As a leading voice in policy and legislation, Donald Gainsborough, at the helm of Government Curated, brings unparalleled insight into the intersection of state governance and cybersecurity. With Nevada reeling from a significant cyberattack announced on August 24, his expertise offers a critical perspective on the state’s recovery, the impact on residents, and the broader implications for government transparency and security. In this interview, we explore the ongoing recovery efforts, the scope of the attack’s disruption to vital services, the challenges of balancing transparency with investigation integrity, the nature of the compromised data, and the lingering questions surrounding potential ransom payments. Join us as we dive into these pressing issues with a true political savant.
How has Nevada progressed in recovering from the cyberattack announced on August 24, and what challenges remain in getting everything back to normal?
The recovery process has been a massive undertaking. From what I’ve observed, the state has made significant strides since the initial announcement, with the governor’s office reporting that all state agency websites are back online as of the latest updates. That’s a critical milestone, especially for public-facing services. However, there are still intermittent back-end issues that agencies are working through. These aren’t always directly tied to the attack itself but sometimes to other system upgrades meant to bolster security. The challenge lies in addressing these lingering problems without disrupting services again, and it’s a slow process to ensure everything is stable and secure.
Can you walk us through the scale of this cyberattack and how it disrupted essential services for Nevada residents?
The scale of this attack was staggering, often described as one of the largest state-focused cyberattacks in recent history. In the initial days, nearly every state agency was affected—offices like the DMV and social services had to shut down physically for at least two days, and their websites went offline as a precaution. This meant critical programs like Medicaid and SNAP reverted to paper forms, firearm background checks were halted, and even businesses like car dealerships faced delays due to inaccessible DMV databases. The ripple effect on residents was profound, disrupting daily life and access to essential support.
What’s behind the limited updates from the state since the initial announcements about the cyberattack?
The scarcity of updates isn’t entirely unexpected. Nevada is collaborating with federal partners like the FBI and the Department of Homeland Security on the investigation, and these agencies often take the lead in such cases. Releasing information prematurely could jeopardize evidence or compromise the process, which naturally slows down public communication. There’s also a need to balance transparency with protecting the integrity of the investigation, and I suspect the state is erring on the side of caution until they have a complete picture of what happened.
There’s been mention of data being taken during the attack. Can you shed light on what kind of information might have been compromised?
The state has confirmed that data was exfiltrated, meaning it was copied and moved off their systems. However, specifics remain unclear. What we do know is that there’s no evidence yet of personally identifiable information being accessed—at least not under Nevada’s strict legal definition, which requires certain combinations of data like names with driver’s license numbers. It’s possible the data taken was encrypted or doesn’t meet that threshold, or it could be related to system architecture rather than personal records. Until more details emerge from the investigation, it’s hard to say definitively.
A lot of speculation surrounds whether Nevada paid a ransom to the attackers. Can you explain the complexities of this situation and what factors might influence such a decision?
The question of ransom is a sensitive one, and the state hasn’t confirmed whether a demand was made or if any payment occurred. Ransomware attacks often involve financial demands, and while some states have laws against paying ransoms, Nevada does not. The decision, if it came to that, would weigh multiple factors—potential legal ramifications, the risk of encouraging future attacks by paying, and the urgency of restoring systems or protecting data. There’s also the political angle; any decision could impact public trust, especially with elections on the horizon. It’s a tough spot for any administration to navigate.
Looking ahead, what is your forecast for how Nevada and other states can better prepare for and respond to cyberattacks of this magnitude?
I believe we’re at a turning point where states must treat cybersecurity as a core function of governance, not just an IT issue. Nevada’s experience highlights the need for robust, proactive defenses—think regular system audits, employee training on phishing and other threats, and investment in modern infrastructure. Collaboration with federal agencies will remain crucial, but states also need clear communication strategies to maintain public trust during crises. My forecast is that we’ll see more legislative focus on cybersecurity in the coming years, possibly including laws around ransom payments and mandatory breach reporting timelines. The question is whether funding and political will can keep pace with the growing sophistication of these threats.
