Suffolk County cyberattack recovery costs hit $25M; final tab still being tallied
Suffolk County approved more than $25 million in spending in the aftermath of one of the nation’s most devastating ransomware attacks against a U.S. municipality — a figure more than four times higher than past official figures, according to a county analysis and a Newsday review of hundreds of pages of billing documents.
County officials frequently cited $5.4 million in additional spending in the aftermath of the Sept. 8, 2022, attack, which took down critical county systems; exposed the personal information of about 470,000 residents and 26,000 past and current employees; crippled police dispatch services for weeks; and shut down the county's main website for months. Payment systems, public records access and online testing systems were impacted, and some officials say the effects are still being felt.
Then-County Executive Steve Bellone declared 16 consecutive monthly states of emergency after the attack, lasting until his final days in office in December. The declarations allowed the county to suspend the normal competitive bidding process for most government contracts.
While the final tab for the cyberattack is still being tallied, county officials have been working off a detailed internal review that puts the spending at just over $25.7 million, including multiyear contracts through the end of this year. Suffolk County Comptroller John Kennedy, in a preliminary review earlier this year, accused the Bellone administration of spending $13.8 million on products that either were not needed or never deployed.
In an interview earlier this month, first-year Suffolk County Executive Edward P. Romaine, a Republican who took office in January, said his office is "looking to see what we can do, legally," to claw back some of the money.
"We got nothing for this money," said Romaine, who criticized the signing of multiyear contracts during a time of government transition. "We have issues with the prior administration signing contracts above and beyond the life of that administration."
Bellone, a Democrat, didn’t respond to a request for comment, and no Bellone administration official has been accused of wrongdoing. Suffolk District Attorney Ray Tierney earlier this year launched a probe to look into claims of document and file destruction near the end of Bellone's tenure.
Last month, Lisa Black, Bellone's top deputy, defended the county's response at a legislative hearing. "We did a lot of very important work together," she said, asserting that "all backups are retained or restored, or rebuilt, and this county did not pay a ransom to criminal actors."
Bellone has publicly blamed vulnerabilities before the attack on a former IT director in the County Clerk's office who is suing him for defamation. In 2022, he said the county paid $3.2 million for the restoration and $2 million for the forensic investigation.
Kennedy, a Republican and longtime political rival of Bellone, said in an interview the $25.7 million figure includes money already spent and future contractual obligations entered into under no-bid contracts.
Kennedy said the cost of the attack could go higher, given his recent findings that problems with the Department of Health Services computer systems after the attack led to delays in seeking federal and insurance company reimbursements. His office has found the cost to the county in this case appears to be between $12 million and $17 million.
Kennedy said his office has begun a comprehensive review of all cyber spending, at the request of Romaine. "I agreed to go ahead and do a formal review of all expenditures associated with the hack," Kennedy said, including consulting services, hardware and software, and overtime.
Mike Martino, Romaine's spokesman, disputed any notion that reviewing the spending was politically motivated.
The $25.7 million total doesn’t include thousands of hours of employee overtime across departments in the aftermath of the attack, Kennedy noted, nor does it include other nontechnology services incurred, including more than $1 million in legal expenses tied to document production and a legislative investigation into the cyberattack.
A legislative report on the cyberattack is due in coming weeks, though it’s expected to focus more on the reasons for the attack and the effectiveness of the response than the costs. Still, Legis. Anthony A. Piccirillo (R-Holtsville), who chairs the cyber committee, said: "Not only did the cyberattack cripple us for a long period of time, but it forced the county to spend tens of millions of dollars on a recovery without legislative oversight."
Piccirillo led an unsuccessful legislative attempt to stop the states of emergency.
Legis. Jason Richberg (D-West Babylon) argued the $25.7 million was justified.
"We're responsible for a $4 billion budget," he said, so spending $25.7 million "to get us restored and get us back in the right way, I think is important.
"We made sure county documents and county information was secured, and we didn't pay any money" to the ransomware group, Richberg added. "I think $25 million out of $4 billion is an important way to spend the money."
A Newsday review of the county spending analysis, and more than 670 pages of invoices and purchase orders received through a Freedom of Information Law request by Newsday, shows that around a third of the spending, or $8.1 million, was approved to go to California-based security vendor Palo Alto Networks.
That includes an "umbrella" support agreement valued at more than $3.18 million and continuing through 2025, and $1.67 million in purchase orders for a forensic investigation and remediation effort led by Palo Alto’s Unit 42 division. Unit 42 billed the county at rates up to $425 an hour, according to the documents. It also partnered with another outside vendor, Fenix24, for another $2.84 million in billings, according to the purchase orders.
Palo Alto was the firm called in by the Bellone administration in 2019 to conduct an assessment of the county’s cyber preparedness, along with consulting and lobbying firm RedLand Strategies. RedLand in 2018 filed with the state to lobby for Palo Alto in Suffolk County, according to state records, and remains a state lobbyist for the company, which pays RedLand $24,000 a year.
RedLand and its president, Michael Balboni, a former Republican state senator, also contracted with Suffolk to coordinate the response after the cyberattack and to conduct a search for Suffolk’s first chief information security officer in 2023.
Balboni, in a Newsday story in 2022, stressed that RedLand Strategies "was hired to assist the county with incident response and management for the ransomware attack in September and has not advised on the retention of any vendors."
