Connecting state and local government leaders
Last year’s ransomware attack showed “cloud averse” employees in New York’s Suffolk County the benefits of moving away from legacy technology.
The cyberattack that crippled part of Suffolk County, New York’s government has accelerated its shift to modernized, cloud-based technology even amid employee resistance, according to the county’s IT commissioner.
The ransomware attack last year resulted in the leaking of personal information from hundreds of thousands of residents and cost the county millions in recovery. After a forensic investigation in December by Palo Alto Networks’ Unit 42, County Executive Steve Bellone said the county’s existing, decentralized IT system “fails county government and the taxpayers.”
Since then, IT Commissioner Scott Mastellon said Suffolk County has looked to accelerate its migration from legacy technology to the cloud, especially as the older technology was most impacted by the cyberattack while the cloud-based applications were unaffected. But the change hasn’t been easy, he said, as some “cloud averse” employees are uncomfortable with the thought of moving to the cloud and prefer the legacy tech they are used to.
“It's the fear of the unknown, and that's ridiculous,” Mastellon said during the Salesforce World Tour conference this week in Washington, D.C. “It's stupid. But it exists, and it is there, and you need to address it.”
Mastellon said some employees appear to suffer from Stockholm syndrome when it comes to legacy tech and processes, even as they acknowledge the systems’ inherent flaws but are still reluctant to change.
At a press conference last week, Bellone announced that the final forensic investigation of the cyberattack found that cybercriminals accessed the county clerk, health and sheriff’s domains, compromised 139 systems and encrypted 71 with ransomware. The analysis found that criminals exposed a vulnerability with Log4j and were inside county systems for around eight months. Mastellon said during the Salesforce conference that “one particular department” promised a vulnerability “was taken care of,” but it was not.
"The main causes of this cyberattack are clear," Bellone said during the press conference. "It's a failure to address the Log4j vulnerability in the clerk's office, the unprotected IronKey folder on the clerk's network, the clerk's segregated IT structure and them withholding information. Everything else is a distraction from the truth.”
Spokespeople for Palo Alto Networks, which owns Unit 42, referred questions on the forensic report’s contents to the county. Representatives for Suffolk County did not respond to requests for further comment. Criminal investigations into the hack are still ongoing.
The attack prompted calls for Suffolk County to centralize its IT systems and move to more secure, cloud-based systems. Mastellon said the county has since “made significant strides” toward centralizing its IT, especially in security, and will continue “picking off these legacy applications that have been around forever.”
The best way to do that, he said, has simply been to tell agencies with systems that were non-operational due to the hack that they will not be brought back as they were, but will be modernized.
“In the past, folks would say, ‘I'm special, I'm an elected official, I have this, I can do my own thing.’ Now, we're saying, ‘No, that's not the case,’” he said.
The cyberattack has helped some agency heads come around, too. When the county implemented a cloud-based procurement system, Mastellon said he encountered a controller who was determined to stick with an on-prem financial system. The two systems had to integrate, which Mastellon said was a “nightmare.” But after the attack, the controller acknowledged the cloud was a better solution.
“You would be amazed at the conversations I would have” with agency leaders regarding technology and the need to ensure that segregated systems work together, Mastellon said.
But after the ransomware attack and the havoc it wrought, he said, “I had an opportunity to say, ‘I'm sorry, that's not coming back up.’”
NEXT STORY: Not all encryption is created equal