Suffolk cybersecurity coordination, compliance set for changes
A resolution before the Suffolk Lgislature directs IT personnel to discuss cybersecurity monthly. Credit: Newsday/Thomas A. Ferrara
Suffolk County officials are planning to better coordinate cybersecurity across departments and unify policy enforcement as the county continues to fortify defenses following the September 2022 cyberattack.
A resolution before the county legislature directs information technology personnel across county departments to meet at least once per month to discuss cybersecurity. The county’s IT networks are segregated, with its main Department of Information Technology controlled by the administration of Suffolk County Executive Steve Bellone and independent sub-networks under elected officials such as the county clerk and sheriff.
The new Office of the Chief Information Security Officer is expected to now oversee cybersecurity policy and compliance for all departments. The legislature is set to vote on the measure Tuesday, along with IT funding requests totaling $1.6 million for software upgrades. A public hearing is set for another measure requiring vendors to notify the county if they sustain a security breach.
"The evidence has made clear how the September 8th cyberattack happened and the vulnerabilities the preexisting decentralized IT structure presented," Bellone said in a statement. "It is critical we ensure we are not in the position to allow history to repeat itself and with this legislation, for the first time, the CISO [chief information security officer] will have both the authority and responsibility to take any and all necessary actions to ensure compliance with cybersecurity policy for all departments and agencies.”
The county did not have a chief information security officer at the time of the hack, which shut down county services for months, delayed payments to vendors and exposed the Social Security numbers of about 26,000 county employees.
In May, the county hired Kenneth Brancik as its first chief information security officer to develop, oversee and enforce cybersecurity policies and programs.
A chief information security officer also is needed to qualify for cybersecurity insurance, which the county did not have at the time of the attack and still does not have.
Steve Morgan, founder of Northport-based Cybersecurity Ventures, a cybersecurity market researcher, said not having cybersecurity insurance is "like not having a homeowner's insurance policy."
"Getting one, fast, should be a top priority," he said.
The resolution directs the chief information security officer to prepare and submit a “Cybersecurity Risk Assessment Report” twice per year to the county executive, legislative leaders and others. It will include an “overall compliance risk score” for the county, according to the resolution.
Bellone's administration has blamed the county clerk’s office and its IT director, Peter Schlussler, for failing to patch a security breach in the clerk’s network, which it said led to the attack.
Schlussler, who was put on paid leave after the hack, has testified the county missed numerous opportunities to prevent it months before it happened and blamed the lack of a chief information security officer as a root cause.
Suffolk County Clerk Vince Puleo, who took office after the hack, said requiring departments to meet at least once per month was a positive step.
“I think updates on exactly what the bad actors are focusing on, and alerting everybody to the fact that they could be changing the way they're trying to invade our network” is a good thing, he said.
The legislature's Government Operations, Personnel, IT and Diversity Committee voted 7-1 for the measure. Legis. Anthony Piccirillo (R-Holtsville), committee chairman and the only dissenting vote, said a new policy should wait until after a separate legislative committee probing the source of the cyberattack issues its final report.
The new policy would replace one that required an annual cybersecurity report. Suffolk completed only one report between the time the law was passed in 2018 and the September 2022 cyberattack, and Newsday has reported that document recommended the county hire a chief information security officer.
County officials have blamed the lack of regular reports and the delay in hiring a chief information security officer on the COVID-19 pandemic.
Suffolk County officials are planning to better coordinate cybersecurity across departments and unify policy enforcement as the county continues to fortify defenses following the September 2022 cyberattack.
A resolution before the county legislature directs information technology personnel across county departments to meet at least once per month to discuss cybersecurity. The county’s IT networks are segregated, with its main Department of Information Technology controlled by the administration of Suffolk County Executive Steve Bellone and independent sub-networks under elected officials such as the county clerk and sheriff.
The new Office of the Chief Information Security Officer is expected to now oversee cybersecurity policy and compliance for all departments. The legislature is set to vote on the measure Tuesday, along with IT funding requests totaling $1.6 million for software upgrades. A public hearing is set for another measure requiring vendors to notify the county if they sustain a security breach.
"The evidence has made clear how the September 8th cyberattack happened and the vulnerabilities the preexisting decentralized IT structure presented," Bellone said in a statement. "It is critical we ensure we are not in the position to allow history to repeat itself and with this legislation, for the first time, the CISO [chief information security officer] will have both the authority and responsibility to take any and all necessary actions to ensure compliance with cybersecurity policy for all departments and agencies.”
The county did not have a chief information security officer at the time of the hack, which shut down county services for months, delayed payments to vendors and exposed the Social Security numbers of about 26,000 county employees.
In May, the county hired Kenneth Brancik as its first chief information security officer to develop, oversee and enforce cybersecurity policies and programs.
A chief information security officer also is needed to qualify for cybersecurity insurance, which the county did not have at the time of the attack and still does not have.
Steve Morgan, founder of Northport-based Cybersecurity Ventures, a cybersecurity market researcher, said not having cybersecurity insurance is "like not having a homeowner's insurance policy."
"Getting one, fast, should be a top priority," he said.
The resolution directs the chief information security officer to prepare and submit a “Cybersecurity Risk Assessment Report” twice per year to the county executive, legislative leaders and others. It will include an “overall compliance risk score” for the county, according to the resolution.
Bellone's administration has blamed the county clerk’s office and its IT director, Peter Schlussler, for failing to patch a security breach in the clerk’s network, which it said led to the attack.
Schlussler, who was put on paid leave after the hack, has testified the county missed numerous opportunities to prevent it months before it happened and blamed the lack of a chief information security officer as a root cause.
Suffolk County Clerk Vince Puleo, who took office after the hack, said requiring departments to meet at least once per month was a positive step.
“I think updates on exactly what the bad actors are focusing on, and alerting everybody to the fact that they could be changing the way they're trying to invade our network” is a good thing, he said.
The legislature's Government Operations, Personnel, IT and Diversity Committee voted 7-1 for the measure. Legis. Anthony Piccirillo (R-Holtsville), committee chairman and the only dissenting vote, said a new policy should wait until after a separate legislative committee probing the source of the cyberattack issues its final report.
The new policy would replace one that required an annual cybersecurity report. Suffolk completed only one report between the time the law was passed in 2018 and the September 2022 cyberattack, and Newsday has reported that document recommended the county hire a chief information security officer.
County officials have blamed the lack of regular reports and the delay in hiring a chief information security officer on the COVID-19 pandemic.
Vera Chinese covers Suffolk County government and politics. She joined Newsday in 2017 after working as an editor for the East End lifestyle publication northforker and a general assignment reporter for the New York Daily News.
Updated 19 minutes ago Cops back at Heuermann home ... Huntington Station man pulled from pool ... Cohen to testify at Trump trial ... Summer attractions
Updated 19 minutes ago Cops back at Heuermann home ... Huntington Station man pulled from pool ... Cohen to testify at Trump trial ... Summer attractions
