Nevada’s big cyberattack spurs two new projects

During a legislative session held by Nevada’s interim finance committee last week, the state’s top technology official provided updates on the ransomware attack that disabled the state’s executive branch last August, including a hint of what may have caused the incident, what recovery will cost and new work unfolding in the event’s fallout.
The committee ended that session by advancing some of the planned new work, approving more than $300,000 in funding for two new cybersecurity initiatives, including an expansion of the state’s technical threat analysis program and greater support for an ongoing project to create a statewide security operations center. According to a state document, the former would be funded with $150,000 in federal funding the state is receiving through the State and Local Cybersecurity Grant Program.
Amid a barrage of probes and pontifications by state lawmakers during last Thursday’s session, Timothy Galluzi, Nevada’s chief information officer, explained that because an investigation of the cyberattack is still ongoing, there were many details he couldn’t share, such as how the attack had been initiated. In responding to state Sen. Robin Titus, who erroneously connected the legislature not having been affected with the “really good job” that the branch’s technical staff had done, Galluzi explained not how Nevada’s attack began, but how such cyberattacks usually begin.
“Ransomware attacks are generally either from a compromise in your environment being brute forced or they come in as victim-initiated,” such as when an employee opens a phishing email or downloads malware, he said, adding that the Governor’s Technology Office quickly isolated the attack and that the legislative branch’s network had already been segmented off from the rest of the state.
The ransomware attack against Nevada disabled or disrupted numerous services for weeks, including the ability of police to conduct background checks, for residents to renew their driver’s licenses or receive unemployment support or for small businesses to apply for permits through the secretary of state’s office. The attack also opened the way for further attacks, which, although unsuccessful, increased roughly 300%, Gov. Joe Lombardo revealed last month.
Despite the cyberattack’s effects, some of which persist, Galluzi said the state’s $7 million cybersecurity-insurance policy will easily cover the state’s direct recovery costs. Titus pointed out during the hearing that the costs haven’t only been financial, and recalled hearing from gun dealers and residents who had been unable to access state systems, hurting their businesses and disrupting their lives. She told Galluzi: “I just want you to be cognizant of that, that you are an employee of the state, but we represent our constituents.”
Galluzi said that the ransomware attack’s wide-ranging effects were “not lost on my team.”
“They worked 18, 20-plus hour days for weeks,” Galluzi said. “They didn’t take days off. They didn’t take vacation. They gave up holidays, they gave up everything just to get Nevada back to work, just to get all of those things back online for Nevadans. It wasn’t required of them. They volunteered it. And it was out of that sacred sense of duty, out of that sacred mission that they all believed in. It’s because they cared.”
Galluzi said the recovery process, which the state is conducting with the Cybersecurity and Infrastructure Security Agency and the FBI, has so far shown that only “a very incredibly small subset of internal data” was exposed to the attackers and that he doesn’t believe the personal data of any residents was compromised. He declined to answer many other questions raised by lawmakers, noting that a vendor the state is working with will help the state publish a more thorough report, after the investigation is over.
He compared the recovery to “draining an Olympic size swimming pool with a garden hose,” a project with limited capacity in which everyone urgently wants their services back online first. He said the state prioritized recovering public safety, followed by economic functions.
At one point during the hearing, state Sen. Rochelle Nguyen asked whether a statewide security operations center might have allowed the state to avert the attack altogether, pointing out that one of the state’s public safety divisions in 2023 requested $34 million to advance such a project, but never received the funding. Galluzi said it was impossible to know, but that because of the state’s IT funding model, receiving funding for such a project can irritate his agency customers, which cover the costs of IT services in bills charged by the Governor’s Technology Office.
“While I do believe that a statewide security operations center is imperative, it requires buy-in from all participants,” Galluzi said.
Adam Miller, deputy director at Nevada’s Office of Information Security and Cyber Defense, also told Nguyen that it’s impossible to know whether a SOC would have allowed the state to avert the cyberattack, but that the state’s resources allowed it to catch the incident quickly, “triage” and “rebuild.”
To frame Nevada’s cyberattack, Galluzi pointed to recent high-profile attacks in the private sector, including the supply chain attack last August against Jaguar Land Rover that led the automaker to seek a $2 billion loan to help with its recovery costs. He also pointed to recent cyberattacks that compromised 1 billion records held by Salesforce customers. Galluzi summarized by pointing out that there’s more to cybersecurity than money, something that both Salesforce and Jaguar have a lot of.
While formulating a follow-up question for Galluzi about the relevance of the Salesforce attack, such as whether it compromised any of Nevada’s data (it didn’t), state Sen. Dina Neal seemed to stumble upon the koan at the center of all security matters: “How do you protect a system when everyone is subject to being hackable?”