Cyberattack hearing raises questions about Suffolk's computer security

With the one-year anniversary of its crippling ransomware attack approaching, Suffolk County faces new questions about the state of its computer security in the months leading up to and following an intrusion that still has the county under a state of emergency.

Last week, in sometimes-tense testimony before a Suffolk legislative committee investigating the Sept. 8 attack, a veteran county computer systems manager described a “hollowed-out” computer department that was so understaffed and overwhelmed by intrusion-detection notices in the months before the attack that workers diverted alerts to a spam-like folder.

Vincent Cordiale said the alert system, known as Cortex, had not been installed on an unspecified number of computers, while failing to detect intrusions on others. He also revealed that a known computer vulnerability tied to the intrusion at the County Clerk's Office also had not been patched at other county departments before the attack, and that some of them weren't fully patched until after the fall 2022 remediation.

The cyberattack shut down of a broad swath of county online services, from civil-service testing and traffic and parking violations functions to police dispatch to certain functions of the comptroller and clerk's office, with personal data of nearly 500,000 people potentially exposed. The county didn't pay the initial $2.5 million ransom that hackers sought, but remediation kept some vital services offline until February. It's unclear how many are still out.

In addition to the Suffolk Legislature's investigation, there are federal and Suffolk district attorney probes. On Thursday, Suffolk District Attorney Ray Tierney said the probe is continuing but declined to comment on it. 

Legis. Anthony Piccirillo (R-Holtsville), who is chairman of the investigative committee, said testimony before the committee has established that there were now “dueling narratives” about the events surrounding the ransomware attack — those presented by County Executive Steve Bellone and his team, which blames the clerk’s office, and the picture presented by witnesses to the committee.

“It calls into question the whole story that’s been told up to this point,” Piccirillo said.

Asked for comment on Wednesday's testimony, county spokeswoman Marykate Guilfolye wrote that Cordiale “confirmed under oath that the Clerk’s office network and infrastructure were segregated from the County environment, they were informed about the illegal Bitcoin operation in their system prior to the arrest of Chris Naples, and that they prevented access during the recovery of the cyberattack.”

Asked why the county remains under a state of emergency months after declaring it was “back online,” Guilfoyle said the status, which allows for no-bid contracts, “remains in effect to help facilitate and manage a complete recovery.”

During his testimony, Cordiale, a 27-year county employee who appeared before the committee with a union lawyer after the committee issued a subpoena for his testimony, raised the issue of whether another witness in the investigation had been subjected to retaliation after he’d declared whistleblower status to give testimony this summer.

“Yes, there are certain things that have happened with regard to Mr. [Jack] Bloom that could be considered retaliatory,” Cordiale said. Bloom, another computer department systems administrator, gave closed-door testimony to the committee later Wednesday.

Piccirillo expressed concern about Cordiale’s testimony alleging that an employee had been retaliated against. “No employee should feel bullied or harassed for speaking to our committee,” he said. “Intimidation is not going to be tolerated in this county.”

Asked if Suffolk would look into Cordiale's report of retaliation, Guilfoyle said the county "expects every employee to appropriately assist the cyber committee, but cooperating with the committee will not, however, excuse employee misconduct." She said the county "is not aware of any complaints of retaliation and if any are made, they will be thoroughly investigated."

Cordiale said he sought whistleblower status after revealing in an interview with investigators that technology staff in Bellone's administration had reviewed employee emails using the search terms "Bitcoin mining" and "Pete Schlussler," the director of the clerk’s IT department whom Bellone suspended in December. Schlussler has denied knowledge of the mining, which resulted in the arrest of his assistant director, Christopher Naples.

In one exchange, Cordiale took exception to characterizations from testimony and his own communications that appeared to show he had conducted searches of elected officials' emails. That pitted him against former U.S. Deputy Attorney General Richard Donoghue, special counsel to the committee, who attempted to jog Cordiale’s memory by presenting him with paper copies of texts and notes from their June interview.

“I’m asking you right now, when we were in that interview, I asked you whether you had searched any elected officials’ email accounts, and what did you answer?” Donoghue pressed.

“I know I didn’t search an elected officials’ email account,” Cordiale responded, in an apparent contradiction from notes taken by the committee.

“What did you say in the interview?” Donoghue asked.

"I don’t recall what I said in the interview,” Cordiale answered. 

Stunned, Donoghue pressed, “You don’t remember whether you answered that question correctly?”

“No,” Cordiale said.

