Suffolk County could have avoided $13.8 million in information technology spending during the Bellone administration by not making unnecessary and redundant purchases, a preliminary review by the county comptroller’s office has found.
Had the county not spent that money as it did, annually recurring savings could have been $3.5 million, the several-month review by Comptroller John Kennedy’s office found, according to a letter summarizing the findings obtained by Newsday.
“The degree of negligence on the part of the prior administration is unprecedented,” said Kennedy in an interview Tuesday, adding that his review is in its early stages. “There’s more to come.”
Kennedy continued: “It’s frightening, not only the extent of the wastefulness, but their refusal to even do the basic routine maintenance” on existing systems. “It’s like not changing your oil.”
- Suffolk County could have avoided $13.8 million in information technology spending by not making unnecessary and redundant purchases, a preliminary review by the county comptroller’s office has found.
- Had the county not spent that money as it did, annually recurring savings could have been $3.5 million, the review found.
- Former County Executive Steve Bellone, in a statement, called the comptroller’s findings “factually inaccurate.”
In addition, he noted that the county experienced a phishing attempt this weekend. “We will double down on our efforts and continue until we have every aspect of the dysfunction eliminated and systems stood back up in good working order,” he said.
Former County Executive Steve Bellone, in a statement, called the comptroller’s findings “factually inaccurate.”
Among the findings:
- The Department of Information Technology “unnecessarily purchased” a product called Palo Alto Prisma, a virtual private network that was “not placed into production as there was/is no tangible benefit” for it, according to the letter. The county’s existing VPN was “more than sufficient” and there was “no clear reasoning” for the $3.2 million purchase.
- The county “unnecessarily spent” $1.5 million on another Palo Alto product known as Cortex for individual desktop protection, even though New York State offered a free product known as CrowdStrike with a statewide security operation center. The county expects to save $766,000 annually by replacing Cortex with CrowdStrike, which has already been deployed on 6,800 county desktops.
- The county made an “unnecessary” purchase of Microsoft 365 software and could have saved $5.7 million by restoring its former MS-Exchange email software, which would have returned emails much sooner. It’s taken more than a year to restore emails from the old system to the new, the comptroller found.
- The administration’s purchase of a new two-factor authentication software known as Okta, at $1.2 million, could have been done for $153,000 by using a competing Microsoft Entra, with annual savings estimated at $438,000.
Bellone said the analysis “should be understood in its proper context, since it came from a self-proclaimed cyber-idiot who gets his IT advice from the guy whose office was at the center of both an illegal crypto mining operation and a cyberattack.”
Bellone didn’t immediately respond to a request that he name the people he referred to in his statement. Bellone since December 2022 has blamed former County Clerk IT director Peter Schlussler for vulnerabilities prior to the attack, but Schlussler has denied the claims and sued Bellone and other administration officials for defamation. Schlussler now works for the comptroller’s office.
In a statement, County Executive Ed Romaine said, “This comes as no surprise as my administration continues to find evidence of wasteful spending and unfulfilled obligations.” Romaine called Kennedy’s findings “just the tip of the iceberg, and we will continue to identify and claw back taxpayer dollars to make sure Suffolk County is a safer and more affordable place to live.”
Romaine will hire an outside firm to conduct a “deep-dive audit” into the cyberattack and money that was spent in response, his office said.
County Legis. Anthony Piccirillo (R-Holtsville) said the findings justify prior calls for an end to 16 consecutive states of emergency declared by the Bellone administration in the months after the cyberattack, which allowed for no competitive bidding for contracts and purchases.
“As I suspected when you take the legislature out of the regular order process, taxpayer money gets wasted,” said Piccirillo, who is chair of a committee looking into the cyberattack. “I really need to know how all that money was spent.”