Legislature Puts Bellone Cybersecurity Plan on Hold

A plan advanced by outgoing county Executive Steve Bellone to address Suffolk's cybersecurity system has stalled in the legislature, with lawmakers preferring to wait until a report is released by the special committee looking into the ransomware attack that caused the shutdown of the county's computer network. The plan also raised the eyebrows of countywide elected officials not wanting to lose autonomy over the systems in their offices.

Bellone's plan would put the county's chief information security officer in charge of overseeing cybersecurity policy and compliance for all county departments. It directs the officer to submit a "Cybersecurity Risk Assessment Report" twice a year and generate "overall compliance risk scores." It also calls for monthly meetings of technology personnel involved in county cybersecurity. The security officer was appointed by Bellone following the September 2022 attack and is part of an effort, along with the security plan, to qualify for cyberattack insurance.

The tabling of the measure in a 16-0 vote will likely put the matter on the agenda of county Executive-Elect Edward Romaine, current Brookhaven Supervisor who takes office the first of the year. All eyes will be on Bellone December 8 when he has the option to renew an executive order giving him emergency powers in dealing with the cyber issue, an authorization he's been continually renewing since the attack. Under the emergency authority, Bellone was able to ink contracts with security firms and take other actions without normal legislative oversight. Romaine can renew the emergency order or work with the legislature to advance their own plan, presumably with the findings of the special committee.

Legislator Anthony Piccirillo (R-Holtsville), who chairs the committee, pushed for waiting until the findings of its recommendations are made public before adopting an overall plan. Piccirillo stressed that the members are looking to both find out how the cyber breach occurred and make recommendations on how to prevent future attacks. Also noted were the concerns of the countywide officials, including the comptroller, who may be hesitant to relinquish full control over the cybersecurity responsibilities of their offices. The special committee is being assisted by Special Counsel Richard Donoghue, a former U.S. attorney specializing in cybersecurity.

"I wasn't approached by the Bellone administration for my input into these guidelines," Comptroller John Kennedy said. "We have a new county executive coming in, and we are awaiting the special committee report. The legislature made the right decision in putting this off. I don't see the need to do it while the administration who created this mess has one foot out the door."

Special Counsel Richard Donoghue, left, and Suffolk Legislator Anthony Piccirillo, chairman of a committee investigating the September 2022 cyberattack, discuss the issue at a recent hearing. Robert Chartuk

Bellone, who was prohibited from running for a fourth term under Suffolk's term limit law, blamed the cyberattack on security flaws in former county Clerk Judith Pascale's IT operations. Hearings before the cyber committee elicited testimony from the clerk's Internet Technology director, Peter Schlussler, that put the blame on Bellone's Department of Information Technology. A $2.5 million ransom demand by hackers who took over Suffolk's system was rejected by Bellone, who instead turned off the county network, a shutdown lasting months and costing the taxpayers millions. The hack exposed the personal information of thousands of residents, employees, and retirees and disrupted the operations of every department, from the police to child protective services. Romaine had sharply criticized the county's security operations, pointing out that Brookhaven, unlike Suffolk, stored its information in the Cloud and had obtained cyber insurance.

A separate measure for $1.6 million in software upgrades for the county's system was unanimously approved by the legislators.