By Terri Jo Neff
With the introduction of legislation this week in the Arizona House of Representatives to prohibit many public entities from using public funds to pay ransoms in ransomware attacks, AZ Free News recently spoke with Sen. David Gowan about the security of the Legislature’s own computer systems.
Gowan says that the dedicated IT staff of the Arizona Legislature have ensured that its system protections are up to date and meet or exceed industry standards. This would allow the legislative session to continue with little impact if hit with the type of ransomware attack suffered by the Virginia Legislature last month.
“Nothing is 100 percent guaranteed, but we try to figure it out before a hacker can,” he said. “And we have the ability to move forward and maneuver, even if we have to do some things on paper.”
The Dec. 10 ransomware attack on servers used by Virginia lawmakers led to the disabling of the legislature’s voicemail system, its budgeting portal, and the platform used to draft bills. Even access to the Virginia Constitution and state code normally accessible online had to be taken down after the attack, which one state official blamed on an “extremely sophisticated malware.”
For a short time, the website serving Virginia’s Division of Capitol Police was also down, but there was no report of impacts to critical functions.
Whoever hacked the Virginia Legislature’s system left a ransom note, although it did not include a ransom price or a due date, according to a senior staff member. It is the first reported cyber security attack on a state legislature, although dozens of public entities across the country were hit in 2021.
Gowan is pleased that Arizona’s legislative staff has safeguards in place which will allow lawmakers to “quickly move forward with our work” if hit by an attack like the one Virginia experienced. He credits the fact that the legislature’s IT personnel conduct refresher training for lawmakers and staff about suspicious emails, which is the easiest way for a cyber attacker to get into a system.
There are also frequent spot checks of the legislature’s systems. And it helps, Gowan noted, that Arizona has one of the nation’s premier cybersecurity programs, with the Arizona Department of Homeland Security, the Arizona Department of Public Safety, and the Department of Emergency and Military Affairs all major players, along with local and federal agencies.
Two controversial bills recently introduced by a state representative would make significant changes to Arizona’s laws related to cyberattacks. One would tie the hands of public officials in responding to a ransomware attack, while the other seeks to require anyone who does business in Arizona to report a computer security breach or face a civil penalty from the Arizona Attorney General’s Office.
HB2145 would bar the State and any political subdivision of the state (such as a county, city, town, or school district) from making ransomware payments to secure the release of data. It would also require immediate notification of such an attack to the Director of the Arizona Department of Homeland Security.
Meanwhile, HB2146 would require anyone who “conducts business in this state and that owns, maintains or licenses unencrypted and unredacted computerized personal information” to report any security system breach to the Director of the Arizona Department of Homeland Security within 45 days.
A willful violation of the notification statute could lead to a civil penalty of up to $500,000, according to the bill.