Suffolk, without a cyberattack recovery plan, hires chief to create one
Suffolk County’s new chief security information officer, announced Monday by County Executive Steve Bellone, will be charged with creating a recovery plan for potential cyberattacks in the future, administration officials said.
The lack of a stand-alone recovery plan before a breach was discovered Sept. 8 likely contributed to the amount of time it has taken the county to recover, said Richard Donoghue, counsel for the legislature’s Cyber Intrusion Investigation Committee.
Donoghue's remarks Monday during the panel’s first meeting came after Bellone's announcement of Kenneth Brancik, former cybersecurity chief of the Mount Sinai Health System, as the county's first chief information security officer.
“The county currently has an overall emergency response plan. But that emergency response plan was not specific to cyber breaches,” Donoghue, a former U.S. Attorney for New York's the Eastern District, said after the meeting.
"The purpose is, the day that you get attacked you have a plan to take off the shelf and respond immediately, as opposed to scrambling around and trying to figure out what needs to be done," Donoghue said.
Hackers gained access to the county's computer system by exploiting vulnerability in the county clerk’s system in December 2021, according to a forensic report commissioned by the county.
The attack forced the county to take down its website and other web-based applications, which weren't restored until February. The hackers initially demanded a $2.5 million ransom, but the county didn't pay it, Bellone has said.
A handful of online services, including property title searches and sewer bill payments, remain offline.
The county's most recent estimate for the cost of response and restoration of services was $5.7 million, although cybersecurity experts have said the amount could rise.
Bellone announced Monday that Brancik, of East Northport, will be responsible for the development, oversight and enforcement of policies and programs to protect the county, according to a news release. That includes crafting a cyber breach recovery plan, according to county spokeswoman Marykate Guilfoyle.
Brancik will receive a salary of $184,214, Guilfoyle said.
Brancik, who started work Monday and will report to Suffolk Information Technology Commissioner Scott Mastellon, was not immediately available for an interview Monday.
Brancik earned a doctorate in computing from Pace University and a master’s degree from New York University. He received technical education from Columbia University in the analysis and design of information systems, according to the county.
County officials said 30 people applied for the position and 15 were interviewed.
“As we work to move away from the decentralized IT structure that failed this county, our new chief information security officer will be absolutely critical to creating an enterprise-wide security architecture that will be responsible for a stronger and more resilient network,” Bellone said in a statement Monday.
Donoghue said the committee had not determined whether segmentation of the county’s IT systems made it vulnerable.
Donoghue, who said the committee has interviewed nine witnesses and obtained 20,000 documents, also said that before the attack Bellone's office had not complied with a law requiring the administration to update the County Legislature on Suffolk's cyber risk exposure.
Guilfoyle said the first IT cyber risk assessment report was dated January 2020, and no other reports were prepared because of the COVID-19 pandemic.
“Suffolk County was confronting a global pandemic, and all county resources, including [Department of Information Technology], were prioritized for the crisis at hand,” Guilfoyle said.
The bipartisan legislative committee, headed by Legis. Anthony Piccirillo (R-Holtsville), is investigating the source of the cyber breach and could meet for several more months before issuing a final report.
The committee is expected to meet again at the William Rogers Legislative Building in Hauppauge on May 8 at 9 a.m.