Michael McKeon, a spokesman for RedLand, said neither the firm nor Balboni lobbied for Palo Alto or three other firms — Okta, Oracle and Tenable — that Balboni is listed as a lobbyist for in state registration records. McKeon further said neither Balboni nor his firm received any nonlobbying consulting payments from any of those firms related to Suffolk County.
Balboni’s consulting work for the county had "more to do with emergency management, incident command, the tabletop exercises," McKeon said.
County records show Okta received $627,165 in 2022 and is scheduled for another payment of $590,441 this year as part of its multiyear contract with the county. Kennedy in his March review found the county could have saved $438,000 if it instead had used Microsoft-based multifactor authentication software Entra at a cost of $153,000.
Kennedy previously found Suffolk "unnecessarily purchased" a product from Palo Alto called Prisma that was "not placed into production as there was/is no tangible benefit" for it, Newsday reported. The county’s existing virtual private network software was "more than sufficient" and there was "no clear reasoning" for the $3.2 million Prisma purchase, Kennedy charged, following a preliminary audit conducted earlier this year.
A spokeswoman for Palo Alto declined to comment, citing confidentiality reasons.
Suffolk also has begun to replace parts of another Palo Alto security system, desktop protection Cortex, with a free offering from New York State in conjunction with security firm CrowdStrike.
Balboni did register in Suffolk County in 2021 to lobby for one cyber firm, Tenable — the only time RedLand appears to have registered in the year before and the years after the attack, according to documents provided in response to a Freedom of Information Law request. Tenable, which makes a suite of security software and was cited during cyber investigations as a tool that detected a software update shortfall across county systems in advance of the attack, is estimated to have received $269,039 in 2023, and is expected to be paid more than $466,000 this year, according to county spending data. Bellone and Balboni, in responses to Newsday's previous stories, both repeatedly have said neither had any influence on purchasing decisions following the cyberattack.
"Nobody’s hiring anybody because Mike Balboni is saying hire them," Bellone told Newsday last year. "I’ve never heard him [Balboni] say, 'You should hire this person.'"
Those reports aren't the first time Balboni and his firm have drawn scrutiny. Last month, a story in The New York Times cited a letter by the state Inspector General reporting that the former state budget director, Sandra Beattie, "provided Balboni with open access to state vendors and the opportunity to court future business for his firm. No other lobbyists were provided this access or opportunity."
Neither the state Inspector General nor the state Ethics Commission would release the Inspector General’s letter to Newsday. Neither Balboni nor the former state officials have been accused of any wrongdoing.
Romaine in his interview said to understand the full extent of the cyberattack expenses, he’d prefer the Suffolk County Legislature convene a committee to investigate how the money was spent.
"I wish I had that $26 million" to spend on hardening the current county network, said Romaine, who is working to shore up Suffolk’s systems so that they qualify for cyber insurance for the first time in county history.
Cyber insurance firms typically won’t insure municipalities for perceived deficiencies, including lack of a chief information security officer (CISO) and multifactor authentication, which the county added months after the attack.
Newsday has reported that the New York State Association of Counties, of which Suffolk is a member, in 2022 surveyed its more than 60 members about cyber insurance. It found that of the 26 entities that responded, 21 had cyber insurance; 12 had $1 million in cyber coverage; five had $5 million worth; two had $2 million in coverage; and one each had $500,000 and $3 million. Five had no coverage.
The CISO hired by Bellone, Kenneth Brancik, was fired by Romaine's team earlier this year after around a year on the job, and the post remains vacant.
The bulk of the cyberattack spending — $9.46 million — took place in 2022, according to the county analysis.
In 2023, according to the county, $5.1 million was spent by the county’s main IT department, but upward of $1.6 million was spent in "other" departments, while the county took on $2.48 million in "encumbered" purchases that year, and $1.57 million in "true future needs." Just over $6 million is planned to be spent this year, over and above the roughly $5 million sought in capital projects by the Romaine administration for technology this year.
Suffolk spent $1.3 million for Microsoft 365 software licenses; employees testified during the legislature's investigation that deploying the new system, rather than restoring the then-existing Microsoft Exchange system, actually slowed recovery of the email systems. The purchase orders list Dell computer as the third party through which the county made a three-year purchase of Microsoft 365 software licenses, starting at $1.38 million in 2022, and continuing for two more years at $1.74 million each.
Romaine said getting to the bottom of the full cost of the cyberattack may be difficult, noting his administration has been hampered by a lack of records, including some that allegedly were removed or destroyed before his team took over. Tierney's office continues to investigate those allegations, his office has said.
"When I heard they had spent $27 million between September of 2022 and December of 2023, I said, 'Well, what did you get for your money? Where is it?'" Romaine said. "It’s hard to find because a lot of the records were erased."
WHAT TO KNOW
- Suffolk County approved more than $25 million in spending in the aftermath of the Sept. 8, 2022, ransomware attack, according to a county analysis and a Newsday review of hundreds of pages of billing documents.
- First-year Suffolk County Executive Edward P. Romaine criticized the Bellone administration's signing of multiyear contracts as a result of the attack during a time of government transition. He has asked for a review of the spending.
- The cyberattack took down county systems; exposed the personal information of about 470,000 residents and 26,000 past and current employees; crippled police dispatch services for weeks; and shut down the county's main website for months.