RICHMOND, Virginia (WRIC) – Days after multiple ransomware attacks were first detected, the Virginia state government is still feeling the effects. It comes as Governor Ralph Northam proposes new funding to keep cybersecurity in place, but Governor-elect Glenn Youngkin says that’s not going far enough.
On Friday evening, the FBI and Virginia State Police continued to investigate a criminal ransomware attack that disrupted the General Assembly’s IT system. Dave Burhop, director of the Division of Legislative Automated Systems, said the suspicious activity was first discovered on Sunday, December 12th.
At the last review, the Virginia Department of Behavioral Health and Developmental Services also continued to grapple with what is believed to be a separate ransomware attack targeting the service the agency uses to measure time.
“It is clear that the global KRONOS ransomware attack and the ransomware attack that witnessed this weekend in Virginia are not linked, and there is no evidence that any information or DBHDS systems have been compromised,” said Lauren Cunningham, Communications Director at DBHDS, in an email on Friday. “Government agencies have switched back to manual systems, which are very time consuming, but they will do the job and make sure the staff is paid.”
Stakeholders either did not respond to requests for comment or received no further updates when asked if ransom money had been paid to attackers to help resolve the issue.
As both investigations continued Thursday, Governor Northam announced that his two-year budget includes $ 60 million in cybersecurity improvements. The Northam office said the proposal was made before the ransomware attacks.
“We take that very seriously,” said Northam in an interview on Thursday. “If more resources are needed we will have this on budget to help prevent this from happening in the future.”
When asked about the proposal after Northam’s presentation, Governor-elect Youngkin was not impressed.
“I believe the $ 60 million – the number I heard today that is being assigned to cybersecurity – is completely inadequate and actually reflects the underinvestment over a constant period of time,” said Youngkin, adding that he was doing a review would perform resources after taking office.
A recent report found that the Virginia Information Technology Agency, which oversees the executive branch, does not currently have sufficient resources to monitor all 4,000 to 5,000 IT devices that could be targeted for potential security breaches.
“VITA’s security group is unable to keep up with all of the infrastructure changes required by the authorities and ensure they are in line with state security standards, ultimately increasing the risk of a cybersecurity breach in the Commonwealth,” said JLARC’s chief legislative analyst for the ongoing supervision said Jamie Bitz in a presentation to the legislature.
According to Northam’s spokeswoman Alena Yarmosky, the governor’s outbound budget proposal includes $ 25 million to increase cyber resilience and recovery capabilities, $ 8 million for additional authentication resources, $ 5 million to set up a second backup data center, $ 4 million US dollars for antivirus tools and targeted security measures through various government agencies.
The delegate David Reid (D-Loudoun) has been dealing with the issue of cybersecurity for years, both in the legislature and professionally.
“If this is an issue right now, it likely means we didn’t fund cybersecurity for the legislature, or, if so, it probably wasn’t as robust as it should have been,” Reid said.
Reid plans to propose several budget changes on this issue during the 2022 legislature. As he examines Northam’s proposal, he believes the governor has already taken at least one of his proposals. He said it would provide funding for the Virginia National Guard to conduct twelve cybersecurity assessments per year on locations to prevent ransomware attacks.
Another proposal would provide additional funding to the Virginia State Police to recruit thirteen full-time cybersecurity support experts. Reid also wants the state to maintain a single, robust platform to continuously monitor, manage and report cybersecurity risks to the local public school districts for free.
With record government revenue and the risk of ransomware attacks expected to only increase, now is the time for big investments, Reid said.
“It should definitely be viewed as a wake-up call,” Reid said. “Cybersecurity is very much like car insurance in that nobody really wants to pay for it, but they’re really glad they have it when they have an accident.”