Nearly $14 million in unnecessary expenses were made by Steve Bellone when he was county executive in the wake of the 2022 cyberattack that paralyzed Suffolk government for months, with another $3.5 million lost in annual recurring costs, according to Comptroller John Kennedy in a report released last week.
“Please be advised, over the past several months, my office and the Department of Information Technology (DoIT) have met on a weekly basis to discuss various technology matters throughout the county,” Kennedy said in reporting his findings to Bellone’s successor, county Executive Edward Romaine. “Please be further advised, this letter serves to apprise you of current county technical developments and findings as follows, which in summary could have resulted in a total cost avoidance of $13.8 million with an annual recurring savings of $3.5 million.” Kennedy also forwarded the report to Suffolk District Attorney Raymond Tierney.
| Suffolk County Comptroller John Kennedy Robert Chartuk |
Another review of the cyber hack by a special county legislative committee looking to pinpoint how the attackers got in and make recommendations on cybersecurity is pending. According to the committee’s chairman, county Legislator Anthony Piccirillo, the investigation is on hold pending the testimony of Bellone’s former deputy, Lisa Black, who has yet to line up legal representation.
Kennedy argues that Bellone had no basis to continue the 16 months of emergency declarations that gave him the authority to make purchases without going through the normal bidding process or legislative review. “He acted without any element of oversight, scrutiny, or engagement of any other branch of government, which led to what appears to have been rampant, wasteful expenditures with Suffolk County taxpayers left holding the bag,” Kennedy said.
“Let’s be real clear about what is going on here,” Bellone said. “The information released by John Kennedy is not a report at all, but a blatantly political document issued by a self-proclaimed ‘cyber idiot.’ This is just the latest chapter in a coverup and whitewash being orchestrated by the individual most directly responsible for allowing the cyber attack.”
The reference is apparently to Peter Schlussler, the former IT chief in the county clerk’s office Bellone says is responsible for the 2022 hack. In testimony before the special legislative committee, Schlussler placed the blame for the attack on the Bellone administration. He’s currently pursuing a libel case against the former county executive and members of his staff for comments they made about him as the massive scope of the disruption unfolded.
Shortly after the release of Kennedy’s report, news broke of the hiring of Bellone’s former DoIT chief, Scott Mastellon, by SVAM, a Great Neck company that was previously contracted by the county for computer technology work. Romaine reported that an outside auditor has been retained to look into SVAM invoices and other expenditures by Bellone, especially those made under his emergency declaration. “The optics of this certainly don’t look good,” said Romaine, who supports a legislative proposal to prohibit county employees from working for organizations that they were responsible for giving taxpayer funds to for at least a year.
Romaine last week replaced Mastellon as head of DoIT with John McCaffrey, a former chief information officer for Westchester County and Orange counties, among other roles in the IT field. The chief information security officer hired by Bellone months after the cyberattack, Kenneth Brancik, has been let go by the new administration.
“We are working in earnest in order to unwind and examine, end to end, every element of dysfunction under the former county executive and will not stop until it is found, until it is remedied, and until Suffolk County systems are put back in working order,” Kennedy exclaimed.
Among his findings was that the Bellone administration unnecessarily purchased $3.2 million in Virtual Private Network (VPN) software that was not placed in production since there “was/is no tangible benefit.” Existing software, he concluded, “was/is a more than sufficient solution. No clear reasoning was offered on the rationale for this purchase.”
The Comptroller also rapped Bellone for implementing a system for the collection of Hotel/Motel taxes that “lacks the accounting functionality required for auditing purposes.” The annual cost of $269,000 for the system will be reduced to under $20,000 with the implementation of alternative tax collection software, Kennedy noted.
The system for Methadone Clinic Billing reimbursement from the state was discontinued after the cyberattack, leaving money owed to the county uncollected, Kennedy also disclosed. “There was no discernable plan on how this money was going to be submitted to the state for payment; therefore, nothing was done by the previous administration,” he said. “It should be noted there are deadlines for reimbursement submissions, so there is no real accounting of how much of the outstanding amount will not be reimbursed.”
Kennedy recommended that a Vendor Self Service system that was shelved after the cyberattack be put back into operation. It would allow county vendors to submit electronic invoices, initiate Electronic Fund Transfer payments, and check the status of submissions without having to contact county staff. “This will yield a major paperless process improvement in addition to improved constituent service,” he said.
Replacing Microsoft Exchange with Microsoft 365 would have allowed the county to get its email system running again in weeks after the cyberattack rather than months, Kennedy said, adding that his efforts to move operations to a cloud-based system where they would be safer were hampered by Bellone staffers.