What makes New York vulnerable to Russian cyberattacks?

The federal government has urged local governments and private businesses across the country to step up cybersecurity measures.

Gov. Kathy Hochul and NYC Mayor Eric Adams announce the Joint Security Operations Center. Darren McGee/Office of Governor Kathy Hochul

George Latimer is pretty sure that Westchester County’s critical infrastructure isn’t at the top of the Kremlin’s list of targets for cyber warfare. But as cybersecurity experts and federal leaders warn of an increased threat of cyberattacks on Western targets – including local governments – following Russian President Vladimir Putin’s invasion of Ukraine, the Westchester County executive isn’t looking to take any chances. 

“The Ukrainian situation has, I think, raised the stakes in people’s minds,” Latimer told City & State. “Do I think they’re going to pick Westchester County out of the crowd? I don’t know. But you can’t assume anything. I think we’re heading into a period of time of greater jeopardy, greater vigilance.”

Following Russia’s provocations and now invasion of Ukraine, local and state officials are stepping up their vigilance and talking about bolstering defenses of critical infrastructure and other high-interest targets, including transportation networks, power grids and financial institutions. “Pretty much anything that they can do that will cause disruption and perhaps damage,” said Justin Cappos, a professor in the Computer Science and Engineering department at New York University, when asked what kinds of systems attackers would want to target. “Imagine dropping a bomb on something as part of a war, the kinds of things you'd want to target for that – water treatment facilities and power dams and other systems like that.”

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance imploring public and private institutions to be on high alert. “While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies,” CISA’s website now reads. “Every organization – large and small – must be prepared to respond to disruptive cyber activity.” 

Last week, Gov. Kathy Hochul, New York City Mayor Eric Adams and several other local mayors announced a new joint cybersecurity command center that will pool resources and coordinate responses to threats between the state and local governments. A day later, Latimer held a press conference announcing a new cybersecurity task force that will facilitate civilian and private sector involvement with the county’s cyber defense efforts. Both initiatives were in the works before Russia’s invasion of Ukraine; dedicating more money and attention to cybersecurity is something experts will tell governments they can never do enough of, even outside of the threat of a revived Cold War. And both initiatives build on existing cybersecurity defenses. But like Latimer, Hochul pointed to the state’s new joint defense center as particularly timely given the heightened cyber threat landscape. 

“Given the increasingly volatile geopolitical circumstances with Russia and Ukraine … we can no longer act independently,” Hochul said last Tuesday. Hochul outlined the vast landscape of targets that foreign actors seeking both money and political disruption would want to target, including the New York Power Authority, the Metropolitan Transportation Authority, the Port Authority and more. “You think about all your transactions. You know, how you access money, how you pay your bills, how you make purchases and medical records,” she said. “They're all vulnerable to cyberattacks if we don't take precautionary measures.”

Those targets were already vulnerable to cyberattacks, and some have already been victims. From major pipelines to local schools, bad actors can profit from all sorts of organizations by holding their data ransom or disrupting their operations. The Metropolitan Transportation Authority’s computer systems were breached last year by a group thought to have links to the Chinese government; the New York Times reported at the time that no employee or customer information was compromised and vital operations weren’t disrupted. 

And just last week, New York’s public ethics agency – the Joint Commission on Public Ethics – reported a cyberattack that it dubbed “malicious,” and that forced the agency’s disclosure filing systems to be taken offline as a precaution. “We do not have any information at this time about who may have been behind the cyberattack, and although we do not know yet if there was an actual breach of user or other agency information, we will be working with law enforcement, including the New York State Police and the Office of the Attorney General, as well as the Department of State’s Consumer Protection Division, to further investigate this incident and meet all legal obligations triggered when a system breach occurs,” the agency said in a statement late on Friday.

New York City is on alert too. “Russia’s invasion of Ukraine raises the threat of cyberattacks on New York City, our country’s most-populated city and capital of finance, media, and culture,” Robin Levine, a spokesperson for the city’s Office of Technology and Innovation, said in an emailed statement. “We are closely monitoring developing events in Ukraine and working closely with public and private partners to identify and mitigate any cyber threats to our city’s critical infrastructure and essential services.”

Along with unveiling the state’s new Joint Security Operations Center last week, Hochul announced funding to help the state and local governments prevent and respond to future attacks, including any carried out by Russian or other foreign actors. The state will invest $62 million in cybersecurity, hiring 70 new cybersecurity professionals, and plans to put together another $30 million to help local governments invest in cybersecurity, she said.

“The best time to have done this would have been about five years ago,” Cappos said of the state’s new operations center and investments, noting that a plan to hire new cybersecurity professionals won’t necessarily prevent an attack from striking tomorrow. “But in some sense, it’s better late than never.”

As long-mounting tensions between Russia and Ukraine came to a head last week, Russia continued to wage its years-long cyber offensive against Ukraine. In addition to misinformation campaigns, Ukraine’s government and financial institutions have been targeted with denial-of-service attacks and so-called data-destroying “wiper” attacks. The immediate damage of those attacks is in Ukraine, but Russia-linked attacks have targeted the United States before. The SolarWinds and Colonial Pipeline cyberattacks are two of the more significant ones in recent history. And the devastating 2017 attack known as NotPetya targeted Ukrainian computer systems but caused spillover financial damage in the United States and elsewhere; the United States later attributed that attack to the Russian government.

Some cybersecurity experts warn that the United States and Ukraine’s other allies should be on the lookout for new offensives if the Kremlin lashes out in response to sanctions the West is now placing on Russia. 

James Lewis, a former diplomat and now director of the Strategic Technologies Program at the Center for Strategic and International Studies, said that attacks originating from Russia are usually carried out not directly by the Russian government, but by hackers working with the government’s tacit approval. “It's independent actors, but it's independent actors who are operating with the blessing of the Kremlin,” Lewis said. 

For these cybercriminals, the main motive for launching these kinds of attacks is money, Lewis said. Last year, the federal government reported an increase in sophisticated ransomware attacks against a range of critical infrastructure sectors. But cyberattacks can also cause political and economic disruption that the Russian government has a shared interest in seeing. “If the sanctions start to hurt Putin, he’ll be tempted to do that,” Lewis said, when asked whether we might see the Kremlin more directly carry out cyberattacks on U.S. critical infrastructure and other targets, or direct independent actors to do so.

Three of the state authorities that Hochul mentioned as potential targets last week – the Metropolitan Transportation Authority, the New York Power Authority, and the Port Authority of New York and New Jersey – either did not respond to emails from City & State or declined to comment when asked about what would make them vulnerable to Russian attacks. Neither public nor private institutions have much to gain from sharing any sort of details about their own vulnerabilities when it comes to cybercrime.

But what makes those assets attractive targets is clear. “They’re trying to target and hack things that will cause the maximum amount of disruption,” Cappos said of Russian hackers. Latimer, the Westchester County executive, said that the same risk of damage exists at the more local level. “Every government has certain assets that provide essential services, and if those essential services go down, it creates a major problem. The county runs an airport. The county runs a sewage treatment system. We're not the only one that does,” Latimer said. “If a bad actor can figure out how to shut down one of those services or get into our financial system, they can cause tremendous havoc.”

Governments, private companies and other organizations wanting to bolster their defenses in the wake of warnings about increased threats can look to the federal government’s guidance, which includes confirming incident response protocols, ensuring the use of tools like multi-factor authentication and keeping software up to date.