Suffolk County, N.Y., Hack Shows Ransomware Threat to Municipalities

Lisa Black,

chief deputy county executive for Suffolk County, N.Y., received a call in early September that government leaders and company executives dread: A suspected attack of tech systems was under way. 

Immediately after the midday call on Sept. 8, county workers began to isolate financial databases and disconnect the network from the internet to prevent the spread of what would later be discovered as ransomware. That evening, Ms. Black gathered department heads and commissioners to announce a new challenge.

“I need you to pivot to, basically, 1990,” she told the assembled staff. 

Offices that had become comfortable with working digitally during the Covid-19 pandemic had to revert to pen and paper. Email wouldn’t be available. Court proceedings, waste collection and other vital infrastructure services needed to be delivered to the county’s 1.5 million people—the state’s largest county by population outside of New York City’s five boroughs—but without internet access. 

The hack in Suffolk County is no isolated incident. 

More than 3,400 state, local, tribal and territorial governments in the U.S. suffered ransomware attacks between 2017 and 2021, according to data from the Multi-State Information Sharing and Analysis Center, a threat intelligence group for municipalities. This year, high-profile attacks against local authorities included a strike on the Los Angeles Unified School District shortly before the start of the academic year; an attack on Bernalillo County, N.M., in January that forced office closures; and a similar incident in Fremont County, Colo., in August.

Municipal hacks are expensive, often forcing technology upgrades that had…