New York City touts cyber resiliency amid pandemic
A group of cybersecurity fellows attached to New York University on Monday convened virtually for an annual exercise held in conjunction with New York City Cyber Command, the citywide agency tasked with defending New York’s municipal networks and residents from digital threats.
The Cyber Simulated Threat Response and Incident Knowledge Exercise, or Cyber STRIKE, used the resources of a city-run cyber range to test the fellows’ abilities to detect and mitigate attacks against government, educational and corporate organizations, especially with most people still working remotely. The goal, officials said, was to prepare for a post-coronavirus world in which the increased prevalence of remote work potentially gives hackers more ways to target networks across all public and private sectors.
“If you don’t know or see your environment, you don’t know what you’re working against,” New York City Chief Information Security Officer Geoff Brown said during a panel discussion that ran alongside the exercise.
Over the course of the event, the fellows went through three scenarios, including a simulated ransomware infestation, a spearphishing campaign and a cryptocurrency mining scam. One of the points of the exercise, Brown said, was to remind participants that network security runs in both directions.
“Always keep in mind that cybersecurity is kind of like a chess match,” he said. “Like a chess match, there’s a sentient opponent on the other side.”
While the fellows who took part in the Cyber STRIKE event are all enrolled at NYU’s Tandon School of Engineering, city officials said the exercise will offer lessons for all of New York.
“For our part, the most valuable thing is building the workforce,” said Mitch Herckis, a New York City Cyber Command senior adviser. “We have an all-of-New York City mission.”
While NYC3’s enterprise mission is to safeguard the city government’s networks, it is also tasked with growing the city’s public- and private-sector information security workforce. The city projects it will need at least an additional 10,000 cybersecurity professionals by 2027, while industry experts say there is a national shortage of about 200,000.
But New York, like many other major cities, is still operating with most municipal employees working from home as the COVID-19 crisis drags on. Brown said during the panel discussion that the city was able to pivot relatively smoothly last March thanks to strong virtual private network and identity and access management processes.
“We were able to immediately shift to people grabbing laptops and moving to a position where we can work remotely,” he said.
Herckis said there were “a lot of pieces” the city had to move in making the transition to widespread telework.
“Students needed to be able to learn remotely,” he said. “Teachers need to teach remotely. People who had jobs that were completely office-based had to figure out how to work with residents no matter where they are.”
Five months on, Herckis said, New York’s cybersecurity infrastructure has shown its sturdiness.
“We certainly learned a lot and saw that we’re extremely resilient,” he said. “We learned a lot about how we could work in moments of trial.”
