New York State

What makes New York vulnerable to Russian cyberattacks?

The federal government has urged local governments and private businesses across the country to step up cybersecurity measures.

Gov. Kathy Hochul and NYC Mayor Eric Adams announce the Joint Security Operations Center.

Gov. Kathy Hochul and NYC Mayor Eric Adams announce the Joint Security Operations Center. Darren McGee/Office of Governor Kathy Hochul

George Latimer is pretty sure that Westchester County’s critical infrastructure isn’t at the top of the Kremlin’s list of targets for cyber warfare. But as cybersecurity experts and federal leaders warn of an increased threat of cyberattacks on Western targets – including local governments – following Russian President Vladimir Putin’s invasion of Ukraine, the Westchester County executive isn’t looking to take any chances. 

“The Ukrainian situation has, I think, raised the stakes in people’s minds,” Latimer told City & State. “Do I think they’re going to pick Westchester County out of the crowd? I don’t know. But you can’t assume anything. I think we’re heading into a period of time of greater jeopardy, greater vigilance.”

Following Russia’s provocations and now invasion of Ukraine, local and state officials are stepping up their vigilance and talking about bolstering defenses of critical infrastructure and other high-interest targets, including transportation networks, power grids and financial institutions. “Pretty much anything that they can do that will cause disruption and perhaps damage,” said Justin Cappos, a professor in the Computer Science and Engineering department at New York University, when asked what kinds of systems attackers would want to target. “Imagine dropping a bomb on something as part of a war, the kinds of things you'd want to target for that – water treatment facilities and power dams and other systems like that.”

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance imploring public and private institutions to be on high alert. “While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies,” CISA’s website now reads. “Every organization – large and small – must be prepared to respond to disruptive cyber activity.” 

Last week, Gov. Kathy Hochul, New York City Mayor Eric Adams and several other local mayors announced a new joint cybersecurity command center that will pool resources and coordinate responses to threats between the state and local governments. A day later, Latimer held a press conference announcing a new cybersecurity task force that will facilitate civilian and private sector involvement with the county’s cyber defense efforts. Both initiatives were in the works before Russia’s invasion of Ukraine; dedicating more money and attention to cybersecurity is something experts will tell governments they can never do enough of, even outside of the threat of a revived Cold War. And both initiatives build on existing cybersecurity defenses. But like Latimer, Hochul pointed to the state’s new joint defense center as particularly timely given the heightened cyber threat landscape. 

“Given the increasingly volatile geopolitical circumstances with Russia and Ukraine … we can no longer act independently,” Hochul said last Tuesday. Hochul outlined the vast landscape of targets that foreign actors seeking both money and political disruption would want to target, including the New York Power Authority, the Metropolitan Transportation Authority, the Port Authority and more. “You think about all your transactions. You know, how you access money, how you pay your bills, how you make purchases and medical records,” she said. “They're all vulnerable to cyberattacks if we don't take precautionary measures.”

Those targets were already vulnerable to cyberattacks, and some have already been victims. From major pipelines to local schools, bad actors can profit from all sorts of organizations by holding their data ransom or disrupting their operations. The Metropolitan Transportation Authority’s computer systems were breached last year by a group thought to have links to the Chinese government; the New York Times reported at the time that no employee or customer information was compromised and vital operations weren’t disrupted. 

And just last week, New York’s public ethics agency – the Joint Commission on Public Ethics – reported a cyberattack that it dubbed “malicious,” and that forced the agency’s disclosure filing systems to be taken offline as a precaution. “We do not have any information at this time about who may have been behind the cyberattack, and although we do not know yet if there was an actual breach of user or other agency information, we will be working with law enforcement, including the New York State Police and the Office of the Attorney General, as well as the Department of State’s Consumer Protection Division, to further investigate this incident and meet all legal obligations triggered when a system breach occurs,” the agency said in a statement late on Friday.

New York City is on alert too. “Russia’s invasion of Ukraine raises the threat of cyberattacks on New York City, our country’s most-populated city and capital of finance, media, and culture,” Robin Levine, a spokesperson for the city’s Office of Technology and Innovation, said in an emailed statement. “We are closely monitoring developing events in Ukraine and working closely with public and private partners to identify and mitigate any cyber threats to our city’s critical infrastructure and essential services.”

Along with unveiling the state’s new Joint Security Operations Center last week, Hochul announced funding to help the state and local governments prevent and respond to attacks, including any carried out by Russian or other foreign actors, in the future. The state will invest $62 million in cybersecurity, hiring 70 new cybersecurity professionals in the state, along with a plan to put together another $30 million to help local governments invest in cybersecurity, she said.

“The best time to have done this would have been about five years ago,” Cappos said of the state’s new operations center and investments, noting that a plan to hire new cybersecurity professionals won’t necessarily prevent an attack from striking tomorrow. “But in some sense, it’s better late than never.”

As long mounting tensions between Russia and Ukraine came to a head last week, Russia continued to wage its years-long cyber offensive against Ukraine. In addition to misinformation campaigns, Ukraine’s government and financial institutions have been targeted with denial-of-service attacks and so-called data-destroying “wiper” attacks. The immediate damage of those attacks is in Ukraine, but Russia-linked attacks have targeted the United States before. The SolarWinds and Colonial Pipeline cyberattacks are two of the more major ones in recent history. And the devastating 2017 attack known as NotPetya targeted Ukraine computer systems but caused spillover financial damage in the United States and elsewhere; the United States later attributed that attack to the Russian government. 

Some cybersecurity experts warn that the United States and Ukraine’s other allies should be on the lookout for new offensives if the Kremlin lashes out in response to sanctions the West is now placing on Russia. 

James Lewis, a former diplomat and now director of the Strategic Technologies Program at the Center for Strategic and International Studies, said that attacks originating from Russia are usually carried out not directly by the Russian government, but by hackers working with the government’s tacit approval. “It's independent actors, but it's independent actors who are operating with the blessing of the Kremlin,” Lewis said. 

For these cybercriminals, the main motive for launching these kinds of attacks is money, Lewis said. Last year, the federal government reported an increase of sophisticated ransomware attacks against a range of critical infrastructure sectors. But cyberattacks can also cause political and economic disruption that the Russian government has a shared interest in seeing. “If the sanctions start to hurt Putin, he’ll be tempted to do that,” Lewis said, when asked whether we might see the Kremlin more directly carry out cyberattacks on U.S. critical infrastructure and other targets, or direct independent actors to do so.

Three of the state authorities that Hochul mentioned as potential targets last week – the Metropolitan Transportation Authority, the New York Power Authority, and the Port Authority of New York and New Jersey – either did not respond to emails from City & State or declined to comment when asked about what would make them vulnerable to Russian attacks. Neither public nor private institutions have much to gain from sharing any sort of details about their own vulnerabilities when it comes to cybercrime.

But what makes those assets attractive targets is clear. “They’re trying to target and hack things that will cause the maximum amount of disruption,” Cappos said of Russian hackers. Latimer, the Westchester County executive, said that that risk of damage still exists at the more local level. “Every government has certain assets that provide essential services, and if those essential services go down, it creates a major problem. The county runs an airport. The county runs a sewage treatment system. We're not the only one that does,” Latimer said. “If a bad actor can figure out how to shut down one of those services or get into our financial system, they can cause tremendous havoc.”

Governments, private companies and other organizations wanting to bolster their defenses in the wake of warnings about increased threats can look to the federal government’s guidance, which includes confirming incident response protocols, ensuring the use of tools like multi-factor authentication and keeping software up-to-date. 

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.