Suffolk County cyberattack recovery costs hit 25M final tab still being tallied Newsday
pSuffolk County approved more than 25 million in spending in the aftermath of one of the nations most devastating ransomware attacks against a US municipality a figure more than four times higher than past official figures according to a county analysis and a Newsday review of hundreds of pages of billing documentsppCounty officials frequently cited 54 million in additional spending in the aftermath of the Sept 8 2022 attack which took down critical county systems exposed the personal information of about 470000 residents and 26000 past and current employees crippled police dispatch services for weeks and shut down the countys main website for months Payment systems public records access and online testing systems were impacted and some officials say the effects are still being feltppThenCounty Executive Steve Bellone declared 16 consecutive monthly states of emergency after the attack lasting until his final days in office in December The declarations allowed the county to suspend the normal competitive bidding process for most government contractsppWhile the final tab for the cyberattack is still being tallied county officials have been working off a detailed internal review that puts the spending at just over 257 million including multiyear contracts through the end of this year Suffolk County Comptroller John Kennedy in a preliminary review earlier this year accused the Bellone administration of spending 138 million on products that either were not needed or never deployedppIn an interview earlier this month firstyear Suffolk County Executive Edward P Romaine a Republican who took office in January said his office is looking to see what we can do legally to claw back some of the moneyppWe got nothing for this money said Romaine who criticized the signing of multiyear contracts during a time of government transition We have issues with the prior administration signing contracts above and beyond the life of that administrationppBellone a Democrat didnt respond to a request for comment and no Bellone administration official has been accused of wrongdoing Suffolk District Attorney Ray Tierney earlier this year launched a probe to look into claims of document and file destruction near the end of Bellones tenureppLast month Lisa Black Bellones top deputy defended the countys response at a legislative hearing We did a lot of very important work together she said asserting that all backups are retained or restored or rebuilt and this county did not pay a ransom to criminal actorsppBellone has publicly blamed vulnerabilities before the attack on a former IT director in the County Clerks office who is suing him for defamation In 2022 he said the county paid 32 million on the restoration and 2 million in the forensic investigationppKennedy a Republican and longtime political rival of Bellone said in an interview the 257 million figure includes money already spent and future contractual obligations entered into under nobid contractsppKennedy said the cost of the attack could go higher given his recent findings that problems with the Department of Health Services computer systems after the attack led to delays in seeking federal and insurance company reimbursements His office has found the cost to the county in this case appears to be between 12 million and 17 millionppKennedy said his office has begun a comprehensive review of all cyber spending at the request of Romaine I agreed to go ahead and do a formal review of all expenditures associated with the hack Kennedy said including consulting services hardware and software and overtimeppMike Martino Romaines spokesman disputed any notion that reviewing the spending was politically motivatedppThe 257 million total doesnt include thousands of hours of employee overtime across departments in the aftermath of the attack Kennedy noted nor does it include other nontechnology services incurred including more than 1 million in legal expenses tied to document production and a legislative investigation into the cyberattackppA legislative report on the cyberattack is due in coming weeks though its expected to focus more on the reasons for the attack and the effectiveness of the response than the costs Still said Legis Anthony A Piccirillo RHoltsville who chairs the cyber committee said Not only did the cyberattack cripple us for a long period of time but it forced the county to spend tens of millions of dollars on a recovery without legislative oversightppPiccirillo led an unsuccessful legislative attempt to stop the states of emergencyppLegis Jason Richberg DWest Babylon argued the 257 million was justified ppWere responsible for a 4 billion budget he said so spending 257 million to get us restored and get us back in the right way I think is importantppWe made sure county documents and county information was secured and we didnt pay any money to the ransomware group Richberg added I think 25 million out of 4 billion is an important way to spend the moneyppA Newsday review of the county spending analysis and more than 670 pages of invoices and purchase orders received through a Freedom of Information Law request by Newsday shows that around a third of the spending or 81 million was approved to go to Californiabased security vendor Palo Alto NetworksppThat includes an umbrella support agreement