As Virginia struggles to control a ransomware attack on its legislative branch of government, an agency in the state’s executive branch also has been hit in a second attack that is global in scope.
The Department of Behavioral Health and Developmental Services said Tuesday that its IT system for managing employee payroll and time sheets has been “paralyzed” by a ransomware attack on the global network of the Ultimate Kronos Group, a digital cloud-based human resources management company.
“At this time, we do not know if this is related to the ransomware attack over the weekend on Virginia’s legislative agencies,” said Lauren Cunningham, a spokesperson for the state agency. “There is no indication that information was compromised or that any DBHDS systems have been compromised, but it is clear that the operation of the KRONOS system has been paralyzed. What we do know is staff WILL be paid their normal compensation and on time.”
The crippling of the behavioral health agency’s payroll system comes as Virginia State Police investigates a criminal attack on the IT systems serving the General Assembly a month before the legislature will convene its biennial 60-day session to adopt a new two-year state budget and legislation that depends on the legislative agencies directly affected by the ransomware attack.
“They’re investigating the scope of the intrusion,” said Brian Moran, secretary of public safety and homeland security.
The state police Bureau of Criminal Investigation’s High Tech Crimes Division is working with the FBI and the Virginia Information Technologies Agency to investigate the ransomware attack, which was discovered late Sunday on the computer and IT systems of three critical agencies that draft legislation, run computer services for the assembly and secure the Capitol and surrounding seat of government in Richmond.
Virginia State Police are “diligently working to identify and pursue the source of the ransomware, and to aid the impacted state agencies with regaining control of their systems,” spokesperson Corinne Geller said in a statement Tuesday afternoon.
David Burhop, director of the Department of Legislative Automated Services, told legislative leaders on Monday that hackers broke into the system late Friday, “using extremely sophisticated malware.” The attackers provided a ransom note “with no specific amount (or date) to get our data back,” he said.
Burhop said in an email that the attack affects all internal computer servers in the legislative agencies, “including bill drafting, our regulatory system, budget system, file servers and General Assembly voicemail.”
Gov.-elect Glenn Youngkin, who will be inaugurated Jan. 15, was briefed twice on Monday by VITA, according to a source associated with the transition.
But the cyber attack on the Department of Legislative Automated Systems, the Division of Legislative Services and the Division of Capitol Police is raising vexing questions for state policymakers about how the IT agency for the executive branch of government can help protect agencies in a separate branch of government from ransomware and other cyber threats.
“Everyone talks about it, but people don’t realize you need it until you need it,” said Del. David Reid, D-Loudoun, who has been working for months on proposed budget amendments to broaden state protection against cyber attacks at every level of government, down to local school divisions. “And now we need it, and it’s unfortunate that we’re not prepared.”
One of the four budget amendments Reid has prepared to propose in the General Assembly next year would hire 13 cybersecurity support staff at the Fusion Center that state police runs at its headquarters in Chesterfield County to bring together state, local and federal law enforcement agencies to detect and respond to a wide variety of security threats. Another would formally incorporate cybersecurity operations into the Fusion Center “to provide a more coordinated cybersecurity response team,” he said.
The other proposed amendments would fund efforts to boost cybersecurity for local school divisions through the Virginia Department of Education and enable the Virginia National Guard to conduct cybersecurity assessments for local governments to prevent ransomware attacks.
Staffing to protect against cybersecurity attacks already is a problem at VITA, even though it’s a high priority for the leader of the operation that provides IT services and protection for more than 60 agencies in the executive branch of state government.
“Ransomware is at the forefront of my mind,” Chief Information Officer Nelson Moe told the Joint Legislative Audit and Review Commission in September after the presentation of a JLARC staff study that raised concerns about staffing to protect against cybersecurity threats.
VITA has nearly doubled the number of cybersecurity staff over the past decade — from 11 in 2011 to 20 in 2020 — but JLARC said it’s not enough to address what chief legislative analyst Jamie Bitz described as “the increasingly complex cybersecurity threats that the state faces.”
“Because it doesn’t have enough security staff, VITA’s security group is not able to keep pace with all of the infrastructure changes that agencies are requesting and make sure those changes are consistent with the state’s security standards,” Bitz said in the presentation on Sept. 20. “And that ultimately raises the risk of a cybersecurity breach in the commonwealth.”
The JLARC study recommended that VITA produce a plan by Dec. 15 for how it will increase staffing.
But even with more staff at VITA, that doesn’t necessarily help the legislative agencies that support the General Assembly because they are beyond the scope and authority of the executive branch agency.
VITA produced a report earlier this year about ransomware threats against the state and local governments. The report, ordered by the assembly last year under a resolution that Reid introduced, made a series of recommendations to improve state and local cybersecurity programs, establish formal reporting requirements for ransomware attacks and provide more funding to expand staffing.
The report also calls for establishing one organization “to handle cybersecurity incident reports for all government entities,” increasing training for all government employees and sharing more information with local governments and school divisions to protect them against ransomware.
The attack on the legislative IT systems “highlights overall the security risks and vulnerabilities of state and local government,” said Sen. Jeremy McPike, D-Prince William, a member of the Senate Committee on General Laws and Technology. “No one’s immune.”
However, McPike cautioned that any solution has to recognize “there are separate branches of government” while improving protection for IT systems in all branches of state government.
Senate Clerk Susan Schaar acknowledged that the legislative agencies are relying on help from two executive branch departments — state police and VITA — that have no authority over assembly IT systems that are separate from the larger state network.
But Schaar said, “They have forensic experience in tracking stuff like this down, so it’s everybody working together.”
The clerk also has an answer for legislators who are frantic about their ability to draft and introduce legislation for the assembly session that will begin on Jan. 12.
“We did all this before there was technology,” said Schaar, who began working for the Senate in 1974. “It’s called paper.”