New York State Joint Commission on Public Ethics (JCOPE) has provided an update on the cyberattack reported at the end of February. The commission reported that it had learned that it had been the target of a deliberate malicious cyberattack, specifically to the web server that houses, among other systems, JCOPE’s Lobbying Application and Financial Disclosure Statement Online Filing System.

 

JCOPE officials released a statement on Friday, Feb. 25, confirming the commission’s systems were taken down as a precaution earlier that week by the State Office of Information Technology Services (“ITS”) when the agency received an alert of suspicious activity on the commission’s web server.  The cyberattack was only confirmed after several days of preliminary forensic analysis by ITS.

 

State officials had said on Feb. 25 that the systems would remain offline until they could be brought back up safely. There was no initial timeframe for a resumption of online filings.

 

“We do not have any information at this time about who may have been behind the cyberattack, and although we do not know yet if there was an actual breach of user or other agency information, we will be working with law enforcement, including the New York State Police and the Office of the Attorney General, as well as the Department of State’s Consumer Protection Division, to further investigate this incident and meet all legal obligations triggered when a system breach occurs,” State officials said in a press release on Friday, Feb. 25.

 

“Our first and highest priority is the safety and integrity of the data entrusted to the Commission by the regulated community,” said JCOPE executive director, Sanford Berland. “We are working with our partners in information technology and law enforcement to identify the scope of the attack, to ensure that the incident response is comprehensive, and to bring each system back online as soon as safely possible,” he said.

 

According to State officials, JCOPE was separately working to notify the regulated lobbying community and financial disclosure statement filers. Extensions were to be automatically granted for any filings that were due, and could not be submitted because of the outage; those extensions were to be determined once the systems were brought back online.

 

On July 28, 2021, as reported by Reuters, U.S. President Joe Biden had warned, that if the United States ended up in a “real shooting war” with a “major power” it could be the result of a significant cyber attack on the country, highlighting what Washington saw as growing threats posed by Russia and China. International tensions have risen in recent days, following the invasion of Russian military forces of Ukraine which, to date, has resulted in the deaths of 137 Ukrainian civilians and many more Ukrainian and Russian military personnel.

 

On Feb. 20, Gov. Kathy Hochul addressed the threats of imminent cyberattacks, saying, “In light of current geopolitical uncertainty, earlier today I convened cabinet members from relevant areas to review our ongoing cybersecurity preparedness efforts and make sure that New Yorkers, our institutions, and our critical infrastructure are protected from cyber-facilitated disruptions.”

 

She added, “We are in regular touch with the White House and the U.S. Department of Homeland Security to ensure coordination.” The governor said her administration had taken significant steps to prepare for what had become increasingly sophisticated cyberattacks, including her recent budget proposal to invest $62 million in State cybersecurity protections, more than double the amount for the previous year.

 

 

 

On Saturday, March 5, JCOPE officials announced that the commission was continuing its investigation and response to the cybersecurity attack. Barring any additional findings by the State Office of Information Technology Services (ITS), the
commission officials said they anticipated that the electronic lobbying reporting and financial disclosure statement (FDS) systems would be back online by the week ending March 11.

 

They said any filings due during the outage will be automatically granted a 21-day extension. Additionally, the March 15 lobbying bi-monthly report deadline was extended to March 31.

 

They added that the information security officials at ITS are nearing the completion of the forensic review process, which is attempting to retrace the malicious activity step-by-step. While not yet complete, they said the review has established that the incident was the result of an attack on the JCOPE Legacy Lobbying Filing System (used from 2005 to 2018).

 

This system had been retained to provide public access to those records and for lobbyists to submit amendments resulting from JCOPE audits and investigations. Officials said the legacy system would not be returned to service until further notice.

 

The commission also shared that all underlying data that populates JCOPE systems is housed on a separate database server, and all credit card transactions are carried out via a third-party payment processing gateway – JCOPE stores no credit card numbers on its own system.

