Answers and accountability are needed in Suffolk cyber hack

Imagine someone broke into your house, shut down your essential devices, tapped into all your personal records, and then held them hostage until you paid an exorbitant amount of money to stop this criminal act.

When done over the internet, it’s known as ransomware. And increasingly, American municipalities have fallen victim to this outrageous act of cybercrime, including Suffolk County’s official website and those of some Long Island school districts.

But in Suffolk, nine months after its computer systems were broken into, some vexing questions remain: How long will it take to get bottom-line answers to the root causes of this attack? And who is really to blame?

Certainly, there were plenty of warnings. In March 2022, the FBI alerted local governments like Suffolk that they were particularly vulnerable to cyberattacks which could cause huge disruptions to computer operations, endanger health and public safety, and cost millions to fix. Citing examples around the nation, the FBI recommended against paying ransom demands, and urged municipalities to follow several detailed steps to upgrade their software defenses to prevent future attacks. Because the public relies on open municipal websites for vital services, they are “attractive targets for cyber criminals,” said the agency.

DEVASTATING ATTACK

Nevertheless, Suffolk suffered a devastating cyberattack in September, with hackers demanding $2.5 million in ransom that the county refused to pay. The county’s main website and related services were shut down for nearly six months. Both the FBI and the Suffolk district attorney continue to investigate this attack by cyber thieves who are still unknown to the public.

In its wake, Suffolk County Executive Steve Bellone blamed the computer breach primarily on the county clerk’s IT director, Peter Schlussler, and put him on paid leave in December. At a cost of $6 million, Bellone hired experts for restoration and recovery of the county’s computer system. In the meantime, the county legislature tapped Richard Donaghue, a former top U.S. Justice Department official, to help conduct its own review of circumstances surrounding the attack.

Now Suffolk’s cyber saga takes a new step. This month, the legislature is expected to hold public hearings to review what happened and provide more answers about the attack. Legis. Anthony Piccirillo, chair of the government operations committee, plans to hear testimony from Schlussler — who denies blame for the attack — and from other experts. Piccirillo also expressed concern about Bellone’s use of no-bid contracts, issued as part of the emergency declarations made by the county executive since the attack, which will also be a focus of the hearings.

As Newsday reported last month, the special legislative review has already found more than 600 instances in which county computers were infected with malware that apparently went undetected for years. That’s quite concerning. Suffolk DA Ray Tierney said the FBI is looking at malware linked to several cyberattacks around the United States and used by hackers from outside this country.

COOPERATION A MUST

Both Piccirillo and Bellone’s office say they are determined to cooperate in their respective reviews to ensure that Suffolk avoids future attacks. Good. There can be no unfair finger-pointing for politics’ sake. Bellone was right to refuse to pay the $2.5 million ransom, as FBI guidelines suggest. The complexity of such a cyberattack is far beyond the experience of most local leaders. Because attacks often involve foreign-based hackers, local officials must rely on federal agencies like the FBI and Department of Homeland Security to help guide decisions.

But more review is needed of how Suffolk got hacked and its response. If called to testify, Bellone, a lame duck, must provide comprehensive replies about this crisis which happened on his watch and which will surely linger in the public’s memory for years to come. Computer security systems should be defensive but not public officials.

Transparency by all sides — as much as an ongoing criminal investigation will allow — will be crucial to learn lasting lessons from this awful experience. Last October, we listed our own questions about Suffolk’s vulnerabilities, including the configuration of the computer system, oversight by the county’s IT department, and annual reviews of its security methods as required by county law. This legislative review should address these concerns and provide a playbook for future cyber crises that Suffolk may face.

The Bellone administration notes that police and emergency response were returned to service within a week of the attack and says it had been working on improving cybersecurity since 2019. But clearly those efforts were not enough.

The county’s website and computer system provide vital information and services to the county’s 1.5 million residents. It’s important to have the most thorough investigation possible. Ransomware is a new form of terrorism. And the stakes are too high for us, and the rest of the nation, not to get the needed answers.