Suffolk cyberattack report calls for fixes; Romaine says progress being made
The litany of missed warnings and computer security deficiencies detailed in a final legislative analysis of the 2022 ransomware attack on Suffolk County has put new focus on the current government's readiness to head off future attacks.
The report by a special committee of the Suffolk County Legislature released last week outlines a long list of threat assessments and red flags, now dating back to 2017, to detail the many opportunities the county had to fortify its systems and potentially thwart the intrusion.
The county office of the chief information security officer remains vacant, after the prior CISO was released in January, and Suffolk hasn't yet secured cybersecurity insurance. It's also late in filing an annual risk assessment report to the county legislature, which was due on Sept. 1, and there are questions about the lack of a cyberattack response and recovery plan, which the report said was missing and therefore hobbled the county's recovery.
"They still have more work to do, clearly," former acting deputy U.S. Attorney General Richard Donoghue, special counsel to the legislature's committee, said in an interview Friday. "They do need a chief information security officer, a county employee who is responsible for this. I think they have more upgrades to do, certainly more hiring to do."
WHAT TO KNOW
- The final legislative report of the 2022 ransomware attack on Suffolk County has put new focus on the current government's readiness to head off future attacks.
- The report outlines a long list of threat assessments and red flags, now dating to 2017, to detail the many opportunities the county had to fortify its systems and potentially thwart the intrusion.
- County Executive Ed Romaine says the county has hired a chief information security officer and the person will be on the job by mid-October.
County Executive Ed Romaine, a Republican who took over from Democrat Steve Bellone in January, said progress has been made and more is coming soon.
Romaine on Friday said the county has hired a chief information security officer and the person will be on the job by mid-October. He said the county is also working with Dell to employ a “virtual CISO” to backstop the role with high-tech computer security, is in the process of doubling the computer security staff, currently at three people, and is filling other IT staff positions.
"We're scrambling to overcome the deficiencies of the past," he said.
In addition, Romaine said, the county has scheduled a penetration test by an outside contractor that is needed for the risk assessment report required for the legislature under county law, and the county will provide the results of that test in the report by November.
Romaine said the moves will work toward the county securing cybersecurity insurance, which he expects to be in place by the end of the year. “We are checking off the boxes for what we need to do to get cyber insurance, and we’re pretty confident that by the end of the year the county will be able to secure” it, he said.
Romaine added: “We’re taking the report that the committee issued to heart. We think a lot of the failure of the past administration was a failure to act or a failure to lead. We get it. We don’t want to suffer from the same habits.”
Bellone in a statement said the report confirms the findings of the county’s own forensic investigation and makes security recommendations “in line with those proposed” by his administration.
One of the central findings of the report was that the lack of a cyberattack response and recovery plan impeded the county's ability to quickly bounce back. Donoghue said that based on the "annex" to a broader emergency response plan prepared in the final months of the prior administration, the county still doesn't have one.
"It's more like a plan to have a plan," Donoghue said of what's on file. "It's not, if this happens, what do you do now, how many servers do you have, where are they located, what data is on them and what priority order should they be brought back up. Those are the kinds of very concrete things you have in a recovery plan. Those things are not in that plan."
Romaine said the county does not intend to rely on the “annex” left by the Bellone administration. His administration, he said, has “most of the elements” of a response and recovery plan already in place. By Nov. 1, he said, the plan will be formalized and made available to department heads across county governments.
One former county official, in testimony before the committee, had disputed the claim that the lack of such a plan hobbled the county’s response.
Former chief deputy county executive Lisa Black during testimony before the committee in June took exception to the notion that a response and recovery plan was a “basic and essential” part of a cyber defense program. “I think it is yet another tool that you can have in your toolbox, but it depends on how much other information is already in your toolbox,” she said, according to a transcript of her testimony.
In the legislative report, Donoghue consistently stressed that the county not having a response and recovery plan was a major failing.
Experts say the need for a recovery plan is just as imperative now as it was two years ago.
"In 2022, to not have these plans in place and also have regular tabletop exercises performed by the IT team for an organization of this size and complexity is unacceptable," said Michael Nizich, director of the Entrepreneurship & Technology Innovation Center at the New York Institute of Technology.
As first reported by Newsday in August, the legislative report found there were assessments showing red-alert levels of vulnerabilities across county systems six months before the intrusion. The FBI also alerted the county to the attack while it was underway in the summer of 2022, but none led to actions that recognized and neutralized the threat.
"It's amazing this attack didn't happen sooner given that all these reports were telling us, 'Hey, you have a problem here. Fix it,' " Suffolk Leg. Anthony Piccirillo (R-Holtsville), who chaired the cybersecurity committee, said Friday. He said he's now working on a resolution that would require the county to share heightened threat-level information, like the FBI tip received before the attack, with lawmakers to help formulate coordinated action.
Newest to the litany of warnings disclosed last week was a previously unreported assessment conducted by Microsoft in 2017, just after Suffolk appointed Scott Mastellon as commissioner of the Department of Information Technology. That warning found “numerous deficiencies” and a “critical risk of compromise” in Suffolk’s Active Directory, a core part of the network that controls lists of authorized users and gateways for access.
The Microsoft report found that while each problem it discovered was a “critical risk, collectively these risks mean that an attacker has multiple avenues to compromise the directory and gain access to every resource in the Suffolk County Department of IT environment."
The legislative report noted that the 2017 assessment “provided only a limited view into Suffolk County’s cybersecurity posture,” and while “some, but not all, of the remediation steps set out in the Microsoft Assessment were subsequently implemented, the assessment made [computer network] leaders aware that the county had significant cybersecurity deficits that needed to be remedied.”
In his report, Donoghue asserted the attack was "not the result of a single point of failure," but rather a "combination of fragmented and in some cases outdated systems, inadequate staffing, planning and training, and insufficient attention to the warning signs of the attack that was underway."
On Friday, Donoghue said the discovery of the 2017 assessment was one of the reasons the report was delayed a month this summer.
The committee offered seven recommendations as part of its report, including that the county's disparate computer tech teams work "closely and collaboratively," that the county hire an experienced chief information security officer, and that the person should formulate a cross-county cyber incident response and recovery team versed in a much-needed response and recovery plan "for the entire county."
Recommendations also included that the county seek cyber-breach insurance.
Suffolk officials acknowledged in 2023 that the county's decentralized networks had lacked key security components deemed essential to obtain cyber insurance. Last month, the county responded to a Newsday Freedom of Information Law request saying "there were no applications for cybersecurity insurance," for at least the 12 years before the attack.
Newsday has reported the equipment, remediation and investigative costs related to the cyberattack amounted to more than $25 million, according to internal county estimates. Bellone last month said the number was far lower, just $5.8 million, chiefly the cost for forensics and recovery.
Replacement equipment and new software costs “represent long-term technology investments” and are needed “irrespective of any particular cyber incident,” he said, and labeling that total as the cost of the cyberattack is “not accurate.”
Costs aside, Donoghue said he hopes the county heeds the committee's warnings.
"I certainly hope they've learned these lessons and they take this report and use it to make sure they are doing everything they need to do to make sure it doesn't happen again," he said.
With Sandra Peddie