Suffolk County cleared tech path for officials traveling to India before cyberattack

Suffolk County’s former technology commissioner granted special access to the county’s computer network for four people planning to travel to India in 2022 and for another to Peru, even though internet traffic from the countries was blocked under normal internal rules, according to emails obtained by Newsday.

The access was granted a day before the officials, including former Chief Deputy County Executive Lisa Black, were leaving for the weeklong India trip, and required a cybersecurity team member to do research on an online forum into how to open access via the county’s firewall using a secure connection called a virtual private network.

Discussions of officials' computer access on the trip first arose in the weeks after the Sept. 8, 2022, cyberattack and resurfaced in June as the Suffolk Legislature's special cyber committee was concluding its two-year investigation.

The attack shut down Suffolk County's main website for more than five months; exposed the personal information of about 500,000 people, including 470,000 drivers and 26,000 Suffolk employees and retirees; shut down county email and phone systems; and affected county 911, payment and traffic-agency systems.

The legislative committee report, which was scheduled to be released last week but was delayed to the end of the month pending last-minute changes, did not conclude that the India trip, which began two weeks before the cyberattack, played a role in it. Nor has anyone produced evidence that the two events are related. Officials in the former Bellone administration have strongly denied any connection. 

But the recently released documents, received in response to Newsday's Freedom of Information Law requests filed in 2022, show for the first time that officials requested special access to the county network for the four officials traveling to India and that the access required a change to the firewall rules to unblock traffic from India. A forensic probe concluded cyber attackers were in the county system for months prior to the September attack.

"Yes, we do block traffic from India," Joanne Fisk, a member of Suffolk’s cybersecurity team, wrote to Scott Mastellon, then-commissioner of Suffolk's Department of Information Technology, in an Aug. 22, 2022, email. "We can open it up if that is what you want." The trip began on Aug. 23.

In reply, Mastellon thanks her and says, "We just got another request . . . to open up Peru for an employee working in Peru." He asks about her research into the best way to do so, and whether she's conferred with the county's new firewall vendor, Palo Alto Networks. "I'm just curious on what you find out in your research and/or what Palo [Alto] comes back" with. 

Mastellon, Black and former County Executive Steve Bellone didn't immediately respond to messages seeking comment. 

David Kelley, a Manhattan attorney who represented Black during her recent county testimony, also didn’t respond to a request for comment.

Suffolk District Attorney Raymond Tierney said his office’s investigation of the cyberattack continues.

The legislature’s special cyber committee, which is now expected to release its final report by the end of the month, didn’t mention the India trip in a copy of the report revealed last week by Newsday.

A spokeswoman in Bellone's administration previously indicated network rules were not changed for the trip. And Newsday's requests for documents related to computer access from India, first filed in October 2022, were denied because they could not be accessed due to the cyberattack, officials said. The emails were provided earlier this month by the administration of current County Executive Edward P. Romaine. 

"There is no prohibition on international VPN access or anything that confines VPN to the contiguous 48 states," former spokeswoman Marykate Guilfoyle wrote in response to Newsday's questions in April 2023. At the time, Suffolk acknowledged one employee accessed the network "while on a work trip to India."

In emails provided to Newsday, Suffolk officials before the trip said they were going to attend an annual business exposition there and to "introduce Suffolk County’s delegation and its business leaders to counterparts in India." The hope: to "meet with India-based organizations interested in relocating to Suffolk."

It’s unclear if any businesses ever relocated as a result. A spokesman for Suffolk County didn’t respond to questions about the trip.

Even while on the trip, officials said in response to Newsday questions, employees out of the office "on county time are, of course, expected to work which may require offsite access to the county network."

A visit to Amity University in New Delhi, which also hosted a trip to the Taj Mahal, was only part of the voyage, most of which centered on the trade show and meetings with state counterparts.

Access could lead to vulnerabilities

Experts say international travel generally or to India specifically doesn't necessarily raise red flags of potential cyberattacks so long as protections are in place, though an entity's infrastructure shortcomings or policies could heighten risks. 

Experts say traveling internationally with computers and cellphones can expose users to risks of physical theft or even cloning of drives as officials travel through customs. They say altering firewall rules to allow access to a secure network from abroad, while not necessarily considered dangerous, can lead to vulnerabilities. 

"In an ideal world, you never have to change the rules," said Nick Nikiforakis, a cybersecurity expert and an associate professor of computer science at Stony Brook University who emphasized that he was speaking generally and not about the Suffolk attack. "It is a problem only if you are running software with vulnerabilities." 

For entities that do it, Nikiforakis said, allowing international access is an individual risk calculation. "Do you really need international access to the VPN server to the point where we're willing to change our own policy?" he said, calling the decision a "gray area." 

Stanford University, for example, lists travel recommendations for its staff that suggest bringing only a new or "wiped" laptop without data that can be compromised, use temporary mobile devices and to disable Wi-Fi, Bluetooth and GPS when not needed.

