Legislator Anthony A. Piccirillo, of District 8, during a Suffolk County legislative budget hearing, held at the William H. Rogers Legislature Building, in Hauppauge, Wednesday, Oct. 26, 2022. Credit: Newsday/Steve Pfost

The 2018 Suffolk law that required annual assessments of the county’s cyber-risk exposure is coming into sharper focus in the aftermath of the Sept. 8 ransomware event, as late and missing reports have become the norm and questions linger about the county’s preparedness.

On Monday, two Suffolk legislators who are part of a newly established committee to investigate the cyberattack told Newsday they planned to get to the bottom of the scarcity of the reports, and one said he’d introduce legislation to hold the county administration’s feet to the fire.

“We’ll subpoena all documents related to any report that was to be given to the legislature,” said Legis. Anthony Piccirillo (R-Holtsville), chair of the committee, who added that he expects cooperation without a subpoena. “If we have to file further legislation” to assure the mandate to file reports is followed, he said, “we will.”

Legis. Sarah Anker (D-Mt. Sinai), the law’s author, said the committee will “get to the bottom” of why so many reports are missing. “I’ve demanded it every year,” she added. Newsday received a 12-page confidential report last month through a Freedom of Information Law request.

Suffolk has completed only one report since the law was passed in 2018, and the only legislative action to address the lateness was an amendment to push back the completion dates for the annual reports from March 1 to Sept. 1. A draft of a second, 2022 report reportedly was circulating when a ransomware event crippled the county’s computer systems Sept. 8, according to Anker. Piccirillo said he only received a copy of the 2020 report this week, and hasn’t seen the 2022 draft.

Suffolk County spokeswoman Marykate Guilfoyle said the COVID pandemic is partly to blame for the tardy reports. After the first was produced in 2020, she noted, “Suffolk County was confronting a global pandemic and all county resources, including [information technology], were prioritized for the crisis at hand.”

The 2018 resolution requiring the annual assessment noted ominously: “Cyberattacks are a very real and significant threat which have the potential to undermine and paralyze governments at all levels.”

Many Suffolk systems and services remain hobbled by the cyberattack nearly two months later, and little has been said about the attack’s origins or the steps taken to restore services.

While the 2020 report recommended hiring a high-level chief information security officer, the existing, lower-level role of coordinator has remained, and the person who filled the role, Brian Bartholomew, ultimately transitioned to a consultant, Suffolk confirmed.

Guilfoyle noted Bartholomew retired from the full-time job in May, 2021 after 13 years with Suffolk. He was retained as a consultant after his retirement, she said, because, “At the time there was no Civil Service list from which to hire a new employee.”

By January, she said, Suffolk was already planning to appoint a chief security officer for 2023. Bartholomew didn’t respond to requests for comment.

Guilfoyle said the 2020 report was informed by a confidential October 2019 “After Action Report” by consulting firm RedLand Strategies, which had conducted a cyber-checkup and cybersecurity tabletop exercise for Suffolk in 2019.

Ken Varrone, chief product officer of Sourcepass, a cybersecurity and technology consulting company based in New York City, said such assessments are vital to keep pace with tech changes. He found Suffolk’s risk assessment report lacking.

“This isn’t a very comprehensive document. There’s a lot to be desired,” he said.

Varrone said the review of policies and protocols was limited in the report. That could be because the county had few policies and protocols to review, he said.

Guilfoyle noted the 2018 resolution calls for the report to “outline the county’s current cybersecurity policies and protocols, and [note] any changes that have been made in the preceding year.”
