LAS VEGAS (KTNV) — Months before a cyberattack crippled state computers, Nevada lawmakers heard but did not pass a bill to centralize the state's cybersecurity operations to meet emerging threats.
It's not clear whether the bill — Assembly Bill 432, by Henderson Republican Toby Yurek — would have changed anything about the cyberattack first detected by state officials on Aug. 24.
VIDEO: Steve Sebelius reports the latest on Nevada cyberattack
But the bill, the dialogue surrounding it, has taken on new relevance in the wake of the assault on Nevada's computer systems that's now in its ninth day.
The bill would have created a centralized security operations center (abbreviated "SOC" and pronounced "sock") under the state's chief information officer. It would have allowed officials to monitor state networks constantly for signs of intrusion, and even allowed local governments and school districts to opt in, paying for cybersecurity services.
State officials would not have access to data, but primarily monitor network logs and determine who was logging on to the system.
During a March 24 hearing, Yurek outlined the threats from a cyberattack in especially prescient terms.
"Cybercrime is not some abstract threat anymore. It is very personal, it's pervasive, and it is hitting closer to home than ever," he said.
"Make no mistake: We are a high-value target," Yurek added.
"Between our tourism, gaming, financial institutions, government databases, and critical infrastructure, we are not just a neon oasis in the desert. We are a blinking bull's eye for bad actors across the globe."
And it wasn't just Yurek who was concerned. Tim Galluzi, the state's chief information officer, also outlined his concerns.
"If you don't have a central structure in place before the attack, it's already too late," Galluzi told the Assembly Government Affairs Committee. "You cannot fix the plane in flight."
Galluzi outlined cyberattacks in recent years against Colorado, Quincy, Ill., Ft. Lauderdale, Fla., Atlanta, Oakland, Bernalillo County, N.M. and several local governments in Texas.
The attacks cost millions, sparked lawsuits, damaged state reputations and exposed personal information to the dark web, Galluzi said.
And Nevada in 2024 logged 240,000 security incidents, with 17,304 classified as genuine threats, Galuzzi said.
"We cannot continue to practice security through obscurity. They are after us," Galluzi told lawmakers. "We have to scale up, we have to stay ahead, we have to keep moving."
At least two lawmakers asked about reports that the Department of Government Efficiency — also known as "DOGE" — gained access to sensitive personal information while hunting for waste in Washington, D.C., at the behest of the President Donald Trump administration.
Galluzi repeatedly assured lawmakers that state officials could not access the data, but rather would scan network logs to detect suspicious actors trying to log into systems.
Another lawmaker asked if data could be used to target children if school districts participated in the program. Galluzi said that data and emails would not be accessed by network sentinels.
Ultimately, the bill was amended and passed out of the Government Affairs Committee. But instead of getting a final vote on the Assembly floor, it was referred to the budgeting Ways & Means Committee, although the program would have cost no money initially. (Local governments and school districts would have paid a fee to be protected by the state system.)
The bill died in Ways & Means without another vote.
But now, in the wake of the cyberattack, it's likely Yurek's bill or some version of it will come back to the Legislature, perhaps as soon as this year if a special session is called to pass other measures that didn't make it out of the session that ended in June. '
