Dave Burhop had bad news for the clerks who run the two chambers of the General Assembly as they prepared in December for a legislative session that would begin in less than a month.

Malware had been discovered the previous evening in the computer system that runs much of the legislative branch of government - the bill drafting system, file services, regulatory and budget systems and the assembly's voice mail. The attacker left a ransom note, but without a set financial demand.

"Currently the bad guys have most of our critical systems locked up," Burhop, director of the division of legislative automated systems, told Senate Clerk Susan Schaar and then-House Clerk Suzette Denslow in an early morning email on Dec. 13.

The "extremely sophisticated malware" temporarily crippled legislative agencies, but never spread to the rest of state government. The legislative IT agency didn't pay a ransom to restore the system but found ways to work around the malware and run the assembly on backup networks to ensure the "continuity of government" in case of disaster.

But the attack made clear the stakes for Virginia lawmakers and newly inaugurated Gov. Glenn Youngkin. They are looking to make big investments in cybersecurity in the face of threats that were mounting before Russia invaded Ukraine, with cyber-attack a weapon that U.S. lawmakers fear will hit close to home.

The House made a big splash in its version of the state budget, proposing $150 million for cybersecurity initiatives over the next two years, although most of that spending already was in the two-year budget that then-Gov. Ralph Northam proposed in December, four days after discovery of the ransomware attack.

"I think people recognize that priority," Youngkin said recently.

Burhop certainly does. He said he can't comment on an ongoing State Police investigation into the attack on the legislative IT system or the extent of the damage.

"But I will say that the increase in 'bad actors,' the availability and readiness of ransomware 'services,' the levels of sophistication and the lucrative nature of it all, pose a tremendous challenge for many organizations," he said in an email.

Burhop welcomed a legislative debate over investments in the state budget that "will help strengthen the defenses that protect the assets the public entrusts to us."

The Virginia Information Technologies Agency estimates that the state experienced more than 66 million attempted cyber-attacks last year and its undermanned security teams blocked more than 50,000 pieces of malware. VITA, as it is known, provides IT services to 65 executive branch agencies and more than 55,000 state employees.

Many attacks in Virginia are not reported. The House and Senate have passed legislation to require all public bodies to report cyber-attacks to the Virginia Fusion Center for intelligence gathering within 24 hours. The U.S. Senate adopted legislation last week that would require private companies responsible for critical infrastructure to report all cyber-attacks to the federal government.

"At a time when we are facing significant threats of Russian cyber-attacks against our institutions and our allies, it's more important than ever that the government have an idea what those threats are," said Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee.

It doesn't help that VITA has lost its top two leaders in the past month. Phil Wittmer, former chief information officer in Kansas, left as CIO less than a month after Youngkin appointed him to replace Nelson Moe as the state's top IT officer. Jon Ozovek resigned a few weeks later as chief operating officer.

Michael Watson, the agency's chief information security officer, is serving as acting CIO, Youngkin spokesperson Macaulay Porter confirmed. Demetrias Rodgers, the deputy chief operating officer, is acting as COO.

"Cybersecurity needs continue to change and evolve," Porter said in an email Friday. "This administration is committed to ensuring the commonwealth has the capabilities, staff and the latest innovation to remain competitive and address ongoing needs."

Youngkin asked the General Assembly budget committees to dedicate $40 million over the next two years to new Secretary of Administration Margaret "Lyn" McDermid, who previously had served as chief information officer at Dominion Energy and the Federal Reserve Bank of Richmond, two of the top cyber targets in Virginia.

The governor didn't get that much - the House of Delegates included $20 million over two years and the Senate provided $10 million the first year - but the competing budgets that the two bodies will try to reconcile this week make cybersecurity a priority as McDermid analyzes the state's options.

"I do have some confidence in her analysis, but I have not yet seen a final product," said Sen. Adam Ebbin, D-Alexandria, a member of the Senate Finance & Appropriations Committee.

VITA asked last fall for almost $70 million over two years, including money to hire more staff and more than $25 million for "cyber resilience and recovery capacity."

About half of the $150 million for cybersecurity initiatives in the House budget would come from state tax dollars, with the rest coming from outside sources, including federal grants that Virginia hopes to receive through the Infrastructure Investment and Jobs Act that President Joe Biden signed last fall.

Both budgets include about $5 million for the state to use in conjunction with $21.4 million expected from the federal government for a new program to issue cybersecurity grants for local and state governments, with 80% devoted to localities.

They also propose to bolster Burhop's legislative IT system with more than $1 million this year and between $2.6 million and $3.2 million over the next two years.

The House spending plan also includes about $3 million to hire 11 additional security staff at VITA, on top of the 11 positions included in Northam's parting budget.

Front-line security staff is an issue at VITA, especially in its Commonwealth Security and Risk Management Group, which currently employs 36 full-time workers and three contractors.

The Joint Legislative Audit and Review Commission said the VITA security group is understaffed to handle the heavier workload that accompanied the transition in 2018 from Northrop Grumman as a single supplier of IT services to eight different companies with different roles to play.

The JLARC report, issued three months before the ransomware attack on legislative agencies, also warned that the state is "facing increasingly complex cybersecurity threats, which further increases the workload for the security group."

It cited the 2020 attack on the SolarWinds IT company that it said affected at least a dozen federal and state agencies, including the Virginia State Corporation Commission.

"The lack of sufficient staffing in [Commonwealth Security and Risk Management Group] increases the risk of a cybersecurity break of a state IT system," JLARC said.

VITA responded with a staffing plan in December that acknowledged the expanding scope and risks in managing the state's IT system.

"Due to the increasing threats from malicious parties, Virginia is at a critical juncture for the cybersecurity system," the agency said. "Successful attacks on public bodies and critical infrastructure impact both the function of state government and the lives of citizens."

"Additional staff is necessary for prevention of and response to the constant cyber-attacks on the commonwealth's IT environment," it added. "Absent adequate staffing, further preventable compromises can be expected."