Cowlitz County IT reports widespread suspicious network activity; commissioners authorize up to $150,000 for CrowdStrike incident response
Summary
Cowlitz County IT director reported tens of thousands of suspicious network flows and recommended contracting an incident‑response vendor. After discussing options and procurement constraints, the Board of Commissioners approved authorizing IT to contract with CrowdStrike up to $150,000 to investigate and contain the activity.
Cowlitz County IT Director Travis Suschini told the Board of Commissioners that the county has seen a sharp increase in suspicious network traffic over the past two months and a dramatic spike last Friday "where there were tens of thousands of network flows" to internet destinations with known bad reputations.
Suschini said the activity became more frequent and widespread, coming from dozens to potentially hundreds of internal hosts, and that investigators see signs consistent with lateral movement and command‑and‑control behavior: "we see evidence of information coming from more than 100 addresses on the network." He said the county has increased monitoring and endpoint protections and consulted the Center for Internet Security and MS‑ISAC but still lacks the comprehensive forensic tools to determine the full scope.
Why it matters: elected officials must decide whether to pay for outside incident response immediately or follow a longer procurement process. Suschini said CrowdStrike and other vendors were evaluated; CrowdStrike is a preferred vendor through the county's risk pool, but its proposal exceeded the county's usual threshold for single‑vendor procurement.
Prosecutor's Office staffer Jason Loreen told the board that IT had consulted the county risk pool and presented CrowdStrike because that vendor matched the county's needs and risk‑pool recommendations. Loreen said the county must record the IT director's evaluation and the specific need on the public record because the contract price requires board approval.
After discussion about procurement timing and the need for incident response, a commissioner moved to authorize Travis Suschini to engage CrowdStrike and work with the vendor up to $150,000. The board voted in favor and authorized the IT director to proceed. No roll‑call vote tally attributing individual commissioners' votes was recorded in the public transcript.
The county stated it has taken immediate containment steps, installed additional endpoint protections, and is pursuing forensic support. Officials advised the board that MS‑ISAC had curtailed detailed alerts because of the high volume of events and that an outside incident‑response engagement would provide forensics, containment, and remediation that county staff cannot fully perform with existing tools.
Board members asked for updates as the work proceeds. Suschini said he would provide status reports on request and that the county was balancing speed against procurement requirements when selecting a vendor.

