NYS offered free cyber protection, but Suffolk won't say if it was implemented

Last July, when Gov. Kathy Hochul offered counties across the state free access to a suite of cybersecurity products and services, the threat of ransomware attacks was cited as a key reason.

About two months later, Suffolk County made a request to the state Department of Homeland Security and Emergency Services, which administers the program, to sign up for CrowdStrike Detection and Response. The request came on Sept. 9, one day after the county’s network of computers was shut down because of a ransomware attack, according to Jordan Guerrein, director of communications for Homeland Security and Emergency Services.

In the months since, it remains unclear whether Suffolk has fully rolled out the program, which includes a joint security operations center with computer techs monitoring networks in real time. The Nassau County Legislature opted into CrowdStrike on Feb. 27 and since has implemented it, county spokesman Chris Boyle said.

Deputy Suffolk County Executive Vanessa Baird-Streeter told Newsday in March that “we didn’t decline; we accepted the offer of CrowdStrike.” The Bellone administration on Tuesday declined to discuss CrowdStrike, including whether it's in use.

Suffolk spokeswoman Marykate Guilfoyle wrote in a statement last week that "as a matter of best practice and with the responsibility to ensure the protection of the county's critical infrastructure, network security architecture must be safeguarded and remain confidential.”

The state offered counties CrowdStrike because, “As ransomware attacks become more frequent, it is essential for us to protect sensitive information at local governments across the state,” Lt. Gov. Antonio Delgado said at the time. “The shared services program will provide counties with the assistance and support they need to enhance their cyber defenses.”

More than 40 counties statewide have signed up for the software, Guerrein said.

Suffolk said it already has layers of cybersecurity protection in place, including firewalls from Palo Alto Networks; antivirus, multifactor authentication from Okta, and endpoint protection from Palo Alto's Cortex.

But some public officials said Suffolk should be moving more quickly to take advantage of the state's offer, after the Sept. 8 cyberattack caused the county to shut down dozens of online services for more than five months. While most services, including Suffolk's main website, have been restored, some are still not back up.

Suffolk Comptroller John Kennedy said the county has yet to inform him of any plan to install CrowdStrike on his more than 120 department computers.

"As of April 21, CrowdStrike is not on any of the audit and control computers in my office," Kennedy said. "Why wouldn't we have taken advantage of an opportunity to get another protective piece of software" on the network?

A person with knowledge of the county's systems said CrowdStrike has yet to be fully installed across the network, but a top county official declined to confirm or deny the claim.

Peter Schlussler, the IT director for the county clerk's office, said his office spent $85,000 to contract with Carbon Black, another real-time, tech-staffed security operations center offering — because nothing like CrowdStrike had been installed in the clerk's office before County Executive Steve Bellone suspended him in December. The county has said the cyberattack started in the clerk's office as early as December 2021.

Guilfoyle, after this story was posted to newsday.com on Tuesday, said the county launched a real-time, tech-staffed security operations center in February 2022 that the clerk's office did not participate in. Suffolk also offered "state-of-the-art endpoint protection to all county departments to improve security" before the attack, which the clerk's office chose to install on some systems, she wrote. 

If Suffolk is fully signed on and has deployed CrowdStrike, that’s news to Suffolk County Off-Track Betting, which had hoped to get the software through the county to shore up its cyber defenses.

“We at Suffolk OTB got tired of waiting for them to act and purchased CrowdStrike ourselves to protect Jake’s 58 Casino from hackers,” said Suffolk OTB chief Phil Boyle, a former Republican state senator.

OTB said it paid $45,000 for the CrowdStrike Endpoint Protection and Response, virus protection and a security operations center, which has 24/7 monitoring by a security operations center staffed by live techs.

The county, though, said OTB could not be part of its plan. Guilfoyle, in response to Boyle, said in a statement, “Suffolk OTB is separate from the county and our network. Under no circumstances would they be included under any county deployment.”

Evan Proios, OTB’s deputy information technology director, said, "They are correct that we are not part of the county and they are correct that we would not be part of their cybersecurity deployment, but if they would have moved forward with their deployments, there is a possibility we could have been a part of the grant funding that was allocated for counties and county entities. ..."

In response, Guilfoyle wrote that the state's offer of CrowdStrike did not include any grant funding. 

Suffolk OTB is a public benefit corporation owned by Suffolk County whose three board members are appointed by the Suffolk legislature.

Ben Voce-Gardner, director of the Office of Counter Terrorism for New York's Division of Homeland Security and Emergency Services, said that depending on the size of an entity, it can take a few days to a few weeks to fully implement CrowdStrike. Suffolk has some 10,000 desktops or endpoints.

Voce-Gardner said counties have signed up, but they were "not interested in doing a deployment until [the second quarter] of 2023 because 'we have this other contract that doesn't expire until then, and we're also doing this hardware refresh, so we just don't have the bandwidth to do it.' "

In Nassau, Boyle said CrowdStrike has been installed on all computers, and the district attorney and police department are working to install it on theirs as well.

Nassau has other levels of cybersecurity protection aside from a vendor it hired in December for assistance, he said. County officials have declined to identify the vendor's name or the cost of the service, citing fears of a possible attack.

Voce-Gardner said his agency wants to see a statewide rollout of CrowdStrike, which "prevents an adversary from committing malicious acts" on computer systems. "It can detect and block it." The state is using the product, he said.

Counties that are using it are doing so to varying degrees, Voce-Gardner said, and it can be deployed on some while excluded from other systems. It also can work with existing endpoint protection software and services, such as the Cortex system that Suffolk has deployed through its Palo Alto Networks system. 

"That's one of the reasons we like the product … is that a lot of counties are already using or were using some sort of endpoint protection or continuing to use it,"  Voce-Gardner said. "CrowdStrike can be used concurrently." 

He wouldn't say whether CrowdStrike would have stopped Suffolk's ransomware attack, but noted, "We have faith in the CrowdStrike product … Effectively what it's doing is identifying suspicious behavior and alerting you to it, and going out and quarantining what is causing that suspicious behavior. It stops the suspicious behavior from extending behind where it is currently."

Guilfoyle said in a statement Tuesday evening that "CrowdStrike could not have been utilized in a time frame to have had an impact on the Sept. 8 cyberattack."

Voce-Gardner said at last count 47 counties have CrowdStrike in place, a number that doesn't include the five New York City counties because they already have CrowdStrike through the city.

James Yeager, vice president of public sector at CrowdStrike, did not answer questions about Suffolk's participation in the state's offer, but in a statement said the company's joint Security Operations Center with New York state is "moving forward and smoothly." 

"At present, the vast majority of counties have opted into the program and have started onboarding," he said.

With Scott Eidler

By Mark Harrington

mark.harrington@newsday.comMHarringtonNews

Mark Harrington, a Newsday reporter since 1999, covers energy, wineries, Indian affairs and fisheries.