Virginia needs more IT security personnel to defend against cyberattacks, new report says
RICHMOND, Va. (WRIC) — Service was restored to state agencies after another network outage Thursday, but a new report finds more resources are needed to prevent future issues, especially cyberattacks.
On Friday, the Virginia Information Technologies Agency confirmed the outage was caused by a fiber cut during an external construction project and lasted about 90 minutes. It was first reported around 12:34 p.m. Thursday and could potentially have reached a wide range of agencies before staff could reroute network traffic, according to VITA.
“We anticipate that the permanent repairs to the fiber line will be complete this afternoon,” VITA communications director Lindsay Legrand said in an email Friday. “Once complete, our team will closely monitor the state of connectivity today and over the weekend, and return network traffic to its original pattern once permanent restoration is confirmed.”
Two similar issues publicly reported last year were also caused by cut fiber lines, including an incident that shut down the Department of Elections website on the last day to register to vote.
As early voting rolls around again, a new report reveals concerns about the state’s ability to protect itself against intentional attacks.
The Joint Legislative Audit and Review Commission, the state’s nonpartisan watchdog group, said VITA needed more IT security staff to handle growing responsibilities.
“Security staff consistently raised concerns about staffing levels when we interviewed and interviewed them. Less than 7% said current security staffing levels are sufficient for the current workload,” JLARC Chief Legislative Analyst for Ongoing Monitoring, Jamie Bitz, said during a presentation to lawmakers on Monday.
A manager expressed concern that staff were rushing through security reviews and making mistakes, according to the report.
The report added that VITA lacks sufficient resources to monitor the 4,000 to 5,000 pieces of computer equipment that could be targeted for potential security vulnerabilities. As it stands, the state can only prioritize about 600 pieces of equipment.
“VITA’s security group is unable to keep pace with all the infrastructure changes requested by agencies and ensure they meet state security standards, which increases ultimately the risk of a cybersecurity breach in the Commonwealth,” Bitz said.
The update comes as the cybersecurity threat grows and becomes more complex, according to JLARC.
The report details multiple attacks on state agencies in recent years. One targeting computer company SolarWinds hit at least a dozen federal and state government agencies, including the Virginia State Corporation Commission. Another hacked into two state government web domains to sell fake e-books with the possible aim of stealing credit card information.
These issues have occurred despite VITA having more than doubled security staff over the past decade, from 11 to 28 people as of 2020. A director quoted in the JLARC report estimated that 4 to 5 people additional staff should be hired to meet demand. .
VITA declined to do an interview on Friday.
However, Virginia Chief Information Officer Nelson Moe told General Assembly members on Monday that continued investment is needed to address what he sees as their biggest challenge.
“The capacity of the network and also its ability to protect it,” Moe said.
A staff increase plan is due to be presented to the General Assembly and JLARC on December 15, 2021 in preparation for the 2022 legislative session.