Is New York cyber-battle ready?

The United States’ surprising killing of Iran’s top commander, General Qassem Soleimani, late last week has prompted many logistical, strategic and constitutional questions, but the most pressing among them is what Iran’s next steps will be. Ayatollah Ali Khamenei, Iran’s supreme leader, promised “forceful revenge,” and that threat has not gone unnoticed in New York.

U.S. officials are on high alert for state-sponsored threats, but many have theorized that an attack leveled by Iran could come in the form of cyberwarfare. Over the years, Iran has proven itself to be a worthy adversary in cyberwarfare with the United States, targeting everything from private casinos to a New York dam with hacks, and leveling repeated distributed denial of service attacks – an offensive that floods internet servers or networks with traffic to disrupt service – on targets like U.S. banks. Some cybersecurity experts are warning that the federal, state and municipal governments – as well as private companies – ought to be preparing for new cyberattacks out of Iran. New York, historically a prime terrorism target as well as home to the country’s financial center, is no exception. City & State rounded up a few of the key things to know about New York’s cyberattack readiness. 

What could potentially be at risk in a cyberattack against New York?

In the event of an offensive against New York City or state, it’s the critical infrastructure that will be targeted, John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye, told City & State. That’s not just a guess. Before the 2015 nuclear agreement, Iran targeted U.S. banks and the Bowman Avenue Dam in Rye Brook, New York. In 2016, the U.S. government indicted seven Iranian actors in the sustained attacks. New York should prepare for similar kinds of attacks, Hultquist said. “We've seen a lot of destructive attacks where they've gone after companies and critical infrastructure, and just simply wipe everything with a hard drive clean in those organizations,” he said. “What I'm most worried about is just that. They’ve been doing that for quite a long time, they’ve been getting better and better at it.”

Cyberattacks on utilities also continue to be an area of concern. “We’ve definitely seen targeting of utilities in the past. It’s very difficult to cause a blackout. We’ve never seen them demonstrate that capability, but a more likely scenario would be them disrupting payments or services or administration,” Hultquist said. “I think we talk about electricity a lot. There are other areas where you can have an effect – transportation, logistics – where you can cause reverberating effects further down the line.”

Has New York City or state taken any steps to fortify critical cyber infrastructure since the Iran attack?

Not long after after the news of President Donald Trump’s ordered strike against Soleimani broke on Thursday, New York City Mayor Bill de Blasio took to the airwaves to discuss the severity of the action. “We know Iran has attacked American corporations, sometimes effectively. This is not to be taken lightly,” de Blasio said on Friday, during an appearance on MSNBC. De Blasio mentioned that the city has a “strong cyber command” in addition to counterterrorism and intelligence gathering resources within the NYPD, but acknowledged that escalated tensions with Iran could present a more serious threat. “We feel confident that we have a lot of capacity here, but that's when there wasn't a state of war,” he said. “The problem here is, if we end up in a shooting war, then you can expect things like cyberattacks on a level we've never seen before. And unfortunately, Iran is a serious, serious adversary when it comes to cyber.”

Gov. Andrew Cuomo, too, has acknowledged the potential threat, releasing a notice on Friday that National Guard and state agencies would step up patrols, as well as advising utilities to be extra vigilant with regard to cybersecurity. “The New York Power Authority is conducting checks and patrols on all utilities, and the New York State Office of Information Technology Services is performing checks on all cybersecurity details,” a statement read.

Who is in charge of protecting New York City against cyberwarfare?

While some New York agencies and utilities like the New York Power Authority have their own cybersecurity resources, a few central agencies coordinate cyber defense efforts across city and state agencies at large. In New York City, one of those agencies is New York City Cyber Command, or NYC3. Created in 2017, NYC3 is tasked with working with the New York City Department of Information Technology and Telecommunications to direct citywide cyber defense and incident response, as well as provide guidance on cyber defense to the mayor and city agencies. “Cyber Command remains vigilant and prepared to respond to (the) evolving threat landscape,” City Hall spokeswoman Laura Feyer said on Monday. “Due to the sensitive nature we are not able to comment on specifics.”

At a press conference on Monday, John Miller, deputy commissioner of intelligence and counterterrorism at the NYPD, said that the department has coordinated with Geoff Brown, who leads NYC3, and DoITT Commissioner Jessica Tisch. Over the weekend, they also worked with the FBI to update the lists of malware – any kind of malicious software – that have been identified as having come from Iranian government actors or proxies, including info like the IP addresses and signatures associated with that malware. “We distributed that not only to our city agencies ... but also to our critical infrastructure partners, whether that’s cellular telephone providers, power, water and so on,” Miller said.

At the state level, New York’s Division of Homeland Security and Emergency Services has a Cyber Incident Response Team to provide cybersecurity support to public authorities and local governments. Meanwhile, within the state Office of Information Technology Services, the chief information security officer coordinates cybersecurity standards and response across the state government. As it happens, New York Chief Information Security Officer Deborah Snyder recently resigned her post and retired from government, and Karen Sorady, a director at the office, is serving as acting CISO.

How well equipped is New York to fend off a cyberattack?

Hultquist’s company, FireEye, has been working with NYC3 in an advisory capacity, and Hultquist said the agency is better prepared than many others across the country. “They’re, I think, one of the most mature organizations in the game, as far as municipalities looking at their own cyber defense,” he said. “We've been working with them before all this happened. So we've already been talking about the Iranian threat.”

Hultquist said that focusing on not just what the latest advancements in cybersecurity are, but on intelligence – about who the actors are, the kinds of attacks they level and what they’re capable of – is one of the strengths of NYC3. “The good news is that our customers have been tracking the actors who are going to be the ones to worry about,” Hultquist said. “We already tracked them. We know who they are, we know how they behave, we know what their tactics look like. And (NYC3 is) already disseminating that stuff within the government and locally, so New York has an advantage in that regard.”

Still, the state has seen some ransomware attacks affect schools districts and other smaller organizations, suggesting that there’s much more to be done at the municipal level to strengthen cyber defenses. As for what either city or state or municipal governments could be doing to be better prepared, Hultquist said it’s about making smarter investments with limited resources. “You can almost always invest more,” he said. “One of the things we can do with intelligence is invest better and more efficiently.”