Credit Illinois Attorney General Kwame Raoul with this: Faced with an embarrassing and costly failure by his office to protect itself against a cybersecurity attack, he at least has been open about the breakdown and its costs.
The cleanup operation alone has run to $2.5 million, Raoul said last week. His office has created a new security-analyst position and plans to staff it adequately to build a comprehensive cybersecurity program.
Raoul paid no ransom, he told reporters for the Chicago Tribune and the Better Government Association in an interview. And he acknowledges uncertainty about how much information the cyberthieves stole: anything from private data about state residents to the confidential findings of AG investigations to who knows what else.
The candor is laudable. But it doesn’t begin to answer all the questions that still hang over the successful hack of Raoul’s office, apparently by a major Russia-based criminal cabal.
In January, Raoul received a bald warning from the state’s Auditor General. In the draft of a report that would be released in February, the state-government auditor found “weaknesses in cybersecurity programs and practices” that included “significant deficiency and noncompliance.”
Raoul’s official reaction at the time, as indicated by the written response to audit findings, was less than urgent. “The office emphasizes that it maintains a highly secure computer environment that safeguards confidential and personal information from attacks and unauthorized disclosure,” it said. And also, “the office administers its cybersecurity system as though all data in its possession is at high risk and susceptible to attack.”
Eight weeks later to the day, those systems were breached.
And nearly four months now since the breach, many of the computer systems in Raoul’s office are still shut down. One of the reasons, Raoul explained, is that to move too fast might create vulnerabilities that future hackers could exploit. Besides, he needs to avoid destroying evidence as federal investigators seek to discover how the hack occurred.
The lack of an urgent and effective response by Raoul’s office came against the backdrop of a fire alarm that has rung across the state of Illinois. Back in January, he was told his office was on a list that would grow to include 29 state agencies and universities with significant cybersecurity weaknesses.
Since then, the auditor general has reported breaches at the Department of Human Services and the Department of Healthcare and Family Services, too.
The lack of an effective response by Raoul’s office, particularly after the audit warning, was on the mind of state Rep. Brad Halbrook, a Republican from downstate Shelby County, during a legislative hearing into the hack.
“I’m just curious what we’re doing, why we didn’t anticipate this, why we didn’t have redundant systems in place to be ready to roll in case something happened like this?” Halbrook asked, according to coverage by Capitol News Illinois.
“I don’t know what the satisfactory answer that you’d want to your question,” Raoul responded. He went on to express pride in his staff for its post-breach cleanup efforts.
The satisfactory answer might be for Raoul to report the specific steps taken between the warning and the breach, as well as an analysis of why those steps were not effective.
And taking the question beyond just Raoul’s office, a satisfactory answer from state government might include an explanation of why 29 government units in Illinois remained vulnerable as of the auditor general’s most recent reckoning.
The warnings have been clear for years.
Five years have passed since the Illinois Board of Elections in 2016 suffered the most damage from a Russian government effort to infiltrate election systems in numerous states. The hackers gained access to private information about 76,000 Illinois voters.
Since 2019, Rockford’s public schools, LaSalle County and Heartland Community College have been hacked, the BGA and Tribune reported. Southern Illinois University even paid a $472,000 ransom in order to get the computer system at its Edwardsville campus back online.
And at the height of the COVID pandemic last summer, the Illinois Department of Employment Security suffered a massive breach, in which cybercriminals put unemployment payments owed to thousands of state residents at risk.
Raoul has said that a silver lining may attach to the attack on his office: Other agencies can learn from the cleanup effort, he said.
Some lessons about the cleanup effort will be a good thing. Even more valuable would be for Raoul and all the others with vulnerabilities to detail how they responded in efforts to prevent the break-ins in the first place.