Suffolk cyberattack: County consultant also lobbies for vendor hired to fortify system

A consulting firm hired to help manage Suffolk County's response to a ransomware attack also has served as a lobbyist for the computer security company brought in more than three years ago to analyze and fortify Suffolk's networks, according to a Newsday analysis of records.

Computer security experts and a government watchdog group said consulting firm RedLand Strategies and founder Michael Balboni's roles as state lobbyist for the company — and consultant to Suffolk County — could present potential conflicts of interest in the cleanup of the Sept. 8 cyberattack.

Separately, computer experts raised concerns that Palo Alto Networks, the company that provided the front-line firewall of Suffolk's defense against cyberattacks, is acting as the primary forensic auditor to analyze what happened when the county's system was breached.

RedLand and Palo Alto, both responsible for helping safeguard Suffolk's computer system since 2019, recently were awarded new contracts to manage the county's response to the attack, determine how the breach occurred and to help fix it.

Suffolk has yet to publicly say how ransomware attackers infiltrated its system — potentially hundreds of times in the days and weeks leading up to the attack — but no one is blaming RedLand or Palo Alto. The attack has hobbled telephone and email systems and impacted the police department, Department of Health Services, and the Traffic and Parking Violations Agency as the county is still making repairs. Newsday has reported the county was alerted to a possible ransomware event nearly three months beforehand.

Balboni, a former state senator from East Williston, first inked a lobbying contract with Palo Alto in November 2017, a $2,000-a-month agreement that remains in effect, according to state lobbying records. In addition to his state lobbying registration, records show he registered in Suffolk as a lobbyist for Palo Alto in 2018, and again in 2021 but for no specific vendor.

State records show RedLand has lobbying relationships with other computer vendors used by Suffolk, including Okta, a recently approved computer security company.

Balboni, who has not been accused of any wrongdoing, served as New York State's deputy secretary for public safety from 2007 to 2009, is a former state adviser for Homeland Security and is a New York Power Authority trustee.

In an emailed statement, Balboni wrote, "Redland Strategies was hired to assist the County with incident response and management for the ransomware attack in September and has not advised on the retention of any vendors.”

Palo Alto didn't respond to requests for comment about its relationship with RedLand or potential conflicts, and declined to comment on the Suffolk breach specifically. 

Awarded $55,000 contract in 2019

Balboni and Palo Alto first went to work for Suffolk in 2019, when they were awarded a $55,000 contract for what the county described as the state’s first “cyber checkup” — to root out computer vulnerabilities. The contract was funded by a state Homeland Security grant, Suffolk said. Palo Alto went on to become the county’s primary vendor of firewalls and related services against cyber intruders.

Balboni and Suffolk announced in 2019 that RedLand and Palo Alto had been awarded the contract to “review our existing cybersecurity response policies, plans and procedures and develop recommendations that will make our systems and data more secure against cyberattacks,” County Executive Steve Bellone said at the time.

RedLand and Palo Alto’s “thorough security assessment of our current network will serve as a ‘cyber checkup,’ helping us understand our current abilities and identifying areas that could use improvement," Balboni said in 2019.

On March 18, 2019, Balboni donated $1,250 to the Suffolk County Democratic Committee, a week before his contract with Suffolk was announced. Statewide, he has given more than $124,000 in donations to political campaigns and committees over the past decade, including $6,250 to the Suffolk County Democratic Committee since 2015.

State records show RedLand has been a registered lobbyist for Palo Alto since at least 2017. In 2018, RedLand filed a statement with the state amending its registration to provide "additional governmental affairs services to Palo Alto Networks in the County of Suffolk." Suffolk rules require lobbyists to register with the county. Records show that neither Balboni nor RedLand is now listed as registered with the county.

"Let's be honest: This problem arose under his [Balboni's] watch," said Susan Lerner, director of the watchdog group Common Cause New York. "He was hired [in 2019] to prevent this kind of breach. … Why would you go back to the same person who didn't do the job correctly the first time and give them more money to see if they could get the job right the second time, on something as important as a county website and online system? It's truly astonishing."

Palo Alto won a county contract for firewall services following the cyber checkup, replacing a system by Cisco Systems, according to emails and a person familiar with the county's systems. The value of the contract is unknown because a county web page devoted to disclosure of Suffolk contracts has been unavailable since last month's attack, and Suffolk declined to provide it to Newsday.

Suffolk County, in an email, wouldn't say whether it was aware of RedLand's lobbying relationship with Palo Alto when it awarded the contract or whether it constituted a potential conflict, but noted that Palo Alto was selected following a 2019 procurement process for "a number" of security initiatives. "Due to existing knowledge of the systems, Palo Alto, an industry leader, was uniquely positioned to assist with the assessment," the email said. 

County spokeswoman Marykate Guilfoyle added in a statement: "As the county continues to navigate the cyber intrusion, we have contracted with a number of leading industry vendors to conduct a comprehensive forensic assessment. In line with best practices, the county is continuing its rolling restoration of services and is making security upgrades to county systems to better protect against any potential future attack."

Suffolk: Palo Alto 'uniquely positioned'

Palo Alto has received millions of dollars in new contracts since the Sept. 8 breach — at rates exceeding $400 an hour for teams of auditors — through its Unit 42 division to "lead and coordinate all incident command efforts" and to "identify gaps and provide remediation for such gaps," according to a contract. The Unit 42 contract is valued at nearly $3 million and could be higher, according to a person familiar with the county's response to the attack.

