Remarks by Chief Deputy County Executive Lisa Black at a recent conference give a closer look at how Suffolk County officials scrambled to deal with the Sept. 8 ransomware attack. Hear analysis from Newsday reporter Mark Harrington. Credit: Newsday

A top Suffolk official last month provided an insider's "play-by-play" of the Bellone administration's early response to the September ransomware attack, detailing difficulties and successes in a way that has drawn the ire of at least one political rival. 

The account by Chief Deputy County Executive Lisa Black turns a spotlight — at times disparagingly — on other county officials and employees as they attempted to grasp the implications of the Sept. 8 attack and adapt to paper-and-pencil tactics. It also takes a shot at Nassau County's election-results reporting system while acknowledging Nassau County Executive Bruce Blakeman offered Suffolk much-needed help in the aftermath. 

The panel presentation to a counties association, which included top state and federal cyber officials who helped in the response, came as a special committee of the Suffolk County Legislature investigating the attack recently expressed hope that the administration's recent hiring of outside counsel won't slow document production, despite a request to mark some "confidential," according to a committee member.

Black told the panel at the New York State Association of Counties in Albany on Feb. 27 that she was on an economic development Zoom call at 11 a.m. with County Executive Steve Bellone when then-County Clerk Judy Pascale called to alert her to the ransomware attack. Black asked Pascale if she could call her back.

WHAT TO KNOW

  • A top Suffolk County official last month provided an insider's account of the Bellone administration's early response to the Sept. 8 ransomware attack, detailing difficulties and successes.
  • The account by Lisa Black, chief deputy county executive, turns a spotlight — at times disparagingly — on county workers as they responded to the cyberattack.
  • The panel presentation to a counties association in Albany came as a special committee of the county legislature is investigating the attack.

Two minutes later, Black received a call from Scott Mastellon, commissioner of the Department of Information Technology, also alerting her to the attack. “I texted him the same thing. ‘I’m on a Zoom with the County Executive. Can I call you back?’ ” Neither, she said, expressed to her that "it's a fire," but she knew eventually that "it was significant." 

Newsday has previously reported that the clerk's IT director sent an email to Mastellon at 11:18 a.m. reporting, “We are currently experiencing a radical malware attack and we shut down all outside access to the systems." It would be another four hours before the county shut down full outside access to its systems, Newsday reported.

Black told the crowd that Bellone stayed on the Zoom call even after she left the meeting to begin the response to the ransomware attack, contacting the FBI and Suffolk police leadership, among others. Later, she said, he even asked her if she’d be available for a second Zoom.

“And then I’ll tell you, the county executive … I never turned off my camera on the Zoom. And he calls, and I texted him, I said, ‘I think we’re in the middle of an active event. I’m going to triage and see what we can do. I’m going to have to drop off.’ ”

“He clearly didn’t see his phone and he calls me and says, ‘Can you join this next call?’ ” Black laughed. “And I said, ‘No, I can’t … we’re having an event.’ And he’s like, ‘Oh, yeah, yeah. Well, you’ll let me know?’ ” She laughed again, but added, “Because it was moving so fast and he was gracious enough to allow me to have the time and not give him answers that I didn’t have yet.”

In a prepared statement, Bellone said he entrusted Black, "who has extensive emergency-management experience, to begin triaging the incident and coordinating our response. Lisa's outstanding leadership and dedication were absolutely critical to maintaining services and protecting vital infrastructure." 

In the days and weeks that followed, Black, who assured the conference she is “not an IT professional," said she took over hour-to-hour and day-to-day management of the response, describing meetings with top deputies and elected officials, and the work she had to do managing commissioners, the media and the restoration.

“One of the best conversations I had was with our county comptroller," Black said, a reference to John Kennedy, a frequent critic of the county's response. “We had to obviously shut down all wire transfers to confirm with the banks nothing was taken. Fortunately, nothing was. And he [Kennedy] was like, ‘Well, how am I going to pay bills?' And I said, ‘You know, there’s a thing called a checkbook.’ ”

Kennedy took issue with Black's "yukking it up" at the NYSAC conference while aspects of county government are still "falling apart." 

