“We know there was an intrusion, we’re evaluating how the intrusion occurred, and currently (the Cybersecurity and Infrastructure Security Agency), from the federal government, is evaluating whether there’s a demand,” Gov. Joe Lombardo said Thursday. (Photo: Hugh Jackson/Nevada Current)
The state does not know what the cyber attackers who crashed multiple state systems and stole some data from those systems want, Gov. Joe Lombardo said Thursday.
Asked if the attackers had contacted the state, Lombardo said “we know there was an intrusion, we’re evaluating how the intrusion occurred, and currently CISA (the Cybersecurity and Infrastructure Security Agency), from the federal government, is evaluating whether there’s a demand.”
Asked to clarify that there had been no demand, Lombardo said “it’s clear there’s been an intrusion, but it’s not clear what the motive was.”
Lombardo made his remarks during a briefing with reporters in Las Vegas Thursday afternoon.
The governor also addressed his absence at the first public briefing on the attack by public officials, which had been held Wednesday. The absence seemed conspicuous to many, including the Nevada Democratic Party, which issued a statement linking to a social media notice posted by the Elko County Republicans for an RSVP-only meet and greet with the governor Wednesday.
Lombardo said he was in Elko, Eureka and Ely for pre-planned meetings “with local government officials and constituents” and was in frequent contact with state agency directors and the experts engaged in the process of recovering and restoring Nevada’s downed systems.
“Listen,” Lombardo said Thursday after being asked multiple questions about his absence the day before, “this press conference is not intended to address my absence. I’m here, I’m taking care of business, and I’ve never strayed from my responsibility as your governor.”
Lombardo also addressed statements from his office earlier in the week that the state was unaware of any personal information having been released to the public. “That’s what we knew at the time,” he said.
On Wednesday, the Governor’s Technology Office’s Timothy Galluzi announced data had in fact been removed from the state networks, though officials aren’t sure exactly what the data was.
Several state agency directors Thursday reiterated updates they had made the day before about the status of their services.
But unlike Wednesday, the state has created a website designed to provide Nevadans with daily “service status” updates and functioning contact information for state agencies and departments. The website’s content is to be updated frequently, Lombardo said.
Ransoms, and a bill that didn’t become a law
“I’m absolutely confident in our level of preparedness,” Lombardo said Thursday, noting that cyber intrusions are increasingly common worldwide.
“Of course you can’t prevent everything from happening,” Lombardo said, citing mitigation and preparedness exercises and having third parties test systems. “We have done that.”
“Unfortunately,” he added, the cyber attackers “had access into our systems, and we’re evaluating why.”
Earlier this year legislation was introduced by Las Vegas Republican Assemblymember Toby Yurek to create a state “Security Operations Center” (SOC) to better protect the state of Nevada from cyber threats.
“Every voter record, every tax record, every tax form, every school form, every email sent, every transaction is an opportunity for a threat actor to move from a Nevadan to a visitor to a local entity, and beyond,” Galluzi, the executive director of the Governor’s Technology Office and the state’s chief information officer, said while making a presentation in support of the legislation in March.
Galluzi praised increased collaboration between state agencies on cyber threat awareness and prevention, but “collaboration is not a substitute for structure. Nevada lacks a centralized backbone for cybersecurity,” Galluzi told the Assembly Government Affairs Committee.
Also, “many of our agencies are running on aging infrastructure, and tight budgets.”
Galluzi in March also referenced several instances of cyber attacks carried out against state and local governments, including a 2008 ransomware attack in Atlanta where recovery costs were estimated at $17 million, and a 2023 ransomware attack on Oakland, California.
Oakland didn’t pay the ransom. That resulted in class action suits filed on behalf of at least 13,000 Oakland city employees. Oakland reached a settlement earlier this year agreeing to provide compensation, including $350 per person for credit report and credit monitoring costs, $175 cash for every Oakland police officer, and up to $10,000 per claimant for extraordinary losses connected to identity theft and fraud.
At least two states, North Carolina and Florida, have banned public ransomware payments.
Ohio earlier this year enacted legislation under which a public government agency cannot pay a ransomware demand without first getting approval, publicly, from the legislative body with oversight of the agency.
And New York enacted legislation this summer requiring state and local governments to disclose to the state’s Division of Homeland Security and Emergency Services if they have paid a ransomware demand.
“There is no absolute policy” on paying ransoms in Nevada, Lombardo said Thursday, saying the options “are under consideration.”
“We do have an insurance policy that helps us,” he added.
In addition to creating a Security Operations Center within the chief information office, which is under Galluzi’s direction, the legislation, AB 432, would have authorized that office to apply for additional federal grants to finance state security enhancements. The bill also would have extended SOC coverage to school districts, and required the SOC to provide annual accountability reports.
After that March 24 committee hearing, the bill was referred to the Assembly Ways and Means Committee, where funding determinations and allocations are made, and which is colloquially referred to as “where bills go to die.” No further action was taken on the bill.
The cyber attack on the state occurred less than three months after the end of the legislative session. Even if progress on creating an SOC had begun immediately, and with a state investigation still ongoing, it is impossible to know if the legislation might have helped prevent the attack.
Author: Hugh Jackson
This content is courtesy of, and owned and copyrighted by, https://www.nevadacurrent.com and its author.