Dealing with the massive Sept. 8 cyberattack on the computer system of Suffolk
County government is still a work in progress, according to county legal notices published last month.
The hacking of the county system included the exposure of personal information about a
large number of people—including the driver’s license numbers of 470,000 individuals issued
moving violations by Suffolk County Police between 2013 and 2022—as well as 26,000 Social
Security numbers of county government employees and retirees.
Suffolk County Executive Steve Bellone held a press conference on Feb. 17 at
which he said the main website of Suffolk government, offline for almost six months, had been returned to service along with other county government online functions.
Declared Bellone: “Suffolk is back online.”
But, said County Comptroller John M. Kennedy, Jr., in an interview last week:
“Everything is not wonderful.” Kennedy said: “We’re still playing catch-up ball.” And among
other county online services, its “vendor self-service” function is “still not up.”
Published as county legal notices, meanwhile, on Feb. 15 was a “Proclamation of A
Local State of Emergency”—and “Local Emergency Orders”—all part of a series of such
proclamations and orders Bellone has issued since shortly after the cyberattack.
The “Proclamation of A Local State of Emergency” begins: “A State of Emergency is
hereby proclaimed to continue in Suffolk County, New York, for a period of time beginning at
2:00 p.m. on Feb. 8, 2023 and continuing in effect for a period not to exceed thirty (30)
days.” It goes on: “A State of Emergency has been declared due to emergency conditions caused
by a cyber security event in the County resulting in an inability to access emails, internet and
other web-based applications. Such conditions imperil the public safety of the residents of the
County of Suffolk.”
“As Chief Executive of Suffolk County, I, Steve Bellone, have exercised the authority
given to me under New York State Executive Law, Article 2B, to preserve the public safety and
hereby render all required and available assistance vital to the security, health and property of the
citizens of the community.” The proclamation is dated Feb. 8.
One order states: “In accordance with a Proclamation of a State of Emergency issued on
September 11, 2022, and continued on October 11, 2022, November 10, 2022, December 20,
2022 and January 9, 2023…to use any and all facilities, equipment, supplies, personnel and other
resources of the County in such manner as may be necessary or appropriate to cope with the
local emergency caused by the recent cyberattack,” the county executive directs “the temporary
reassignment of all information technology employees in the Suffolk County Clerk’s office to
the Department of Information Technology, so as to enable the County to have a cohesive and
successful cybersecurity incident response under the leadership of one team.” It is dated
Another order is titled: “Extending the date for the submission of the County’s Multi-
Year Financial Plan.” That plan is supposed to be submitted “no later than 60 days” after the
county budget is adopted, it is noted. It is dated Feb. 7.
And another is titled: “Ordering the suppression of local procurement laws, rules and
regulations.” It says “the following procurement-related regulations and rules are suspended as I
deem necessary to expedite procurement of anything related to technology resolving the cyber-
security event and procurement that is otherwise dependent on County technology and cannot be
purposed until the event is resolved.” It is dated Feb. 8.
A special committee of the Suffolk County Legislature has been investigating the
cyberattack. Kevin McCaffrey, presiding officer of the Suffolk County Legislature, in December
announced the formation of the six-legislator bipartisan panel. It is chaired by Anthony Piccirillo
of Holtsville. “The best disinfectant is sunlight,” Piccirillo said following the committee’s
establishment. “We’re going to open the windows and let that sun in here to shine and make sure
that we get the truth.”
Meanwhile, there are several law enforcement agencies investigating the cyberattack. It
has been attributed to an entity calling itself APLPHV or BlackCat that demanded a $2.5 million
ransom which the county did not pay.
Among the areas the legislative committee is looking into are the Bellone
administration’s actions before the cyberattack. Comptroller Kennedy faults the Bellone
administration for, among other things, not fully installing a firewall called WildFire which the
county purchased for $1 million from California-based Palo Alto Networks. The county’s
Department of Information Technology “didn’t know how to do it,” said Kennedy.
Presiding Officer McCaffrey told The New York Times—which ran a full-page spread in
November on the Suffolk cyberattack—“They’ve tried to characterize this as just yet another
kind of catastrophe they had to confront, not unlike Hurricane Sandy or even Covid. Hurricane
Sandy and Covid were acts of nature. This is a failure to go ahead and be proactive.”