Since 2014, the United States has faced an increasing number of well-publicized cyber attacks. Although some have been severe, none have crossed the “traditional threshold of war,” as described by Garrett M. Graff in a November 2020 Wired article. To recap a few of these: In 2014, there was China’s theft of government personnel records and North Korea’s suspected hack of Sony; in 2016, Russia attempted to manipulate the presidential election; and more recently, we’ve seen numerous ransomware attacks on institutions and municipal governments, both large (Atlanta, Baltimore) and small.
In response to such threats, New York City created a citywide cyber command (the NYCCC) in July 2017. This centralized organization works across NYC agencies and offices “to prevent, detect, respond, and recover from cyber threats.” Geoff Brown, head of the NYCCC, described its challenges in a recent online briefing moderated by Cipher Brief founder Suzanne Kelly. A consolidated approach certainly has face validity, compared to asking a hundred different entities with personnel of varying training, skill, and interest to cobble together their own separate, inevitably not interoperable security plans. As Brown said, “We can’t predict what’s coming around the curve, but if we build resilient systems overall, we can respond well.”
Over the last year, in the face of Covid, the NYCCC has used its technical environment to “defend the defenders.” When city agencies moved to remote operations, that process also was aided by the NYCCC’s work. Not surprisingly, cyber adversaries took advantage of concerns about Covid to expand their intrusion attempts, knowing people would more quickly respond to queries and data requests that appeared to be Covid-related and ignore potential red flags.
It was incredibly sobering, Brown said, to reflect on how, in the middle of a life-threatening crisis, the health network itself became so vulnerable. As a result, NYCCC has worked with both the public and the private health care sectors to increase awareness of cyber vulnerabilities and strengthen their defenses. Never forget, he warned, that without extreme vigilance, the consequences can be deadly. He cited how a ransomware attack led to the recent death of a German man.
Understandably, health care systems have a fundamental concern about patient privacy, although even that makes the system subject to attack. Clearly, such attacks are corrosive: their damage extends beyond the initial impact by eroding citizens’ all-important trust in governmental, public health, and social institutions.