Nuts & Bolts: Modernizing State Cyber-Security


At least three Virginia government entities — Albemarle County, Gloucester County, and the Office of the Attorney General — were subjected to ransomware attacks in 2025. In my most recent Oinkonomics podcast, Secretary of Finance Steve Cummings touched upon the Youngkin administration’s approach to cyber-security. — JAB

Cummings: My former life was a banker. My last stop was I was CEO of a $6 billion revenue bank owned by the Japanese, highly regulated by the Fed, by the OCC, by the SEC. And I spent most of my regulatory time on cyber. And as you can imagine, that is top of the priority list. If you look at finance, what I would say to everybody as I was pulling my team together, hey, folks, we’re going to do things differently. We are the bank. We collect the revenues. We manage those funds when they come in to optimize them, and we pay all the bills through DOA.

Why do you rob a bank? It’s because where the money is. We are the number one target. And we had those three agencies, which is the core, all doing it differently, completely independently, different tools, different standards, different tracking, and at much different levels of maturity of execution. So, I said, I don’t care what you say about the incidents. We got to get this fixed.

This started 18 months ago. We did a full assessment. What I wanted was a single leader to make sure we built a steady, consistent ring around our bank, and that we shared resources, we had common tools, blah, blah, blah, blah, blah. And over that 18-month period, we did that and we staffed, we were supported. We briefed money committees on this two years ago and said, we’re going on this journey. You know this is a risk. Everybody talks about it, but they don’t do anything about it. And we’re gonna now do a real plan to be able to show you this is where we are. And it’s going to scare you. And this is where we got to get to.

Long story short, we’ve made huge progress. And it really wasn’t that expensive because VITA has all the capabilities. It just didn’t have that unified plan. And so we brought in some really good talent and we’ve closed so many gaps. You’re always chasing the Holy Grail because it’s always a moving target. But we’re in really good shape. And the thought on this, working with VITA, is that this is a model that could be applied in different high-risk areas. Many of our agencies, they’re just not high risk. But for those that are collecting funds or disbursing funds or paying big vendors, all are now going to be following a playbook, assuming that this will continue with the next administration.

Bacon: I guess it’s reassuring to know that you feel the system is safer. It might be too terrifying to describe exactly what the holes were that you filled in.

Cummings: You’ve seen a couple [of incidents] where there was ransomware and shut down some very important parts of Virginia government for some time. That’s indicative of some exposure. It’s not uncommon to see other states where tens of millions of dollars have gone to Nigeria overnight through cyberattacks. We all said we’re not going to be a headline.

