The 911 operations center at police headquarters in Yaphank in September 2022 when Suffolk County was in the throes of a cyberattack. Credit: James Carbone

Suffolk County must craft a recovery plan, beef up information technology staff and hire an executive tasked with overseeing cybersecurity to prevent a massive cyberattack like the one it suffered two years ago, according to a newly released report.

The bipartisan Suffolk County Legislature’s Special Cyber Intrusion Investigation Committee, formed to probe the cause of the attack, voted 6-0 on Thursday to adopt the 66-page report’s findings. It concluded the county was ill-prepared to guard against the attack discovered on Sept. 8, 2022, and must still take several steps to fortify its cyber defenses.

"The scale, significance, and duration of the damage inflicted on Suffolk County was largely attributable to inadequate planning, preparation, coordination, and training by and of Suffolk County personnel," the report states. "In sum, the damage sustained by Suffolk County was largely attributable to a failure of leadership."

The report also recommends the county obtain a cyber breach insurance policy, which the county lacked at the time of the attack because it did not qualify for one. Such a policy would provide financial protection to remediate a future attack, but the report also notes that taking the steps to qualify for and maintain one would ensure "that our systems and practices are regularly updated."

WHAT TO KNOW

  • Suffolk County must craft a recovery plan, beef up information technology staff and hire an executive tasked with overseeing cybersecurity to prevent a massive cyberattack like the one it suffered two years ago, according to a newly released report.
  • The bipartisan Suffolk Special Cyber Intrusion Investigation Committee concluded the county was ill-prepared to guard against the attack discovered on Sept. 8, 2022. 
  • The report also recommends the county obtain a cyber breach insurance policy, which the county lacked at the time of the attack because it did not qualify for one. Such a policy would provide financial protection to remediate a future attack.

Newsday has reported that Suffolk attempted to obtain cyber insurance but was deemed ineligible because, among other things, it lacked a chief information security officer, or CISO, and certain fundamental protections such as multifactor authentication. The county has since implemented that technology, which verifies user identities using means outside the network.

"My administration has implemented key changes in our IT department and we have seen these changes put into practice this year," Suffolk County Executive Edward P. Romaine, a Republican, said in a statement.

The report also recommends complying with a county law to provide an annual IT risk assessment to county leaders and hiring a CISO with a fixed term. 

The administration of former Suffolk County Executive Steve Bellone, a Democrat, did not hire a CISO until March 2023, five months after the attack. That officer, Kenneth Brancik, was released earlier this year and hasn’t been replaced by Romaine. 

"Hiring a CISO is a top priority and essential in obtaining cyber insurance," Romaine said.

The attack shut down Suffolk County's main website for more than five months, exposing the personal information of about 500,000 people, including 470,000 drivers and 26,000 Suffolk employees and retirees. It also shut down county email and phone systems and affected county 911, payment and traffic-agency systems.

The report notes that the committee, along with its outside counsel, former U.S. Attorney for the Eastern District of New York Richard Donoghue, interviewed more than 20 witnesses and examined more than 35,000 documents in reaching its findings. The cost to produce it was not immediately available Thursday.

The report said a lack of coordination between various Suffolk IT departments, which are segmented among the independently elected offices, impacted the county’s ability to handle the attack. The Republican-controlled legislature in December rejected a Bellone administration proposal to consolidate cybersecurity under the CISO. 

Of the report, Bellone said "it does finally confirm the accuracy of the County's forensic investigation and also makes security recommendations in line with those proposed by the administration last year, demonstrating that some members of the Committee took their responsibility seriously."

Legis. Anthony Piccirillo (R-Holtsville), the cyber committee chairman, at the time said the county should not adopt a new IT policy until the committee released its report.

"The issue, quite frankly, was there was no trust between DOIT [the Bellone administration's IT department] and the rest of the IT teams across the county," Piccirillo told Newsday on Thursday. He said the next CISO will likely craft the county’s cybersecurity strategy.

The report acknowledges but downplays an unpatched vulnerability known as "log4j" in the clerk’s domain, which a previous forensic report said was a major cause of the attack. 

Instead, the report underscores a "pass-through" in the county’s perimeter firewall that allowed internet traffic intended for the county clerk’s domain to circumvent inspection. The report did not determine who is responsible for the pass-through, but warned against allowing such pass-throughs in the future.

"All internet traffic destined for domains within the County environment must pass through approved firewalls, and no department should use modems or other devices to circumvent County firewalls," it said.
