State and Federal Response to COVID-19 Cybersecurity

By Casandra Hockenberry, Policy Analyst, The Council of State Governments Overseas Voting Initiative

Summary

Cybersecurity refers to the measures taken to secure electronic data and systems against criminal attacks, including malware, phishing, spearphishing and denial-of-service. Most companies and businesses have taken some level of internal cybersecurity steps to stop these attacks. COVID-19 means we are seeing unprecedented levels of teleworking, including telemedicine. Suddenly, these systems are significantly more open to cyber-attacks. Additionally, actors both foreign and domestic have been working on misinformation and disinformation campaigns.

Addressing the Problem

Misinformation and disinformation have been ongoing issues in the 2020 Elections, but more and more we have been seeing them surround any topic that rises to national attention.

We are also seeing a huge increase in cyber scams surrounding COVID-19, from fraudulent charities or causes to tricking victims into revealing personal or sensitive information. Iranian and (suspected) Chinese government-backed hackers have been linked to campaigns targeting victims with COVID-19 based messages to spread spyware and malware.[1] This includes fake emails that are made to look like businesses issuing information about how they are responding to the virus’s spread.

Cyber-attacks happen frequently, but most organizations supply computers that are networked in the office. The organization or business takes steps to secure that network and to stop cyber-attacks. When people are working from home, they are significantly more vulnerable to attacks. Your average American isn’t aware of all of the vulnerabilities that arise just by logging into a wireless connection. Most have not changed the password for their wireless router. Luckily, many organizations require Virtual Private Network (VPN) access. Unfortunately, most of these networks were not prepared for the unprecedented levels of teleworking that we have seen.

We are also seeing a large number of organizations using video calling platforms such as Teams and Zoom to conduct meetings. The FBI issued a warning about “Zoombombing,” which is when unauthorized users hijack teleconferences. We have seen this in schools, where internet trolls disrupted online classes to shout profanities at teachers. Additionally, we have seen sporadic outages on these sites and Microsoft servers as companies adjust to this high influx of usage.

How are States Impacted?

States are impacted by their cyber infrastructure not being able to keep up with the traffic they are seeing on sites like unemployment pages.[2] They are also going to see an uptick in cybercrime and prosecutions. States have also had to spend big to mobilize their state government employees for teleworking for extended periods of time. John Evans, former chief information security officer of Maryland, noted, “You typically don’t anticipate there’s going to be 100 percent of your workforce that’s going to be teleworking for an extended period of time. You don’t think about something at this scale for this long.”[3]

Action in the States

  • The Cybersecurity and Infrastructure Security Agency (CISA) created a page encouraging certain precautions that individuals can take to protect themselves from cyber scams. This is a part of CISA’s National Cyber Awareness System, which provides up-to-date information on security activity. Available here: https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams
  • Attorney General William Barr directed Department of Justice U.S. Attorneys to prioritize prosecution of individuals who are capitalizing on COVID-19 by selling fake cures for COVID-19 as well as engaging in phishing campaigns and malware attacks.
    • As a result of Attorney General Barr’s priority announcement, Virginia and the DOJ combined forces and created the Virginia Coronavirus Fraud Task Force. They will focus on scams by bad actors posing as health officials and charities. They also cited a phishing campaign targeting personal information where the attackers are posing as the WHO and CDC.
  • Microsoft has expanded its cybersecurity offerings to state and local election officials, including a free service offering threat detection and specialized services from Microsoft’s incident-response group.[4] Microsoft also said it will make members of its Detection and Response Team, or DART, its incident-response group, available to election officials at discounted rates through a program the company is calling “Election Security Advisors.”
  • Ohio CIO Ervan Rodgers has said his team and the state government’s 51,000 employees have been heavily leaning on its VPN and Microsoft Office 365 suite of online productivity applications.
  • The Colorado Office of Information Technology spent nearly $2.4 million purchasing 1,800 laptops for the surge in remote workers. They also ramped up their VPN capacity from 10,000 users to 30,000 users.[5]
  • The stimulus package included money for broadband expansion through the US Dept. of Agriculture’s ReConnect program, which offers loans and grants to rural governments, businesses, and nonprofits.
  • The Election Assistance Commission (EAC) has stated that the $425 million and $380 million that were granted to states for cybersecurity may be used for coronavirus security.
  • The FBI issued a warning about Zoom teleconference meetings being vulnerable to hijacking. Zoom is currently spending 90 days shoring up their security on the back end to work to prevent these hijacks.

What is the Expected Outcome?

States and private enterprise are working collaboratively to find solutions to some of the challenges working from home can cause. We will see the most agile state government workforce in our history. States will have to remain vigilant against these cybersecurity threats, and prosecutions against these bad actors will increase. Ongoing reliance on VPNs will mean that states will likely need more money to shore up these systems and make sure they are as secure as possible. State workers will likely need to be trained (virtually) on how to work from home in a more secure fashion.

Resources for State Leaders:


[1] Cybercriminals, Nation-States Increasingly Tailoring Coronavirus Spearphishing Campaigns, by Shannon Vavra, March 12, 2020, https://www.cyberscoop.com/coronavirus-phishing-scams-iran-china/

[2] States’ Unemployment Systems Are Failing Their Stress Test, by Colin Wood, April 1, 2020 https://statescoop.com/states-unemployment-systems-are-failing-their-stress-test/

[3] Coronavirus Tests States’ Cybersecurity, IT Supply Chain, by Benjamin Feed, March 16, 2020 https://statescoop.com/coronavirus-tests-states-cybersecurity-it-supply-chains/

[4] Protecting Democracy, Especially in a Time of Crisis, by Jan Neutze, April 2, 2020 https://blogs.microsoft.com/on-the-issues/2020/04/02/defending-democracy-program-extended/

[5] States Spend Big on Remote-Working Tech, Brace for Unemployment, by Colin Wood, March 24, 2020 https://statescoop.com/states-spend-big-remote-working-tech-brace-unemployment/