Lawmakers hold back on cybersecurity deal | Herald Community Newspapers | Daily News Byte


Efforts to obtain even the most basic details of a taxpayer-funded contract designed to protect computer networks within Nassau County government remain under wraps after officials in Mineola declined a request to see it.

Members of the Nassau County Board of Rules unanimously approved the contract earlier this month, but did not disclose the name of the company providing the services or how much such a contract would cost taxpayers.

The Herald filed a request through New York’s Freedom of Information Act, only to be denied a few days later, with officials arguing that releasing the information — including the seller’s name and how much they were paid — would “compromise the security of the technology.”

The Herald is appealing that decision.

Shoshana Bevlai, executive director of the state’s Open Government Committee — which is intended to serve as a government transparency watchdog — agreed that specific details of the contract, if made public, could provide hackers with key information to mount a cyber attack. However, the broad details of the agreement do not enjoy that level of protection and should be made available to the public in accordance with state law.

“Although part of the contract may be exempt from disclosure for one or more legal reasons, in my opinion, certain parts of the records should be available,” said Bevlai, who can only serve in an advisory capacity and cannot compel Nassau County to adhere to it.

As for the county’s justification for keeping all contract details secret? Bevlai disagrees.

“To the extent that the district retains records entirely in reliance on FOIL’s ‘critical infrastructure’ exemption,” Bevlai said, “it is difficult to imagine how that exemption could be applied to protect, for example, vendor names, contract price or the basic terms of the contract.”

Experts praised the county’s efforts to strengthen cybersecurity, especially after a damaging attack in Suffolk County last September that cost officials there millions to fix.

Maintaining a level of cybersecurity-related secrecy is an obvious and important part of network protection. But it is not absolute.

“I’m fine with not knowing right away, as long as there’s a roadmap for accountability,” said Kees Leune, chief information security officer and associate professor at Adelphi University.

“In a year, I would like to know how this money was spent, what it was spent on and why it was spent. I’m fine with giving them that much runway to get their system in order.”

The total cost of the contract could put the district at risk, Leune said, but the name of the company providing the cybersecurity most likely would not.

“The amount of money involved could be at least an indirect indicator of where the network security gaps are,” he added. A smart cybercriminal could make assumptions based on contract amounts and exploit that information.

“If it’s a relatively small amount of money, it’s most likely a consulting contract, not an infrastructure upgrade,” Leune said. “Someone familiar with the field will likely deduce what technology is required for the upgrade. It gives a somewhat indirect indication of what might be wrong.”

Leune praised Nassau’s efforts to improve cybersecurity, saying municipalities are particularly vulnerable because of their fragmented nature. Local governments, he added, don’t necessarily share cybersecurity experts or methods, meaning each village, town and county must build its own security system.

“It’s good that the district is aware that cybersecurity needs to be addressed,” Leune said.

Cybercriminals will often look for weak defenses and not necessarily the value of information maintained on any particular network. Government agencies are attractive targets, Leune said, not because of the data, but because of weaker defenses compared to private businesses.

“What makes them a target is their lack of preparation,” he said. “The reality is that they are too easy to attack, and politicians in particular are very sensitive to headlines.”

Cyber attacks are generally crimes of opportunity.

“It’s not ‘Let’s target Nassau,’” Leune said. “Criminal groups will go after the softest targets first. Like any other criminal, they go for the easiest and softest targets.”

Because there is little or no coordination between local governments when it comes to cybersecurity, hackers are able to probe until they find networks with weaker defenses.

“Each school district is pretty much on its own,” Leune said. “There is no such thing as a one-stop provider for schools and governments.”

Federal agencies, however, are protected by the Cybersecurity and Infrastructure Agency, which provides what Leune says is “probably the best guidance anywhere in the world.”

But that’s little assurance for local governments — even one as large as Nassau County. That’s why, Leune said, agencies must follow four basic principles of cybersecurity: prevention, detection, response and recovery.

“No organization is invulnerable to cyber attacks,” he said. “You should always assume you are under attack, and you may be under attack right now.”

