CHARLESTON — No intrusions of state information systems have been detected in the wake of a major hack of federal agencies, but the West Virginia Office of Technology is monitoring the unfolding situation.
Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency announced that a substantial intrusion into the computer systems of multiple federal agencies by foreign actors with possible ties to the Russian government was discovered.
It’s unclear how long hackers had access to federal computer systems, but the intrusion only came to light after private cybersecurity companies discovered a similar penetration of their own systems according to the Associated Press. According to CISA, hackers found a backdoor into federal servers through software from SolarWinds.
CISA, along with the FBI and the Office of the Director of National Intelligence, issued a joint statement Dec. 16. The agencies announced the creation of a group to coordinate a response to the hack as well as a criminal investigation.
“CISA remains in regular contact with our government, private sector and international partners, providing technical assistance upon request, and making needed information and resources available to help those affected recover quickly from this incident,” according to the joint statement. “CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises.”
Joshua Spence, the Chief Technology Officer for West Virginia and leader of the Office of Technology, said breaches of government computer systems — both federally and at the state level — are becoming more and more frequent targets of bad actors.
“The world has changed around us and we all know it has,” Spence said. “We live in a world where everything has an interdependency upon technology. And because of that, nation states are spinning off a significant amount of resources just try to take advantage of that.”
So far, only one state is reporting any penetration of computer systems connected to the federal computer hack. According to the Associated Press, Florida said their state servers were penetrated. Much like the federal hack, users were able to exploit vulnerabilities in the SolarWinds programming code.
West Virginia was unaffected by the federal hack, but there are likely hundreds of attempts by bad actors to get at the personal information the state has for its 1.8 million residents. Last year, a ransomware attack left multiple Harrison County agencies locked out of their computer systems. Also last year, the West Virginia Secretary of State’s Office reported an attempted hack of its online voting system for military and overseas voters.
Spence said his major concern going forward is just how quickly the technology keeps changing. He said cybersecurity technology is often having trouble keeping up with new innovations, causing vulnerabilities that can be exploited.
“The threat in the last 10 years has become so prevalent, and the awareness of that threat is now out there more so than it ever has been. We’re trying to catch up,” Spence said. “The tech industry is born out of innovation. They continue to innovate to drive the market and that drives growth, but the security aspects of it are still trying to catch up. That’s where I see there being a gap.”
To try to narrow the gap the Spence talked about, the West Virginia Legislature passed House Bill 2452 – the Secure WV Act – in 2019. At a cost of $4.2 million and a completion date of 2021, the act created an enterprise service for cyber-risk management. The act allows the state to more nimbly respond to cybersecurity issue by addressing risk.
“We’ve got to keep an eye on and understand all the decisions we make around technology are going incur risk,” Spence said. “Pretend I’m the fire marshal and ask me if the building we are in is fireproof. It’s not really fireproof. It’s not a question of security, it’s a question of risk, right? What are you doing for fire protection? You put preventive measures in and you put responsive measures in. The same thing applies to cybersecurity.”
Spence said monitoring risk and being able to communicate quickly and effectively during a potential breach can help limit the damage a hack can do, and possibly help discourage the next hacker.
Steven Allen Adams can be reached at [email protected]