Suffolk County's central financial management system lacked a “definitive written plan for recovery” from the Sept. 8 ransomware attack, according to a confidential assessment by a county contractor obtained by Newsday.
The memo also said the county faces broader conflicts of interest over security decisions because there are “no dedicated security professionals with the appropriate level of responsibility and accountability.”
Among the "high-level risk considerations" mentioned in the four-page memo by computer software and services firm CGI, which provides the county's core financial management software for the comptroller's office, is that there was "no guarantee" as of early October that cybercriminals or other hackers had been "completely identified or eradicated" and that the county's "prior vulnerability management processes may not have been well articulated or evident."
The findings and recommendations followed CGI meetings with staff and officials at Suffolk County and the comptroller's office in early October. The report came as Suffolk was still working on a forensic audit and investigation into its computer servers following the attack, which shut down computer services across a broad swath of county departments.
What to Know
- Suffolk County's financial management system lacked a “definitive written plan for recovery” in advance of the Sept. 8 ransomware attack, according to a confidential memo from a county contractor.
- The county has “no dedicated security professionals with the appropriate level of responsibility and accountability,” the memo says.
- It also noted that shifting the county's financial management system to a “cloud-based” one “could reduce the risk of potential reattack.”
Last Wednesday, for example, the county announced that certain personal information tied to 470,000 moving violations dating as far back as 2013 in Suffolk's Traffic and Parking Violation Agency may have been compromised. The county is offering free ID-theft protection to those who may be impacted, at www.suffolkcounty.kroll.com.
The memo provides a rare window into the county's work to recover a portion of the network relating to vendor payments at a time when some have criticized the administration for providing little information about the attack and its impacts.
CGI spokespersons didn't immediately respond to a request for comment on the memo.
Marykate Guilfoyle, a spokeswoman for Suffolk County, noted that CGI is a county vendor "utilized by the comptroller's office" and that the firm is "not performing any type of forensic assessment regarding the county's preparedness or response to the cyberattack."
She acknowledged county technology staff met with CGI officials on Oct. 4 to discuss efforts to "quickly restore" the county's financial management system, which has been returned to operation. Chief Deputy County Executive Lisa Black said she was among those who met with CGI, but noted the meeting "focused specifically on financial management" system issues.
Suffolk Comptroller John Kennedy on Monday noted it was the county IT department that "hosted my software on their servers" and that it's the county's obligation to secure and protect them.
"My scope of supervision is limited," said Kennedy. Suffolk's IT department "hosted my software on their servers, and in fact refused to give me my own server."
But Black disagreed, saying the comptroller’s office staff “are the ones responsible for controlling their own security and data management.”
The findings come as Kennedy has been advocating for transitioning the financial management system to an online "cloud-based" system after it was hobbled following the cyberattack. Both the prior and cloud-based systems are offered by CGI. The financial program automates hundreds of millions of dollars in payments to many thousands of county vendors.
CGI wrote that shifting to the cloud "could reduce the risk of potential reattack and re-emergence" of the ransomware, while allowing Suffolk’s technology staff to “focus on other vital priorities.” CGI noted other Suffolk departments already have transitioned to the cloud.
Guilfoyle said the county is "currently reviewing" such a shift, but said, "before we migrate a fully functional, cleared and secure system to the cloud, we must first restore all outstanding critical systems."
CGI noted Suffolk had already implemented some system improvements by early October, including identity access management, also known as two-factor authentication, but said Suffolk’s “prior vulnerability management processes may not have been well articulated or evident.”
CGI’s memo makes several recommendations for having written plans for staff to follow.
“There was not a definitive written plan for recovery from ransomware operations,” CGI said, while noting the current plan, using new or rebuilt/repurposed equipment, “seemed somewhat flexible in approach.”
If the county were to move to a cloud-based system temporarily, CGI offered a list of recommendations it might follow before placing the financial management system back “on premises” at Suffolk.
Top among them is to appoint a chief information security officer, a person who would be “responsible and accountable to the county for the entire county IT program." As Newsday reported, the county’s IT coordinator retired in 2021 and has since been performing that role as a “coordinator,” even after moving to Florida earlier this year. The Bellone administration plans to hire a security chief in its 2023 budget.
Noted CGI: “There is a possibility for conflicts of interest in decision-making regarding security matters, given that there are no dedicated security professionals with the appropriate level of responsibility and accountability within the organization."
CGI also advised Suffolk to establish a codified Cyber Security Program based on the National Institute of Standards and Technology. The program would contain written policies, procedures and standards that are updated and reviewed annually at a minimum.
And the memo advises the county to consider establishment of a “strong security governance, risk and compliance program,” one that would be presented to county leadership every three months.
As Newsday has previously reported, a 2018 Suffolk law required the county to conduct annual assessments of the county’s cyber risk exposure. Since then, only one such report has been completed.