Last Thursday, the special committee of the Suffolk County Legislature investigating the crippling September 2022 cyber attack that took down County services for months released their final report on the incident.
We commend the leadership of Chairman Anthony Piccirillo (R-Holtsville), Presiding Officer Kevin McCaffrey (R-Lindenhurst), Minority Leader Jason Richberg (D-West Babylon), and the rest of the bipartisan panel investigating the matter. We also commend the countless County employees who were rigorously interrogated by the committee, as well as the employees who had to deal with the nightmare scenario in which Suffolk was left in the wake of the attack. We can’t imagine working in such a scenario and their resilience in keeping the County running with severely limited resources and a compromised Information Technology (IT) department should be recognized.
But the report is as detailed as it is lengthy: sixty-four pages detailing how the County’s IT heads spectacularly missed all the red flags, and how their seemingly apathetic conduct led to the worst cyber attack in our County’s history.
If this was a surprise attack conducted with state-of-the-art software that fooled every staff member and circumvented every failsafe, then we could just say that that’s an unfortunate circumstance and what doesn’t kill us makes us stronger.
Unfortunately, for the sake of the County employees whose personal information was compromised, and for the sake of the taxpayers who had to foot a $25 million bill in recovery and remediation efforts, that’s not the case.
Warning signs developed as early as 2019, when the County became aware of Log4j, free-to-download software used to collect and manage data about system activity. The software ended up being used to comb the County’s systems for activity and was perhaps the hackers’ prime tool in holding the data for ransom. The fact that then-IT Commissioner Scott Mastellon and company were not preparing the County’s network for Log4j vulnerabilities is an “IT 101” failure.
The other rookie mistake made by the IT department was creating a “pass-through” for external Internet traffic destined for the County Clerk’s office, then led by Clerk Judy Pascale (R-Moriches). The report outlines a “bitter disagreement” over who commissioned the pass-through, IT or the Clerk’s office, but what remains certain is that only the IT Department could have configured it. In layman’s terms, a pass-through is basically a great way to ensure web traffic is not properly vetted and is not going through the proper channels. It’s one thing if you’re managing systems for a small office with traffic going from one department to another, but to implement the same change between the IT center and the Clerk’s office of the largest suburban county in the nation is not just egregiously irresponsible, it’s unconscionable altogether.
To add another squeeze of lemon juice to the paper cut, the firewall device circumvented by the IT Department-created pass-through had been out of date since 2019. Keeping such equipment in place for so long after it had reached end-of-life is another rookie mistake for any IT department, but to sanction a pass-through that routes external web traffic around that device simply reeks of incompetence.
Only in the days leading up to the September breach did IT and communications executives notice things didn’t quite look right, with a suspicious set of files downloaded for which no member of the IT staff could account.
However, the damage was already done and the hackers were in. It was only a matter of seconds until they started encrypting and stealing data, initially asking for a $2.5 million ransom, later reducing it to $600,000.
Legislator Rob Trotta (R-Fort Salonga) told The Messenger ahead of Thursday’s committee hearing that the County “should have just paid the ransom.” He posits that if the County had done so, it’s likely that the systems could have been up and running sooner and it would have avoided nearly $25 million in recovery efforts.
We don’t have the expertise to agree or disagree with Trotta, but it’s worth mentioning as he is a member of the select committee that investigated the hack.
Then-County Executive Steve Bellone (D-West Babylon) also vicariously benefitted from his own emergency declaration, which allowed him to award no-bid contracts during that period. It’s a rather fortunate byproduct of the hack, but one that clearly didn’t prompt the lifting of the declaration until over a year after the hack. Granted, County systems were down for months, but it’s an interesting facet nonetheless.
Overall, the fact that the County’s systems were essentially wide open for as long as they were, with massive vulnerabilities throughout, is inexcusable and former officials need to answer now that the final report is out. We’re thankful for the County Legislature’s investigative committee and the current administration’s prioritization of obtaining cyber insurance for the County.
It’s an ugly saga that now seems more behind us than in front of us, but constant vigilance will be required going forward. It’s at least the bare minimum for any respectable IT department.