Column: The Suffolk Cyberattack
Dealing with the massive September 8 cyberattack on the computer system of Suffolk County government is still a work in progress, according to county legal notices published last month.
The hacking of the county system included the exposure of personal information about a large number of people, including the driver’s license numbers of 470,000 individuals issued moving violations by Suffolk County Police between 2013 and 2022, as well as 26,000 Social Security numbers of county government employees and retirees.
County Executive Steve Bellone held a Feb. 17 press conference where he said the main website of Suffolk government, offline for almost six months, had been returned to service along with other county government online functions.
Declared Bellone: “Suffolk is back online.”
But, said County Comptroller John M. Kennedy Jr., in an interview last week: “Everything is not wonderful.” Kennedy said: “We’re still playing catch-up ball.” And among other county online services, its “vendor self-service” function is “still not up.”
Meanwhile, published as county legal notices on Feb. 15 were a “Proclamation of A Local State of Emergency” and “Local Emergency Orders,” all part of a series of such proclamations and orders Bellone has issued since shortly after the cyberattack.
The “Proclamation of A Local State of Emergency” begins: “A State of Emergency is hereby proclaimed to continue in Suffolk County, New York, for a period of time beginning at 2 p.m. on Feb. 8, 2023 and continuing in effect for a period not to exceed thirty (30) days.” It goes on: “A State of Emergency has been declared due to emergency conditions caused by a cyber security event in the County resulting in an inability to access emails, internet and other web-based applications. Such conditions imperil the public safety of the residents of the County of Suffolk …
“As Chief Executive of Suffolk County, I, Steve Bellone, have exercised the authority given to me under New York State Executive Law, Article 2B, to preserve the public safety and hereby render all required and available assistance vital to the security, health and property of the citizens of the community.” The proclamation is dated February 8.
One order states: “In accordance with a Proclamation of a State of Emergency issued on Sept. 11, 2022, and continued on Oct. 11, 2022, Nov. 10, 2022, Dec. 20, 2022 and Jan. 9, 2023 … to use any and all facilities, equipment, supplies, personnel and other resources of the County in such manner as may be necessary or appropriate to cope with the local emergency caused by the recent cyberattack,” the county executive directs “the temporary reassignment of all information technology employees in the Suffolk County Clerk’s office to the Department of Information Technology, so as to enable the County to have a cohesive and successful cybersecurity incident response under the leadership of one team.” It is dated Feb. 4.
Another order is titled: “Extending the date for the submission of the County’s Multi-Year Financial Plan.” That plan is supposed to be submitted “no later than 60 days” after the county budget is adopted, it is noted. It is dated Feb. 7.
And another is titled: “Ordering the suppression of local procurement laws, rules and regulations.” It says “the following procurement-related regulations and rules are suspended as I deem necessary to expedite procurement of anything related to technology resolving the cyber-security event and procurement that is otherwise dependent on County technology and cannot be purposed until the event is resolved.” It is dated Feb. 8.
A special committee of the Suffolk County Legislature has been investigating the cyberattack. Kevin McCaffrey, presiding officer of the Suffolk County Legislature, announced in December the formation of the six-legislator bipartisan panel. It is chaired by Anthony Piccirillo of Holtsville. “The best disinfectant is sunlight,” Piccirillo said following the committee’s establishment. “We’re going to open the windows and let that sun in here to shine and make sure that we get the truth.”
Meanwhile, several law enforcement agencies are investigating the cyberattack. It has been attributed to an entity calling itself ALPHV or BlackCat that demanded a $2.5 million ransom, which the county did not pay. Among the areas the legislative committee is looking into are the Bellone administration’s actions before the cyberattack.
Comptroller Kennedy faults the Bellone administration for, among other things, not fully installing a firewall, called WildFire, which the county purchased for $1 million from California-based Palo Alto Networks. The county’s Department of Information Technology “didn’t know how to do it,” said Kennedy. Presiding Officer McCaffrey told The New York Times, which ran a full-page spread in November on the Suffolk cyberattack, “They’ve tried to characterize this as just another kind of catastrophe they had to confront, not unlike Hurricane Sandy or even COVID. Hurricane Sandy and COVID were acts of nature. This is a failure to go ahead and be proactive.”