A special committee tasked with ferreting out how Suffolk’s vast computer system was hacked, leading to a months-long shutdown that cost millions and inflicted untold grief on taxpayers, was offered clues by the county clerk’s IT chief during a hearing on Friday.
“If a Chief Information Security Officer were in place, we would not be here today,” led off Peter Schlussler, who said he was made a “scapegoat” for the attack by County Executive Steve Bellone. “If the existing county DoIT leadership acknowledged the numerous red flags and my repeated email warnings and calls, we would not be here today,” he said, referring to Suffolk’s Department of Information Technology. “I come here today without counsel, a subpoena, or scores of consultants. I am here with truth, facts, and an unwavering willingness to support this committee’s investigation.”
Schlussler’s testimony drew a quick rebuke from Bellone’s office, which had maintained that the cyberthieves, whose ransom demands caused him to shut down the network countywide, came in through the clerk’s office under Schlussler’s watch. “Today, the former Clerk IT Administrator lied before a legislative committee, acknowledged his office was the source of the cyber attack after his boss previously insisted that it wasn't and failed to address or refute any of the detailed evidence from the forensic examination,” said a statement provided by Nicole Russo in Bellone’s press office.
“Without the fanfare of an orchestrated political theater, I have previously submitted to this committee my report outlining numerous and repeated failings of the DoIT leadership,” Schlussler continued. “This, in my opinion, will clearly demonstrate that the ransomware encryption attack unequivocally could have and should have been prevented had appropriate action been taken and my incessant warnings been heeded. These failings are indicative of what I call, Technical Elitism.”
According to Schlussler in a 157-page written report, there were at least 60 red flag malware notifications between February and September prior to the ransomware demand. As evidence of the pending attack ramped up, Schlussler said he sought guidance from the county’s IT staff and went as far as to ask the county clerk at the time, Judy Pascale, to personally contact the district attorney “in an effort to motivate DoIT leadership into addressing our concerns ASAP.”
Schlussler testified that there was an FBI warning of a possible attack a few months prior, “yet DoIT leadership did not offer any guidance, let alone demonstrate any involvement or strategy. No follow-up was received.” He said his designee met weekly with the DoIT cybersecurity staff and nothing of any urgency related to the clerk’s office was addressed.
Pascale’s office was put under immediate suspicion by Bellone as the entry point of the hack, especially given that an illegal Bitcoin mining operation was alleged to have been set up in the clerk’s office by Christopher Naples, a Schlussler staffer who is facing criminal charges. Schlussler denied at the hearing that the Bitcoin setup had anything to do with the attack. Both men are currently on paid administrative leave.
Committee Member Robert Trotta said it was DoIT’s job to advise the clerk to make sure the county’s systems were safe. He referred to a letter from Pascale “essentially begging for help” and said Bellone was attempting to take the onus from his office and put it on the clerk. “Clearly, Bellone is either a liar or incompetent,” Trotta said. He also took issue with the county’s failure to obtain cybersecurity insurance and have an action plan in place if an attack were to occur. “The infrastructure was in such a sorry state.”
County Clerk IT chief Peter Schlussler, left, goes over his testimony with Richard Donoghue at a hearing conducted by the special committee investigating the cyberattack that paralyzed county operations. File Photo
Entered into the record as Exhibit 3 was an email chain between Pascale and the county’s IT department. “As one of the largest revenue producers in Suffolk County, this office has transacted over $1.2 billion in municipal user fees over the course of the last two years alone,” Pascale wrote in June 2022 to Scott Mastellon in response to his denial of a request to purchase additional security components. “With this in mind, I was somewhat taken aback by statements that we have ‘not demonstrated an appropriate justification to support this purchase’ referring to our request for the VxRail Environment and Implementation Support as well as the Clerk’s Office Carbon Black/NSX Firewalls,” she said, warning, “Cybercrime is a constant, ongoing real threat. I’m sure you know that, should such an attack occur against the County Clerk’s system, the residual consequences will be devastating and, perhaps, beyond repair.” Pascale concluded: “I respectfully request that additional consideration be made to my requests for the implementation of the best safeguards currently available on the market to maximally protect the County Clerk’s systems against all potential imminent threats.”
Informed of a $2.5 million ransomware demand on September 8, Bellone decided to shut down Suffolk’s network rather than acquiesce to the attackers. The move paralyzed government services and impacted every department from the county police to child protective services. The loss of county data handcuffed local governments and impacted the real estate industry as records became difficult to obtain.
Committee member Kevin McCaffrey, the legislature’s presiding officer, referenced social media posts by Schlussler warning of potential hacks and asked him why he didn’t speed up the implementation of security upgrades or make them a priority within his own staff. Schlussler countered by saying that upgrades were complex and time consuming, noting that while the clerk’s office handles security within its own operations, DoIT is responsible for the overall perimeter of the county’s system. He said he had requested access to the malware reports coming into the county, some pertaining to the clerk’s office, to help interpret them and respond to the threats, but was denied. The presiding officer stated during the hearing he was surprised to learn that the county’s Information Technology department had access to the clerk’s security system. “There’s plenty of blame to go around,” McCaffrey said.
Chaired by Legislator Anthony Piccirillo, the investigatory committee is among a few in county history that have been granted subpoena power. He stressed that the committee is not looking to play politics in the matter, but to find out how the attack occurred and steel the county’s system against further intrusion. “We are taking steps to make sure we are in a better place than we were before,” Piccirillo said, noting that the legislature would be hiring additional experts to assist with its review and provide recommendations.
As the committee was gearing up its investigation after hiring a cybersecurity expert, former acting U.S. Attorney Richard Donoghue, last month, Bellone announced the appointment of the county’s first Information Office chief. According to Bellone, Kenneth Brancik will be tasked with setting cybersecurity policy, procedure, risk management, and governance, along with advancing an enterprise-wide security architecture for the entire county. Brancik will work to “move away from the decentralized IT structure that failed this county.” He will be “absolutely critical to creating an enterprise-wide security architecture that will be responsible for a stronger and more resilient network,” Bellone said at the time.
The county executive did not respond to requests for further comment on Schlussler’s testimony or the ongoing investigation. The agenda for the special committee’s next set of witnesses has not been announced, but may include Pascale, who has already met with investigators and said she would voluntarily testify, and the Bellone DoIT personnel who are under subpoena to provide their part of the story.