Suffolk County Executive Steve Bellone gives an update on the cyber attack in December 2022, and insets, from top, Richard Donoghue, special counsel to the Suffolk County Legislature’s Cyber Attack Investigation Committee; the committee meets to vote on issuing subpoenas; and a security device shows a simulated ransomware attack. Credit: James Carbone, Greentree Foundation / Drew Singh, Howard Schnapp, Bloomberg / Angus Mordant

It’s now more than a year since Suffolk County’s computer system was hacked by unknown assailants, causing a huge and costly disruption to vital services. And yet we still don’t have a satisfactory understanding of what went wrong.

The Sept. 8, 2022 attack shut down the county’s main online system for its 10,000 employees for months. It affected everyday services like police calls and potentially exposed the personal data of some 500,000 citizens contained in county records. Some county officials say their computer systems still aren’t working fully.

So far, the county has spent $6 million investigating and fixing its system, with millions more in expected expenses on things like purchasing new tech programs to protect against another attack.

During the past year, local drama and accusations surrounding the ransomware attack — one of the nation’s longest and most costly — have weakened the county’s ability to provide some of its important services. Fundamentally, it has underlined the vulnerability of Suffolk — like many other municipalities around the country — to sophisticated attacks by hackers like BlackCat, part of a wider group of Russia-linked and other foreign ransomware crews that employ hard-to-trace methods to exploit local systems.

Yet at this late date, it is frustrating to say there are still contrary accounts of how this huge breach of security happened and who is to blame.

BELLONE’S MIXED RECORD

At the top of that responsibility list is County Executive Steve Bellone. From the outset, Bellone acknowledged problems might have been avoided if he had hired a top computer watchdog before the attack happened. “If we had a chief information security officer in place, with security authority across the entire network, then that could have changed the outcome here as well,” he admitted in a news conference last year.

Though Suffolk lacked cyber insurance — something it should have had — Bellone did the right thing by refusing to give in to the initial $2.5 million demand by the unknown hackers. With the FBI called in to investigate as a criminal matter, rejecting this demand wasn’t an easy choice for Bellone — or any municipal leader in his shoes. After all, some experts say negotiating a payment on ransomware in other cases has provided a better outcome than facing a complete shutdown.

To find out what happened, Bellone relied on the county’s outside security firm, Palo Alto Networks, to conduct a forensic investigation. As a result, Bellone largely blamed a computer information technology official in the county clerk’s office for ignoring security concerns and placed him on administrative leave with pay. But the problem was bigger than that. In May, Newsday reported that a special legislative committee reviewing this investigation found more than 600 instances of malware on county computers that went undetected for years. Clearly, Suffolk was a sitting duck.

By mid-2023, the county appointed a much-needed chief information security officer and was adding new technology to prevent future attacks. Bellone blamed the clerk’s office and other departments for operating in their own “silos” about computer security. He has since moved to better unify the county’s IT system.

But as more evidence emerged, the legislature’s panel increasingly shifted the blame back to Bellone and his administration’s Department of Information Technology, which was overwhelmed by red-flag security alerts weeks and months before the attack. “There’s no way that you can point to one person or even one department and say they were the cause of this,” Richard Donoghue, a former acting U.S. deputy attorney general and special counsel to the Suffolk legislative panel, told Newsday this month. He blamed the slow recovery on the county’s lack of a plan for a technology disaster like this one.

SUFFOLK NOT UNIQUE

There are also questions about how things were handled after the attack. Some in the legislature have expressed concern that the crisis has prompted Bellone to issue repeated emergency orders allowing contracts and other purchases without competitive bidding. While Bellone defends them as necessary, legislators and Comptroller John Kennedy are right to insist on a review of how this money was spent and the real cost of this huge problem.

Unfortunately, this sad saga will likely continue to unravel in the coming months, but officials must not miss the bigger picture here. For the past year, Bellone has been in a defensive crouch, caught in the blame game with political opponents. But he and other leaders should not forget that such cyber assaults are a national problem.

Many municipalities, including Baltimore and Atlanta, have suffered similar cyberattacks. Often these are perpetrated by foreign hackers using complex programs and approaches beyond the reach of local law enforcement. In May, the U.S. Justice Department indicted a Russian national for wide-ranging ransomware attacks against hospitals, schools, nonprofits and law enforcement agencies. These demands totaled as much as $400 million — half of which was paid by the victims.

The blame game in Suffolk must stop, with appropriate transparency for all records and clear findings of fact. Bellone, whose tenure ends this year, says the facts about what really happened will eventually emerge. That’s when we will know what his legacy in Suffolk will be.

MEMBERS OF THE EDITORIAL BOARD are experienced journalists who offer reasoned opinions, based on facts, to encourage informed debate about the issues facing our community.