 

Officials said the forensic review process was ongoing, but other than the intrusion into the pre-2019 legacy system, there had been no direct evidence of any unauthorized access to user data or to the third-party credit card system. That said, officials said they are continuing to look for any circumstantial evidence or other indicator that would suggest unlawful use of user information.

 

Once the forensic review is complete, JCOPE officials said they will return the lobbying and FDS systems – but not the pre-2019 legacy lobbying system – to service. “We expect operations to resume next week, but we will not sacrifice security and integrity in the name of speed,” said JCOPE executive director, Sanford Berland.

 

At the same time, JCOPE officials said ITS is engaging in ongoing prophylactic exploit testing in order to identify and eliminate any security vulnerabilities beyond those in the since-deactivated pre-2019 lobbying filing system. They said this is a comprehensive long-term exercise, and any findings can be remediated while lobbying and FDS filing activity has resumed.

 

“Forensics will help us understand this incident and prevent a recurrence, but cyber-security is a constant game of cat-and-mouse,” said Berland. “This continuing test-and-fix process is crucial to our staying one step ahead of the next attack.” When the cyber-attack was first discovered through a suspicious activity alert on February 21, early forensics suggested it came in through U.S.-based public IP addresses. However, experts say those easily could have been just the final stop on a global circuit.

 

At the time, commission officials said they brought the incident to the attention of additional state Agencies, including the Office of the Attorney General and the Department of State Division of Consumer Protection. Once final forensics are complete, commission officials said they will work with these organizations to ensure that any affected users are contacted and all legal obligations are met.

 

Additionally, they said any information that can be gleaned from the review will be shared with law enforcement for investigative purposes. “This has been a trying time for JCOPE, ITS, and the regulated community,” said Berland. “We thank everyone for their understanding and look forward to safely resuming operations as soon as possible.” Commission officials added that additional guidance will be distributed to Lobbying and FDS filers before the systems are returned online. Lobbying filers should send questions to helpdesk@jcope.ny.gov. FDS filers should send questions to ethel@jcope.ny.gov.

 

As reported, in September 2021, Hochul announced the appointments of Commissioner James E. Dering and the Honorable C. Randall Hinrichs to serve on the Joint Commission on Public Ethics (JCOPE). Dering was previously appointed to JCOPE by Cuomo and formerly served in the Cuomo administration as general counsel of the Department of Health.

 

Hochul later announced she was appointing Jose Nieves and Sharon Stern Gerstman to serve on the Commission, with the two appointees filling-in the seats vacated by Robert Cohen and James E. Dering, who would be stepping down from their roles. “Restoring trust in government is a top priority for my administration, and that includes strengthening ethics oversight,” Hochul said at the time. “Jose Nieves and Sharon Stern Gerstman are well-respected and talented professionals who will uphold our commitment to open, ethical governing and help to transform not just state government, but more importantly, people’s image and perception of their state government.”

 

On Nov. 4, 2021, the JCOPE announced it had reached a settlement agreement with a former Metropolitan Transportation Authority (“MTA”) employee for alleged violations of the Public Officers Law, including disclosing confidential information during a competitively-bid procurement and failing to disclose outside income.

 

Alexander Elegudin, who was a senior adviser and chief of systemwide accessibility for New York City Transit, resigned following an investigation by the Office of the MTA Inspector General, which found that he disclosed confidential selection committee information related to a request for proposal (“RFP”) to a bidding vendor. The Commission’s investigation also found that he failed to report outside income from his position as president of the board of a not-for-profit corporation, and failed to accurately disclose this position on three years’ of financial disclosure statements.

 

As part of the settlement agreement, Elegudin admitted to both the improper disclosure during a competitively-bid procurement and failure to disclose outside income on his financial disclosure statements. He agreed to pay the Commission $5,000 – the amount of outside income he did not report in 2019. He also agreed to file accurate amended financial disclosure statements for the three years in question.

 

The case was referred to the Commission by the Office of the MTA Inspector General following its own investigation and report.