Bellone Administration Points Cyberattack Blame Back at Clerk


Suffolk Department of Information Technology Director Scott Mastellon | File Photo

The finger of blame for the cybersecurity hack that shut down Suffolk's computer network was pointed back at the county clerk's office by the head of the Department of Information Technology (DoIT) during a contentious hearing last week before a committee investigating the attack. Appearing with his attorney under subpoena, Scott Mastellon gave testimony that was in stark contrast to previous assertions by the clerk's IT Director, Peter Schlussler, that lax security in the DoIT shop was responsible for the breach that cost taxpayers millions.

According to Mastellon, "There were inherent weaknesses in our cybersecurity defenses owing largely to the lack of centralization of the nearly dozen different IT departments that existed across the county and, in particular, the longstanding technology silo created by the clerk's office." These vulnerabilities, the Steve Bellone administration official said, "became abundantly clear when, in September 2022, we were confronted by a ransomware attack that was a direct result of the clerk's office's failure to take appropriate cybersecurity measures against threats that quickly spread throughout the system."

Bellone spokeswoman Marykate Guilfoyle was more direct: "Schlussler's negligence and misconduct are the direct causes of the cyberattack with the committee having the actual 'smoking gun' in the forensics report for months, but instead they continue to ignore the evidence and play politics by mischaracterizing an internal cyber document while refusing to release the Schlussler report." Schlussler has filed notice in state Supreme Court that he will sue Bellone and members of his staff for "defamatory" statements.

Guilfoyle was referring to two reports: a security review solicited by DoIT after an alleged illegal Bitcoin mining operation in the county's Riverhead data center by a clerk employee was uncovered, and a 157-page report provided to the committee by Schlussler. In it, the clerk's office IT director pointed to numerous warnings of an impending attack that were ignored by Mastellon, and said the failure to employ a Chief Information Security Officer and put the safeguards in place to obtain cyber insurance were also to blame.

Introducing the findings of the internal report, the existence of which was not revealed to the investigatory committee until the week before the hearing, drew the ire of Special Counsel Richard Donoghue, the former U.S. attorney retained by the legislature to help get to the bottom of what went wrong. Mastellon and his lawyer argued that showing the findings of the report would jeopardize the security of the system and give hackers a roadmap to the county's vulnerabilities. Legislator Anthony Piccirillo, chair of the committee, disagreed, as did Donoghue, who upbraided the DoIT director for his performance over the last five years.

"You had 100 employees, vendors, the largest IT team available, the greatest responsibility," Donoghue told Mastellon. "Who had more responsibility than you?" Donoghue asked Mastellon. "I'll give you the answer. The answer is no one." Donoghue said the committee received the internal report less than 24 hours before interviewing the DoIT chief. "This is a significant piece of evidence in this case we've been asking for for months. That report is as close as you get to a smoking gun in a case like this, and you sat on it until the day before your interview," he said, to which Mastellon responded, "That is absolutely untrue." He stressed that his department had been working consistently to implement a new security system and the enormity of the project required time and significant staff resources.

"The evidence shows that the clerk abandoned initial efforts to patch the Log4j vulnerability in January 2022 and then waited nearly six more months to finally remediate it," Mastellon went on. "Even then, its leader, Peter Schlussler, failed to sound the alarm and prevented the county from waging an appropriate response." Both Schlussler, who is on paid administrative leave, and former Clerk Judith Pascale declined to comment further on the issue.

Mastellon also contended at the hearing that the alleged perpetrator of the Bitcoin mining, Christopher Naples, had stored extremely sensitive passwords in plain-text form in an unencrypted folder that was accessed by the hackers, allowing them to escalate privileges, establish rogue administrator accounts, and, ultimately, unleash the ransomware attack. He said that forensic evidence shows that accounts from this folder were embedded into the ransomware used to lock up the county system in exchange for a $2.5 million payment, which Bellone refused to make, instead shutting down the county's entire computer network.

Another member of the special committee, Legislator Sarah Anker, reported at the hearing that her office's computer system was hacked in 2017, moving her to introduce legislation requiring DoIT to provide an annual cybersecurity report to the legislature. She said they received one in 2019 and nothing since. Anker joined Piccirillo and the other members of the committee, including Legislator James Mazzarella, in stressing that their task is not just to assign blame but also to steel the county against future attacks.