valued at more than 318 million and continuing through 2025 and 167 million in purchase orders for a forensic investigation and remediation effort led by Palo Altos Unit 42 division Unit 42 billed the county at rates up to 425 an hour according to the documents It also partnered with another outside vendor Fenix24 for another 284 million in billings according to the purchase ordersppPalo Alto was the firm called in by the Bellone administration in 2019 to conduct an assessment of the countys cyber preparedness along with consulting and lobbying firm RedLand Strategies RedLand in 2018 filed with the state to lobby for Palo Alto in Suffolk County according to state records and remains a state lobbyist for the company which pays RedLand 24000 a yearppRedLand and its president Michael Balboni a former Republican state senator also contracted with Suffolk to coordinate the response after the cyberattack and to conduct a search for Suffolks first chief information security officer in 2023ppBalboni in a Newsday story in 2022 stressed that Redland Strategies was hired to assist the county with incident response and management for the ransomware attack in September and has not advised on the retention of any vendorsppMichael McKeon a spokesman for RedLand said neither the firm nor Balboni lobbied for Palo Alto or three other firms Okta Oracle and Tenable that Balboni is listed as a lobbyist for in state registration records McKeon further said neither Balboni nor his firm received any nonlobbying consulting payments from any of those firms related to Suffolk CountyppBalbonis consulting work for the county had more to do with emergency management incident command the tabletop exercises McKeon saidppCounty records show Okta received 627165 in 2022 and is scheduled for another payment of 590441 this year as part of its multiyear contract with the county Kennedy in his March review found the county could have saved 438000 if it instead had used Microsoftbased multifactor authentication software Entra at a cost of 153000 ppKennedy previously found Suffolk unnecessarily purchased a product from Palo Alto called Prisma that was not placed into production as there wasis no tangible benefit for it Newsday reported The countys existing virtual private network software was more than sufficient and there was no clear reasoning for the 32 million Prisma purchase Kennedy charged following a preliminary audit conducted earlier this yearppA spokeswoman for Palo Alto declined to comment citing confidentiality reasonsppSuffolk also has begun to replace parts of another Palo Alto security system desktop protection Cortex with a free offering from New York State in conjunction with security firm CrowdStrikeppBalboni did register in Suffolk County in 2021 to lobby for one cyber firm Tenable the only time RedLand appears to have registered in the year before and the years after the attack according to documents provided in response to a Freedom of Information Law request Tenable which makes a suite of security software and was cited during cyber investigations as a tool that detected a software update shortfall across county systems in advance of the attack is estimated to have received 269039 in 2023 and is expected to be paid more than 466000 this year according to county spending data Bellone and Balboni in responses to Newsdays previous stories both repeatedly have said neither had any influence on purchasing decisions following the cyberattackppNobodys hiring anybody because Mike Balboni is saying hire them Bellone told Newsday last year Ive never heard him Balboni say You should hire this personppThose reports arent the first time Balboni and his firm have drawn scrutiny Last month a story in the The New York Times cited a letter by the state Inspector General reporting that the former state budget director Sandra Beattie provided Balboni with open access to state vendors and the opportunity to court future business for his firm No other lobbyists were provided this access or opportunityppNeither the state Inspector General nor the state Ethics Commission would release the Inspector Generals letter to Newsday Neither Balboni nor the former state officials have been accused of any wrongdoingppRomaine in his interview said to understand the full extent of the cyberattack expenses hed prefer the Suffolk County Legislature convene a committee to investigate how the money was spentppI wish I had that 26 million to spend on hardening the current county network said Romaine who is working to shore up Suffolks systems so that they qualify for cyber insurance for the first time in county historyppCyber insurance firms typically wont insure municipalities for perceived deficiencies including lack of a chief information security officer CISO and multifactor authentication which the county added months after the attackppNewsday has reported that the New York State Association of Counties of which Suffolk is a member in 2022 surveyed its more than 60 members about cyber insurance It found that of the 26 entities that responded 21 had cyber insurance 12 had 1 million in cyber coverage five had 5 million worth two had 2 million in coverage and one each had 500000 and 3 million Five had no coverageppThe CISO hired by Bellone Kenneth Brancik was fired by Romaines team earlier this year after around a year on the job and the post remains vacantppThe