How prepared was Nevada to handle a cyberattack?
Just months before a massive cyberattack hit the state of Nevada, lawmakers made policy changes aiming to strengthen its cybersecurity response.
Nevada’s state government continues to reel from a ransomware attack that experts say appears to be the most serious ransomware attack against a state. The incident was discovered last week, shuttering offices and forcing delays in critical services.
Gov. Joe Lombardo said the state was well-prepared to handle the crisis, which has stretched into seven days of ongoing outages.
“I am absolutely confident in our level of preparedness,” Lombardo said at a Thursday news conference. With previous attacks against casinos and other small businesses, he said, the state has been prepared to implement its emergency responses.
Cybersecurity experts said the state is following standard protocols when it comes to handling an attack.
Most states follow cybersecurity guidelines and directions created by the federal government, according to Gregory Moody, director of UNLV’s cybersecurity program. If the state accepts federal Medicare dollars, there are certain controls in place, for instance. States have to comply with that federal guidance, he said.
The guidance also includes audits, Moody said. For example, Nevada’s health department, which administers the state’s Medicaid reimbursements, would be audited by Medicaid, Moody said.
Galluzi said in a news conference that the state’s cybersecurity systems have been audited by several federal entities.
Public entities are often not as well-equipped as private companies to handle cyberattacks because of the expense, according to Nir Perry, CEO of the global company Cyberwrite.
“They have a focus on serving their public, and so cyber is not necessarily their No. 1 concern, and even if it is, they don’t necessarily have the means to actually protect themselves,” Perry told the Las Vegas Review-Journal.
The governor’s recommended budget for the Office of Information Security was about $4.7 million in the 2025-2026 fiscal year and about $5.5 million in the 2026-2027 fiscal year, an additional $2.4 million from 2023.
“If you are a small organization or an organization without a very large cyber budget, your chances of actually preventing it … is very limited,” Perry said.
Even the most sophisticated agency is not necessarily the most sophisticated in its response to an attack, said Cynthia Cole, an attorney specializing in privacy and data security at the Palo Alto law firm Baker McKenzie.
Cole said it is common to see confusion and a lack of information come from the organization that was under attack.
“You don’t have all the answers, but you feel pressured to give answers,” she said.
Legislation to streamline cybersecurity passes
The Legislature passed Senate Bill 467, which created a singular, cohesive cybersecurity unit in the state and improved communication, according to Tim Galluzi, executive director of the Governor’s Technology Office, who presented the bill.
The law implemented the transition of the Office of Cyber Defense Coordination from the Department of Public Safety to the Office of the Chief Information Officer within the governor’s office. It combined the cyber defense office with the Office of Information Security, creating the singular Office of Information Security and Cyber Defense.
Galluzi told lawmakers in May that the Office of Information Security was focused inwardly on the executive branch, while the Office of Cyber Defense was externally focused, coordinating activities with municipal entities. The separate offices historically caused confusion, he said.
Galluzi said technology has changed since the Office of Cyber Defense Coordination was first envisioned in 2017. If the office saw what technology was available today, “they would be both in awe of the amazing tools that we have available and terrified of what our adversaries have at their fingertips.”
“We need to adapt and evolve with it,” he said.
Implementation of the new law is underway, according to Tim Robb, Homeland Security adviser in the Office of the Governor.
The law strengthens alignment between statewide cybersecurity strategy, enterprise IT operations and incident response, he said. During the cyber incident, the reorganization supported threat intelligence sharing, policy and partner management, Robb said in a statement to the Review-Journal.
The bill also required the merged Office of Information Security and Cyber Defense to continue to prepare and make publicly available a statewide strategic plan outlining best practices and recommendations for mitigating risks of cyber threats. The plan includes guidelines, not mandates, Galluzi told lawmakers.
Under the law, records that identify the detection or investigation of, or a response to, a cyberattack or threat are not public.
The state provided the Review-Journal a copy of the 2022 State of Nevada Cybersecurity Plan, a 41-page, three-year strategic planning document that includes recent projects for improving cybersecurity across the state, how to attract more cybersecurity staff, and best practices recommended for governments to follow.
Another bill failed
While one cybersecurity bill saw success, another failed.
Assembly Bill 432, sponsored by Assemblymember Toby Yurek, would have created the Security Operations Center in the Office of the Chief Information Officer.
The Security Operations Center would have provided state agencies and elected officers with cybersecurity services, including real-time monitoring of cyber infrastructure, threat mitigation, incident response and cybersecurity enforcement, according to the bill’s text.
The bill also would have required the Security Operations Center to develop policies and procedures to combat the increasing threats to state and local agencies posed by cybercriminals and protect sensitive data in an agency’s possession.
It also would have ensured a “coordinated and rapid response to any cybersecurity incident” that affects a state or local agency, according to the bill’s text.
Robb said a centralized security operations center model can add value, such as 24/7 monitoring and a unified threat response, but its absence did not delay the state’s response.
The state detected anomalous activity early Sunday, activated its cyber incident plan that afternoon, isolated affected systems to contain the threat, and engaged federal partners and third-party forensics, Robb said in a statement to the Review-Journal.
“Coming out of this incident, we’ll work with the Legislature on resourcing and structure, including (security operations center)-like capabilities, informed by the after-action review,” Robb said.
Yurek told the Review-Journal that he could not say with certainty his legislation would have prevented the recent and ongoing cyberattack, but that it would have strengthened Nevada’s defenses and put the state in a better position to respond.
The bill would also have established a fund and fee system for state agencies to use those services.
Yurek attributed the bill’s failure to partisan politics.
“My hope is that this crisis will remind all of us that when it comes to the security of our state, we need less politics and more partnerships,” Yurek, R-Henderson, said in a statement.
Contact Jessica Hill at jehill@reviewjournal.com. Follow @jess_hillyeah on X.