Alaska’s top cybersecurity official quietly left his job last month, as the state was grappling with a pair of cyberattacks that forced systems operated by the court system and the Department of Health and Social Services offline.
Mark Breunig had worked as Alaska’s chief information security officer since January 2019, according to his LinkedIn profile, which says he now works as an advisor at the U.S. Department of Homeland Security.
He did not respond to a request for comment placed through LinkedIn. Dave Donley, a spokesman for the Department of Administration — where Breunig worked — said personnel matters were confidential and declined to release details about Breunig’s departure.
The state is “actively recruiting for the position,” Donley wrote in an email. The salary for the job is roughly $135,000, he said.
There’s no indication that Breunig’s departure was directly connected to the cyberattacks against the state. But it comes as concerns around the security of state computers and networks are growing, just as cybersecurity has become an increasing problem at the national level.
And Alaska’s top information technology positions have experienced significant turnover in recent years.
At least five people held the job of chief information officer between 2018 and 2019, according to the tech news site StateScoop. Kelly Tshibaka, the administration department’s commissioner, left her job earlier this year.
Meanwhile, the Department of Health and Social Services has hired a top cybersecurity contractor to help it address the attack that knocked its public website, and some of its computer systems, offline last month.
The department signed a $460,000 purchase order for “incident response” and other services with Silicon Valley-based Mandiant last month, according to documents released to Alaska Public Media through a public records request.
The work, at an hourly rate of $425, could include digital forensics, “remediation assistance,” status updates and reports on the company’s findings and recommendations, according to a statement of work released by the department. It also includes “vulnerability scanning” of the agency’s internet-connected and internal systems.
Health department officials did not respond to questions about the purchase order. A Mandiant spokeswoman declined to comment.
The company’s hiring underscores the costs faced by the state when its computer systems are compromised.
The court system also works with technology contractors, and Chief Justice Joel Bolger said that his agency “engaged a cybersecurity consultant” after it was attacked. But he declined to release details about the cost.
“At this point, I am concerned that talking about the magnitude of our response could provide information that would be valuable to someone who might be contemplating a ransomware attack,” he said in an interview Wednesday.
The court system denied a public records request for documents describing any arrangements with cybersecurity consultants, citing exemptions in the state’s public records law and in the agency’s own regulations that allow records to be withheld if they jeopardize the state’s security.