bulk of the cyberattack spending 946 million took place in 2022 according to the county analysis ppIn 2023 according to the county 51 million was spent by the countys main IT department but upward of 16 million was spent in other departments while the county took on 248 million in encumbered purchases that year and 157 million in true future needs Just over 6 million is planned to be spent this year over and above the roughly 5 million sought in capital projects by the Romaine administration for technology this yearppSuffolk spent 13 million for Microsoft 365 software licenses that employees testified during the legislatures investigation actually slowed recovery of the email systems to deploy the new one rather than restore the thenexisting Microsoft Exchange system The purchase orders list Dell computer as the third party through which the county made a threeyear purchase of Microsoft 365 software licenses starting at 138 million in 2022 and continuing for two more years at 174 million eachppRomaine said getting to the bottom of the full cost of the cyberattack may be difficult noting his administration has been hampered by a lack of records including some that allegedly were removed or destroyed before his team took over Tierneys office continues to investigate those allegations his office has saidppWhen I heard they had spent 27 million between September of 2022 and December of 2023 I said Well what did you get for your money Where is it Romaine said Its hard to find because a lot of the records were erasedppSuffolk County approved more than 25 million in spending in the aftermath of one of the nations most devastating ransomware attacks against a US municipality a figure more than four times higher than past official figures according to a county analysis and a Newsday review of hundreds of pages of billing documentsppCounty officials frequently cited 54 million in additional spending in the aftermath of the Sept 8 2022 attack which took down critical county systems exposed the personal information of about 470000 residents and 26000 past and current employees crippled police dispatch services for weeks and shut down the countys main website for months Payment systems public records access and online testing systems were impacted and some officials say the effects are still being feltppThenCounty Executive Steve Bellone declared 16 consecutive monthly states of emergency after the attack lasting until his final days in office in December The declarations allowed the county to suspend the normal competitive bidding process for most government contractsppWhile the final tab for the cyberattack is still being tallied county officials have been working off a detailed internal review that puts the spending at just over 257 million including multiyear contracts through the end of this year Suffolk County Comptroller John Kennedy in a preliminary review earlier this year accused the Bellone administration of spending 138 million on products that either were not needed or never deployedppFirstyear Suffolk County Executive Edward P Romaine criticized the Bellone administrations signing of multiyear contracts as a result of the attack during a time of government transition He has asked for a review of the spendingppThe cyberattack took down county systems exposed the personal information of about 470000 residents and 26000 past and current employees crippled police dispatch services for weeks and shut down the countys main website for monthsppIn an interview earlier this month firstyear Suffolk County Executive Edward P Romaine a Republican who took office in January said his office is looking to see what we can do legally to claw back some of the moneyppThe biggest news politics and crime stories in Suffolk County in your inbox every Friday at noonppppBy clicking Sign up you agree to our privacy policyppWe got nothing for this money said Romaine who criticized the signing of multiyear contracts during a time of government transition We have issues with the prior administration signing contracts above and beyond the life of that administrationppBellone a Democrat didnt respond to a request for comment and no Bellone administration official has been accused of wrongdoing Suffolk District Attorney Ray Tierney earlier this year launched a probe to look into claims of document and file destruction near the end of Bellones tenureppLast month Lisa Black Bellones top deputy defended the countys response at a legislative hearing We did a lot of very important work together she said asserting that all backups are retained or restored or rebuilt and this county did not pay a ransom to criminal actorsppBellone has publicly blamed vulnerabilities before the attack on a former IT director in the County Clerks office who is suing him for defamation In 2022 he said the county paid 32 million on the restoration and 2 million in the forensic investigationppKennedy a Republican and longtime political rival of Bellone said in an interview the 257 million figure includes money already spent and future contractual obligations entered into under nobid contractsppKennedy said the cost of the attack could go higher given his recent findings that problems with the Department of Health Services computer systems after the attack led to delays in seeking federal and insurance company reimbursements His office has found the cost to the