Cybersecurity Update – March 2022

Updates from the Resource Center for State Cybersecurity team, March 31, 2022


Resource Center Announcements

SAVE THE DATE: National Summit on State Cybersecurity – June 22-24 in Columbus, Ohio 

NGA will host its Fifth National Summit on State Cybersecurity from June 22 – 24, 2022 in Columbus, Ohio. As the only national meeting exclusively focused on state cybersecurity, this unique event will convene Governors’ offices, state homeland security advisers, chief information officers, chief information security officers, National Guard leaders, and others from all 55 states and territories. More information, including hotel and registration details, will be forthcoming. 


NGA Request for Information: In 2019, California adopted a dedicated, cyber-specific Emergency Support Function (ESF) annex to its emergency response plan. Has your state considered this approach? Please contact Steve Fugelsang here to elaborate. 


Cybersecurity Resources 

White House Issues Statement and Fact Sheet on Cybersecurity 

On March 21, President Biden issued a statement on domestic cyber threats and a fact sheet reminding companies what they can do now and in the long term to bolster our national cyber defense. Read the full statement here and the fact sheet here.   


NGA One-Pager to Governors on Federal Cybersecurity Resources  

In light of the White House’s recent warning that Russia may be planning cyberattacks against U.S. critical infrastructure in retaliation for economic sanctions countering President Putin’s aggression in Ukraine, NGA issued a memo to Governors outlining federal cybersecurity resources. Contact cyber@nga.org for more information about the memo.


Cybersecurity News 

Governors Tighten IT Cybersecurity Amid Ukraine Attacks 

In response to Russian cyberattacks on Ukraine’s government, several Governors have made a point to address their states’ critical infrastructure security. Specifically, Governors of Texas, Colorado, New York, and New Jersey have issued directives to their respective state agencies. Read more here.


California Bar Says ‘Hack’ Exposed Thousands of Attorney Discipline Cases 

The California State Bar has confirmed a data leak of more than 260,000 attorney discipline cases. Bar leaders became aware of the hack on February 24 and promptly removed the confidential case information two days later. The hacked data was discovered on judyrecords.com, a free database which includes over 630 million court cases. The California State Bar has enlisted forensic experts and software vendor Tyler Technologies to investigate. Read more here.    


New Mexico Governor Names Cyber Adviser, Cites Russian Threat 

On March 18, Governor Michelle Lujan Grisham named Annie Winterfield Manriquez as Senior Cybersecurity and Critical Infrastructure Adviser. Manriquez will be enhancing the state’s cybersecurity in response to the growing cyber threat from Russia. Read more here.


China Hacked at Least Six U.S. State Governments 

Hacker group APT41, affiliated with the Chinese government, is reported to have hacked the networks of at least six U.S. state governments. The report from Mandiant does not identify the affected states. The report acknowledges that hackers exploited a previously unknown vulnerability in an off-the-shelf commercial web application and the software flaw ‘Log4j’ that was discovered in December. Read more here.


Local Leaders ‘Cannot Hide from Technology’ 

The National Association of Counties will be conducting a year-long project aimed at improving communication between county technology leaders and county officials. On February 27, the association released a report that will serve as its first step in this project. Read more here.   


White House to Order Studies on Regulating, Issuing Cryptocurrency 

President Biden has instructed the Justice Department, Treasury Department, and other agencies to study the effects of a U.S. central bank digital currency. These agencies will produce a series of reports on the cryptocurrency market. President Biden’s order follows U.S.-imposed sanctions on Russia, which Russian elites may attempt to circumvent using cryptocurrencies. Read more here.    


Governments Confront Rising Cyber Insurance Rates 

A survey conducted by CompTIA Public Technology Institute (PTI) found that 69 percent of local governments are paying higher cyber insurance premiums. Read more here.  


California-Based Company at Center of Huge Education Hack 

Earlier this year, New York City public schools suffered a cyberattack that compromised roughly 820,000 current and former students’ data and personal information. The Irvine-based organization Illuminate Education was the target of the hack. The data obtained spans four categories: biographic information, special education information, sensitive information, and academic information. Read more here.       


Schools Would Receive Funding for Cyber Education Programs Under Bipartisan Bill 

The Cybersecurity Grants for Schools Act of 2022 passed the U.S. House Committee on Homeland Security earlier this month. The bill would ensure federal grants are dispersed to state and local schools, as well as financial aid to nonprofits, to better educate Americans about the cybersecurity landscape. The grants would be issued through the Cybersecurity Education and Training Assistance Program within CISA. Read more here.    


Utah Adopts Comprehensive State Privacy Law 

On March 24, Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”) into law. Utah is now the fourth state to adopt a statewide privacy law. The law will become effective in December 2023. Read more here.  


Investors Turn to Crypto Funds, Companies as Russia-Ukraine Crisis Escalates 

In response to the Russia-Ukraine conflict, global investors are investing in cryptocurrency funds and companies. Just in the two weeks following March 4, crypto investment products and funds saw $163 million in new institutional money. Read more here.