‘You can’t separate the physical from the cyber,’ says New York’s first security and intelligence director

In recognition of the many creative — and sometimes offline — modes of influence employed by the nation’s adversaries, New York Gov. Kathy Hochul last week promoted Colin Ahern, formerly the state’s chief cyber officer, to serve as its first director of security and intelligence.

Ahern’s new role, according to the governor’s press materials, will “provide strategic direction and further unify the State’s security assets.” Hochul noted that “the threats we face are more complex and interconnected than ever before” and enjoined the state to be “aggressive, innovative and adaptive” as New York’s new intelligence director operates across all levels of government, the region’s critical infrastructure providers, academia and the private sector, addressing attacks online, but also taking on malign foreign influence campaigns, “hybrid warfare and other national security issues.”

“The emerging doctrine of our adversaries” — China, Iran, North Korea and Russia, — is an “all of the above, all the time approach to either holding specific targets at risk, i.e. obtaining access to them via cyber means, or the ability to conduct attacks on the space, for example via drones,” Ahern said in an interview. He explained that recent instances around the globe of hybrid warfare — a combination of tactics that can be as technical as a ransomware attack or as analog as political skullduggery — have illustrated the “blurring of the lines between cyber and physical attacks, and physical impact of cyberattacks.”

He pointed to Poland, where Russia has not only employed cyberattacks in an attempt to disable its power grid, but is funding so-called single-use agents to stimulate social unease and erode support for the war in Ukraine. Ahern said his role is intended primarily to advance the state’s economic development and workforce goals, and to “manage the risk that the changing geopolitical landscape poses to New Yorkers”; he boiled the job into two primary functions, but his remit is expansive.

He’ll support large regional events that are expected to attract millions of fans, like 2026 FIFA World Cup matches in New Jersey. Hochul last month announced the state will receive $17.2 million in federal funding to mitigate unauthorized drones, a nuisance increasingly present thanks both to hobbyists clueless as to the dangers of flying in restricted airspace and criminals seeking to collect information or damage critical facilities. Ahern said he’ll also help secure U.S. 250th anniversary events this summer, including a seven-day aquatic parade along the New York waterfront that will feature dozens of “tall ships” from around the world.

He’ll support efforts to attract new security-adjacent businesses to the state, like Micron, which in January broke ground on a $100 billion semiconductor fabrication facility, planned to be the largest in the United States. Some who attended the ceremonial event described to the audience the project’s scale: “Imagine the megafabs that will be built here, each of them [the] size of ten football fields,” Sanjay Mehrotra, Micron’s chief executive, explained from the dais. Commerce Secretary Howard Lutnick, who began his remarks by noting that central New York was “the heart of Trump country,” said the project “only got scheduled” because the president “cleared out all of the environmental and other things that tend to get in the way.” In this case, those other things included hundreds of acres of trees, where two species of endangered bats roost for part of the year.

Ahern will help secure the state’s water and wastewater facilities, critical infrastructure for which the state recently wrapped up a second public commenting period on forthcoming cybersecurity requirements that include conducting annual cybersecurity vulnerability analyses, establishing formal cybersecurity programs, creating incident response plans, following new incident reporting requirements and training staff on cybersecurity hygiene. There are more than 150,000 public drinking water systems in the United States, and on rare occasions they sustain terrifying cyberattacks. A Russian hacking group in 2024 took credit for attacks against a wastewater treatment plant in Indiana and another water facility in Texas. A third attack against a water treatment facility in Kansas forced operators to switch to manual operations that were reportedly inefficient, and potentially hazardous if used over extended periods. 

Ahern said New York’s upcoming cybersecurity regulations for water and wastewater facilities will be “first of a kind” and that though a technical assistance program, the utilities will become “more cyber mature.” To protect the state’s energy grid from cybersecurity threats, Ahern pointed to 2022 legislation, passed unanimously by both state houses, designed to harden utilities’ cybersecurity postures by enlisting the state’s public service agencies to regulate how electrical distribution utilities do cyber — “I think we are still the only state that has this prescriptive, forward-looking legislative authority,” Ahern said. “You can’t in many cases separate the physical from the cyber, and I think this role is an acknowledgement of that.”