county in this case appears to be between 12 million and 17 millionppKennedy said his office has begun a comprehensive review of all cyber spending at the request of Romaine I agreed to go ahead and do a formal review of all expenditures associated with the hack Kennedy said including consulting services hardware and software and overtimeppMike Martino Romaines spokesman disputed any notion that reviewing the spending was politically motivatedppThe 257 million total doesnt include thousands of hours of employee overtime across departments in the aftermath of the attack Kennedy noted nor does it include other nontechnology services incurred including more than 1 million in legal expenses tied to document production and a legislative investigation into the cyberattackppA legislative report on the cyberattack is due in coming weeks though its expected to focus more on the reasons for the attack and the effectiveness of the response than the costs Still said Legis Anthony A Piccirillo RHoltsville who chairs the cyber committee said Not only did the cyberattack cripple us for a long period of time but it forced the county to spend tens of millions of dollars on a recovery without legislative oversightppPiccirillo led an unsuccessful legislative attempt to stop the states of emergencyppLegis Jason Richberg DWest Babylon argued the 257 million was justified ppWere responsible for a 4 billion budget he said so spending 257 million to get us restored and get us back in the right way I think is importantppWe made sure county documents and county information was secured and we didnt pay any money to the ransomware group Richberg added I think 25 million out of 4 billion is an important way to spend the moneyppA Newsday review of the county spending analysis and more than 670 pages of invoices and purchase orders received through a Freedom of Information Law request by Newsday shows that around a third of the spending or 81 million was approved to go to Californiabased security vendor Palo Alto NetworksppThat includes an umbrella support agreement valued at more than 318 million and continuing through 2025 and 167 million in purchase orders for a forensic investigation and remediation effort led by Palo Altos Unit 42 division Unit 42 billed the county at rates up to 425 an hour according to the documents It also partnered with another outside vendor Fenix24 for another 284 million in billings according to the purchase ordersppPalo Alto was the firm called in by the Bellone administration in 2019 to conduct an assessment of the countys cyber preparedness along with consulting and lobbying firm RedLand Strategies RedLand in 2018 filed with the state to lobby for Palo Alto in Suffolk County according to state records and remains a state lobbyist for the company which pays RedLand 24000 a yearppRedLand and its president Michael Balboni a former Republican state senator also contracted with Suffolk to coordinate the response after the cyberattack and to conduct a search for Suffolks first chief information security officer in 2023ppBalboni in a Newsday story in 2022 stressed that Redland Strategies was hired to assist the county with incident response and management for the ransomware attack in September and has not advised on the retention of any vendorsppMichael McKeon a spokesman for RedLand said neither the firm nor Balboni lobbied for Palo Alto or three other firms Okta Oracle and Tenable that Balboni is listed as a lobbyist for in state registration records McKeon further said neither Balboni nor his firm received any nonlobbying consulting payments from any of those firms related to Suffolk CountyppBalbonis consulting work for the county had more to do with emergency management incident command the tabletop exercises McKeon saidppCounty records show Okta received 627165 in 2022 and is scheduled for another payment of 590441 this year as part of its multiyear contract with the county Kennedy in his March review found the county could have saved 438000 if it instead had used Microsoftbased multifactor authentication software Entra at a cost of 153000 ppKennedy previously found Suffolk unnecessarily purchased a product from Palo Alto called Prisma that was not placed into production as there wasis no tangible benefit for it Newsday reported The countys existing virtual private network software was more than sufficient and there was no clear reasoning for the 32 million Prisma purchase Kennedy charged following a preliminary audit conducted earlier this yearppA spokeswoman for Palo Alto declined to comment citing confidentiality reasonsppThenSuffolk County Executive Steve Bellone gives an update on the cyberattack with Lisa Black deputy county executive in Hauppauge on Dec 21 2022 Credit James CarboneppSuffolk also has begun to replace parts of another Palo Alto security system desktop protection Cortex with a free offering from New York State in conjunction with security firm CrowdStrikeppBalboni did register in Suffolk County in 2021 to lobby for one cyber firm Tenable the only time RedLand appears to have registered in the year before and the years after the attack according to documents provided in response to a Freedom of Information Law request Tenable which makes a suite of security software and was cited during cyber investigations as a tool that detected a software update shortfall across county systems in advance of