Bill drafting is impeded but continues, as leadership keeps mum on ransomware details
While officials are keeping the details of a ransomware attack on the General Assembly quiet, lawmakers said bill drafting is impeded, but continuing.
Last weekend staffers at Virginia’s General Assembly noticed suspicious activity on their IT systems. It turned out to be a ransomware attack.
Thursday evening, Delegate Marcus Simon tweeted that some websites that had been affected were coming back online. Delegate Will Morefield said in a text he understood good progress was being made on restoring the system.
Officials won’t describe the extent of the damage. But it does affect how the legislators make laws.
“We have a system in place where we can track the bills that we turn in and where they are in the process,” said Senator Dave Marsden Thursday afternoon. “But you can't file a bill. I was going to make a joke at some point today that I'm going to buy quill pens and parchment for folks we'll do a retro - back to 1776.”
Marsden and the rest of Virginia’s lawmakers work part time. The legislative session only lasts 60 days and starts in January. That means the time to file bills is now, so the system outage and delays in drafting bills come at a bad time.
“It gets worse every day in terms of getting final drafts to people and working things through the system,” he said.
Milos Manic, the director of Virginia Commonwealth University’s Cybersecurity Center, said hackers could have accessed the system months ago and just waited.
“Unfortunately the timing typically coincides with some other activities in order to, to make the most damage possible,” he said. “Typically where something like this happens, on the defense side, people will try to figure out what has happened, where it came from and how it can be remedied.”
There’s not a whole lot of public information about those details: what exactly has been affected and which steps were taken. A spokesperson for Mandiant, the company hired to work on the problem, wouldn’t say if the attack was linked to organized crime or a foreign state. The head of the Department of Legislative Automated Systems, the affected agency that runs the bill tracking system, said in an email they’re keeping the details quiet to preserve the integrity of the investigation.
“I think it’s probably partly to control: damage control. They want to appear like they are handling it properly. They don’t want to put people in a panic,” said Craig Kunitani, the COO and CTO of Security Mentor, which specializes in Cybersecurity Awareness. “And it’s maybe to their benefit to be able to do their work more behind closed doors so they don’t tip off the hackers.”
Kunitani said disclosures are predominantly dictated by what type of data is accessed. If personal identifying information that could be used for identity theft was accessed, there is often a legal responsibility to disclose that to affected parties.
Legislative leaders are trying to keep things quiet as well.
Speaker of the House Eileen Filler-Corn and other legislative leaders met behind closed doors Thursday to talk about the breach. On her way out, a staffer said the speaker wouldn’t discuss the attack.
It's unclear who would have the authority to pay ransom for the legislature, or where the money would come from.
“It's certainly a complicated question,” said Minority Leader Todd Gilbert on who could make that decision. “But I don't think that's obviously where anybody's headed in terms of trying to reward people for this kind of bad behavior.”
Gilbert is slated to become speaker in January, after the Republicans took the House of Delegates back this last election. They’ll be important for enacting the agenda of Governor-elect Glenn Youngkin, who won in a massive upset this past fall.
“We've been fully briefed on the situation,” Youngkin said when asked about the attack’s effects on enacting his agenda. “When we get in on January 15th, we will have a full review and make sure that we are doing everything we can to protect Virginians.”
Governor Ralph Northam proposed $60 million for cybersecurity upgrades across state government in his budget Thursday.
It appears bills are going to keep getting written. They might not be using quills and parchment like the old days, but Delegate David Reid described an alternative.
“It's a more cumbersome process, but it is workable.”
That process: email and Microsoft Word.