cyberattack session ncsl base camp

Clockwise from top left: Dan Lohrmann, Ervan Rodgers and James Weaver discuss cybersecurity at NCSL Base Camp 2020.

NCSL Base Camp 2020: Cyberattacks on the Rise During Coronavirus Pandemic

By Kevin Frazzini | Sept. 16, 2020 | State Legislatures Magazine

Since the coronavirus pandemic began, many school districts and employers have responded with the best interests of students and workers in mind. Schools are providing online instruction; businesses are letting employees work remotely.

Not everyone has been so conscientious, however. Cyberscammers are exploiting the health crisis for malicious reasons. School districts, employers large and small, agencies at all levels of government—no one is safe from attempted hacks and other cyberattacks.

The FBI reported earlier this year that complaints of cyberattacks received by its cyber division numbered up to 4,000 a day—a 400% increase over pre-coronavirus numbers. Are state governments in a position to handle these growing threats, and what can lawmakers do to help prevent them?

Those were among the questions addressed in the web presentation “Taking Advantage of a Crisis: Cyberattacks in the COVID-19 Pandemic” during the first day of NCSL Base Camp 2020.

Session moderator Dan Lohrmann, chief security officer and chief strategist at Security Mentor Inc., led a wide-ranging, interactive discussion with a panel that included Ervan Rodgers, Ohio’s chief information officer and the assistant director of the Department of Administrative Services, and James Weaver, Washington state’s CIO and director of Washington Technology Solutions, the state’s IT agency.

The discussion began with a reminder that cyber threats didn’t begin with the pandemic. In fact, last year was a tough one, with at least 1,000 local and state government entities and more than 500 school districts hit with ransomware attacks. There were 1.5 cyberattacks per computer per minute and more than 16,000 records compromised every minute, Lohrmann said.

Ransomware, Phishing on the Rise

Ransomware attacks, in which a criminal threatens to publish a victim’s data or block access to it unless a ransom is paid, and phishing, in which an attacker tries to steal user data such as login credentials often via fraudulent email, are on the rise and getting more sophisticated all the time, Rodgers and Weaver said.

Also increasing is the amount of money being demanded in ransomware attacks, with ransoms last year ranging from the tens of thousands of dollars to several million, Lohrmann said. And most victims are willing to pay. As many as 58% of ransomware victims, from every industry, have paid the ransom, according to a study by the market research firm CyberEdge Group.

Helping government agencies defend against these attacks in the current climate is particularly challenging because remote work puts a growing portion of employees’ work outside the traditional network security system, Weaver said.

That means employees must be trained to act as a human firewall, Rodgers said. Cybersecurity training must be regular—monthly is ideal, he said—and should account for the reality that, while working from home, employees might use personal equipment. They should follow the same cybersecurity practices whether they’re using a personal iPad or an employer-issued laptop.

How can state lawmakers help?

  • Get to know your state chief information officer or information security officer. They are the experts who create and maintain the strategies that ensure your state’s vital information assets are protected.
  • Put in place a strategic technology plan that includes cybersecurity.
  • Be sure the plan functions efficiently at the state and local levels. A good plan prevents territorial battles among agencies, Weaver said. It should be based on a holistic, interagency response to security threats—“one team, one goal,” as Rodgers put it.
  • Ensure that your technology plan is adequately funded.

If anyone doubted the urgency of cyber threats during this pandemic era, Weaver tried to make the risk clear.

“Cybersecurity is everybody’s responsibility,” he said. “It’s not a question of if (an attack) happens but when.”

Kevin Frazzini is an editor in NCSL’s Communications Division.

Additional NCSL Resources