The governor’s office did not directly respond to questions about additional details on the cyber attack, including what ransom was demanded by the attackers, and whether a ransom was paid by the state. (Photo: April Corbin Girnus/Nevada Current)
More than six weeks have passed since Gov. Joe Lombardo’s office announced the State of Nevada had been breached by cyberattackers, and Nevadans are still in the dark about the scope of the damage done, or whether the state has paid a ransom.
Cybersecurity professionals say investigations of incidents of this scale will likely take months, so it’s expected that additional information is not available, but some worry information might be downplayed or delayed for political purposes.
On Aug. 24, the governor’s office announced a “cyber incident.” All state agencies, including the Department of Motor Vehicles and social services offices, were physically shuttered for at least two days. All state agency websites were taken offline in what the governor’s office described as a proactive and precautionary measure.
For weeks: The agency that processes Medicaid, SNAP and TANF applications reverted to having new applicants fill out paper forms; mandatory background checks for firearms were unavailable, halting legal sales and transfers for anyone without a concealed carry permit; law enforcement databases containing information about criminal records and registered sex offenders were inaccessible; and businesses like car dealerships and smog check shops that use DMV databases experienced delays and issues.
Greg Moody, director of the cybersecurity program at UNLV, called it “the largest state-focused attack in modern history.” Others in the cybersecurity world have described it as an unprecedented attack.
On Sept. 12, the governor’s office announced that “90%” of public-facing state agency websites had been restored. Since then, the governor has provided no additional updates.
On Monday, the recovery update page set up by the state displayed a banner stating all state agency websites have been restored and the recovery page will no longer be updated. It’s unclear when that banner went up, and the governor’s office did not directly respond to the Nevada Current’s question asking when the last state website was restored.
“All major constituent-facing services are back online, and Nevada is operational again,” said Josh Meny, the governor’s press secretary, in an emailed statement. “Our agencies are diligently working to resolve any intermittent back-end issues, but the majority of these issues are not directly attributable to the cyber incident but are instead linked to other recent enhancements aimed at strengthening and securing our cyber environment.”
Some specific features of agency websites may still be down, but no full accounting of that is publicly available. As Meny put it, “it may be challenging to precisely quantify the minor adjustments currently being implemented by agencies” but the state “is actively compiling an inventory of these efforts.”
The governor’s office did not directly respond to questions about additional details on the cyber attack, including what ransom was demanded by the attackers, and whether that ransom was paid by the state.
“The state remains committed to transparent communication and will share a final update once all efforts have been successfully completed,” said Meny in the statement.
Moody from UNLV says it’s not surprising there hasn’t been additional information released. Nevada is working with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI on the investigation, and one or both of those agencies is likely the lead, he says.
It takes a lot of time and effort to retrace electronic actions, says Moody, and investigators must preserve evidence for possible prosecution.
“It makes the process go slower,” he added.
Meny, for the governor’s office, emphasized that the state still “has not seen evidence of any constituent PII (personally identifiable information) being compromised in this attack.”
He added, “As Governor Lombardo has previously said, if investigators eventually discover otherwise, the state will follow Nevada’s strict statutes about personal data breaches by notifying any affected individuals promptly and providing resources to help protect them.”
The state has previously said that data was exfiltrated — meaning taken off the state’s system and moved elsewhere. But it has not said what that data entailed.
Moody notes Nevada Revised Statute includes a strict definition for “personal information.” To meet the definition, the data must include a full or partial name as well as another element, such as a driver’s license number or password information.
If the information was encrypted, it would not meet the state definition, he added, because there’s “some reasonable assurance” that attackers would not have access to it.
Moody says the attackers could have gotten information that does not meet the state’s definition of personally identifiable information, or they could have been exploring how the state’s centralized IT system is set up in hopes of replicating an attack elsewhere.
“Who knows,” he said. “Until we know the hacker and the motivation it’ll be hard to know what they were looking for.”
Lombardo in an earlier press conference has described the incident as a ransomware attack, and he has suggested the motivation was a financial ransom.
While some states have passed laws banning the paying of such ransoms, Nevada has no such law.
“They could have cut a deal or paid a ransom,” said Michael Leonard, a former IT professional and publisher of Mike’s Reno Report who’s been following the cyberattack. “‘Keep quiet and we’ll give you money.’”
Leonard is critical of the lack of info, acknowledging that while the investigation must be taken into account, the state still needs “to come forward with enough information to ensure us they’re investigating and credible.”
He suspects the silence is driven as much by politics as by the investigation itself.
“I would say it’s equal motivation,” said Leonard. “To protect the reputation of government officials and elected officials.”
“There are unanswered questions and we should be asking them,” he added.
Lombardo is up for reelection next year and considered one of the most vulnerable governors in the nation. Candidate filing does not begin until March, but Attorney General Aaron Ford is currently considered the frontrunner to challenge him, though Ford faces a Democratic primary first.
Democratic legislative leaders expressed criticism of Lombardo in the days immediately after the cyberattack but have remained relatively quiet on the issue since.
Assembly Speaker Steve Yeager on Sept. 9 announced he would form a legislative working group on cybersecurity. His caucus did not respond to the Current’s request Thursday for an update on that effort.
This content is courtesy of, and owned and copyrighted by, https://www.nevadacurrent.com and its author. This content is made available by use of the public RSS feed offered by the host site and is used for educational purposes only. If you are the author or represent the host site and would like this content removed now and in the future, please contact USSANews.com using the email address in the Contact page found in the website menu.