Legislative hearing to solicit first public testimony on Suffolk County cyberattack

The Suffolk legislature's Cyber Attack Investigation Committee meets last month in Hauppauge. Credit: Howard Schnapp
Suffolk County’s central information technology department missed numerous red flags and “repeated warnings” that could have helped avert the Sept. 8 ransomware attack, then blamed the man who tried to warn them, the director of the county clerk’s computer department is expected to testify Friday.
Peter Schlussler, the longtime technology director under former County Clerk Judy Pascale, is expected to push back against allegations by County Executive Steve Bellone that Schlussler is to blame for failing to patch a vulnerability that led to the attack and for then obstructing the county’s attempts to restore service.
Rather, Schlussler is expected to testify that he began warning technology officials of multiple intrusions in February of last year, but those officials failed to act on his warnings. He also is expected to say he led an effort to bolster the clerk’s computer security with a requested hardware firewall, but a county IT steering committee ultimately declined the request last summer. Schlussler’s assertions, backed by emails, data and reports, are contained in a 157-page report that he submitted earlier this year to law enforcement and to the county legislature’s special committee investigating the origins of and the response to the cyberattack.
Schlussler is expected to be the first of a series of county employees to publicly testify before the committee as it holds a hearing on Friday.
A Suffolk County spokesperson, in a written statement, said, “While Pete Schlussler continues to distract and point fingers at everyone but himself, the detailed forensic report irrefutably makes clear that the cyberattack started and was centered in the IT environment he was responsible to manage.”
Richard Donoghue, the committee’s special counsel and a former U.S. deputy attorney general, has raised questions about the Bellone administration’s cybersecurity preparedness. Earlier this year, he said the administration did not have a specific cyber-breach remediation or recovery plan as part of an overall emergency response plan, did not qualify for cyber-breach insurance and did not fully implement recommendations from a 2018 cyber-health checkup.
“We’re looking at obviously a variety of issues, technology issues, personnel issues, training issues, policy issues,” Donoghue said earlier this year.
Schlussler is expected to testify that he was the first county employee to detect and notify leadership about the cyberattack just after 11 a.m. on Sept. 8, sending a message to IT commissioner Scott Mastellon and others noting that the clerk’s office had shut down its computer network to limit the damage. It would be at least four more hours before the county itself would shut down its wider networks, where some servers and databases had already been infected.
The attack crippled Suffolk’s computer-based services for more than six months, impacting certain police dispatch operations, vendor payments, title searches and the Traffic and Parking Violations Agency.
Schlussler also is expected to point to the county’s yearslong delay in appointing a chief information security officer, a position left unfilled until last month despite a county-commissioned report recommending the appointment in 2020, as a misstep, and to say that an earlier appointment could have helped thwart the attack. Bellone has previously acknowledged he should have moved to fill the post sooner but blamed the COVID-19 pandemic and other factors for delaying it.
Bellone suspended Schlussler with pay in December. It would be two more months before Bellone would declare the county was “back online,” even while some services and websites remained unavailable as recently as last month.
Since December, Bellone has been steadfast in his criticism of Schlussler, even while declining to say his name publicly. Bellone alleges that Schlussler failed to implement a critical update that could have thwarted the attack and that he obstructed the county’s attempts to access clerk systems and get the clerk’s systems back online. Schlussler is expected to deny those claims and assert that he was used by the county as a scapegoat for its own failings.
Newsday has reported that the county’s IT steering committee, chaired by Mastellon, pushed back when Pascale pleaded for a higher level of firewall security last summer, saying Pascale’s office had not justified the higher cost for a hardware firewall and offering instead a software version that’s in place now.
Bellone has said that by the time those requests had been made the clerk’s network had already been compromised.