Suffolk cybersecurity measure stalls as officials call for autonomy
A plan to better coordinate cybersecurity across Suffolk County departments has been put on hold after some elected county officials voiced concerns the measure could jeopardize independent control of their departments.
The Suffolk County Legislature voted 16-0 Tuesday to table a resolution that would have unified cybersecurity policy enforcement as the county fortifies defenses following a Sept. 2022 cyberattack. Lawmakers unanimously approved separate legislation that includes $1.6 million for software upgrades.
The stalled measure directs technology personnel across county departments to meet at least once per month to discuss cybersecurity. It also puts the county's new chief information security officer in charge of overseeing cybersecurity policy and compliance for all departments, and directs him to prepare and submit a “Cybersecurity Risk Assessment Report” twice a year to the county executive, legislative leaders and others, with an “overall compliance risk score.”
The county's IT systems are segregated, with its main Department of Information Technology controlled by the administration of Suffolk County Executive Steve Bellone and independent sub-networks under elected officials such as the county clerk and sheriff.
Bellone said delaying the measure makes it more difficult for the county to obtain a cybersecurity insurance policy, which it did not have at the time of the attack and still does not have.
"The longer we wait to give the CISO authority over cyber security across the entire network, we continue to perpetuate a broken system that leaves us vulnerable and prevents the county from obtaining cyber insurance," he said in a statement.
Legis. Anthony Piccirillo (R-Holtsville) said other elected officials had expressed concerns the directive could jeopardize autonomy of their agencies.
Piccirillo has said a new policy should wait until after a separate legislative committee probing the source of the cyberattack issues its final report.
“Let’s gather all the information to try and make this bill better,” he said.
The county did not have a chief information security officer at the time of the hack, which shut down county services for months, delayed payments to vendors and exposed the Social Security numbers of about 26,000 county employees.
In May, the county hired Kenneth Brancik as its first chief information security officer to develop, oversee and enforce cybersecurity policies and programs.
Suffolk County Comptroller John Kennedy, a Republican and frequent Bellone critic, said the administration did not approach him about the new guidelines. He said he thought it was best to wait until Suffolk County Executive-elect Ed Romaine, a Republican, takes office in January before making policy decisions. Bellone, a Democrat, is term-limited after 12 years in office.
“Being proactive regarding cybersecurity is an important thing,” Kennedy said. “However, I certainly am not going to go ahead and compromise, abandon or diminish my independence based on county executive appointees.”
Suffolk County Clerk Vince Puleo said he thought requiring the departments to meet was a positive step. Representatives of Sheriff Errol Toulon Jr. and District Attorney Ray Tierney declined to comment.
Tierney has previously told Newsday he would prefer a separate server that no one outside his department could access.
The legislature could tweak and pass the measure during one of its two meetings scheduled in December. Otherwise, the resolution will expire at the end of the year, Piccirillo said.
Legis. Jason Richberg (D-West Babylon), the legislature’s minority leader, was hopeful the measure could still pass.
“All of us have to give a little so we can get a lot for the county,” he said during the meeting.
Bellone's administration has blamed the county clerk’s office and its IT director, Peter Schlussler, for failing to patch a security breach in the clerk’s network, which it said led to the attack.
Schlussler, who was put on paid leave after the hack, has testified the county missed numerous opportunities to prevent it months before it happened and blamed the lack of a chief information security officer as a root cause.