With the introduction of legislation this week in the Arizona House of Representatives to prohibit many public entities from using public funds to pay for ransomware attacks, AZ Free News recently spoke with Sen. David Gowan about the security of the Legislature’s own computer systems.
Gowan says that the dedicated IT staff of the Arizona Legislature have ensured that its system protections are up to date and meet or exceed industry standards. This would allow the legislative session to continue with little impact if hit with the type of ransomware attack suffered by the Virginia Legislature last month.
“Nothing is 100 percent guaranteed, but we try to figure it out before a hacker can,” he said. “And we have the ability to move forward and maneuver, even if we have to do some things on paper.”
The Dec. 10 ransomware attack on servers used by Virginia lawmakers led to the disabling of the legislature’s voicemail system, its budgeting portal, and the platform used to draft bills. Even access to the Virginia Constitution and state code normally accessible online had to be taken down after the attack, which one state official blamed on an “extremely sophisticated malware.”
For a short time the website serving Virginia’s Division of Capitol Police was also down but there was no report of impacts to critical functions.
Whoever hacked the Virginia Legislature’s system left a ransom note, although it did not include a ransom price nor due date, according to a senior staff member. It is the first reported cyber security attack on a state legislature, although at dozens of public entities across the country were hit in 2021.
Gowan is pleased that Arizona’s legislative staff has safeguards in place which will allow lawmakers to “quickly move forward with our work” if hit by an attack like Virginia experienced. He credits the fact that the legislature’s IT personnel conduct refresher training for lawmakers and staff about suspicious emails, which is the easiest way for a cyber attacker to get into a system.
There is also frequent spot checks of the legislature’s systems. And it helps, Gowan noted, that Arizona has one of the nation’s premiere cybersecurity programs, with the Arizona Department of Homeland Security, the Arizona Department of Public Safety, and the Department of Emergency and Military Affairs all major players, along with local and federal agencies.
Two controversial bills recently introduced by a state representative would make significant changes to Arizona’s laws related to cyberattacks. One would tie the hands of public officials in responding to a ransomware attack, while the other seeks to require anyone who does business in Arizona to report a computer security breach or face a civil penalty from the Arizona Attorney General’s Office.
HB2145 would bar the State and any political subdivision of the state (such as a county, city, town, or school district) from making ransomware payments to secure the release of data. It would also require immediate notification of such an attack to the Director of the Arizona Department of Homeland Security.
Meanwhile, HB2146 would mandate anyone who “conducts business in this state and that owns, maintains or licenses unencrypted and unredacted computerized personal information” to report any security system breach to the Director of the Arizona Department of Homeland Security within 45 days.
A willful violation of the notification statute could lead to a civil penalty of up to $500,000, according to the bill.
Gov. Doug Ducey has secured the funding necessary to launch Arizona’s new Cyber Command Center, and during a ceremony at the Arizona Department of Public Safety’s Arizona Counter Terrorism Information Center (ACTIC) on Monday he equated cybersecurity with homeland security.
“Our society is becoming increasingly interconnected through technology, and cybersecurity has become one of the most important issues facing Arizona,” Ducey said Monday. “This new command center will be critical in protecting Arizonans and ensuring our cyber infrastructure remains safe and secure.”
According to the governor, the state has spent nearly $15 million in the last year to address cyber threats and implement best practices. The results are impressive, with the Arizona Department of Homeland Security detecting and alerting on about 68 million threats and protected state websites from over 800,000 attacks in September.
The new Cyber Command Center will be Arizona’s headquarters for coordinating statewide cybersecurity operations, and will serve as a central location for cybersecurity professionals and local, state and federal agencies to prevent and respond to cyberattacks. Several programs will be run out of the command center, including the Arizona Counter Terrorism Information Center, a joint effort created in 2004 among DPS, AZ DHS, the FBI, and other agencies to support Arizona’s homeland security efforts.
Ducey has been successful the last few years in securing funding to address cybersecurity threats which impact not only state agencies, but also local governments, the private sector, educational institutions, and citizens.
In Fiscal Year 2020, the governor secured legislative approval to add $2.9 million to the Arizona Department of Administration’s Statewide Information Security and Privacy Office. The money was earmarked to enhance the operations of the office and purchase additional cybersecurity controls to combat cyberthreats on state IT assets, according to Ducey’s office.
He has also tapped $9 million in FY2020 and FY2022 to improve the Department of Education’s school finance system which distributes billions in state and federal funding to Arizona’s public schools. In addition, nearly $500,000 of funding will be available to the Arizona Department of Emergency and Military Affairs (DEMA) in FY2022 to establish a cyber task force to perform cybersecurity prevention and response activities on behalf of the state, according to the governor’s office.
That is on top of a one-time $300,000 credit to the National Guard Cyber Response Revolving Fund to allow the National Guard to engage in cyberattack prevention, response, and support activities for the state and other public entities.
Arizona is not the only state making cybersecurity a priority, and public records show many of the projects across the country are being paid for by federal funds under the CARES Act.
According to the Center for Digital Government, the CARES Act provided more than $150 billion in March 2020 to state and local governments to address cybersecurity issues brought about by IT budget constraints, modernization issues, and new challenges such as remote work and distance learning. In December, Congress later extended the deadline for utilizing the funding after some states complained of not being able to get projects quickly operational due to time and staff constraints.
“This extension is critical because our research indicates state, local and county governments still have billions of federal dollars left to spend,” according to a briefing by the Center for Digital Government, a national research and advisory institute on information technology policies and best practices in state and local government. “Doing so will increase their resilience, streamline constituents’ access to critical services, and safeguard critical government systems and all the valuable public data they collect.”
In North Carolina, $4.5 million of CARES funding was allocated to create a shared cybersecurity infrastructure for its Department of Public Instruction. The project also facilitates district cybersecurity monitoring and support,, which according to the briefing “has become even more essential as the schools in the state experience a surge in ransomware attacks.”
Meanwhile, the briefing notes Oklahoma has used its federal aid for a secondary data center with higher availability and advanced disaster recovery capabilities. State officials call the investment “critical” to ensuring the capability to deliver core public services in an emergency.
Idaho, Montana, and Texas are examples of other western states utilizing CARES funds for cybersecurity projects.
