New York Governor Kathy Hochul unveiled a broad cybersecurity strategy earmarking $600 million directed at protecting the state’s digital and critical infrastructure from cyber threats. Touted as New York’s “first-ever” statewide cybersecurity strategy, Hochul said it sets high objectives for cybersecurity and resilience. According to a summary of the strategy, it also seeks to unify cybersecurity services statewide with access to information tools and services, while providing a framework for partnerships with the public sector and nonprofit organizations.
Hochul, a Democrat who took over as governor in August 2021 following the resignation of Andrew Cuomo, has made improving New York’s cybersecurity and resilience posture a high priority from the outset of her administration.
She pointed to last year’s massive ransomware attack that hit Long Island’s Suffolk County government, cutting off its critical services for months. “It disconnected more than 1.5 million residents from the services they rely on,” she said. “Emergency dispatchers spent weeks taking calls by hand, and real estate transactions were held up entirely.”
Joined by federal, state, and local cybersecurity leaders, Hochul outlined the strategy on Wednesday at NYU Tatum School of Engineering, during an awards ceremony for participants in the university’s professional certificate program in operational technology security.
In remarks during the briefing, Hochul emphasized the ongoing rise in cybercrime targeted at the US and New York state’s critical industrial and financial infrastructure. She also underscored the strategy’s focus on collaborating with the federal government and providing assistance to counties and local governments.
New York’s First Chief Cyber Officer
Last year, Hochul appointed Colin Ahern as the first chief cyber officer of New York State, based in part on his experience as New York City’s acting CISO. Ahern created the city’s Cyber Defense Agency and led the building of its first cloud-based zero-trust security environment, which enabled the Cyber Command group to shift to remote work during the COVID pandemic.
“He is one of the most brilliant people I’ve ever met in this space,” Hochul said in her remarks at the NYU Tatum event. She said she became familiar with the implications of cyber threats and attacks during her term in Congress a decade ago when she was on the Capitol’s Homeland Security and Armed Services committees, where she received White House briefings on cyber threats. “In the decade since, cyberattacks have only intensified every single day,” Hochul said.
Ahern noted that New York is a prime target for cybercriminals because, as the fourth most populous state in the US, it has 20 million residents and generates trillions of dollars in economic activity.
New York developed its strategy in collaboration with the federal government in the form of Jake Braun, a Department of Homeland Security senior adviser. Braun, who attended the unveiling of Hochul’s strategy, said his team has regularly talked with Ahern and the governor throughout the plan’s development.
“They’ve committed to massive, unprecedented resources going to their IT and OT improvements, and they’ve dramatically expanded public-private partnerships to enhance resilience in the case of an attack,” Braun said.
Components of New York’s Cyber Strategy
The new strategy calls for forming an Industrial Control System Cyber Assessment team that would function as part of New York State’s Cyber Incident Response Team at the Division of Homeland Security and Emergency Services. Days before Russian forces invaded Ukraine, New York created the Joint Security Operations Center in New York City. Ahern’s team has partnered with the mayors of Albany, Buffalo, New York City, Rochester, Syracuse, and Yonkers to build and maintain that center.
Hochul’s strategy builds on legislation passed in 2022 to create a cybersecurity protection framework for the state’s energy grid that requires electric distribution utilities to be prepared for cyberattacks in their annual emergency response plans. That legislation requires utilities to share those plans with the New York Public Service Commission (PSC), which now has broader auditing powers.
The latest state budget, submitted in May, called for $500 million to improve New York’s healthcare IT and cybersecurity infrastructure through the state’s Department of Health Care technology capital grant programs. Hochul sharply increased the state’s centralized security budget through fiscal year 2024 to $90 million, up from $20 million.
The budget includes expanded funding for the state’s shared services program for county and local governments. New York’s shared services program so far covers 53,000 county and local government computers, most upstate counties, and the five largest upstate cities. Also allocated in the FY24 budget is $7.4 million to expand the New York State Police’s Cyber Analysis Unit, Computer Crimes Unit, and Internet Crimes Against Children Center.