Big congratulations to Gov. Hochul are in order. She recently announced that the New York State Energy Research and Development Authority (NYSERDA) has finalized two major projects to deliver clean, renewable solar, wind and hydroelectric power from upstate New York and Canada to New York City. This is a big deal because these renewable energy and transmission projects will not only deliver substantial greenhouse gas reductions and air-quality improvements, but more than $8 billion in economic development across the state, including investments in disadvantaged communities.
If you’ve been following the news, you know that today, like at no other time before, big public projects like these are at real risk of a cyberattack that renders them inoperable. The federal government has recently discovered Russian malware or “botnets” that could be used for anything from mere surveillance to actual attacks that destroy critical infrastructure in the United States, including financial firms, pipelines and the electric grid, just like the new powerlines Hochul just announced. We are, truly, in the midst of a tsunami of cyberattacks, including attacks on our city’s critical infrastructure, from nation-state actors and cybercriminals operating on their own or for another party for a fee. The questions are what to do about it and how fast we can do it.
Two important developments have occurred relatively recently. First, businesses started to pay attention to cyber risk. But even so, too often it is in a silo; that is, a business seeks to protect its systems, but not informed by broader intelligence about attacks in distant places nationally or globally that may, like a virus, migrate to and infect the business.
Second, the federal government has stepped up the amount of information it provides to companies regarding — in cyber speak — “indicators of compromise, malware signatures and tactics, techniques and procedures” — the code by which penetration of a business is achieved. Businesses that “patch” their systems before they are “hit” have a much greater chance to avoid a ransomware attack achieved by gaining access to an agency’s or company’s computer systems through phishing, secret efforts of an unhappy employee, employees unknowingly connecting to malware by linking to a malicious web site, and many others.
One would think that all major American cities by now would have a playbook and game plan on how to respond to an attack on critical infrastructure. They do not.
Five years ago in New York City, we convened a high-level meeting at the NYPD. The purpose was to talk about cybercrime and terrorism prevention strategies generally. In that conversation, we looked at “what if” scenarios. We asked ourselves what would happen if a terrorist or state actor attacked our water supplies, like reservoirs north of the city. Who would respond?
To ask the question was to answer it. No one — not the FBI, Department of Homeland Security or any other federal agency — was capable of coming to our help in the midst of or in the immediate aftermath of an attack on critical infrastructure. It would be our responsibility as a New York City community to manage that attack, mitigate it and restore city operations.
We looked for models elsewhere for guidance, but there were none that met the extraordinary needs of the moment. So we decided we would convene representatives of the 16 critical sectors in New York City ourselves at a meeting to discuss and fix this gap. We created a public/private partnership with a task force of members from each critical sector to do three things: one, to share real-time cyber threat intelligence through the NYPD intelligence bureau to our private sector partners and other government agencies; two, to train for responding to potential attacks together by doing table exercises at the IBM cyber range in Boston; and three, in the event of a real attack, to convene at an operations center (which we opened in June 2021) to manage the attack from a secure location with access to power and communications even when there was a loss of power or communications outside the center. In the years since its inception, the task force has been a key intelligence-sharing hub for New York City, and unlike other parts of the country, New York City’s critical infrastructure, remarkably, has been relatively unscathed by any significant cyber attack.
The governor has a vision to provide clean energy to New York City for this generation and those that follow. This is a big bet on a greener, healthier and more economically secure New York. It’s a vision we can all get behind. It is also a big target. In a world where billions of cyber attacks occur daily at machine speed around the globe, no country or city, especially New York, can truly say they are “safe” or immune from cyber threats.
What we can do, and what we must do, is clear. We must acknowledge first that we are in the midst of a global cyber pandemic. We must address it openly at the national, state and local level with the urgency the moment requires, because this crisis is already upon us. We must commit to true partnerships of shared responsibility between our key business and government sectors to manage the extraordinary risks that confront not just New York City but all American cities. The good news, if there is any, is that as much or more than any major city, New York City’s public/private partnership model is one that other cities can look to on how to build public and private partnerships to protect their own.
In earlier times, when a house in a village or city was on fire, the entire community would line up in a bucket brigade passing buckets of water from the well to pour on the burning home. Why? First, it was the right thing to do, to help a neighbor in distress. More fundamentally, it was because each villager understood that if she or he didn’t help put out their neighbor’s fire, their own house was at risk. Our cyber critical infrastructure task force in New York City operates on those same, fundamental principles. We are safer when we work together to protect each other.
Vance is the global chair of the cyber security practice at Baker McKenzie, LLP and former Manhattan district attorney.