Ethics and cybersecurity experts raised questions about potential conflicts between Palo Alto’s role as vendor to the county while Unit 42 serves as a primary investigator of the attack. Some, however, said the county's current state of emergency provides for the awarding of such no-bid contracts, and noted Palo Alto's status as an industry leader. 

Unit 42 is investigating the origins of the intrusion, providing forensic and computer-log analysis, "threat hunting" and malware analysis.

Suffolk, explaining the contract award, said Palo Alto is "uniquely positioned" to conduct the probe, and noted that it has a contract "with a separate technology company to assist with the forensic assessment as needed."

The county didn't name that vendor or say whether it has been needed.

Computer experts said Suffolk should turn to independent companies for the forensic audit and investigation, given its affiliation with Palo Alto. 

Tyler Farrar, chief information security officer for Exabeam, a computer security company, said hiring a third-party forensic auditing company is considered the best practice to ensure a "complete, independent and objective forensic investigation." 

"Simply using the forensic arm of the vendor company whose product may have been breached is a risky option," he said. "Industry best practice would require hiring a separate, independent company to conduct their own investigation. In these circumstances, it is not a matter of one versus the other, but taking full advantage of the key strengths of both third parties." 

Palo Alto spokeswoman Kelly Kane didn't respond to questions about the relationship, but in response to Newsday questions for a story last month, she said, “For this story, we're not going to be able to assist with your questions.”

Common Cause's Lerner said: “You need to have unrelated cyber experts involved in this situation. If you’re going to stay with the same people whose firewall failed in the first place, then you have to have somebody outside to check."

The September attack was particularly troubling for Suffolk Legis. Sarah Anker (D-Mount Sinai). Anker in 2018 authored legislation requiring annual cybersecurity analysis and reports by the county after her office computer was hacked.

Anker said the county has failed to file cybersecurity reports with the required frequency and by deadline — only “one and a half” have been filed since the law passed. She said she had to amend the legislation to require reports to be available by September rather than the originally required March, because of missed deadlines.

She said only one final 12-page report has been completed beyond its draft state. A draft of a 2022 report had been circulating in the weeks before its Sept. 1 deadline, but the Sept. 8 cyber breach held it up. She also expressed frustration that Newsday received a copy of the report, which is marked confidential on each page and requires anyone not on an authorized distribution list to destroy it.

“I’m incredibly frustrated their reports were not coming out in the time frame they were supposed to,” said Anker, who is now on a new legislative committee investigating the breach. She said production of the document to Newsday under the Freedom of Information Law was likely “an error.” She declined to discuss any information in the report.

One of the reasons cited in the report for the “additional time” it took to submit the first completed edition was Suffolk’s desire for a “formal, independent assessment” by RedLand, including the “solicitation and eventual award of these services.” 

RedLand lobbyist for new vendor, too

RedLand also is listed as a $3,000-a-month state lobbyist for another newly contracted Suffolk security vendor, Okta, a provider of services that help authenticate the identity of computer users.

Suffolk, in a statement, said, "Prior to the selection of Okta, the county researched and vetted a number of vendors and it was determined that Okta was a global industry leader." A spokesperson for Okta declined to comment. 

Lerner's Common Cause and other experts on good government said the intersecting lobbying and consultant roles raise red flags. 

"The conflict of interest is so glaring [that] it's really shocking," said Lerner, who questioned whether RedLand's emergency management, health care and government affairs specialties run deep enough into cybersecurity to serve Suffolk in that realm.

"As a lobbyist, by definition, he [Balboni] is being paid to put the companies' interests above the public interest," Lerner said. "Why in the world has Suffolk County hired a lobbyist to handle cybersecurity?" 

Paul Sabatino, a former chief deputy Suffolk executive and counsel to the Suffolk Legislature, said it doesn't matter if Balboni's firm is no longer lobbying for vendor clients already hired by the county. 

“It’s a distinction without a difference," Sabatino said.

“It’s a conflict because a lobbyist representing a third party has a fiduciary obligation to the client to maximize the economic benefits to that client," he added. "As a contractor for the county, he or she has a fiduciary responsibility to the county to maximize the economic benefits to the county for the taxpayers. Those are mutually exclusive obligations."

But Samantha Segal, an attorney who is former executive director of the Suffolk County Board of Ethics and is now in private practice, said the circumstances may provide for an exception, despite Balboni's dual roles as Palo Alto lobbyist. They do not appear "nefarious in this situation, given the gravity of what’s occurred," she said. 

“Life and safety are affected,” she added, referring to the impact of the attack on the county's emergency 911 systems. “I think that supersedes an emergency conflict of interest.”

A copy of Suffolk's 2020 risk-assessment report required by Anker's legislation and provided to Newsday this month lists among other recommendations that the county hire a chief information security officer. The position would significantly expand the duties of an existing cybersecurity coordinator to give the higher-level post "authority over departments that have their own technology units" across county government, while coordinating "all security-related activity" across systems.

But the county never hired a chief information security officer. Instead, the coordinator position not only continued but transitioned to an outside contractor, according to county documents and a person familiar with the post. Only in recent weeks has the county included the chief cybersecurity post in its 2023 budget, among other security positions and upgrades. 

Some public officials and their staffs, including County Clerk Judy Pascale, had urged county computer network officials and the legislature to release funding and help them do more to protect their systems, starting at least in the spring of this year. Pascale said she repeatedly requested access to the Palo Alto firewall for the clerk's office, but her requests were rebuffed.

With Vera Chinese