Virginia needs more IT security staff to defend against cyber attacks, new report says

News

RICHMOND, Va. (WRIC)- Service has been restored at state agencies after another network outage on Thursday but a new report reveals more resources are needed to prevent future problems, particularly from cyber attacks. 

On Friday, the Virginia Information Technologies Agency confirmed the outage was caused by a fiber cut during an external construction project and that it lasted about 90 minutes. It was first reported around 12:34PM on Thursday and could have potentially reached a wide range of agencies before staff was able to reroute network traffic, according to VITA. 

“We expect that permanent repairs to the fiber line will be completed this afternoon,” VITA Director of Communications Lindsay Legrand said in an email on Friday. “Once complete, our team will closely monitor the connectivity status today and into the weekend, and return network traffic to its original configuration once permanent restoration is confirmed.”

Two similar publicly reported issues in the last year were also caused by cut fiber lines, including one incident that shut down the Department of Elections website on the last day to register to vote.

With early voting underway once again, a new report is revealing concerns over the state’s ability to protect against intentional attacks. 

The Joint Legislative Audit and Review Commission, the state’s nonpartisan watchdog group, said VITA needs more IT security staff to handle growing responsibilities. 

“Security staff consistently raised concerns about staffing levels when we surveyed and interviewed them. Less than 7 percent said current security staffing levels are sufficient for the current workload,” said JLARC’s Chief Legislative Analyst for Ongoing Oversight Jamie Bitz in a presentation to legislators on Monday. 

One manager expressed concern that staff may be rushing through security reviews and making mistakes, according to the report. 

The report furthered that VITA lacks sufficient resources to monitor all 4,000-5,000 pieces of IT equipment that could be targeted for potential security vulnerabilities. As it stands, the state is only able to prioritize about 600 pieces of equipment. 

“VITA’s security group is not able to keep pace with all of the infrastructure changes that agencies are requesting and make sure they are consistent with the state’s security standards and that ultimately increases the risk of a cyber security breach in the commonwealth,” Bitz said. 

The update comes as the threat of cybersecurity is growing and becoming more complex, according to JLARC.

The report details multiple attacks on state agencies in recent years. One targeting the IT firm SolarWinds affected at least a dozen federal and state government agencies, including the Virginia State Corporation Commission. Another hacked two state government web domains to sell fake e-books in a possible effort to steal credit card information.

These issues have occurred despite the fact that VITA has more than doubled security staffing in the last decade from 11 to 28 people as of 2020. One director cited in the JLARC report estimated that 4 to 5 additional people would need to be hired to meet demand. 

VITA declined to do an interview on Friday.

However, Virginia’s Chief Information Officer Nelson Moe told members of the General Assembly on Monday that a continued investment is needed to cope with what he considers their biggest challenge. 

“The capacity of the network and also being able to protect it,” Moe said. 

A plan to increase staff is due to the General Assembly and JLARC on Dec. 15, 2021 in preparation for the 2022 legislative session. 

Copyright 2021 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Trending Stories

Don't Miss

More Don't Miss