Lawmakers not budging on cybersecurity contract

Efforts to get even the most basic details of a taxpayer-funded contract intended to protect the computer networks inside the Nassau County government remain hidden after officials in Mineola denied a request to see it.

Members of the Nassau County Legislature’s rules committee unanimously approved the contract earlier this month, but did not disclose the name of the company providing the services, or how much such a contract would cost taxpayers.

The Herald submitted a request through New York’s Freedom of Information Law, only to be denied a few days later claiming that information — including the name of the vendor, and how much they were being paid — was released, it would “jeopardize the security of technology assets.”

The Herald is appealing that decision.

Shoshanah Bewlay, executive director of the state’s Committee on Open Government — intended to serve as a watchdog on government transparency — agreed that specific details of the contract, if made public, could provide hackers with key information to mount a cyberattack. However, broad details of the agreement don’t enjoy that level of shielding, and should be made available to the public under state law.

“While a portion of the contract may be exempt from disclosure for one or more statutory reasons, in my opinion, certain portions of the record should be made available,” said Bewlay, who can only operate in an advisory capacity, and cannot force Nassau County to comply.

As for the county’s justification for keeping all contract details secret? Bewlay disagrees.

“To the extent that the county is withholding the record in its entirety in reliance on the ‘critical infrastructure’ FOIL exemption,” Bewlay said, “it is difficult to imagine how that exemption could apply to protect, for example, the name of the vendor, the cost of the contract, or the basic contract terms and conditions.”

Experts lauded the county’s efforts to bolster cybersecurity, particularly in the wake of the crippling attack on Suffolk County last September that is costing officials there millions to fix.

Maintaining a level of secrecy about cybersecurity is an obvious and important part of keeping a network protected. But it’s not absolute.

“I’m OK with not knowing right away, as long as a roadmap for accountability exists,” said Kees Leune, chief information security officer and associate professor at Adelphi University.

“A year from now, I would want to know how this money was spent, what it was spent on, and why it was spent. I’m OK with giving them that much runway to get their system in order.”

The total cost of the contract might possibly expose the county to risk, Leune said, but the name of the company providing cybersecurity most likely wouldn’t.

“The amount of money involved could be at least an indirect indicator of where the” network security deficiencies are, he added. A savvy cyber-criminal could make assumptions based on the amount of the contract, and exploit that information.

“If it’s a relatively low amount of money, it’s most likely a consulting contract and not for infrastructure upgrades,” Leune said. “Someone familiar with the field will probably derive what technology is needed for upgrading. It gives a somewhat indirect indication of what might be wrong.”

Leune praised Nassau’s efforts to improve cybersecurity, saying that municipalities are especially at risk because of their fragmented nature. Local governments, he added, don’t necessarily share cybersecurity specialists or methods, which means each village, town and county must build its own security system.

“It’s good that the county is aware that cybersecurity needs to be addressed,” Leune said.

Cybercriminals will often look for weak defenses and not necessarily the value of information maintained on any particular network. Government agencies are attractive targets, Leune said, not because of the data, but rather because of weaker defenses compared to private businesses.

“What makes them a target is their lack of readiness,” he said. “The reality is that they are too easy to attack, and politicians in particular are very sensitive to headlines.”

Cyberattacks, in general, are crimes of opportunity.

“It’s not, ‘Let’s go target Nassau,’” Leune said. “Criminal groups will go after the softest targets first. Like any other criminal, they go for the easiest and softest targets.”

Because there is little to no coordination between local governments when it comes to cybersecurity, hackers are able to probe until they find networks with weaker defenses.

“Every school district is pretty much on its own,” Leune said. “There is no such thing as an overarching provider for schools and governments.”

Federal agencies, however, are protected by the Cybersecurity and Infrastructure Agency, which provides what Leune says is “probably the best guidance anywhere in the world.”

That’s little assurance, however, to local governments — even one as large as Nassau County. Because of that, Leune said, agencies must follow four basic tenets of cybersecurity: prevention, detection, response and recovery.

“No organization is invulnerable to cyberattacks,” he said. “The assumption should always be that you are being attacked, and maybe you are being attacked right now.”