New Mexico Gov. Michelle Lujan Grisham on Monday formed a new committee to study the state's cybersecurity preparedness and identify opportunities to apply for federal money to bolster the state's readiness posture.
The Cybersecurity Planning Committee will consist of at least 12 people appointed by Lujan Grisham and will include a mix of state cabinet secretaries or designees, officials from school districts and local and tribal governments that serve in an information security or information technology role and others deemed necessary.
The governor will appoint members to the committee shortly, said Nora Meyers Sackett, Lujan Grisham's press secretary.
“It is more critical than ever to defend New Mexicans against the increasing threats of cyber attacks,” Lujan Grisham said in a prepared statement announcing the executive order creating the committee. "As hackers grow more sophisticated it is vital for the state to safeguard private information and protect against threats to services and infrastructure.”
So far in 2022, multiple cybersecurity incidents have affected New Mexico businesses and governments. In January, incidents shut down Bernalillo County networks and caused Albuquerque Public Schools to cancel classes for two days. Some businesses — such as TriCore Reference Laboratories and Albuquerque-based First Choice Community Healthcare Inc. — became vulnerable after an unauthorized third-party accessed a vendor’s computer system. Others — like Bernalillo County, Albuquerque Public Schools, First Financial Credit Union and Goodwill Industries — felt the effects directly.
La Fonda Holdings LLC, the company that operates the popular La Fonda on the Plaza luxury hotel in Santa Fe, is one of the latest New Mexico businesses to report a data breach. The company announced on Sept. 6 that an incident in August resulted in the removal of certain data from its computer systems after unauthorized access to its network.
As a result, the FBI’s Albuquerque leadership has made an effort to reach New Mexico businesses before malicious actors can.
The committee Lujan Grisham formed will advise the governor regarding necessary cybersecurity legislation and develop the infrastructure necessary to address risks and threats to networks owned by state and local governments. Per the executive order, the committee will — by Nov. 10 — "develop, implement or revise an eligible cybersecurity plan under the State and Local Cybersecurity Grant Program," which is administered by the U.S. Department of Homeland Security.
In forming the committee, Lujan Grisham designated October as Cybersecurity awareness month.
The governor's actions come after the U.S. Government Accountability Office last week issued a report critical of the National Nuclear Security Administration, a U.S. Department of Energy agency responsible for the Sandia National Laboratories and the Los Alamos National Laboratory in New Mexico, among six other sites across the county.
From reporting in The Record, a cybersecurity news publication owned by the Massachusetts cybersecurity company Recorded Future, according to the GAO:
NNSA and its contractors haven’t fully implemented six federally-mandated cybersecurity practices — which include implementing foundational risk management practices and more. For the traditional IT environment used for weapons design, the NNSA partially implemented all of the practices but had not fully implemented a continuous monitoring strategy “because their strategy documents were missing key recommended elements.”
In its 81-page report, the GAO cited a 2021 ransomware attack on Sol Oriens, an Albuquerque-based government contractor that enlisted a forensic firm to try to understand how payroll and other proprietary information appeared on a website affiliated with a Russian-linked hacker group that call themselves REvil.
REvil previously gained notoriety for its high-profile hack on JBS, the world's largest meat producer, and its successful ransom attempt that garnered an $11 million payment. They also hacked a key supplier to Apple, claiming to have stolen blueprints of the computer giant's products.