the attack is estimated to have received 269039 in 2023 and is expected to be paid more than 466000 this year according to county spending data Bellone and Balboni in responses to Newsdays previous stories both repeatedly have said neither had any influence on purchasing decisions following the cyberattackppNobodys hiring anybody because Mike Balboni is saying hire them Bellone told Newsday last year Ive never heard him Balboni say You should hire this personppThose reports arent the first time Balboni and his firm have drawn scrutiny Last month a story in the The New York Times cited a letter by the state Inspector General reporting that the former state budget director Sandra Beattie provided Balboni with open access to state vendors and the opportunity to court future business for his firm No other lobbyists were provided this access or opportunityppNeither the state Inspector General nor the state Ethics Commission would release the Inspector Generals letter to Newsday Neither Balboni nor the former state officials have been accused of any wrongdoingppRomaine in his interview said to understand the full extent of the cyberattack expenses hed prefer the Suffolk County Legislature convene a committee to investigate how the money was spentppI wish I had that 26 million to spend on hardening the current county network said Romaine who is working to shore up Suffolks systems so that they qualify for cyber insurance for the first time in county historyppCyber insurance firms typically wont insure municipalities for perceived deficiencies including lack of a chief information security officer CISO and multifactor authentication which the county added months after the attackppNewsday has reported that the New York State Association of Counties of which Suffolk is a member in 2022 surveyed its more than 60 members about cyber insurance It found that of the 26 entities that responded 21 had cyber insurance 12 had 1 million in cyber coverage five had 5 million worth two had 2 million in coverage and one each had 500000 and 3 million Five had no coverageppThe CISO hired by Bellone Kenneth Brancik was fired by Romaines team earlier this year after around a year on the job and the post remains vacantppThe bulk of the cyberattack spending 946 million took place in 2022 according to the county analysis ppIn 2023 according to the county 51 million was spent by the countys main IT department but upward of 16 million was spent in other departments while the county took on 248 million in encumbered purchases that year and 157 million in true future needs Just over 6 million is planned to be spent this year over and above the roughly 5 million sought in capital projects by the Romaine administration for technology this yearppSuffolk spent 13 million for Microsoft 365 software licenses that employees testified during the legislatures investigation actually slowed recovery of the email systems to deploy the new one rather than restore the thenexisting Microsoft Exchange system The purchase orders list Dell computer as the third party through which the county made a threeyear purchase of Microsoft 365 software licenses starting at 138 million in 2022 and continuing for two more years at 174 million eachppRomaine said getting to the bottom of the full cost of the cyberattack may be difficult noting his administration has been hampered by a lack of records including some that allegedly were removed or destroyed before his team took over Tierneys office continues to investigate those allegations his office has saidppWhen I heard they had spent 27 million between September of 2022 and December of 2023 I said Well what did you get for your money Where is it Romaine said Its hard to find because a lot of the records were erasedpp
Mark Harrington a Newsday reporter since 1999 covers energy wineries Indian affairs and fisheries
pp Suffolk cyberattack investigation How will Nassau enforce mask ban 100 years of 4H Get the latest news and more great videos at NewsdayTVppGet more on these and other NewsdayTV storiespp Suffolk cyberattack investigation How will Nassau enforce mask ban 100 years of 4H Get the latest news and more great videos at NewsdayTVppGet more on these and other NewsdayTV storiesppThe Newsday app makes it easier to access content without having to log inppCYBERMONDAYIN AUGUST26 for 5 6 monthsppPrivacy Policy Terms of service Subscription terms Your ad choices Cookie Settings California Privacy Rights About Us Contact Newsday Reprints permissions Advertise with Newsday HelpppCopyright 2024 Newsday All rights reservedp
Mark Harrington a Newsday reporter since 1999 covers energy wineries Indian affairs and fisheries
pp Suffolk cyberattack investigation How will Nassau enforce mask ban 100 years of 4H Get the latest news and more great videos at NewsdayTVppGet more on these and other NewsdayTV storiespp Suffolk cyberattack investigation How will Nassau enforce mask ban 100 years of 4H Get the latest news and more great videos at NewsdayTVppGet more on these and other NewsdayTV storiesppThe Newsday app makes it easier to access content without having to log inppCYBERMONDAYIN AUGUST26 for 5 6 monthsppPrivacy Policy Terms of service Subscription terms Your ad choices Cookie Settings California Privacy Rights About Us Contact Newsday Reprints permissions Advertise with Newsday HelpppCopyright 2024 Newsday All rights reservedp
