
Preparing New York for evolving cyber threats

An interview with New York State Deputy Chief Cyber Officer for Operations Michaela Lee

Michaela Lee is the deputy chief cyber officer for operations at the state Cyber Office. Courtesy of Michaela Lee

New York is one of the few states in the nation to have a dedicated Cyber Office, which centralizes cybersecurity management efforts. The office, led by New York’s first Chief Cyber Officer Colin Ahern, works to protect the state’s critical infrastructure, digital assets and individuals’ information from cyber threats.

Ahern and Deputy Chief Cyber Officer for Operations Michaela Lee will be speaking at City & State’s “Information Security Summit” on Oct. 7. Ahead of the event, Lee spoke about what her office does and how the state is preparing for evolving cyber threats. This interview has been edited for length and clarity.

What are currently the biggest concerns for New York state regarding cyber threats and cybersecurity? 

We know that adversaries are targeting critical infrastructure and are looking to exploit vulnerabilities that we might have in our system, so thinking about ways in which we can better protect New York state systems as well as critical infrastructure, local governments, and municipalities and small businesses has been really top of mind for us. A big part of that is raising the baseline and making sure that people are doing the industry-standard practices that we know to work against common adversarial attacks, whether that’s criminal groups, ransomware groups or nation-state adversaries. That’s things like multifactor authentication, ensuring that there’s good segmentation, that there’s endpoint detection and response – those types of things that make sure that businesses and critical infrastructure owners and operators have a good handle on their cybersecurity.

As technology is evolving rapidly, how can government prevent cyber threats before they happen? 

Much of what our office does is split between two modalities. One is thinking about responding to incidents and ensuring that critical infrastructure entities and state entities can get back up and operational as soon as possible. There are great teams within the state of New York that focus on incident response and making sure that we have the tools and capabilities that we need to get people back up and working. 

But then, we also have to think about the longer-term strategic resilience of our systems, whether that means doing assessments and prioritization with New York state agencies (or) building cyber resilience and preparedness by building up those cyber muscles at each agency, and that requires resources and tools and capabilities. We want to take that longer-term view as well, and a lot of the tools that we have at our disposal, including the Joint Security Operations Center, help us create and maintain a state-wide picture of our risk, and that’s really helpful as well. 

What policy and legislative initiatives is the state looking at now in regard to cybersecurity? 

One of the things that we’re implementing right now is legislation that Gov. Hochul passed on requiring the timely notification of cybersecurity incidents and ransomware payments that impact local government. This is really essential to ensure that the state has situational awareness of statewide cyber threat activity, and it helps us create that more comprehensive threat picture that I was talking about that defends government services and protects New Yorkers. 

The other thing that we have been working on is draft cybersecurity regulations for water and wastewater utilities. This follows regulations that we released for hospitals last year to shore up sectors that are disproportionately hit by ransomware and cyber attacks. We’re undergoing analysis of the public comments that have been submitted recently, and we’re also pairing that with a forthcoming multimillion-dollar grant and technical assistance program that the Environmental Facilities Corporation will develop in collaboration with the regulators. That’s to help the critical infrastructure owners and operators have the resources that they need to comply with the regulations that are currently being drafted.

What can New York learn from other states in terms of cybersecurity policy? 

One of the things that we are collaborating with other states on is ensuring that we have the federal resources that we need to continue protecting critical infrastructure and central services. That means working with entities like the Multi-State Information Sharing and Analysis Center and sharing best practices and cyberthreat intelligence so that we can learn from some of the threats that other states are facing, share some of the things that we have identified and make sure that we’re all learning from what each other are seeing in their environments. A ransomware actor that’s targeting a state on the other side of the country might be using the same tactics to target New York entities, and that information sharing is really helpful to ensure that we are learning best practices from others.

What is New York doing really well in this space? What does it need to improve on?

New York is doing a lot on the economic development and research side of AI, especially with Empire AI and launching a new high-performance computing facility in upstate New York, but we’re also very aware of the impact that it will have, and is already having, on cybersecurity. It’s a tool that is increasingly being used by cyber adversaries to increase the scope and scale of their attacks, but it is also being increasingly used by defenders, and we want to make sure we are keeping up with the changes there.