County approves secretive cybersecurity contract

Details scant, but assurances aplenty sensitive data will be protected

A cybersecurity services contract unanimously approved by the Nassau County Legislature’s rules committee on Dec. 5 has raised the eyebrows of an open government expert since this approval came in secret.

Yet such discretion is necessary, county officials said, since they believe not giving away the game plan is the best way to protect sensitive data from hackers.

At issue is a contract for Nassau County’s massive computer network. But it’s not just how the vendor will operate that remains cloaked, but also how much it will cost — and who the vendor is. All of this, according to the expert, is standard information courts have ruled the public has a right to.

The crippling malware attack on Suffolk County’s network on Sept. 8 sent shockwaves through government offices nationwide charged with protecting computer systems. Nassau officials immediately urged the legislature to act, which is exactly what its rules committee did a few months later.

A full vote of the legislature is not required under county law for contracts.

But why a secret? It’s simple, rules committee vice chair Howard Kopel said: ransomware.

“The vendor suggested (secrecy) would be a very important thing,” the legislator said. “We don’t want the crooks to know who (the vendor is) and what their methods of operation are.”

Ransomware is when someone remotely locks up a computer network or servers, releasing them only after the owners of those networks pay a monetary ransom.

Yet is computer security enough to keep the details of a taxpayer-funded project secret? Shoshanah Bewlay, executive director of the state’s Committee on Open Government, does not think so. If the contract has been finalized and signed, Bewlay said, there is no reason not to disclose who the vendor is and how much taxpayer money is being paid.

“I can’t imagine what FOIL exemption would apply to permit the county to withhold the name of the vendor and value of the contract,” Bewlay said, referring to the Freedom of Information Law. “‘Cybersecurity’ isn’t on the list of exemptions to FOIL disclosure. But critical infrastructure is.”

Kopel said legislators were advised by Nassau County Executive Bruce Blakeman’s staff it could be against the law to provide more details about the contract.

They “told us not only is it unwise to release this information, but it’s potentially improper — potentially even illegal,” Kopel said. “We questioned the administration very closely for well over an hour, which is very unusual for a contract. We did vet this as closely as we could. We’re satisfied they did follow procedures properly.”

Blakeman spokesman Christopher Boyle defended the secrecy.

“This contract pertains to the cybersecurity of the county, and has been vetted by a committee composed of representatives from the office of the inspector general, county attorney, district attorney and police department to ensure its effectiveness and integrity,” Boyle said in an email statement. “No further information will be given out due to obvious security concerns.”

Public scrutiny of government contracts is a vital part of maintaining open government, Bewlay said. With the Nassau cybersecurity contract, the public does not know who the vendor is or how much they are being paid, or if the vendor is reputable or insured. Contract negotiations and trade secrets are protected from disclosure. However, once a municipality signs a contract, the details become publicly available.

Governments have a right to keep private proprietary information, Bewlay added, including methodology and pricing schedules. At the same time, the public has the right to basic contractual information that doesn’t pose a risk.

“Nobody wants hackers to compromise anybody’s systems,” she said. “But again, it is difficult to imagine how disclosing the name of a vendor — and the value of the contract for the vendor’s services — reveals the county’s critical infrastructure information such that it would be exempt from FOIL disclosure.”

Kopel agreed government needs better defenses against hackers, but also believes the public should trust that the county is taking steps to protect the computer systems, even at the expense of details.

“What the public should know is that this is a huge problem,” Kopel said. “It is an ongoing, ever-present problem. Crooks will typically look for the easiest opportunity, the fastest buck.

“If we make it really, really hard, maybe they will go somewhere else.”