Newsday has reported that 12 different county IT employees signed nondisclosure agreements to review emails, including Cordiale, IT commissioner Scott Mastellon and assistant IT commissioner Ari McKenzie. Bellone's office, in February, explained it needed "all hands on deck to assist with restoration of county services; therefore the Incident Response Team needed enhanced access to information they previously did not have access to."

Piccirillo said the committee will continue its work to discover just how extensive the IT department’s review of employees’ emails was. “It’s troubling anyone’s emails are looked at outside the proper channels of a court order or a subpoena,” he said in an interview Friday.

Cordiale, who is the top systems and infrastructure tech for the county, is in charge of the county’s email systems, yet he had not been asked to oversee a transition to an entirely new email system that took place after the ransomware attack.

Pressed by Legis. Rob Trotta (R-Fort Salonga), Cordiale told legislators had the county stayed with the former system, called Microsoft Exchange, it could have been restored in days or two weeks. Instead, a process of “hydrating” old emails onto the new cloud-based system Microsoft 365 continues, and even elected officials, including Legis. Sarah Anker (D-Mount Sinai), at the hearing complained, "I'm still frustrated I haven’t gotten my past emails when you said that could have happened much earlier."

Cordiale said Mastellon and McKenzie in advance of his interview with investigators gave him a copy of an unredacted report showing why the decision was made not to restore the prior email system. Mastellon told him “these machines were dead and we were going the route of a cloud solution,” Cordiale said. He said he believed it was “odd” that he was excluded from the rollout of the new mail system, and instead was ordered to work on “forensic collections of compromised machines” as part of the investigation of the attack.

The larger substance of Cordiale’s testimony involved issues within the IT department and its security preparedness prior to the cyberattack, which Newsday has reported required more than $17 million in new equipment and services to repair and investigate. The county has said some of that equipment was slated to be replaced anyway. Under questioning by Donoghue, Cordiale said the county did not have a cyber disaster recovery plan, "not that I'm aware of," to help in the restoration of systems impacted by the outage.

Further, Cordiale noted that it wasn’t just the clerk’s office that had not fully implemented patches for the so-called Apache Log4j exploit, which investigators identified as the root of the attack. He said an unspecified number of other departments across the county’s system also had been working to patch it, but had not completed it.

“It was still being worked on steadily,” he said of the countywide Log4j patchwork, which was completed in the aftermath of the attack. He noted individual departments were not permitted to bring their systems back online unless they’d patched the Log4j, Cordiale said. It’s now completed, he noted.

Cordiale described a technology department that was chronically short-staffed and largely on the defensive when it came to computer security, with little chance to proactively stop threats. Short staffing was a major problem when an abundance of so-called Cortex alerts, warning officials of ongoing threats, had to be diverted to a spam-like Slack channel because they were so numerous, he said.

“We are not sufficiently staffed on the systems side,” he said, noting that his group of four employees is responsible for 700 large computer servers and thousands of desktops. Understaffing “prevents us from doing proactive work because we’re always responding to the needs of other groups … Putting out fires describes it perfectly.”

As for the security staff of three people, Cordiale noted, “I can speak with knowledge that they are indeed in need of more staff and more specialized staff,” he said. The county since has hired Kenneth Brancik to be chief information security officer.

Asked to describe the volume of Cortex alerts of suspected computer threats in the months leading up to the attack, Cordiale said, “There were a lot of them. We were at risk of information fatigue, when you have so many alerts that it just becomes a blur, from my point of view.”

Worse, he said, officials discovered that the Cortex protection system was absent from an unspecified number of county machines, making them potentially vulnerable to attack.

“It was my understanding that Cortex was to be deployed to the entire county and we found that it had not been, that’s correct,” Cordiale said, adding, “My understanding is that they [machines lacking Cortex] were everywhere.” 

Even some systems that had Cortex were found to be vulnerable, according to a memo Cordiale referenced during the hearing. In the June 13, 2022, memo — three months before the attack — systems administrator Bloom wrote he was “very nervous” that Cortex and another program called Varonis failed to detect “several viruses and one pirated piece of software” on county Health Department systems. “I'd assume one of those [security applications] would have caught this, as opposed to my $5 copy program,” wrote Bloom, according to the testimony. 

Part of the alleged retaliation against Bloom was to prevent him from using “very advanced tools” to do his job while being subjected to “a difficult work environment with the DOIT leadership,” Cordiale testified.

Additional witnesses are expected to be called before the committee, which has subpoena power to compel testimony but cannot bring charges, in coming months before Donoghue produces a report, which is expected in the fall.

By Mark Harrington

mark.harrington@newsday.comMHarringtonNews

Mark Harrington, a Newsday reporter since 1999, covers energy, wineries, Indian affairs and fisheries.