Suffolk panel delays cyberattack report, gets briefed on documents probe

With its long-awaited report on the 2022 cyberattack weeks away, a special committee of the Suffolk County Legislature was briefed last week on a potentially related criminal probe by the county district attorney into allegations of improper document destruction by the Bellone administration, officials said.

Legis. Anthony Piccirillo (R-Holtsville), chairman of the committee, said last week that the long-awaited report on the Sept. 8, 2022, cyberattack would be delayed by as much as two weeks as the committee awaits testimony from Lisa Black, the former chief deputy county executive who left office in December. The committee has sought to bring her in for an interview, and has held up release of the report until she does. But Black has either postponed scheduled appearances or sought new terms for appearing, he said.

Black has not responded to Newsday’s requests for comment.

The committee had requested Black’s testimony because she was in charge of the response and recovery efforts to the cyberbreach, and “we’re interested in her responses,” Piccirillo said.

He said the committee has not subpoenaed Black, but hasn't ruled it out, and wants her testimony to make the report balanced and complete. “I’ve said from the beginning I wouldn’t put a time limit on” on release of the report, given “such a voluminous amount of information reviewed.”

Piccirillo added, “Whether through subpoena or not, we are going to follow” information through to its end. “I don’t want anyone to say witnesses weren’t treated fairly. I think the report is going to lay out the deep flaws and systemic issues countywide. I look forward to releasing it.”

The cyberattack crippled many of the county's online systems for months and impacted police dispatch, email and vendor payment systems, among dozens of other functions. It also may have compromised the personal data of some 500,000 Suffolk residents and county workers.

The committee met behind closed doors for an unannounced briefing Thursday for a review of the criminal probe by the district attorney’s office into allegations of document destruction by unnamed officials in the administration of former County Executive Steve Bellone, according to Legis. Rob Trotta (R-Fort Salonga), who declined to comment on specifics. Lawyers for Suffolk County and the committee were present. 

Piccirillo called it a “briefing by legal counsel to members of the committee. The preliminary findings aren’t able to be shared publicly yet.”

Newsday reported on March 26 that District Attorney Ray Tierney’s office received allegations that “during the transition of county administrations, members of the outgoing Bellone administration improperly destroyed and removed data belonging to Suffolk County.”

No charges have been brought to date, and no one in the Bellone administration has been accused of wrongdoing. Bellone has not responded to requests for comment about the probe.

Tierney's office is looking into whether to bring criminal charges under computer tampering or trespass laws, according to the office, which declined to comment on specific charges or potential targets.

The allegations carry weight in part because of a Dec. 27, 2022, directive sent by then-County Attorney Dennis Cohen to “all department heads” that “any and all records” relating to the cyberattack “must be preserved,” at the request of the DA’s office. "The records included emails, memos, notes, bids, payment records, RFPs, contracts and agreements,” according to a copy of the memo.

“Please note that tampering with physical evidence while believing that such evidence is about to be produced or used in an official proceeding is a felony,” according to the memo, which noted that a “litigation hold” was placed on all emails by members of the Department of Information Technology.

“Notwithstanding the litigation hold, employees must be advised that they are not permitted to delete emails relating to the cyberattack and will be subject to discipline if they do,” the memo states.

Destruction of documents and files, if confirmed, could have implications not just for the county legislature’s probe into the cyberattack, but for the county’s lawful obligation to produce documents for lawsuits, Freedom of Information Law requests and the regular functioning of business.

A person familiar with the matter said the district attorney’s office is conducting a full forensic audit of what’s allegedly missing and whether potential deletions or destruction were lawful. The allegedly missing files go beyond the documents related to the cyberattack, with the source calling the subject matter “comprehensive.”

Sources have said there’s evidence of not just first-level deletion of emails (by hitting the delete button), but secondary deletion that could make files harder to recover. There’s also evidence of named file folders relating to milestones in the cyberattack remaining empty on drives, with no data recoverable in the folders.

One observer said missing files could have wide-ranging impacts on a new administration.

“It’s all wrong, but it’s degrees of what the impact is going to be,” said Paul Sabatino, a Huntington Station municipal law attorney who previously served as counsel for the county legislature and as a deputy county executive. “If it’s the destruction of hardware and the physical elements of information technology, then that has widespread implications.”

For one, the county’s ability to respond to or defend against litigation could be hamstrung. “It really hurts the county from the standpoint of pending lawsuits or potential lawsuits,” said Sabatino, who is counsel in suits involving the county. “Think of someone suing the county or being sued.”

The transition of a new county government also could be affected, Sabatino said. “You have to have a smooth transition, but if you can’t look at documents or have access to important files, that makes it even more difficult.”

County Comptroller John Kennedy said he’s directed a team of high-level auditors to “go department by department to assess damaged, deactivated or inoperable software and hardware,” he said.

He called the potential implications “massive.”

“It frustrates the ability to audit, and it conflicts directly with my responsibility as chief fiscal officer to maintain an accurate inventory of county property and equipment,” he said.

Newsday has filed more than a dozen Freedom of Information Law requests for documents relating to the cyberattack, including emails, invoices and no-bid contracts, but almost none have been produced.

While legislators and law enforcement decline to discuss findings in their probe thus far, Richard Schaffer, the Suffolk Democratic leader, said, “ … The things I have been told that have allegedly happened are serious. The DA is under an obligation to investigate these allegations.”

Schaffer said he has been told that documents were destroyed and computer systems were wiped out on the 12th floor of the Dennison Building. That is where the county executive’s suite of offices is located.

“These are all property of the county. They are not the Bellone administration’s property. They belong to the taxpayers,” Schaffer said.

Even as the special committee delays release of its report, Richard Donoghue, a former U.S. deputy attorney general who is special counsel to the committee, has telegraphed findings in public testimony and a Newsday interview that detailed a laundry list of missed warnings and poor preparation. Most center on failings of the administration to prepare a cyberattack response and restoration plan; to hire a chief information security officer; to fortify cyber defenses in ways that would have made Suffolk eligible for cyber insurance (it wasn’t), and to heed the warnings in advance of the attack.

During a 2023 interview with Scott Mastellon, then Suffolk's commissioner of the Department of Information Technology, Donoghue described a report that found vulnerabilities across Suffolk six months before the attack “as close as you get to a smoking gun in a case like this.” He criticized Mastellon for “sitting on it” until a day before his interview, a charge Mastellon denied.

The report by the firm CyberDefenses found that nearly all the computer network domains in Suffolk County show the “highest risk level” of 100 in vulnerability tests in March 2022, six months before the attack.

“All the domains were vulnerable, correct?” Donoghue asked.

“Correct,” Mastellon said.

“Did this alarm you?” Donoghue asked.

“Absolutely,” Mastellon said. He went on to say there were “steps that were being taken to address each one of these particular issues across the entire organization …"