A bipartisan report from a Suffolk County legislature committee says a "failure of leadership" led to the 2022 cyberattack. Newsday reporter Mark Harrington and NewsdayTV's Jasmine Anderson discuss what's next for the county. Credit: Newsday

A "failure of leadership" to fortify computer networks and plan for the Sept. 8, 2022, ransomware attack magnified the impact of one of the nation’s longest and most costly cyber intrusions, according to a long-awaited report by a special committee of the Suffolk County Legislature.

The bipartisan report, nearly two years in the making, catalogs a long list of technological deficiencies, ignored warnings and missed opportunities to detect and correct myriad problems, including an FBI alert directed to the county while the attack was underway.

The attack shut down Suffolk County's main website for more than five months; exposed the personal information of about 500,000 people, including 470,000 drivers and 26,000 Suffolk employees and retirees; shut down county email and phone systems; and affected county 911, payment and traffic-agency systems. 

"In 2022, Suffolk County’s cybersecurity system was not sufficiently robust to detect the presence of cybercriminals in, and their movement across, different domains within the overall Suffolk County environment," the 66-page report concludes. "Many of the existing vulnerabilities were made known to county information technology leadership" in warnings delivered years and months before the attack. But "substandard security practices likely made it easier for the perpetrators to move within and gain access to data within Suffolk’s various IT systems," the report said.

WHAT TO KNOW

  • A "failure of leadership" to fortify computer networks before the Sept. 8, 2022, ransomware attack magnified its impacts, according to a Suffolk legislative report.
  • The bipartisan report catalogs a long list of technological deficiencies, ignored warnings and missed opportunities to detect and correct myriad problems.
  • The attack shut down Suffolk County's main website for more than five months, shut down county email and phone systems and affected 911, payment and traffic-agency systems. 

Among key findings in the report, set for release Monday, county government and its Department of Information Technology under former County Executive Steve Bellone failed to develop a cyberattack response and recovery plan prior to the attack to help facilitate a smooth recovery, despite several recommendations to do so; allowed the use of outdated firewalls and operating systems and a "patchwork" of endpoint security measures; failed to hire a cybersecurity chief; and failed to coordinate among the county’s myriad information technology teams.

Bellone didn't immediately respond to a request for comment.

"Pass-through" helped facilitate attack

The report also highlighted the existence of a "pass-through" in the security firewall for data traffic in the county clerk’s office as helping facilitate the attack, concluding that despite charges and countercharges by the administration and the clerk’s office over who was at fault, the county should have denied any request for a pass-through and closed the "significant vulnerability."

The report notes that the Bellone administration's response to the attack continued "for well over a year," with states of emergency extending into December 2023 and a cost estimated at $16 million to $25 million, longer and more expensive than any previously reported in the nation, Newsday has reported.

The legislative report, conducted by former Deputy U.S. Attorney General Richard P. Donoghue and based on more than 35,000 documents and more than 20 public interviews, followed the special committee’s formation in October 2022.

The report gives considerable emphasis to a February 2022 report by security firm CyberDefenses, which cataloged "scores of serious deficiencies" in Suffolk’s cybersecurity posture just six months before the attack, rating nearly every county network domain at "the highest possible risk level."

CyberDefenses found "unsanctioned internet connections" that pose risks "to the entire county," ineffective firewall rules that "will not provide an effective barrier or limit threat actors," obsolete and unpatched operating systems and applications, and 42 instances of equipment from a prohibited foreign vendor on the county network.

Among other recommendations from that assessment: The county "needs a chief information security officer," yet the Bellone administration didn’t hire one until March 2023, five months after the attack. That officer, Kenneth Brancik, was released earlier this year and hasn’t been replaced.

Dire assessments not shared

Despite the critical findings in the CyberDefenses report, the county’s then-top-ranking information technology official, Scott Mastellon, never shared the dire assessments with county leaders in the legislature or his superiors, with the exception of a single deputy county executive he was "unable" to name, the report said.

At a county legislative session on government operations days after he received the critical report, Mastellon told lawmakers the county had "significant safeguards in place that has [sic] positioned us well against any potential attack," according to the report.

In addition to outdated firewalls, the investigation found Suffolk’s endpoint detection software — to protect individual desktops — to be a "patchwork of different products, some of which were no longer updated or even supported …"

Implementation of Palo Alto firewalls and other products followed the 2019 cybersecurity checkup by consulting firm RedLand Strategies and Palo Alto and took months and "numerous attempts" to complete, the report found. At times, alerts from the endpoint system, known as Cortex, were so abundant — suggesting high intrusion levels — that county tech employees rerouted them to spam folders to stop clogging their inboxes.

The investigation looked into conflicting claims by the county executive’s office and the clerk's office IT director, Peter Schlussler, about what led to the creation of a pass-through in the clerk’s office firewall that allowed unfiltered traffic into the network. Even if requests for a pass-through by the clerk’s office were made, as Bellone officials maintained and Schlussler denied, the report noted they "should have been elevated to the highest levels of county government and denied."

"No matter who requested the ‘pass-through,’ its implementation posed a significant security risk to the entire county, and it likely allowed malware to enter the clerk’s office undetected," the report said.

But the report also cited requests by Schlussler and his boss, former Clerk Judy Pascale, for beefed-up security well in advance of the attack, including one for a hardware firewall that was denied by a county IT steering committee. The clerk’s office ultimately agreed to use a less-costly "virtual" firewall recommended by the county in spring 2022, but it wasn’t put in place until after the attack.

The report takes note of a 2022 draft report prepared by Suffolk’s IT department but never delivered to the legislature that claimed the county had taken "extraordinary steps" to address a computer vulnerability known as Log4j across its computer environment at that time. That assessment seems to have been made while that very vulnerability was being exploited by cybercriminals, the report stated, noting that "instances of un-remediated Log4j files were still being found across the County after the September 2022 ransomware attack."

As the report was being finalized, the legislative committee noted that a concurrent investigation by Suffolk District Attorney Ray Tierney’s office into allegations of improperly deleted data by members of the Bellone administration is ongoing, and that "witnesses" who testified to the legislature "may be implicated." The report also points out that former Chief Deputy County Executive Lisa Black "refused to answer most questions" concerning her knowledge of possible data destruction.

The committee "recognizes that it is possible that relevant evidence was deleted and not provided to this committee," the report said. "If so, the denial of such evidence may have impacted the conclusions and recommendations of this investigation."
