The recent ransomware attack against the Suffolk County government has raised important questions about the relationship between citizens, governments and technologies.
A confirmed ransomware event took place in early September. The hack crippled the county’s information technology infrastructure, and recovery efforts remain ongoing.
In the wake of these events, the hack prompted critics to question the digitization of sensitive information and how governments can better secure their IT networks.
What is ransomware?
Nick Nikiforakis is an associate professor in the Department of Computer Science at Stony Brook University. His research focuses on web security and privacy. In an interview, he described how ransomware works.
“Ransomware is, effectively, malicious software that infiltrates a machine, starts encrypting all sorts of private documents, spreadsheets, anything that is of value, and then leaks out to the attacker the encryption key and potentially the data that was encrypted,” he said.
Some forms of ransomware affect only a single machine, according to Nikiforakis. Other strains may spread into several devices, potentially infecting an entire network.
Ransomware is the confirmed vector of attack for Suffolk County. However, how hackers first entered the county’s system is unknown to the public.
While the details of the county hack are scanty, Nikiforakis said cyberattackers commonly use emails with malicious attachments. In other instances, they can locate vulnerable software within a network, exploit that weakness and breach that system. Once hackers gain access to the system, they hold sensitive information for ransom.
“The original idea behind ransomware is that if you don’t pay the attacker the money that they ask, then you lose access to your data,” Nikiforakis said.
Backup software was developed, in part, to mitigate this concern. Regardless, as technologies have evolved, so has cybercrime.
“Even if you have the ability to restore your data from backups, now you have to deal with the attacker having access to your data and threatening you with making that data public, which is what’s happening in this case,” Nikiforakis said.
Based on the information available, Nikiforakis said the attackers likely gained access to speeding tickets and various titles, among other sensitive materials. “This is definitely a cause for concern, and that is why, in certain cases, people decide to pay, to avoid this blowback that will come from the data being made publicly available.”
A question of payment
Ransomware raises an ethical dilemma for government officials, namely whether to use public funds to pay a ransom.
“People can take a philosophical approach and say, ‘We don’t negotiate with terrorists,’ and I understand that,” Nikiforakis said, “But then the rational thing for the attacker to do is to make that data available to the public. Because if he doesn’t, then the next victim will also not pay him.”
The profitability of the ransomware operation depends upon the victim trusting that the criminals will comply with the conditions of the transaction. The ransomware business model would fail if cyberattackers generally went against their word.
For this reason, Nikiforakis said payment and compliance could sometimes be in the interests of both parties.
“I think it’s a very rational decision to say, ‘Let’s pay and accept this as a financial loss and let’s make sure that this doesn’t happen again,’” he said.
In Suffolk County, however, putting this theoretical framework into action is more complicated. Responsibility for paying ransomware payments would be vested in the Office of the Comptroller, which oversees the county’s finances.
During an election interview last month with county Comptroller John Kennedy Jr. (R), he hinted that compromising with cybercriminals is off the table.
“There is no predicate in the charter, in the New York State County Law, in the Suffolk County code, to take taxpayer money and give it to a criminal,” he said.
‘Technology is moving so quickly that it is incredibly challenging for government to keep up.’
— Sarah Anker
The effect on the county’s government operations
The ransomware attack has also aggravated concerns over securing the county’s IT apparatus. Kennedy likened the problem to a fire code, saying fire codes often include provisions for masonry walls and other buffers that reduce the spread of a fire.
“If a fire starts, it doesn’t take down the whole complex. It stops at the masonry wall,” he said. “Our system was not configured with those hard breaks, other than some separation of function out in Riverhead in the County Clerk’s Office.”
Suffolk County Legislator Sarah Anker (D-Mount Sinai), whose office was attacked by ransomware in 2017, has advocated for serious IT reform for some time. She followed the county’s technology closely and expressed frustration over how the initial attack occurred.
“I could tell, and I could feel, that there needed to be more done,” she said. “It has hampered the government, it has affected our constituents. Maybe it could have been worse, but it should have never happened.”
Suffolk County Sheriff Errol Toulon Jr. (D) explained his office’s many challenges since the hack. Though communications systems are slowly returning online, the initial attack disrupted both external and internal communications within the Sheriff’s Office.
“From a jail and police perspective, it really hindered us in the beginning,” he said. “Emails that we received from other law enforcement agencies or any communication with our community was stopped for a significant amount of time.”
New York State’s Division of Homeland Security and Emergency assisted the Sheriff’s Office as Toulon’s staff worked without an operational communication network. Because of this coordination, Toulon maintained that the functions of the jails were more or less appropriately executed.
“We wanted to make sure that any individual that was supposed to be released from our custody was released on time,” the county sheriff said. “No one was incarcerated longer than they had to be.”
Preparing for the future
Toulon suggested the existing IT network is too centralized and interconnected. To prevent future failure of the entire network, he proposed creating separate silos for each department.
“I feel that the District Attorney’s Office, the Sheriff’s Office, the [County] Clerk’s Office and the Comptroller’s Office should be totally separate from the County Executive’s Office,” Toulon said, “So if, god forbid, this were to happen again in the future, we wouldn’t be directly impacted like everyone else.”
Anker said she and a newly formed panel of county legislators are beginning to explore ways to harden the network and apply strategies that work elsewhere.
“As we move forward, we need to see what the other municipalities and corporations are doing,” she said. “What types of programs and software do they have that prevent these attacks?”
The rate of software development, according to Anker, is outpacing the ability of governments to respond effectively. While IT departments must remain ahead of the cybercriminals to keep their digital infrastructure safe, staying out front is easier said than done.
“Technology is moving so quickly that it is incredibly challenging for government to keep up,” she said. “I would like to see more accountability in all respects and from everyone as we move forward with new technology.”
While the recent cyberattack focuses on the government, Anker believes ordinary citizens are also at risk from hostile online actors. The county legislator contended more work should be done to alert community members of these dangers.
“Not enough is being done regarding community outreach,” she said. “There needs to be more education on preventing an attack even on your home computer.”
Nikiforakis proposed that greater attention be given to digitizing personal records. According to him, those records in the wrong hands could unleash great harm.
“Ransomware was a big game-changer for attackers because it allows them to monetize data that would not be traditionally monetizable,” he said. “Through ransomware, suddenly everything that is of value can be monetized.”
The SBU associate professor supports software upgrades, cybersecurity protocols and other measures that protect against ransomware. But, he said, a broader conversation needs to take place about the nature of digitization and whether individuals and governments should store sensitive files online.
“More and more things that didn’t used to be online are suddenly available online,” he said. “We have to reassess the eagerness with which we put everything online and see whether the convenience that we get out of these systems being online is a good return on investment, given the risks.”