Suffolk County’s policy manual for its virtual private network system, made chiefly for users accessing the network while at home in Suffolk, was issued in 2009, and hadn’t been modified since 2008, according to a copy provided to Newsday. The policy, among other things, says users will "not access the system in a public area" and will not connect to the county "utilizing an unprotected wireless router or access point."

The recently released email documents indicate Black was cleared to use a laptop and cellphone while in India. Black was the No. 2 official in the Bellone administration, which ended its term in December. Former officials in 2023 responses to Newsday inquiries said there was "zero evidence … to suggest that the trip to India impacted the cyberattack in any way. The evidence that does exist makes it clear that the India trip could not possibly be related to the cyberattack."

Black, in testimony before the legislature’s special committee on the cyberattack in June, was asked if she used her computer in India.

"I did not," she said.

"You didn’t call up and ask for a password to get in?" asked Legis. Robert Trotta (R-Fort Salonga).

"I did not," Black said.

Black later acknowledged that she did access her email account on her cellphone, not a laptop.

"I had my mobile device and I did email," she testified. "I think I sent a total of 10 emails I responded to," including one to the U.S. Embassy, she said. Black told the committee: "I did not bring my laptop."

In addition, Black told the committee: "For the record, the time frame that I was in India was August through early September, and the cyberattack was already underway before my leaving the country."

Black left India on Aug. 30, 2022, and was back in New York the next day, according to the official agenda provided to Newsday.

Sometime after the trip, the county's cybersecurity department examined the user logs from India, Fisk said in an interview Thursday. She said she didn't recall whether other travelers used their VPN accounts, but said, "I just remember Lisa [Black] did not." She said opening up access to a blocked country "is secure" using the VPN. Many but not all countries are on the block list, Fisk said.

Emails provided by the county indicate it was a special assistant to Black, Karen Contino, who first broached the notion of making sure county officials on the trip had network access in India. "As we plan ahead for the CE and CDCE to travel to India, can you let me know if we need to do anything additional for them to use their devices [cellphones/laptops] while traveling?" Cortino wrote to Mastellon.

The email records don’t indicate the specific location of the network access, such as a hotel or trade exposition, which was part of the reason for the trip.

Others cleared for trip; one didn't go

In addition to Black, other officials cleared to travel with virtual private network access included John Schneidawin, Suffolk’s then-director of business development, for whom the technology staff cleared use of an iPad; Mohinder Singh Taneja, then-director of diversity outreach; and Robert Fonti, who also is listed as co-chair and founder of the Suffolk County Alliance of Chambers, who records show planned to bring a laptop. Fonti ultimately didn't attend. 

Accessing the network via a VPN would be the safest way to do so, but unblocking traffic from India and Peru presented a challenge to the security staff.

"Would you be able to prioritize these requests for today as I do think they are leaving tomorrow," Mastellon wrote to Fisk on Aug. 22, 2022. "Is the best or only way to allow them to VPN from India to open it up?" he said of unblocking India traffic.

Fisk responds with a link discussing other ways to "open to a country securely. I am just reading through them now." The plan would require Suffolk to add "additional rules, but the problem is the [internet protocol address is] constantly changing for the user." 

Mastellon’s request included providing first-time VPN accounts for Schneidawin and Taneja. Schneidawin, who now works for the Port of Albany, didn’t return a request for comment. Taneja, who also left county employment in December, previously declined to discuss logistics around the trip. Fonti didn’t return messages seeking comment.

Ultimately, the county’s newly hired firewall and security vendor, Palo Alto Networks, provided advice on opening up the network, saying the county should add India to its Global Protect outside policy as the "best practice for allowing access for users traveling."

Fisk added India and Peru as a source for network traffic on Aug. 23, 2022, at 9 a.m., and said she’d remove that access one week later, the emails show. "If the time frame is incorrect please let [the security department] know the earliest we can remove the [country] as a source," Fisk wrote.

One of the hosts for the trip was Amity University, a New Delhi-based university that has been seeking a waiver of property taxes for its Oakdale campus, the former LaSalle Military Academy. The county hosted a send-off event at the college, and conducted a symposium in September 2023 in its aftermath.

On an agenda provided with the documents Newsday received, Amity University is listed as providing an "Amity Education Experience," that included a 3.5-hour trip from New Delhi to the Taj Mahal "with Amity University as hosts."

The group, which also included a state-sponsored contingent of Suffolk business groups, including manufacturing consortium Ignite Long Island, also met on the final day of the trip with Amity University’s chancellor, Aseem Chauhan, to tour Amity’s New Delhi campus, listed as a "sister campus in Islip, NY."

The Empire State Development Corp, through its Global New York program, approved a grant of $29,870 to the groups to cover expenses for the trip, according to a copy of their application to the state. 

Suffolk County documents state Black spent $3,486.88 on the trip and Schneidawin spent $3,487.96, but there was no submission of expenses by Taneja, who one former Suffolk official said paid for the trip himself.