New York State to Debut First Cybersecurity Strategy

The state of New York will debut its first cybersecurity strategy, including plans to modernize government networks, provide digital defenses at the county level and regulate critical infrastructure.

The strategy, which Gov. Kathy Hochul is expected to announce today, comes as an array of cyberattacks have battered New York, with the state’s Division of Homeland Security and Emergency Services responding to 57 cyber incidents in 2022. These include a monthslong shutdown of municipal systems in Suffolk County, and attacks on schools and healthcare systems across the state.

Kathryn Garcia, director of operations for New York state, said that the growing sophistication of hackers and the threats they pose to both state and national security prompted the creation of the strategy.

“Many of the pieces of the strategy plan are already in flight, but we also know that we are only as strong as our weakest link,” she said.

The strategy focuses on five areas, including upgrading state networks to support modern security technology such as multifactor authentication. The plan also calls for the state to work with county governments and federal agencies on cybercrime investigations and information sharing.

In addition, the state plans to focus on developing its cybersecurity workforce and educating New York residents and companies about cybersecurity. Also key to the strategy is exploring how existing agencies can further regulate critical infrastructure companies to beef up cyber defenses, said Garcia. 

Several states have cybersecurity strategies in place, including Iowa, Michigan and West Virginia, and many other programs are folded into wider IT plans. Few approach the scale and resources dedicated to New York’s plan.

The fiscal year 2024 state budget earmarked an additional $35.2 million for cybersecurity, an increase of about 57% from the $61.9 million allocated for fiscal year 2023. Separately, the state has included a provision of $500 million for healthcare systems to upgrade their technology and cybersecurity programs.

Local governments have become a prime target for cybercriminals owing to the information they hold on residents and the critical services they operate. Aging technology and limited resources result in a struggle to respond quickly to hacks such as ransomware attacks. Local governments often are unable to meet new, stringent requirements to obtain cyber insurance.

Connectivity between branches of municipal government and the state, however, means that hackers can sometimes gain access to wider systems by breaching lightly defended ones. In New York’s Suffolk County, attackers last year gained access to county systems by compromising credentials at the county clerk’s office, resulting in months of downtime that ultimately cost around $5.4 million to recover from and investigate. During the shutdown, emergency service call centers, title processing and the courts were disrupted.

The state is providing Crowdstrike’s endpoint detection software free to all counties outside of New York City’s five boroughs. Colin Ahern, the state’s chief cyber officer, said that most counties have taken advantage of this $30 million program. A handful of others still have time to run on existing contracts or similar scenarios, he said. 

Garcia noted that county systems often link to state systems. “We’re connected to them, too, for a variety of reasons, and you don’t want someone to get into the systems through them,” she said.

The release of the strategy comes amid a series of actions on cybersecurity issues at the federal level. In March, the White House published the National Cybersecurity Strategy, which touches on several of the themes in New York’s own document. The U.S. Office of the National Cyber Director coordinated with the New York state government during the drafting process, said acting National Cyber Director Kemba Walden.

“Certainly we appreciate points of alignment, where appropriate, between state cyber strategies and the National Cybersecurity Strategy. But we also recognize that cybersecurity at the federal level differs from cybersecurity at the state level in some fundamental ways, and each state will further have its own unique capabilities, resources and requirements,” Walden said.

Some of those capabilities include an “enormous amount of regulatory authority,” Garcia said.

New York has already adopted a number of cybersecurity regulatory requirements at the state level, including cyber rules from the New York State Department of Financial Services, and legislation that requires electric grid operators to include cyber threats in their emergency response plans, along with natural hazards such as snow and wind conditions.

While the state will explore more rules for specific critical industries, Garcia said, it is also looking at how state resources can be used to strengthen defenses. 

“We are definitely thinking about how to do more regulation. But we are also thinking about what can we help with to get people over the line,” Garcia said.

The strategy also includes provisions for expanding the state’s cyber workforce, including new office locations throughout the state for tech workers outside of hubs such as New York City and state capital Albany. Telecommuting will be allowed in some cases.  

Coupled with workforce initiatives are expansions in New York’s intelligence capabilities, including investments in the New York State Intelligence Center in Albany and the Joint Security Operations Center in Brooklyn. The NYSIC is a multiagency fusion center that disseminates intelligence from federal, state, local and tribal authorities, while the JSOC is a joint project between Albany, Rochester, Syracuse, Albany, New York City and Yonkers designed to share information on cyber threats.

“We need to have an umbrella view of this across all of our agencies to ensure that we are protected from very sophisticated people, or machines, or whatever is coming up,” Garcia said.

Write to James Rundle at [email protected]