By Amanda Olsen
aolsen@antonnews.com
With Suffolk County still reeling from the September cyberattack,
Nassau County has begun taking steps to secure its IT infrastructure
Around 236.1 million ransomware attacks were reported worldwide in the first half of 2022. According to the Verizon Data Breach Report, the public administration sector experienced 2,792 incidents, with 537 resulting in confirmed data disclosure. The motivation for the majority of cyberattacks conducted is financial gain and not espionage. This means that rather than trying to gain information itself, bad actors are holding it hostage in order to obtain a ransom. No organization is immune to these attacks.
On September 8, Suffolk County became aware that their systems had been compromised. The ransomware group ‘BlackCat’, also known as ALPHV, took credit for the breach. According to DataBreaches.net, ALPHV released the following statement on the darkweb: “The Suffolk County Government was attacked. Along with the government network, the networks of several contractors were encrypted as well. Due to the fact that Suffolk County Government and the aforementioned companies are not communicating with us, we are publishing sample documents extracted from the government and contractor network.
The total volume of extracted files exceeds 4TB.
Extracted files include Suffolk County Court records, sheriff’s office records, contracts with the State of New York and other personal data of Suffolk County citizens. We also have huge databases of Suffolk County citizens extracted from the clerk.county.suf. domain in the county administration.”
The impact of the breach was immediate and far-reaching. All county offices ground to a halt. Residents and county employees learned that their driver’s license numbers, social security numbers and other personal data had been compromised. Building permits and real estate transactions were delayed or cancelled because of onerous wait times. Offices were forced to employ old-fashioned pen and paper, paper checks and fax machines to get any work done.
A forensic digital investigation determined that a single flaw at the county clerk’s office allowed the hackers to penetrate the system on December 19, 2021. They were in this system for months before they breached the county network in late summer, then revealed themselves in September by posting their ransom note. Suffolk chose to take down their system rather than pay the $2.5 million demand.
Suffolk County Clerk Judith Pascale told News 12 that she warned Suffolk County officials in January that a cyberattack could happen. She brought her concerns to the Ways and Means Committee and asked them to install more computer security and more substantial firewall protection. She says the firewall protection in place during the attack wasn’t enough for a government entity.
“It was only a matter of time. And that’s why we should have taken the precautions,” said Pascale. “…People looked at me like I was crazy…I said ‘when this happens, it’s going to be devastating.’”
Legislator Siela Byone submitted a letter to Nassau County executive Bruce Blakman November 1, urging him to bolster the county’s defenses in light of Suffolk’s plight.
“As Suffolk County continues to struggle in the aftermath of a costly cyberattack that has hobbled its public-facing and internal systems, it becomes clearer by the day that Nassau must proactively strengthen our defenses before we inevitably become the next target. Forward-thinking organizations and corporations dedicate significant resources toward retaining and training full time, in-house cybersecurity staff, “hardening” existing information technology systems, and developing internal controls and rapid response protocols to ensure resiliency in the event of cyberattacks. Nassau County must do the same.”
Nassau county has moved to establish a Deputy Commissioner of Cybersecurity within the Department of Information Technology. This Deputy Commissioner, appointed by the Commissioner of Information Technology, will head up a new cybersecurity team to address the needs of the county government in relation to the increasing threat of intrusion. They will also be expected to maintain the integrity of the County’s information technology infrastructure by proactively protecting sensitive data and systems. One of the key duties of this office will be creating disaster recovery protocols and procedures for every Nassau County department. Another is establishing and maintaining alternative communication pathways in the event of a successful attack.
On Monday, Dec. 5, the Rules Committee of the Nassau County Legislature voted unanimously to approve a contract related to cybersecurity services for Nassau County. Following the affirmative vote, William Biamonte, Chief of Staff for the Minority Caucus of the Nassau County Legislature, issued the following statement:
“Every member of the Minority Caucus remains intently focused on advancing comprehensive strategies for addressing the cybersecurity threats that Nassau County faces on a daily basis,” William Biamonte, Chief of Staff for the Minority Caucus of the Nassau County Legislature, said. “We will continue working toward the implementation of additional common-sense cybersecurity best practices that will benefit all Nassau residents.”
The county has opted not to disclose the name of the company that will be providing this service, stating that they do not want the security company to become a target itself. While this can be an issue with certain information, it should be possible to see the amount the county agreed to pay the vendor without compromising their ability to render the service.
If you were stopped by police in Suffolk County between 2013 and September 2022, your personal information is at risk. The county has set up free identity monitoring services with Kroll. Visit suffolkcounty.kroll.com to sign up.
