While the coronavirus pandemic halted in-person operations for government agencies across nearly every large American city this year, the shift to remote work represented a vindication of sorts for New York City Cyber Command. In a webinar Wednesday, its leaders described the organization as one of the most prepared in the country for manmade and natural disasters.
NYC3 leaders shared their strategy for ensuring that the coronavirus pandemic did not interrupt the city’s cybersecurity initiatives, attributing much of the continuity to a new cloud-based data storage system that enabled the agency to ingest security data while keeping tight control over how it was shared.
When the city transitioned to remote work in early March, said Colin Ahern, one of the city’s deputy chief information security officers, all of NYC3’s nearly 100 employees were able to resume work from their homes the next day. That wouldn’t have been possible without the agency’s conversion to the cloud, which was initially conceived as a way to collect data from different agencies and devices more rapidly than an on-premises system could.
“That was the culmination of this cloud-first journey,” Ahern said. “That was the end of this multi-year process, starting with Executive Order 28 and with the environment that we built. That all really culminated in one afternoon where basically 100 people picked up their laptops, and we’re substantially safer because of it.”
New York City Cyber Command was initially conceived by Mayor Bill de Blasio in 2017 as a special task force to oversee information security policy. In 2019, NYC3 chose to adopt Google’s cloud software to enable officials like Ahern and Quiessence Philips, also a deputy CISO and the agency’s head of threat management, to access security data from any government network-connected device in the city. Working remotely wasn’t necessarily the end goal, Ahern said, but it was a possibility once the city set up a data pipeline to aggregate security data from all over the city in one place.
“We spent a lot of time thinking about remote response,” Philips said. “Even if we’re not in a pandemic, this is still a huge city. It takes time to go to another borough to collect a device to do forensic analysis on it. That’s not a place we want to be, especially when we prioritize speed.”
Once it became clear that city employees were not returning to offices anytime soon, Ahern and Philips said they made sure to take advantage of the automation that the cloud environment allowed for. The number of devices — laptops, wireless hotspots and routers — that the city had to defend increased dramatically during the pandemic because many of the city’s more than 325,000 employees needed equipment to use at home, expanding the attack surface for potential bad actors. And, Ahern said, New York City is a target for hackers even in non-pandemic times.
“Not many entities at all have the scale, skill and threat profile of this city,” he said. “So us treating data as one of the first and most important considerations in building this environment enabled us to substantially transform the city’s risk profile.”