The Sept. 8 cyberattack that forced Suffolk County to take down its entire computer system continues, with numerous functions still inoperable, including the website of the county Board of Elections. Restoring the system, or rather, the several interconnected, separate systems, to full function has been a delicate, difficult process.
But even as the emergency continues, questions are mounting about the county’s preparations against such attacks. Alarms are being raised about the extent to which Suffolk followed its own rules and consultants’ recommendations on cybersecurity, the financial relationships between those consultants, the county and each other, and how money the county budgeted for cybersecurity was spent.
And residents, worried that their data may have been snatched by criminals and furious that they cannot use county computer systems to perform basic functions like paying tickets, along with vendors who aren’t getting paid, will want, and deserve, detailed answers. What we have for now are questions that must be addressed:
- Why have Suffolk’s officials not combined the five separate computer systems they oversee, which have significant interconnection between them, into one system secured by one security apparatus?
- Why did the county regularly fail to perform an annual security analysis, and issue a report on it, as required by a 2018 county law?
- Why did the county fail to follow the recommendations in the report that was completed in 2020, including that it hire a chief information security officer with authority over all the departments that have their own technology units across county government, tasked with unifying and overseeing all security-related activity?
- Was such a hire required for purchasing insurance against cyberattack?
- Were Suffolk officials alerted to suspicious computer activity in June, and if so, what steps were taken to contain it?
- How did the county spend the $4 million budgeted for cybersecurity this year?
- Do the complex financial connections between two county vendors, former State Sen. Michael Balboni’s RedLand Strategies, which does both lobbying and consulting, and Palo Alto Networks, serve the county properly? RedLand has been paid $2,000 per month by Palo Alto since November 2017. Balboni has both consulted for the county on cybersecurity and worked with Palo Alto, with the two sharing a 2019 $55,000 contract to do a “cyber checkup” to root out security issues. Palo Alto is now the county’s primary vendor of firewalls and related services against cyber intruders.
- Should previous involvement in Suffolk’s cybersecurity, which has failed, disqualify RedLand and Palo Alto from county contracts to recover from the attack?
So far we're left with little information and few answers. The county says secrecy is still needed to help stymie further attacks. The vendors are still operating under nondisclosure agreements.
But once the emergency passes, there is going to be a lot of explaining to do.
MEMBERS OF THE EDITORIAL BOARD are experienced journalists who offer reasoned opinions, based on facts, to encourage informed debate about the issues facing our community.