It was like having security cameras in every room of a house but one. That’s how Suffolk County Executive Steve Bellone described to reporters the decentralized, hodgepodge security infrastructure of the county’s computer network, which more than 10,000 government employees, in dozens of departments, depended on.
It was a single unguarded entryway that let hackers in last September, essentially shutting down all operations and reportedly costing Suffolk millions of dollars.
Such an intrusion is enough to scare any business or government entity into fortifying defenses. But is there such a thing as being too scared?
In the days following Suffolk’s revelation that it had been hacked, Bellone’s counterpart, Nassau County Executive Bruce Blakeman, bent over backward to ensure that the same thing won’t happen here. Or at least we think he has, given that the details of those efforts are a closely held secret.
What we do know is that the Legislature has hired a cybersecurity consultant. And that’s about it. Who that consultant is, what they have to offer — and, most important, how much it’s going to cost taxpayers — is information only a very select few know.
Revealing too many details about the new cybersecurity efforts could be troublesome, of course. The more information hackers have, the more likely they can find ways to slip past Nassau’s defenses. Yet county officials refuse to say how revealing simple bits of information — like who the vendor is, and how much they’re charging — would help these cyber menaces. And they aren’t budging.
As well, the Herald learned last week that a closed-doors executive session called by the Legislature produced an emergency cybersecurity declaration — its mere existence classified.
It’s perfectly understandable why county officials are on edge, and they should be commended for acting quickly to build Nassau’s technological defenses. And while many of those details should be kept secret, not all of them should be.
There is a reason why who our government does business with — and at what cost — should be out in the open, for all to see. We bear the financial cost of that business, and have every right to ensure that every dollar is being spent appropriately.
Everything about the county’s contract with this mystery cybersecurity firm could be perfectly fine. And it most likely is. But the taxpayers’ right is absolute assurance, not a preponderance of confidence. We have the right — by law — to make sure the Legislature is doing an arm’s-length deal with the right company for the right price.
How was the firm chosen? How was its compensation negotiated? What is the county getting in return? Even if we can’t have specifics, there’s no reason we can’t be clued in on at least some general aspects.
Shoshanah Bewlay, executive director of the state-funded Committee on Open Government, shared in an advisory opinion last month that details of the contract — like information technology schematics, blueprints, pricing or systems methodologies, and the types of IT monitoring or remediation — can indeed be kept quiet. “However, in our view,” Bewlay added, “it is not clear how the disclosure of other information contained within the contract — such as the name of the selected vendor, or value of the executed contract — would enable a person to adversely impact an agency’s electronic information or IT systems.”
Don’t get us wrong — we honestly believe there is no ill intention on the county’s part to withhold this information. Officials are scared that revealing any of it — even if it’s deemed safe — could upend all their efforts to protect the network. But they have to lift the cloak just enough to let the taxpayers — their true bosses — get a peek to assure themselves that all of this is on the up-and-up.
Nassau County is letting all of its hard work to build these defenses get obscured by this simple request to know who it is working with, and how much they are being paid for that work. That’s basic information that taxpayers shouldn’t even have to ask for.
But they are asking for it, and the county must do the right thing and provide the answers.