Suffolk County executive Steve Bellone provides an update on the county’s recovery efforts from last year's cyberattack at a press conference in Hauppauge on Feb. 17. Credit: Rick Kopstein

As Suffolk moves to put a crippling ransomware attack behind it, County Executive Steve Bellone is touting a newly centralized infrastructure as the core of his efforts to secure disparate county networks.

“Never again will the county information technology security team be in a position to ask someone to fix a security concern because they don’t have the credentials to access systems themselves,” Bellone said.

But as Bellone moves to implement the long-planned vision, some other elected county officials, citing the impacts of the ransomware lockdowns and concerns about confidentiality, are pushing for even greater levels of security autonomy. The Sept. 8 cyberattack shut down a broad cross-section of county services for several months.

“We’re getting the hell out of there completely,” Suffolk Comptroller John M. Kennedy Jr. said of the county’s network. By the second week of March, Kennedy said he expects to have moved his office’s audit software application onto a remotely hosted cloud-based system that will be “completely off any county hardware or servers.”

WHAT TO KNOW

  • A newly centralized infrastructure is the core of County Executive Steve Bellone's efforts to secure disparate Suffolk networks.
  • Other elected county officials, citing concerns about confidentiality, are pushing for even greater levels of security autonomy.
  • The consultant helping Suffolk search for its first chief information security officer said the county’s “siloed” structure of networks is one of its biggest challenges.

The structure of the network presents long-recognized challenges: the county's main Department of Information Technology is controlled by the Bellone administration, while sub-networks with varying levels of autonomy and responsibility, including separate IT staffs, fall under elected officials such as the county clerk and sheriff.

Experts said that "siloed" approach can leave the county more vulnerable to attack and make it harder to get cyber insurance. But political realities leave others concerned that ceding too much control to the county executive could expose sensitive information to political foes.

Security dome over disparate systems

Bellone, who is term-limited and will leave office by year's end, earlier this month used the news that the county’s main government site was back online to share his plans for the centralized network, one he said would enforce a security dome over disparate systems, even those of separately elected officials.

“We’re never going back to the segregated environment in which the county’s [main Department of Information Technology] doesn’t have visibility into critical [sub]-departmental systems," he said.

Newly elected Suffolk County Clerk Vincent Puleo welcomed the change. “Going forward, we will do everything we can in the clerk’s office to cooperate and get things where they belong and keep the protection so the whole county IT is protected from future attacks," Puleo said.

However, Bellone's promise of greater "visibility" is exactly what troubles some about his plans.

“From a legal and practical standpoint, we have to structure a solution with zero visibility into internal files and emails,” Suffolk County District Attorney Ray Tierney said. “Outsiders must not have access to legally sealed files, confidential grand jury material, upcoming search warrant targets or corruption investigations.”

In Tierney’s optimal scenario, the district attorney’s office would have a “separate server, and no one from outside our agency would have access to our information. That’s where it’s nonnegotiable, that no one has access to sealed files.”

“My experts tell me it makes sense to put data in the cloud and have separate tenancies with separate firewalls,” Tierney added. “This has been done in our neighboring district attorneys’ offices — it should be done here.”

From Tierney’s perspective, it’s “legally required” to protect the integrity of confidential information, including material generated from joint federal task force investigations, wiretaps, sexual assault cases and grand jury proceedings. 

Comptroller's separate plan

Kennedy said it's not just his audit software that soon will be separately hosted. He's making arrangements to have his core financial management system on the cloud as well. “I am using everything in my power to get off the locally hosted system by anybody here in Suffolk County and going over to the cloud,” he said. Many town governments already have made the switch, including Brookhaven.

Kennedy said his issues are threefold: functionality, security and confidentiality. 

But Bellone said Suffolk has begun the process of moving from a “static, lateral security architecture to a zero-trust security framework that will maximize protection of our network and consequently the very data that the public and our employees entrust us with.”

Bellone, in an interview with Newsday, said: “I can’t imagine after having gone through this experience that anyone would endorse a security infrastructure that’s segregated. Addressing individual departmental needs, absolutely. But continuing to do the same thing that obviously resulted in massive issues here would be a catastrophic mistake.”

Privacy concerns are a big factor for those county departments looking to go their own way.

Earlier this month, Legis. Anthony Piccirillo (R-Holtsville) told Newsday that his legislative committee probing the ransomware attack is looking into allegations that county information technology employees reviewed private files and emails using unprecedented nondisclosure agreements.

Kennedy corroborated information from a county source that up to nine county employees signed NDAs to review private county employee emails starting last fall. The source also met with an investigator from Tierney’s office about the nondisclosures.

Tierney declined to comment on whether his office was investigating, but Piccirillo said, “I look forward to investigating the legalities of those nondisclosure agreements."

Bellone’s office on Friday issued a statement noting that 12 nondisclosure agreements were signed, without saying who signed them. “Because of the county’s decentralized [information technology] infrastructure and because county IT follows a policy of least privilege to minimize access, the county needed all hands on deck to assist with restoration of county services, therefore the Incident Response Team needed enhanced access to information they previously did not have access to,” the statement said.

Kennedy’s office has privacy concerns as well.

“We talk to people who are whistleblowers,” he said. “I have to have complete confidentiality about that. People wanting to come forward. Talking about what they see.”

Missed opportunity

Bellone acknowledged he may have missed an opportunity to integrate county computer systems years ago.

A confidential 2019 "Risk Assessment" report by the Department of Information Technology said the administration was embarking on a plan for a “more holistic, enterprisewide, cost-effective and more efficient security architecture,” one that was to provide a “single pane of glass” under a centralized security infrastructure to “more effectively evaluate and respond to threats.” Part of the plan was to upgrade our “entire security architecture.”

Four years and one major cybersecurity event later, the county is seeking to hire its first chief information security officer, a major steppingstone toward the unified security structure. The other major change involved bringing in a new systemwide firewall from Palo Alto Networks starting in 2020.

Bellone said he should have acted after a Bitcoin mining operation was discovered on county systems in 2021 and a clerk’s office assistant director, Christopher Naples, was arrested in connection with the case.

“If I had pushed the issue at that time, could I have ended the segregated environment and implemented the best practice of one integrated cybersecurity infrastructure?” Bellone asked. “Looking back now, I would still say that would have been a difficult task, but again in hindsight, knowing what I know now, I would have made the effort.”

Michael Balboni, the consultant who is helping Suffolk search for its first chief information security officer, said the county’s “siloed” structure of networks is “one of the biggest challenges Suffolk faces.” He’s continuing to consult for the county, perhaps to the end of Bellone’s term at year’s end, to put in place the new structure.

Balboni, who also is registered to lobby for several county IT security companies, including firewall company Palo Alto Networks, said the ideal scenario could include “visibility” for protection by the county, but also “sensitivities” to protect confidential data, as the district attorney’s office wants.

But Kennedy said he's unconvinced the administration's latest promise to tighten security will work.

“I have zero confidence in any ability on the part of the current [Bellone] IT staff to protect the integrity of our system, keep it maintained and bring it to where it’s supposed to be,” he said. “I am the chief fiscal officer for the County of Suffolk. My obligation is to protect, maintain, audit and secure all financial transactions. It’s my decision as to how that occurs …."
