Any incident that threatens the security of the state data or communications, exposes data protected by federal or state laws, or compromises the security of public entities or agencies’ IT systems must be reported within the 24-hour time frame.
Aliscia Andrews, Virginia’s deputy secretary of cybersecurity, explained that the legislation stems from bipartisan efforts to address increasing cybersecurity threats against government agencies.
“We have Democrats and Republicans on our capitol hill here in Richmond, who understand the importance of cybersecurity,” Andrews said. “They recognize that in the first 24 hours, it’s critical that we know that an incident has occurred.”
The new reporting mandate also allows for better visibility into whether an incident affected more than one locality at the same time, she added.
The law doesn’t necessarily change the incident reporting process; it only adds a 24-hour turnaround time for agencies to report an incident. “It’s a process that has already been in place,” Andrews said. “It just now has a 24-hour immediate reporting time period; what happens is just like all crimes, you report it.”
Incident reporting is routed through the Virginia Fusion Intelligence Center, which was created as a partnership between the Virginia State Police and the Virginia Department of Emergency Management aimed at improving the state's preparedness against terrorist attacks and other criminal activity.
In addition to the reporting requirement, the bill also mandates that the state’s chief information officer convenes a work group of state and local stakeholders to review the reporting and information-sharing practices. The work group began meeting in May, before the law went into effect, according to a press release from the Virginia IT Agency.
“The importance of that work group is that it makes sure that you capture the localities equities, because that’s really the group that will be the most impacted here,” Andrews said.
The state faced over 66 million cyber attack attempts on its systems last year, equaling a rate of 2.12 attacks every second, CIO Robert Osmond said in the release.
“When we see the intensity and sophistication with which cyber attackers are carrying out these threats, we know that we need every resource available to strengthen our cybersecurity infrastructure,” Osmond said.
