How NYC fends off hackers


DoITT and the cyber defense fight: An interview with New York City Chief Information Security Officer and head of New York City Cyber Command Geoff Brown
September 12, 2017

In July, New York City Mayor Bill de Blasio signed an executive order establishing the New York City Cyber Command to lead city agencies in cyber defense and response. As chief information security officer at the city Department of Information Technology and Telecommunications, Geoff Brown was tapped to lead this new task force. Brown talked about the cybersecurity threats New York is facing, and how the city is working to mitigate these risks.

C&S: What are the job duties of the chief information security officer?

GB: Chief information security officer, just as a function, is something that you would find in many enterprises, whether public or private. At a very high level, the CISO is a reflection of the program. The program duties are to really defend the city’s information security assets, its systems and that very much to me is balancing your risk. But the next piece of it is to guide the agencies in any incident response, and also guide the agency strategy as we try and buy down the risk that’s displayed by our technology footprint and actors that are trying to take advantage of that for their own means. Then finally to advise City Hall, because in aggregate City Hall has to think about the risk of its domain and how that can be impactful to the great services that are provided each and every day to the citizens, businesses and the travelers that visit our city.

C&S: You’re also the head of New York City Cyber Command. Is there any difference between this position and your role as CISO?

GB: The head of New York City Cyber Command is the chief information security officer for the city of New York. So, the duties to defend the city, to guide agencies and advise City Hall in the overall information security risk presented by threats and vulnerabilities are the duties of the head of New York City Cyber Command. What’s interesting though is the city has recognized that it needed the next natural step in its evolution in addressing these threats, in addressing this domain, was to organize centrally. That really is what New York City Cyber Command is, it’s that it is a sign of the city itself. It’s centrally organizing its effort so that it can see what’s going on across this technology landscape and it can respond to threats and, from a central place, it can have a governance mission so there can be security policies and programs to help the agencies in total – help the agencies address concerns. It uniquely creates a reporting line from that agency and from my office to the first deputy mayor, and we will do all our work and collaboration with the citywide (chief information officer) and with DoITT.

C&S: There have recently been several incidents of foreign hacking to interfere with political systems, whether in the U.S. or abroad. Does New York City face a particular risk of foreign interference in its cyber systems?

GB: I wouldn’t necessarily say that the probability around the risk has changed. I would say that the types of attacks that we’re seeing globally are causing significant levels of concern. Hackers have existed and hackers have always – whether white hat, gray hat, black hat – attempted to manipulate, change, work on systems to produce results that aren’t the intended results. And that’s been going on for many, many years, since the beginning of computing. With that said, as we look across the global landscape, we see the things that have occurred in the last couple years, and these are things that New York City is highly cognizant of. We see exfiltration of data and breaches. We see large ransomware events, we see even data destruction events. If New York City is going to be successful in the future providing great technology just like it has in the past, it has to take those threats seriously, especially as we move towards a more interconnected future. I’m referring to the threat landscape globally, not necessarily locally.

C&S: What is Cyber Command doing to mitigate these risks?

GB: There is a continual process within cyber risk management where you have to understand your technology landscape. You have to be able to see what’s going on out there. You have to be able to then have mature response processes. Then you have to be able to publish policies and check to see if people are following the best practices. There’s also other disciplines like education and awareness where you say, “Well, let’s make sure that we’re taking an approach where we’re educating the citizens, the workforce, the people of New York City are making smart decisions.” Because everybody has to think about this domain the way they might think about other security disciplines. So some initiatives are really focusing on seeing what we can see technically, being able to provide a unified response to what we see and publishing a fresh set of policies that we can then have everyone work towards.

C&S: What are the biggest challenges you face in your positions at DoITT?

GB: Challenges are opportunities. So, one of the things that’s interesting is technology itself is moving so quickly, and the technology expectations in the services that a great city like New York City provides. When you think of all the amazing things that we do on behalf of our citizens, businesses and travelers, there’s a lot of technology behind that. The technology itself evolves if you think about the cloud, if you think about (internet of things) and smart devices. I think that making sure that we’re thinking around the corner, to make sure that those services that will be expected in the future are also safe, secure, with respect to privacy – I think that’s the greatest challenge, but there’s also great opportunity, because those very technologies give us incredible new ways of executing out our mission.

C&S: How has DoITT’s approach to cybersecurity evolved during your tenure?

GB: I’ve been here for a little bit over a year, and I think the Department of Information Technology and Telecommunications, DoITT, set an incredible IT security foundation. In the last year and a half, what I’ve seen is not only the continuity of the defense and the great security strategy that was already there, but I’ve seen fresh focus. I’ve seen embracement of where technology is going, certainly under significant and admirable leadership of Commissioner (Anne) Roest, and we’re applying those same things within the security domain.

I think the (executive order establishing New York City Cyber Command) is a very thoughtful document. And I think that that can only show the community and the city itself how thoughtful our leadership is around this domain.

C&S: Are there any initiatives you’re overseeing that aren’t just reactive to potential external threats, but proactive?

GB: Let me move kind of away from a technology answer to that, although I think there’s some really interesting things we’re doing and building from a technology aspect. But let me move away from those answers and talk really about another kind of pivotal component in the success of a cyber mission, and that’s how you’re addressing critical partners. So, one of the things also reflected in the executive order, one of the things that we will be working even more diligently again – how are we mapping and collaborating? Because very much the success that the citizens expect out of New York’s cyber mission is not only owned by what is within the purview of cyber command and mayoral agencies and its executive orders. What has to be successful is the relationship that we have with our critical other communities. Whether that be utility, energy, financial services, health, media. We have to raise the water level everywhere. I think one of the things that we’ll be doing a lot of work on in the next year is building the connectivity between those communities and the new and impactful way that will also help. Because a big piece of cybersecurity is information sharing, and you have to be able to not only have relationships but also have organizational mapping so that people know who to turn to and who to provide appropriate information about to.

C&S: What do you think New Yorkers should know about the efforts by New York City Cyber Command?

GB: I would want New Yorkers to know that we’re taking this exceptionally seriously because it deserves to be taken very seriously. I would want New Yorkers to know that not only do we have an incredible team, but we are building an incredible team. I would want New Yorkers to know that cyber in New York City is something that we will build so that they are proud about it, same way they are proud about so many other great things that make New York City a great place. 

Grace Segers is City & State’s digital reporter. She writes daily content on New York City and New York state politics.