Testing finds new vulnerabilities in Suffolk computer networks, officials say
A third-party contractor found new vulnerabilities in Suffolk County’s computer networks after performing a standardized cyber-penetration test in December, according to sources and county officials who say they are working to shore up defenses.
In recent days, Suffolk information technology teams have moved to implement a computer defense system known as CrowdStrike to help close the vulnerabilities and link Suffolk to a state-operated security operations center that monitors vulnerabilities 24/7. The state has offered the defense package for free since the summer of 2022, just months before Suffolk was hit by a crippling ransomware attack.
Toward the end of 2023, the county contracted with an outside consultant to perform what’s referred to as a penetration test of county systems using a national standard known as NIST CSF, the National Institute of Standards and Technology’s Cybersecurity Framework. A Dec. 27 report of the test showed previously unknown vulnerabilities on both user desktops and the networks of county departments, including the district attorney’s office, the sources and officials said.
In an interview on Tuesday, County Executive Ed Romaine, who took office in January, acknowledged the report’s existence but declined to specify its findings, citing security reasons.
WHAT TO KNOW
- A cyber-penetration test in December found new vulnerabilities in Suffolk County’s computer network, according to sources and county officials.
- Suffolk information technology teams have moved to implement a computer defense system known as CrowdStrike to help close the vulnerabilities.
- County Executive Ed Romaine acknowledged the report’s existence but declined to specify its findings, citing security reasons.
“We’re concerned,” said Romaine, who took over from outgoing County Executive Steve Bellone in January. “We don’t think the previous administration addressed this problem in an adequate manner. We’re trying to address it as quickly as we can to prevent any vulnerabilities that are out there. We are very focused on this.”
Bellone in a statement on Thursday said, “Despite significant resistance, we made real progress enhancing [information technology] operations, but vulnerabilities will continue to appear until the county ends the segregated IT environment,” a reference to the numerous disparate computers operating with varying levels of autonomy under the county’s main IT department.
Vulnerabilities found in the December report follow a tumultuous 16 months during which Suffolk County operated under a state of emergency from the Sept. 8, 2022, cyberattack. The attack crippled many of the county's online systems for months and impacted police dispatch, email and vendor payment systems, among dozens of other functions. It also may have compromised the personal data of some 500,000 Suffolk residents and county workers.
Newsday filed a Freedom of Information Law request for documents on the December penetration testing, but the county denied it, citing law that allows a government agency to “withhold records which, if disclosed, would jeopardize the capacity of an agency … to guarantee the security of its information technology assets, such assets encompassing both electronic information systems and infrastructures.”
Suffolk County Comptroller John Kennedy acknowledged he has been informed of the report and is “working at warp speed” to correct the vulnerabilities.
“I’ve been told there are rampant compromises and exposures,” Kennedy said. “My staff is already taking steps to install protections, including CrowdStrike … The enhanced measure of security from CrowdStrike, including their security operations center, is far superior to our current protections.”
The CrowdStrike offer includes real-time monitoring of computer systems by a state-run center, which can shut down parts of a network when intrusions are detected. Newsday reported last year on the absence of CrowdStrike on county systems, but the county declined to discuss the matter at the time, citing security issues.
Suffolk Legis. Anthony Piccirillo (R-Holbrook), who chairs a committee on the 2022 cyberattack, said he had received a brief summary of the December report's contents. He declined to comment on the specifics other than to say, “The report is concerning. I’m glad we have fresh eyes on the deficiencies that still exist in our IT department.”
Piccirillo pointed to recent figures he had been briefed on that estimated the county has spent upward of $27 million on computer products, security and consultants in the aftermath of the attack. “I’m interested to see what $27 million of cybersecurity dollars went to fix,” he said.
Piccirillo’s committee has been preparing a report on the cyberattack, one led by former U.S. Deputy Attorney General Richard Donoghue. The report, or an executive summary of it, could be released in a matter of weeks, he said.
Bellone, in the waning days of his administration, released a report of his own findings on the cyberattack that largely amplifies his administration's yearlong narrative that then-Suffolk County Clerk IT director Peter Schlussler was largely to blame for not preventing the attack.
Schlussler on Monday filed a lawsuit in State Supreme Court in Riverhead alleging Bellone and his top deputies, including Vanessa Baird-Streeter and spokeswoman Marykate Guilfoyle, defamed and retaliated against him in statements they made following the attack. Schlussler is seeking unspecified damages.
According to the complaint, “… Not only was Mr. Schlussler not responsible for the attack, but he was one of the few County employees who warned county executives of vulnerabilities in the county’s systems and requested assistance and security upgrades before the attack ever happened.”
The suit says county officials' allegedly false statements about Schlussler “wrongfully informed the public that [Schlussler] was not competent to perform his job, and had a devastating effect on [his] career prospects.”
Bellone didn't provide a comment in response to the suit, and attorneys for Guilfoyle and Baird-Streeter didn't respond to messages seeking comment. Michael Martino, a Suffolk County spokesman, said he could not comment on pending litigation.
Schlussler, who since has been reinstated and now works for the county comptroller’s IT department, declined to comment.
One expert in NIST cybersecurity testing said the urgency of responding to findings in the December report depends on the level of vulnerability detected.
“Finding vulnerabilities is not uncommon,” said Vinny Troia, chief executive of Night Lion Security, a St. Louis-based cybersecurity firm that specializes in NIST testing. “It comes down to whether or not there were high or critical vulnerabilities.”
Officials declined to say what level of vulnerability was found in the December test.
One department mentioned in the report as potentially among those with detected vulnerabilities was the Suffolk DA’s office, according to a person familiar with the report. DA spokeswoman Tania Lopez declined to comment on any findings but said the DA is moving swiftly to separate itself from county IT.
“The DA has repeatedly demanded the production of the final action plan to separate [the DA] from county information technology, as directed by the County Legislature and required by law,” Lopez said in a statement. “After several months of delays at the close of 2023, we are now working with the new administration and legislature to make this a fast reality.”