Suffolk County Executive Steve Bellone last week signed the 13th “local emergency order” tied to the September 2022 ransomware attack, delaying the county operating budget by a week while also declaring states of emergencies tied to the migrant crisis and Hurricane Lee.
The latest cyberattack-related emergency declaration cites the “continuing threat to the public health, safety and welfare of Suffolk County residents and visitors posed by the cybersecurity event," which Bellone in February had signaled the county had largely recovered from.
One page of the order suspends the county charter mandating that the county’s annual budget be submitted on or before the third Friday in September, pushing it instead to “on or before” Sept. 27.
The order also suspends the requirement that a four-year financial plan be filed no later than 60 days after the adoption of the county budget, pushing it instead until 60 days following the end of the emergency.
WHAT TO KNOW
- Suffolk County Executive Steve Bellone last week signed the 13th “local emergency order” tied to the September 2022 ransomware attack.
- The order delays the county operating budget by a week and suspends the county charter's mandates on the submission of the annual budget.
- Bellone also issued an emergency order pertaining to the migrant crisis.
Bellone spokeswoman Marykate Guilfoyle, in a statement, explained, "Due to the need to suspend use of technology and the diversion of county resources, in consultation with the legislature, the submission date for the budget and four-year plan has been extended."
The Sept. 8, 2022, cyberattack locked down a cross-section of county services — from civil-service testing and traffic and parking violations functions to police dispatch and functions of the comptroller and clerk's offices. Officials acknowledged the breach may have exposed personal data of some 500,000 people. Certain remote functions of the clerk’s office remain offline, as does the vendor self-service function of the comptroller’s office.
The emergency declaration allows all county departments, agencies and divisions and law enforcement agencies to take “whatever steps are necessary to assist in performing such emergency measures." It gives Bellone the ability to extend the order and notes that failure to obey it is a criminal offense.
A section of the emergency declaration suspends several county procurement-related laws, regulations and rules and gives Bellone or his designees the authority to “enter into any contract deemed necessary to address the threat posed by the cybersecurity event." Competitive bidding and legislative review is suspended.
Critics say the Bellone administration has taken the powers too far.
“The legislative branch must be allowed to exercise its ability to have oversight over contracts,” said Legis. Anthony Piccirillo (R-Holtsville), chairman of the legislature’s cyberattack investigative committee, who previously has proposed legislation that would end the state of emergency. “We must return to regular order.”
Some of the executive orders include a cover sheet that declared them “privileged and confidential” and said they are not subject to the Freedom of Information Law. Newsday has filed FOIL requests seeking numerous documents tied to the cyber intrusion, including copies of all contracts and purchase orders entered into as a result of the attack, but has yet to receive them.
The latest cyberattack emergency order also continues to allow the “temporary reassignment” of “certain information technology employees” in the County Clerk’s office, which Bellone empowered his Department of Information Technology to take control of in December. The County Clerk is a separately elected office with an internal IT department.
Bellone in December put the County Clerk's IT director, Peter Schlussler, on paid administrative leave and installed a new team as part of a plan to centralize county computer security. "Due to the Clerk’s office operating a segregated IT environment and the former Clerk IT Director’s obstruction which has resulted in a significant cost to taxpayers, the emergency order ensures a cohesive and unified response to the cyberattack," Guilfoyle said.
Schlussler and former Clerk Judy Pascale have denied Bellone's characterizations, and Newsday has reported that Schlussler was first to warn county officials of the cyberattack and first to shut down systems to protect them. Pascale in the months before the attack made appeals to legislators and a county IT steering committee for a secure hardware firewall to protect her systems but was rebuffed. Schlussler submitted a 157-page report noting numerous red flags missed by the Bellone administration in advance of the cyberattack, including lack of cyber insurance and a chief information security officer. Bellone appointed a cybersecurity officer in March.
Amy Marion, a lawyer for Schlussler, said in response to Guilfoyle's comment: "Statements about the Clerk's IT’s office being obstructionists are false and have been proven to be false at the investigative hearings that have taken place to date and by the investigation’s findings to date."
Bellone's order explains that the “local emergency caused by the recent cyberattack can be addressed more efficiently and effectively through the temporary reassignment of all information technology employees in the clerk’s office” to the main IT department.
Bellone on Sept. 14 also declared an emergency “due to the severe tide conditions” resulting from Hurricane Lee, and the “over-wash” it caused at 42 Dune Road in Hampton Bays and the vicinity. That order lasts for up to 30 days. County records show 42 Dune Road appears to be a private residence owned by 42 Dune Road LLC. Asked why that specific address, Guilfoyle said, "The wash occurred in the vicinity of 42 Dune Road."
On the migrant crisis, Bellone declared a local emergency order to allow the county to “quickly respond to the potential arrival of asylum-seekers,” temporarily suspending applicable laws, rules, orders or regulations that would “prevent, hinder or delay action necessary to assist or cope with” the state of emergency tied to migrants.
In connection with the suspension, Bellone created an “intergovernmental team,” including chief deputy County Executive Lisa Black, to “coordinate with the state of New York” to address the “subject migrant population,” and coordinate with local not-for-profits for resources to assist them.
The order bars owners of hotels, motels, shelters or multiple dwellings from contacting or otherwise engaging in business with “any other municipality” without permission from or coordination with the county or state to provide housing or accommodations to asylum-seekers, according to the order.
Paul Sabatino, a Huntington Station lawyer who was former counsel to the Suffolk County Legislature, said that while he agreed that the migrant crisis may have legitimately triggered a state of emergency for the county, he questioned Bellone’s use of the cyberattack declaration to delay the budget, calling it “a power grab.”
“It will reduce any ability of the Legislature to exercise real scrutiny” over the budget by reducing the amount of time lawmakers have to review it, he said. Sabatino said he was perplexed that the county continues to declare an emergency regarding the cyberattack given Bellone’s declaration of Feb. 17 that the county was “back online.”
“What’s the factual predicate for the state of emergency?” Sabatino said. “I don’t see it.”