How is New York protecting itself from cybercrime?

Malicious computer viruses have been snaking their way through New York towns, school districts, hospitals and more for years. And ransomware – when hackers breach computer systems, lock out the owners, and then extort the owners for access to their systems and their data – is having a moment. In 2014, the 8,000-person village of Ilion in Herkimer County paid $800 in ransom to regain access to its computer system after innocent-looking emails delivered malware to unsuspecting village employees. In 2019, cybercriminals set their sights on the much larger Albany, successfully hacking the city’s computer system. The city avoided paying ransom to the hackers, but recovery from the breach – including updating security infrastructure and restoring data – amounted to around $300,000. Earlier this year, Buffalo Public Schools was hit with ransomware, exposing students’ and families’ personal information to the intruders. And that’s just a fraction of the entities, small and large, that have been victims of cybercrime in New York.

The threat posed by ransomware has become painfully clear in a year when such offenses took down a major U.S. fuel pipeline and now threaten to cripple hundreds of entities at once. And while the hackers undoubtedly have their sights set on big fish like fuel pipelines, New York’s small towns, government agencies, schools and more are at risk too. Thanks to generally weak security measures and the volume of highly valued data that they hold, the computer systems of small governments, school districts and hospital systems are among those particularly vulnerable.

And as the coronavirus pandemic shifted work and school to a largely remote basis, cybercriminals may have had even more opportunity to take advantage of those organizations’ security weaknesses.“The number and severity of ransomware incidents that are happening across sectors has reached crisis proportions,” said Douglas Levin, national director of the K12 Security Information Exchange, a nonprofit aimed at sharing information on cyberthreats among school districts. “In some respects, the response to the pandemic has exacerbated the cybersecurity problems,” Levin added, noting that schools may have deployed more devices and loosened cybersecurity controls to enable remote learning. Levin said that school districts have become a popular target for ransomware since 2019, though lax reporting requirements mean that it’s hard to tell whether the attacks on schools have really ramped up since then.

The increase in attempted cyberattacks in general over the past year and a half is apparent in New York specifically. “As is often the case, cyber criminals do not miss an opportunity to capitalize on an opportunity and the pandemic is no exception,” a spokesperson for the state Office of Information Technology Services wrote in an email. “Like others, we’ve seen an increase in attempted attacks related to the pandemic generally.”

It’s incredibly easy to let malware in. Government workers, teachers and anyone else with access to the system who aren’t educated about cybersecurity or when the entities themselves aren’t deploying best practices, may inadvertently download a file, or open an email attachment giving bad actors an entry. Sometimes, it’s a matter of resources. Schools, for example, don’t always have enough funding to commit to technology, let alone to making sure that that technology is secure by taking important steps including installing software updates and creating data backups. There’s already a shortage of skilled cybersecurity workers, and low-paying government jobs might not be at the top of the list for those who are able to help organizations advise and craft safe infrastructure and practices. “There are millions of unfilled jobs in computer security,” said Justin Cappos, a computer science professor at New York University. “If you're going to have your choice of one of those jobs, it's probably not going to be to go do computer security for an elementary school.”

And it’s not just ransomware that a lack of funding or lax security measures open the door to, but other varieties of cybercrime. New York government agencies have been affected by breaches – some identified as ransomware, others not. This June, hackers infiltrated the New York City Law Department, reportedly through one employee’s stolen email password. The New York Times reported that the department failed to implement multifactor authentication, despite being required by the city to do so.

While New York City has a dedicated agency for cybersecurity – called NYC Cyber Command – and has published security standards that all city agencies, employees, contractors and vendors are required to implement and follow, the Law Department hack suggests that there may be an issue with enforcement of those guidelines. A spokesperson for City Hall and Cyber Command did not comment on how the attack happened or how the city’s standards are enforced. “Our investigation is ongoing,” Laura Feyer, the deputy press secretary of the NYC Mayor’s Office, said of the Law Department hack. “We take cyberthreats extremely seriously and constantly enhance our defenses based on the evolving threat landscape. Our agencies work closely with Cyber Command and (the city Department of Information Technology and Telecommunications) to address cybersecurity issues on an ongoing basis.”

The Law Department isn’t the only New York agency to be hit lately. The Metropolitan Transportation Authority was hacked earlier this year by a group thought to have links to China, reportedly as part of a more widespread campaign. No ransom was demanded, transit functions weren’t affected and no personal information was compromised. The Times reported, however, that the breach was facilitated through vulnerabilities in a technology used to give workers remote access to their organization’s network. A spokesperson for the MTA declined to comment on whether investigations into the breach are still ongoing, or on whether the agency implemented any additional security protocols during the pandemic. “The MTA works closely with the (Federal Bureau of Investigation) and (the Cybersecurity and Infrastructure Security Agency) on a regular basis,” Raf Portnoy, the agency’s chief technology officer, said in an emailed statement. “Our response to the attack, coordinated and managed closely with state and federal agencies, demonstrated that while an attack itself was not preventable, our cyber security defense systems stopped it from spreading through MTA systems.”

Cybersecurity experts and local government leaders both look to the federal government to take action – increasing reporting requirements, creating security standards and funneling more money to local governments to protect from these kinds of threats. Republican Rep. John Katko is among those advocating for more investment in the federal government’s Cybersecurity and Infrastructure Security Agency. But preventative measures can start in New York too.

State Sen. Diane Savino, who chairs the Committee on Internet and Technology, introduced a bill that would prohibit the payment of ransom by government, business and health care entities in the face of an attack. Though, in an interview with City & State, Savino said her intention in introducing the bill was really to get New York thinking about cybersecurity. “We introduced the bill almost as a shot across the bow, recognizing that maybe this is more of a blunt instrument to start a conversation,” Savino said. “What do we do to get the attention of, especially, government and health care institutions? How do we reduce ransomware attacks, improve people’s cyber hygiene and force a federal discussion?” Those are questions lawmakers, federal, state and local officials still need to find the answers to. The FBI, Savino said, typically just tells victims not to pay ransom – an answer she called “simply insufficient.”

In the meantime, however, Savino said part of the answer has to include setting clear security standards for government that apply across the board. Some of these do exist. New York City has its standards, and the spokesperson for ITS said that the agency also has security requirements that all state entities must adhere to. And the state Education Department last year adopted regulations that implement new security standards across schools. But enforcement of the requirements has to happen too. “It seems to be somewhat haphazard,” Savino said of government cybersecurity standards. “They're supposed to run security screens, they're supposed to do regular testing. Some agencies are better than others.”

It’s not just a matter of New York City and the state having these standards. Many attacked entities are much smaller local governments, and prevention is a matter of each of them maintaining and enforcing standards. “This is a real crisis, and people are just not focusing on it,” Savino said.