More than eight months after one of America’s richest counties suffered a crippling cyberattack, the painful, expensive fallout still isn’t over.
The Suffolk County legislature in eastern Long Island voted last week to subpoena four county employees with knowledge of the fall 2022 ransomware attack that disabled county websites, servers, and databases. Earlier this month, the county announced the hiring of its first chief information security officer (CISO). It also admitted that the lack of a standalone incident response plan last year likely contributed to the prolonged recovery.
With each new headline, my stomach clenches a little. It’s been so many months, and officials are still piecing together what happened, and why. In my business, I hear about cyberattacks almost every week, but this one was personal.
Last September my mother fell and broke her arm, and I rushed from my New York City apartment back to my childhood home in Suffolk County to help care for her. The cyberattack came two days later, forcing the county to shut down its website and other web-based applications that served the area’s 1.5 million residents. State police had to step in to assist local emergency responders by running plates, arrest history warrants, and other vital data during traffic stops, while 911 dispatchers logged calls by hand. Email for 10,000 civil service workers ceased. Midterm election vote-counting was delayed. And the local real estate market—a big deal anywhere but certainly on Long Island’s tony East End—was gut-punched, unable to process property title searches and other business.
Over the ensuing months, I tended to my feisty mom as she underwent physical therapy, and watched as the county—less feisty, more flailing and failing—limped through its own kind of rehab. A forensics report revealed that hackers entered the system eight months before the actual ransomware attack, in December 2021, via a vulnerability in the county clerk’s office. After gaining access, the undetected intruders installed bitcoin mining software, exfiltration tools, and monitoring systems, created fake accounts, and harvested some 26,000 Social Security numbers and nearly half a million driver’s license numbers.
That report, for all its sobering findings, tells only half the story. A slew of revelations have emerged in the wake of the attack, establishing that Suffolk is a sad case study in not taking cybersecurity seriously.
The cost of doing business
Rather than pay a $2.5 million ransom to hackers, the county elected to restore services on its own. It took more than five months to get the website up and running again, and still today some online services, including property-title searches and sewer-bill payments, remain offline.
The unfortunate reality is that the cybercriminals had more access to the clerk’s network than county IT ever did.
The cost of responding to the breach and restoring services will total $5.7 million, according to the latest county estimates, though security experts say that figure may rise.
Whether the county should’ve just sucked it up and paid the ransom is a matter of (considerable) debate, though many experts contend that paying a ransom puts an enterprise at risk of additional attacks. Once the original (and other) hackers see that you’re willing to pay, they may keep coming back to the trough.
What’s not up for debate? The county’s piss-poor preparedness.
What’s visible, what’s not
A lack of visibility into network endpoints left the county scrambling in the initial weeks after the attack. “The unfortunate reality is that the cybercriminals had more access to the clerk’s network than county IT ever did,” said County Executive Steve Bellone at a press conference in February. Effective endpoint management, including a full asset discovery and inventory, would have assisted security teams once the breach was detected.
Having no CISO in place—an authority who could have alerted local government officials to the lack of preparedness, guided them through the process of making cost-effective improvements, and steered the ship after the hackers struck—didn’t help matters. To many state and local governments that are often cash-strapped and not-so-cyber-savvy, a CISO seems a luxury and a cyberattack a distant and unlikely threat. The latter assumption is flat-out wrong; the former, understandable, but there are workarounds.
Suffolk considered 30 applicants for its inaugural CISO before landing on Kenneth Brancik, a former cybersecurity chief of the Mount Sinai Health System, who will earn an annual salary of $184,214, Newsday reported. Such a price tag may be out of reach for some local governments and other small enterprises, but options like CISO-sharing are growing in popularity as a way to defray the costs of cyber expertise.
Taking part in whole-of-state
Participation in whole-of-state programs is also increasingly providing municipal, tribal, and county entities with information and guidance—and funding!—that they would not have had access to on their own. Forty-eight states have applied for a portion of the four-year, $1 billion cybersecurity grant program that is part of the Biden administration’s $1.2 trillion infrastructure spending law, passed in 2021. As that money has started trickling to states in recent months, state officials are using it to share services with in-state entities.
The day that you get attacked, you [should] have a plan to take off the shelf and respond immediately, as opposed to scrambling around and trying to figure out what needs to be done.
New Hampshire’s state department of information technology, for example, is assisting local governments, school systems, and water districts to implement multifactor authentication and train IT workers. Illinois is sharing services from its statewide security operations center, providing enhanced endpoint detection capabilities to improve network visibility for counties, towns, sheriff’s departments, 911 services and water districts.
“Our goal in Year One is to get as much coverage and as much visibility for shared defense throughout the state,” Illinois CISO Adam Ford recently told Statescoop.
The value of an incident response plan
But arguably Suffolk’s most egregious misstep was the lack of an incident response plan. Cyberattacks are no longer an if but a when. It’s going to happen, no matter how much you plan. So having a breach playbook at the ready is essential and perhaps the most significant tool in an enterprise’s arsenal. Suffolk had no such plan in place, and that significantly contributed to the amount of time and money it has taken for the county to recover.
Although the county has an overall emergency response plan, it was “not specific to cyber breaches,” said Richard Donoghue, counsel for the legislature’s specially appointed Cyber Intrusion Investigation Committee, to Newsday earlier this month. “The day that you get attacked,” he continued, “you [should] have a plan to take off the shelf and respond immediately, as opposed to scrambling around and trying to figure out what needs to be done.”
How much more pain and payouts could have been avoided will become clearer in coming weeks, once the four subpoenaed individuals with knowledge of Suffolk’s IT practices are forced to testify before the investigation committee.
My mom’s arm has healed, but her doctor says she’ll be feeling the effects for months to come. The recovery could easily take a year. Same goes, apparently, for Suffolk County, which is still having to explain and come to grips with its past errors. A final report by the investigation committee is expected around the one-year anniversary of the attack.
No doubt, we’ll be seeing more press conferences with County Executive Bellone, who has a head of thick, white hair. Can it get any whiter? Time—and possibly more subpoenas—will tell.