New York City

Is New York cyber-battle ready?

An escalation with Iran has left the country on alert for cyberattacks – and New York is no exception.

NYPD security cameras are in place across NYC.

NYPD security cameras are in place across NYC. Mark Lennihan/AP/Shutterstock

The United States’ surprising killing of Iran’s top commander, General Qassem Soleimani, late last week has prompted many logistical, strategic and constitutional questions, but the most pressing among them is what Iran’s next steps will be. Ayatollah Ali Khamenei, Iran’s supreme leader, promised “forceful revenge,” and that threat has not gone unnoticed in New York.

U.S. officials are on high alert for state-sponsored threats, but many have theorized that an attack leveled by Iran could come in the form of cyberwarfare. Over the years, Iran has proven itself to be a worthy adversary in cyberwarfare with the United States, targeting everything from private casinos to a New York dam with hacks, and leveling repeated distributed denial of service attacks – an offensive that floods internet servers or networks with traffic to disrupt service – on targets like U.S. banks. Some cybersecurity experts are warning that the federal, state and municipal governments – as well as private companies – ought to be preparing for new cyberattacks out of Iran. New York, historically a prime terrorism target as well as home to the country’s financial center, is no exception. City & State rounded up a few of the key things to know about New York’s cyberattack readiness. 

What could potentially be at risk in a cyberattack against New York?

In the event of an offensive against New York City or state, it’s the critical infrastructure that will be targeted, John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye, told City & State. That’s not just a guess. Before the 2015 nuclear agreement, Iran targeted U.S. banks and the Bowman Avenue Dam in Rye Brook, New York. In 2016, the U.S. government indicted seven Iranian actors in the sustained attacks. New York should prepare for similar kinds of attacks, Hultquist said. “We've seen a lot of destructive attacks where they've gone after companies and critical infrastructure, and just simply wipe everything with a hard drive clean in those organizations,” he said. “What I'm most worried about is just that. They’ve been doing that for quite a long time, they’ve been getting better and better at it.”

Cyberattacks on utilities also continue to be an area of concern. “We’ve definitely seen targeting of utilities in the past. It’s very difficult to cause a blackout. We’ve never seen them demonstrate that capability, but a more likely scenario would be them disrupting payments or services or administration,” Hultquist said. “I think we talk about electricity a lot. There are other areas where you can have an effect – transportation, logistics – where you can cause reverberating effects further down the line.”

Has New York City or state taken any steps to fortify critical cyber infrastructure since the Iran attack?

Not long after after the news of President Donald Trump’s ordered strike against Soleimani broke on Thursday, New York City Mayor Bill de Blasio took to the airwaves to discuss the severity of the action. “We know Iran has attacked American corporations, sometimes effectively. This is not to be taken lightly,” de Blasio said on Friday, during an appearance on MSNBC. De Blasio mentioned that the city has a “strong cyber command” in addition to counterterrorism and intelligence gathering resources within the NYPD, but acknowledged that escalated tensions with Iran could present a more serious threat. “We feel confident that we have a lot of capacity here, but that's when there wasn't a state of war,” he said. “The problem here is, if we end up in a shooting war, then you can expect things like cyberattacks on a level we've never seen before. And unfortunately, Iran is a serious, serious adversary when it comes to cyber.”

Gov. Andrew Cuomo, too, has acknowledged the potential threat, releasing a notice on Friday that National Guard and state agencies would step up patrols, as well as advising utilities to be extra vigilant with regard to cybersecurity. “The New York Power Authority is conducting checks and patrols on all utilities, and the New York State Office of Information Technology Services is performing checks on all cybersecurity details,” a statement read.

Who is in charge of protecting New York City against cyberwarfare?

While some New York agencies and utilities like the New York Power Authority have their own cybersecurity resources, a few central agencies coordinate cyber defense efforts across city and state agencies at large. In New York City, one of those agencies is New York City Cyber Command, or NYC3. Created in 2017, NYC3 is tasked with working with the New York City Department of Information Technology and Telecommunications to direct citywide cyber defense and incident response, as well as provide guidance on cyber defense to the mayor and city agencies. “Cyber Command remains vigilant and prepared to respond to (the) evolving threat landscape,” City Hall spokeswoman Laura Feyer said on Monday. “Due to the sensitive nature we are not able to comment on specifics.”

At a press conference on Monday, John Miller, deputy commissioner of intelligence and counterterrorism at the NYPD, said that the department has coordinated with Geoff Brown, who leads NYC3, and DoITT Commissioner Jessica Tisch. Over the weekend, they also worked with the FBI to update the lists of malware – any kind of malicious software – that have been identified as having come from Iranian government actors or proxies, including info like the IP addresses and signatures associated with that malware. “We distributed that not only to our city agencies ... but also to our critical infrastructure partners, whether that’s cellular telephone providers, power, water and so on,” Miller said.

At the state level, New York’s Division of Homeland Security and Emergency Services has a Cyber Incident Response Team to provide cybersecurity support to public authorities and local governments. Meanwhile, within the state Office of Information Technology Services, the chief information security officer coordinates cybersecurity standards and response across the state government. As it happens, New York Chief Information Security Officer Deborah Snyder recently resigned her post and retired from government, and Karen Sorady, a director at the office, is serving as acting CISO.

How well equipped is New York to fend off a cyberattack?

Hultquist’s company, FireEye, has been working with NYC3 in an advisory capacity, and Hultquist said the agency is better prepared than many others across the country. “They’re, I think, one of the most mature organizations in the game, as far as municipalities looking at their own cyber defense,” he said. “We've been working with them before all this happened. So we've already been talking about the Iranian threat.”

Hultquist said that focusing on not just what the latest advancements in cybersecurity are, but on intelligence – about who the actors are, the kinds of attacks they level and what they’re capable of – is one of the strengths of NYC3. “The good news is that our customers have been tracking the actors who are going to be the ones to worry about,” Hultquist said. “We already tracked them. We know who they are, we know how they behave, we know what their tactics look like. And (NYC3 is) already disseminating that stuff within the government and locally, so New York has an advantage in that regard.”

Still, the state has seen some ransomware attacks affect schools districts and other smaller organizations, suggesting that there’s much more to be done at the municipal level to strengthen cyber defenses. As for what either city or state or municipal governments could be doing to be better prepared, Hultquist said it’s about making smarter investments with limited resources. “You can almost always invest more,” he said. “One of the things we can do with intelligence is invest better and more efficiently.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.