Suffolk legislators press IT chief for cyberattack cost
Suffolk Information Technology Commissioner Scott Mastellon, whose department is coping with the worst cyberattack in county history, angered legislators Wednesday by providing answers they deemed insufficient about the cost of preventing future breaches.
The testy exchange between Mastellon and some Suffolk legislators occurred during what in most years likely would have been a routine committee hearing about the department’s 2023 budget needs.
Mastellon told legislators the department in 2023 plans to hire 19 new staffers including a chief security officer, contract with outside personnel to provide additional cybersecurity, and invest in hardware and software as Suffolk works to harden its cybersecurity infrastructure following the Sept. 8 attack.
When pressed for specifics on next year’s spending plan, the commissioner could not say how much the county would pay for the security measures.
“To think that you didn't come to this meeting prepared for these kinds of questions is wholly disrespectful to this committee,” said Legis. Anthony Piccirillo (R-Holtsville), who chairs the legislature’s government operations, personnel, information technology and diversity committee. “We're not asking questions that can’t be answered on the record. We're asking simple budgetary questions.”
Legislators announced last week Piccirillo would head a bipartisan panel to investigate the source of the attack.
Piccirillo asked the commissioner to return Monday to provide more detailed responses to legislators' questions on the 2023 budget.
County officials said the forensic examination of the cyber hack continues and the cost of the breach is still being tallied.
“The assessment into the cyber intrusion is ongoing while we concurrently are prioritizing a safe and secure restoration process,” said Suffolk County Executive Steve Bellone spokeswoman Marykate Guilfoyle. “Part of that restoration allowed for staff to support the delivery of the County’s recommended operating budget for 2023. We will continue to work with our partners in the legislature to address any questions related to the submission to ensure they can pass a budget on time.”
Suffolk County took down its websites and web-based applications following the Sept. 8 discovery of a cyberattack on county systems. A group has taken credit for the attack in a posting on the dark web and has said it is seeking a “small reward” for revealing vulnerabilities in the county’s systems. They have released county documents like court records and speeding tickets and have threatened to release more.
County officials have said little about how the attack occurred or how wide-ranging the breach was, citing an ongoing law enforcement investigation.
Bellone said his $3.74 billion proposed 2023 budget released earlier this month would raise cybersecurity spending by $8 million.
Spending on the county’s information technology department would rise from about $25 million in 2022 to about $32.5 million in 2023, according to the budget.
The bulk of those increases would fund new salaries as well as hardware and software, Mastellon said.
A line item titled “Microsoft Software Maintenance/Assurance” would be raised from about $350,000 in 2022 to nearly $2.5 million in 2023. About $9.7 million was budgeted for “Supplies, Material & Other” in 2022, while the number grew to $14.3 million for next year. And permanent salaries would rise from the $10.5 million budgeted in 2022 to $12.5 million in 2023.
The proposed budget would add new cybersecurity analysts responsible for monitoring and evaluating all known common vulnerabilities and exposures, also known as CVE, Mastellon said.
The department will pursue a hybrid approach of using county staffers and outside contractors to provide cybersecurity, according to Mastellon.
“We feel this is the best mix of resources internally and externally that will satisfy the needs that we have,” he said.
Mastellon did not provide specific figures, but when pressed by Legis. Trish Bergin (R-East Islip), estimated it would likely cost between $300,000 and $500,000 to hire outside contractors to provide additional cybersecurity.
He also said officials have considered that new cyber threat analyst positions should be staffed at all hours to provide round-the-clock cybersecurity.
“Fortunately, or unfortunately, that position requires a 24/7 response,” Mastellon told legislators.