After North Carolina cyberattacks, IT officials warn General Assembly of poor preparedness
Ray Tan via Getty Images
The state’s systems face more than 10 billion attack attempts each month, a top cybersecurity official told lawmakers.
This story was originally published by NC Newsline.
Weeks after cyberattacks targeted North Carolina government services during the winter storms that buffeted the state, IT officials warned North Carolina lawmakers that the state is underprepared for digital threats — in part because of recent legislative actions.
The state is the target of more than 10 billion attempted cyberattacks every month, N.C. Chief Information Security Officer Bernice Russell-Bond told the Joint Legislative Oversight Committee on Information Technology on Thursday. That includes attempts to breach government websites, unauthorized network scans, and viruses and malware that could paralyze entire agencies.
“We are a major target for cyber criminals. We are seeing a lot more activity,” Russell-Bond said.
Russell-Bond cited an attack on Nevada’s government last September that took down the state’s Department of Motor Vehicles systems, Health and Human Services public aid services and critical state law enforcement tools. Some systems, she said, were not fully restored until three months later.
“We’re going to constantly need to have support to ensure that we can recover from the different attacks that we know we’re going to get if we can’t prevent them,” Russell-Bond said.
North Carolina IT Secretary Teena Piccione said the recent exemption of many state agencies from the Department of Information Technology’s policies and practices creates vulnerabilities for cyber criminals to target.
Prior to 2025, only the General Assembly, the state courts, and the University of North Carolina system were exempted from the N.C. Department of IT’s policies and procurement process. The General Assembly vastly expanded those exclusions last year, passing legislation that added exemptions for the State Auditor’s office, the Department of the State Treasurer, the State Board of Elections, and the State Highway Patrol.
Piccione conceded that the exemptions arose from a lack of confidence in the department in the past. But the result, she said, is a higher risk of a successful attack.
“That means our visibility wanes across the state, and we don’t have resources embedded in the exempt places where we could see and/or protect,” Piccione said. “Cyber isn’t red, cyber isn’t blue, cyber is purple. It comes for all of us.”
Committee members expressed concern, even those who had voted for the exemptions.
“That, in my opinion, is a huge problem, because they’re not using the same resources,” said Sen. Steve Jarvis (R-Davidson), the committee’s vice chair. “We’re not watching together. We’re not working as a team. What reason would any agency even request to be exempt?”
“Who’s not working with you?” Sen. Jim Burgin (R-Harnett) asked regarding the procurement process. “You’re trying to help people buy stuff. I know they want to buy their own stuff and they don’t want people to tell them what to buy. So, can you send us a list?”
Jarvis and Burgin were among the 30 Republican senators who voted to enact the bill exempting the State Auditor’s Office last July over Gov. Josh Stein’s veto. Other exemptions were added in the October budget bill, which passed the Senate unanimously.
Russell-Bond said another difficulty is funding. North Carolina earmarks less recurring funding for cybersecurity than any other state, causing chronic uncertainty for those who rely on the department’s services.
“A lot of counties may have some hesitation with some of our offerings because it’s, ‘Well, what are you going to do next year? If you don’t get your budget, who’s gonna cover that for us in the future?’” Russell-Bond said. “If we don’t have the budget, we don’t come through.”
NC Newsline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. NC Newsline maintains editorial independence. Contact Editor Laura Leslie for questions: info@ncnewsline.com.