New York cybersecurity law seeks to limit tech products agencies can buy
New York has taken a major step to bolster its cybersecurity defenses with the signing of AB A2237, a new law that aims to keep sensitive government data out of the hands of foreign adversaries and reduce the risk of cyberattacks by limiting what technology state and local governments can buy.
The law, signed by Gov. Kathy Hochul on Monday, bars New York state and its municipalities from purchasing certain technology products made by international companies that have close ties to foreign governments and are legally required to share data or cooperate with intelligence gathering.
Under the law, the state’s chief information officer, in consultation with homeland security and procurement officials, must maintain and regularly update a list of restricted technologies, such as computers, webcams, drones, semiconductors and other components that security experts say may contain hidden “backdoors,” spyware, or vulnerabilities that hackers can exploit. Any technology on this list cannot be bought by New York’s state agencies or local governments unless a waiver is issued under narrow conditions, such as when “no secure alternative” is available at a reasonable price.
In recent years, federal agencies have already banned many of these technologies from their own procurement due to national security concerns. The new law will officially take effect in 2027, giving state and local agencies two years to prepare for compliance and adopt safe procurement practices once it is fully implemented.
“From our power plants to our public transit to our servers packed with sensitive information, our procurement decisions determine whether or not there is an open door for hackers,” Assemblywoman Jenifer Rajkumar, the bill’s primary sponsor, said in a statement. “This bill leverages billions of dollars in purchasing power to keep dangerous tech off our shores and uplift our domestic semiconductor industry.”
State and local governments spend hundreds of millions of dollars on technology each year, and many of New York’s agencies have already suffered cyber incidents.
Last year, the Legislative Bill Drafting Commission was hit by a cyberattack that disrupted operations during budget negotiations. In 2023, the state Education Department’s Privacy Office received 23 data incident reports related to phishing emails, while New York’s educational agencies suffered approximately 40 cyberattacks, according to the office’s annual report.
Law enforcement agencies have also used imported drones that experts say could transmit sensitive data overseas. Earlier this month, the National Fraternal Order of Police urged Congress to give state and local law enforcement more power to stop criminal drone activity ahead of the upcoming 2026 World Cup and 2028 Olympics.
In response, the Federal Communications Commission determined that unmanned aircraft systems (UAS) and UAS critical components that are produced in foreign countries pose “unacceptable risks to the national security of the United States and to the safety and security of U.S. persons” and should be included on the agency’s banned list of communications equipment and services.