.

    (e)    The Speaker of the House of Delegates may appoint up to two members of the House to serve on the Council.

    (f)    The chair also shall invite, as appropriate, the following representatives of federal agencies to serve on the Council:

        (1)    the Director of the National Security Agency, or the Director’s designee;

        (2)    the Secretary of Homeland Security, or the Secretary’s designee;

        (3)    the Director of the Defense Information Systems Agency, or the Director’s designee;

        (4)    the Director of the National Institute for Science and Technology, or the Director’s designee;

        (5)    the Director of the Intelligence Advanced Research Projects Activity, or the Director’s designee; and

        (6)    any other federal agency that the chair determines appropriate.

    (g)    (1)    Subject to paragraph (2) of this subsection, beginning October 1, 2025, and every 2 years thereafter, the Council shall elect a chair and vice chair from among the members of the Council.

        (2)    One shall be a State employee and one shall be a non–State employee.

    (h)    The University of Maryland Global Campus shall provide staff for the Council.

    (i)    A member of the Council:

        (1)    may not receive compensation as a member of the Council; but

        (2)    is entitled to reimbursement for expenses under the Standard State Travel Regulations, as provided in the State budget.

    (j)    The Council shall work with the National Institute of Standards and Technology and other federal agencies, private sector businesses, nonprofits, and private cybersecurity experts to assess and address cybersecurity threats and associated risks from artificial intelligence and quantum computing to:

        (1)    for critical infrastructure, review and conduct risk assessments to determine which local infrastructure sectors are at the greatest risk of cyber attacks and need the most enhanced cybersecurity measures;

        (2)    use federal guidance to identify categories of critical infrastructure as critical cyber infrastructure if cyber damage or unauthorized cyber access to the infrastructure could reasonably result in catastrophic consequences, including:

            (i)    interruption in the provision of energy, water, transportation, emergency services, food, or other life–sustaining services sufficient to cause a mass casualty event or mass evacuations;

            (ii)    catastrophic economic damage; or

            (iii)    severe degradation of State or national security;

        (3)    assist infrastructure entities that are not covered by the Executive Order in complying with federal cybersecurity guidance;

        (4)    assist private sector cybersecurity businesses in adopting, adapting, and implementing the National Institute of Standards and Technology cybersecurity framework of standards and practices;

        (5)    examine inconsistencies between State and federal laws regarding cybersecurity;

        (6)    recommend a comprehensive State strategic plan to ensure a coordinated and adaptable response to and recovery from cybersecurity attacks;

        (7)    address sensitive privacy interests of State residents related to cybersecurity and associated risks;

        (8)    address emerging threats posed by artificial intelligence, including:

            (i)    adversarial artificial intelligence;

            (ii)    cyber attacks;

            (iii)    deepfake technologies;

            (iv)    unethical use; and

            (v)    fraud; and

        (9)    recommend any legislative changes considered necessary by the Council to address cybersecurity issues.

    (k)    Beginning July 1, 2017, and every 2 years thereafter, the Council shall submit a report of its activities to the General Assembly in accordance with § 2–1257 of this article.