Suffolk IT director defends himself in cyberattack
The director of the Suffolk County clerk’s computer department on Friday presented a counternarrative to County Executive Steve Bellone’s attempts to blame him for the September ransomware attack.
During a two-hour session of a special legislative committee probing the attack, Peter Schlussler, the information technology director for the clerk whom Bellone suspended with pay in December, noted the long absence of a chief information security officer for the county and his repeated efforts to alert Bellone’s main IT department about intrusion attempts in the months before the attack.
Schlussler rebuffed Bellone’s assertions that the clerk's office had blocked access to its systems during a forensic investigation and remediation, told legislators it took the county three separate attempts to install its firewall in 2019-20 and read from a long email from former Clerk Judy Pascale, a Republican, seeking a stronger firewall to protect her department from cyber intrusions.
A Suffolk County spokeswoman disagreed with Schlussler's assertions and pointed again to a forensic report, released by Bellone's office, that said the problems started in the clerk's office. Bellone, a Democrat, has alleged that Schlussler failed to implement a critical update that could have thwarted the attack.
Schlussler said Bellone's office was trying to make him a scapegoat for errors made by the IT department.
Schlussler's testimony suggested the core vulnerability known as log4j, listed in the forensic report as providing the pathway to the intrusion in December 2019, apparently was widespread across county systems, not just the clerk’s office.
“Do you know, after the cyber breach, whether there was a finding that log4j remediation across the county was deficient?” asked former deputy U.S. Attorney General Richard Donoghue, counsel to the special committee. Schlussler said yes.
Donoghue later told Newsday the special committee is investigating the assertion.
There were other differences between accounts by Schlussler and investigators working for Bellone. Schlussler said stored passwords in the clerk's system were encrypted and not readable. Bellone spokeswoman Marykate Guilfoyle has said they were unsecured and written in plain text.
Presiding Officer Kevin McCaffrey (R-Lindenhurst) pressed Schlussler about why, for months after the county was alerted in 2021, his department didn't patch a vulnerability that a forensic firm has identified as the likely cause of the attack.
"Why did you wait so long?" McCaffrey said.
"You acknowledged it was a problem," including on social media, McCaffrey said. "It appears you alerted everybody else but not your own team to download the patch and fix the problem."
Schlussler said he had his team and an outside vendor working on the issue soon after the federal alert about the log4j vulnerability, but that the work was “highly technical” and took months. Schlussler could not provide a date for when the vulnerability was patched but said it was in early to mid-2022.
McCaffrey later acknowledged a unified county computer security department and a chief information security officer would have made sure all departments had patched the vulnerability. He noted a legislative report had recommended the hiring in 2020. Bellone appointed a chief information security officer last month.
The ransomware encryption attack “unequivocally could and should have been prevented had appropriate action been taken by Suffolk County Department of Information Technology and my incessant warnings been heeded,” Schlussler testified.
He appeared before the special committee without a lawyer and testified without a subpoena. He was surrounded by family members and more than half a dozen co-workers from the county clerk’s office.