WAVY.com

Youngkin calls cybersecurity funding ‘wholly inadequate’ as ransomware attacks disrupt state government

RICHMOND, Va. (WRIC)- Days after multiple ransomware attacks were first detected, Virginia’s state government is still feeling the effects. It comes as Governor Ralph Northam is proposing new funding to sure up cybersecurity but Governor-elect Glenn Youngkin says it doesn’t far enough.

As of Friday evening, the FBI and the Virginia State Police were continuing to investigate a criminal ransomware attack disrupting the IT system that serves the General Assembly. Dave Burhop, director of the Division of Legislative Automated Systems, said the suspicious activity was first detected on Sunday, Dec. 12.


At last check, the Virginia Department of Behavioral Health and Developmental Services was also continuing to grapple with what is believed to be a separate ransomware attack targeting the service the agency uses for timekeeping.

“It is clear the global KRONOS ransomware attack and the ransomware attack experienced over the weekend in Virginia are not connected, and there is no indication that information was compromised or that any DBHDS systems have been compromised,” said DBHDS Communications Director Lauren Cunningham in an email on Friday. “State facilities have switched back to manual systems that are very time-intensive, but they will get the job done and ensure staff are paid.”

Stakeholders either didn’t respond to requests for comment or had no further updates when asked if ransoms had been paid out to attackers to resolve the issue.

As both investigations continued on Thursday, Governor Northam announced his two-year budget plan would include $60 million for cybersecurity improvements. Northam’s office said the proposal was drafted before the ransomware attacks occurred.

“It’s something that we take very seriously,” Northam said in an interview on Thursday. “If it takes more resources, we will have that in the budget to help prevent this from happening in the future.” 

Asked about the proposal after Northam’s presentation, Governor-elect Youngkin was not impressed.

“I do believe the $60 million–the number I heard today that is being allocated to cybersecurity–is wholly inadequate and in fact it reflects the under-investment over a consistent period of time,” Youngkin said, adding that he would direct a review of resources after taking office.

A recent report revealed the Virginia Information Technology Agency, which oversees the executive branch, currently lacks sufficient resources to monitor all 4,000 to 5,000 pieces of IT equipment that could be targeted for potential security vulnerabilities.

“VITA’s security group is not able to keep pace with all of the infrastructure changes that agencies are requesting and make sure they are consistent with the state’s security standards and that ultimately increases the risk of a cybersecurity breach in the commonwealth,” JLARC’s Chief Legislative Analyst for Ongoing Oversight Jamie Bitz said in a presentation to lawmakers.

According to Northam’s Spokesperson Alena Yarmosky, the governor’s outgoing budget proposal includes $25 million to increase cyber resiliency and recovery capabilities, $8 million for additional authentication resources, $5 million to establish a second backup data center, $4 million for antivirus tools, and targeted security measures across various state agencies.

Delegate David Reid (D-Loudoun) has been focused on the issue of cybersecurity for years, both in the legislature and professionally.

“If we’re experiencing this problem right now then it probably means that we have not been funding cybersecurity for the legislative branch or, if we have, it probably hasn’t been as robust as it should’ve been,” Reid said.

Reid is planning to propose several budget amendments on the topic in the 2022 legislative session. While he is still reviewing Northam’s proposal, he believes the governor has already included at least one of his requests. He said it would provide funding for the Virginia National Guard to conduct twelve cybersecurity assessments per year for localities to prevent ransomware attacks.

Another proposal would provide the Virginia State Police with additional funding to hire thirteen full-time cybersecurity support professionals. Reid also wants the state to manage a single, robust platform to continuously monitor, manage, and report cybersecurity risks at no cost to local public school districts.

With state revenues at record highs and the threat of ransomware attacks only expected to grow, Reid said now is the time for big investments.

“It definitely should be considered a wake up call,” Reid said. “Cybersecurity is kind of a lot like car insurance in that no one really wants to pay for it but they’re really glad they have it when they have an accident.”