Effects from the cyberattack, he said, "are not over. We have not emerged." Recently, he said, he had trouble getting critical staff access to "basic county services."

He also took exception to Black tutoring him on what a checkbook was. "The functions of my office continued because of the fact that I had instituted separate, secure systems," which prevented "greater damage," Kennedy said. He pointed to the months and years of warnings to the county about attempted intrusions before the Sept. 8 attack and said Black's "attempt to portray this as something that was a surprise not previously known is just a lie." 

A week after her meeting with Kennedy, Black said, she called a meeting of all countywide elected officials. “Communicating with them is always fun,” she said. “This one was even more fun because … two of them are managed by the same IT director and they said we’re turning on [computer systems] by the end of the week, and we were like, oh no, no you’re not. Let us try to explain.”

The Board of Elections, by contrast, was “fantastic to work with,” Black said, especially considering the ransomware outage was still in the run-up to the November election. “We went off without a hitch,” Black told the crowd, although "our results were a little delayed,” she added, referring to hourslong delays in getting results to election headquarters in Yaphank.

Driving results to Yaphank from a county 90 to 100 miles long “took time," she said, noting that the normal process of electronically sending the results from designated precinct drops was prohibited by “so many protections,” an apparent reference to a decision to load a new Palo Alto firewall onto the legacy computer systems before the election, as Newsday has reported.

“When Nassau County beats you in getting results in, you know you’re failing,” Black said, laughing. "A little competitive." 

But Nassau played a role in the restoration, officials said. Bellone, during an Oct. 4 podcast for NYSAC members during a period of radio silence about the cyberattack, said Blakeman was quick to reach out with help.

“From Day One on this, I got a call directly from the county executive, [who] said, ‘Anything that you need?’ And he has certainly delivered on that and we certainly appreciate that.”

Christopher Boyle, a spokesman for Blakeman, declined to comment on Black's election results comment. In terms of helping out Suffolk, Boyle said Nassau provided "IT personnel," but declined to elaborate further because of the "sensitive nature" of the incident.

Suffolk asked Nassau for analog phones because internet-based phones weren't working, Black said. But even analog equipment presented new challenges.

“Teaching millennials what a fax machine was was a challenge,” Black said. “They were like, ‘What is that? Is that the copier? How does it work?’ ”

New police officers, she noted, were flummoxed at having to rely on radios and by the lack of caller ID.

“You call 911, the dispatcher takes the call, they see who’s calling on the screen,” but after computers were shut down, “they didn’t have that ability. They had to spell every word. ‘How do you spell that name? Is that an R or a B?’ ” she recounted. “But then they would have to get it to a patrol officer and they couldn’t send it to the mobile terminals. They would literally have to communicate with them. Imagine that. Radios. They had to use those again.”

In December, Bellone called a news conference to discuss the county’s findings and allegations about the origins of the ransomware attack in the county clerk's office.

“It’s mind blowing,” Black told the association members. “We did our first press conference in December … And what happened was, the reporter said, Steve Bellone, do you mean to tell me that you couldn’t just go into the clerk and just unplug it? And he [Bellone] was like, ‘I cannot do that, those are not my staff to tell what to do. They did not want to do that. They wanted to turn back on.’ ”

Black reiterated the county narrative that it was failings in the county clerk’s office following the 2021 discovery of a Bitcoin mining operation that led to vulnerabilities, compounded by the fact that a critical patch for a system vulnerability had not been installed, she said. Clerk IT director Peter Schlussler has denied those claims, noting that Mastellon as chair of a county IT committee had denied the clerk's request for a hardware firewall. 

Bellone at a February news conference acknowledged he could have acted sooner than December, given the claim that other departments had been largely restored by mid-October.

“Had I taken over under emergency authority earlier, a month earlier perhaps, could [that] have sped the process? Certainly,” he said. “But we were going through a process of working to gain the access and to go through these systems that had significant issues.”
