Suffolk County officials are planning to better coordinate cybersecurity across departments and unify policy enforcement as the county continues to fortify defenses following the September 2022 cyberattack.
A resolution before the county legislature directs information technology personnel across county departments to meet at least once per month to discuss cybersecurity. The county’s IT networks are segregated, with its main Department of Information Technology controlled by the administration of Suffolk County Executive Steve Bellone and independent sub-networks under elected officials such as the county clerk and sheriff.
The new Office of the Chief Information Security Officer is expected to now oversee cybersecurity policy and compliance for all departments. The legislature is set to vote on the measure Tuesday, along with IT funding requests totaling $1.6 million for software upgrades. A public hearing is set for another measure requiring vendors to notify the county if they sustain a security breach.
“The evidence has made clear how the September 8th cyber attack happened and the vulnerabilities the preexisting decentralized IT structure presented,” Bellone said in a statement. “It is critical we ensure we are not in the position to allow history to repeat itself and with this legislation, for the first time, the CISO will have both the authority and responsibility to take any and all necessary actions to ensure compliance with cybersecurity policy for all departments and agencies.”
The county did not have a CISO at the time of the hack which shut down county services for months, delayed payments to vendors and exposed the Social Security numbers of about 26,000 county employees.
In May, the county hired Kenneth Brancik as its first CISO to develop, oversee and enforce cybersecurity policies and programs.
A CISO is also needed to qualify for cybersecurity insurance, which the county did not have at the time of the attack and still does not have.
Steve Morgan, founder of Northport-based Cybersecurity Ventures, a cybersecurity market researcher, said not having one is “like not having a homeowner’s insurance policy.”
“Getting one, fast, should be a top priority,” he said.
The resolution directs the CISO to prepare and submit a “Cybersecurity Risk Assessment Report” twice per year to the county executive, legislative leaders and others. It will include an “overall compliance risk score” for the county, according to the resolution.
Bellone’s administration has repeatedly blamed the county clerk’s office and its IT director, Peter Schlussler, for failing to patch a security breach in the clerk’s network, which it said led to the attack.
Schlussler, who was put on paid leave after the hack, has testified the county missed numerous opportunities to prevent it months before it happened and blamed the lack of a CISO as a root cause.
Suffolk County Clerk Vince Puleo, who took office after the hack, said requiring departments to meet at least once per month was a positive step.
“I think updates on exactly what the bad actors are focusing on, and alerting everybody to the fact that they could be changing the way they’re trying to invade our network,” is a good thing, he said.
The legislature’s Government Operations, Personnel, IT and Diversity Committee voted 7-1 for the measure. Legis. Anthony Piccirillo (R-Holtsville), committee chairman and the only dissenting vote, said a new policy should wait until after a separate legislative committee probing the source of the cyberattack issues its final report.
The new policy would replace one that required an annual cybersecurity report. Suffolk only completed one report between the time the law was passed in 2018 and the September 2022 cyberattack, and Newsday has reported that document recommended the county hire a CISO.
County officials have blamed the lack of regular reports and the delay in hiring a CISO on the COVID-19 pandemic.