After Jan. cyber alert, some Suffolk officials call for more transparency

Amid conflicting reports of another attempted cyber incursion on Suffolk County systems in January, some public officials are raising questions about the levels of secrecy that have characterized the Bellone administration’s response from the early days of the initial Sept. 8 cyberattack.
Last month, Newsday received reports from three county employees, including two public officials, of an alert about a hacker exploit known as Golden Ticket on county systems.
“I’ve seen what appears to be direct evidence of two Golden Ticket attacks,” said Suffolk County Comptroller John Kennedy, who said he was told the exploit was picked up by a piece of software known as Tenable and not the county’s firewall. Another public official said he’d been told of the exploit but was unable to confirm it.
Suffolk County spokeswoman Marykate Guilfoyle on Jan. 24 issued a statement to Newsday that appeared to deny what officials had been told.
WHAT TO KNOW
- After Suffolk officials initially downplayed reports of an attempted January cyber incursion on county systems, officials acknowledged an alert had been triggered.
- While there's nothing to suggest data was encrypted or stolen, the situation reflects both the county's cautious response and the frustration of other officials who question the level of secrecy.
- Some officials say the Bellone administration's citing of the threat of bad actors to shut down all discussion of the cyberattack may have been overstated.
“We can confirm that there was no attempted cyber breach by a Golden Ticket hack earlier this month,” she wrote on Jan. 24. “For reference, the county's security measures block hundreds of different types of possible suspicious activities on a daily basis and tens of thousands on a monthly basis.”
A week later, after being told by Newsday that other public officials had received word of the Golden Ticket alert, Deputy County Executive Vanessa Baird-Streeter added to the prior statement to say, "There was an active-directory alert that was triggered" last month. "Once it was investigated it was deemed not valid." Baird-Streeter declined to name the alert.
While none of the reports of a cyber alert in January suggest that data was encrypted or stolen or that any alert was on the order of the Sept. 8 attack that continues to impact online county services, the matter reflects both the heightened cautiousness that has characterized the county’s response and the frustration of other officials who continue to be impacted by it.
In a rare public briefing about the attack in December, County Executive Steve Bellone explained his reticence to provide information about the initial cyberattack.
“At the beginning of this emergency, one thing cybersecurity experts said and emphasized was that in a cyberattack, you need to carefully measure your comments, because the criminal actors are monitoring the media for clues about what you are seeing and what actions you may be taking,” Bellone said, in a briefing that laid the full blame on the County Clerk's office while lauding his administration officials.
“They will also use the media as a means to communicate with you and also to threaten," he added. "This is why early on, I emphasized with my colleagues in this government, the need to be very careful about what we are communicating.”
But Kennedy and others say citing the threat of bad actors to shut down all discussion of the cyberattack may have been overstated. At some point after September, Kennedy said, “I called the FBI directly” to find out what he could and couldn't say, and he was told “their investigation had nothing to do with our day-to-day operations, absolutely freeing me to speak.”
Kennedy has been critical of Bellone’s handling of the attack and its aftermath, saying he’s been locked out of information and strategy sessions and disclosures, deprived of technology fixes he’d prefer, and left to question the county’s findings.
“Bellone right from the beginning tried to insinuate that [speaking about the attack] was enabling the bad actors,” Kennedy said. “I was put in a cone of silence. Still to this day I have not been given any indication of what happened, except that three-page tissue of a report,” from Palo Alto Networks’ forensic team, despite his concerns of potential conflicts because Palo Alto supplied the firewall and other tools that appear to have been breached.
An FBI spokeswoman didn't return messages seeking comment. A Palo Alto spokeswoman said, "As a matter of policy and confidentiality, we cannot disclose details about the cybersecurity event experienced by the county."
In an interview this week, Suffolk District Attorney Ray Tierney made clear that he has never requested public officials to remain silent when it comes to public discussion of the county’s mitigation and restoration efforts following the ransomware event.
“As far as mitigation and getting back online, there’s no law enforcement reason for that to be secret or to remain off limits, because I have nothing to do with that,” Tierney said. “As far as our investigation being handled by the Suffolk County Police Department, the DA, the FBI, they will maintain any grand jury and investigative secrecy, but as far as mitigation and returning service, that has nothing to do with the investigation, and I didn’t tell any lawmakers” to remain silent on those matters.
Tierney stressed that he wasn’t taking a position on what the Bellone administration decided to release or not to release.
“There may be many good reasons why they are not disclosing it,” he said of ongoing mitigation and restoration work, “but it’s got nothing to do with me from a law enforcement perspective. I really can’t” demand silence. “I’m not the king.”
Suffolk Legis. Sarah Anker (D-Mount Sinai) last week expressed frustration with the amount of information provided by the county five months after the attack, but also said she understood the security considerations.
"I have not been given an overall update — I'm waiting to get that," said Anker, a member of a legislative committee looking into the attack. "I've been told that due to security issues there's a limited amount of information we can be given."
She added, "I have so many questions, and until I'm in a place where I can get answers, I'm frustrated."
Legis. Leslie Kennedy (R-Nesconset), who is married to the comptroller, said she was among those lawmakers told not to speak about the ransomware event, and took it seriously early on, but more recently has been doubtful.
“We were told, ‘Do not speak about the event. This is the way bad actors find out what’s going on,’” she said. More recently she’s come to ask herself, “Don’t speak about what’s going on? Why? What are you hiding? We’re not giving away secrets.” She said she still doesn’t have access to her pre-September emails and prior work files. “It makes it harder and takes longer for me to get tasks done.”




