Defending New Yorkers against criminals and terrorists has been a priority for city leaders and law enforcement for quite some time, but in the last couple of years, officials have taken more aggressive steps to protect the city from the threat actors that often go unseen but can wreak havoc with city infrastructure, leading, in the worst-case scenario, to loss of life.
Cyber threat actors have targeted several U.S. cities in recent years. Officials from Atlanta to Baltimore can tell you just how these cyber criminals strike and how important it is for cities to be prepared.
There have also been warnings from intelligence officials for years that a Cyber 9/11 is coming – an attack that could target national critical infrastructure – and leaders in New York are taking a similar approach to the one they took after 9/11, and not waiting on the federal government, or relying on its resources, to protect them.
Earlier this year, officials announced the creation of the New York City Cyber Critical Services and Infrastructure (CCSI), which is a group dedicated to making sure lines of communication between the public and private sectors are being utilized in ways that will secure critical city functions from emergency services to nuclear reactors. They are doing it much like they did after 9/11 to protect the city from further terrorist attacks, by sharing intelligence and providing coordinated responses to cyber events.
The city created its own Cyber Command by way of Executive Order in July 2017. That organization is charged with leading the city’s cyber defense efforts and Geoff Brown is the man leading that charge. The Cipher Brief’s soon-to-be-announced Cyber Initiatives Group spoke with Brown about the challenges associated with building a centralized organization that will keep New Yorkers safe from cyber threats.
The Cyber Initiatives Group: Tell us a little bit about NYC’s Cyber Command and your role leading it.
Brown: New York City Cyber Command is the center of gravity for the cybersecurity mission for the City of New York. When I think about New York City Cyber Command, I describe it in two high-level ways, one is the enterprise mission, the other is the public facing mission.
The enterprise mission is to defend the technologies that deliver services to New Yorkers. New Yorkers rely each and every day on the different services their City delivers. To give you an idea of the scope of New York City government and the services it delivers, here are some figures. We are around 340,000 employees, delivering all kinds of services, every single government function, such as the work at agencies like the Department of Environmental Protection (DEP is the water utility that handles the delivery of water as well as waste-water treatment); Department of Correction in the justice space; Department of Veterans Services, Department of Transportation that runs the traffic lights, we have FDNY and the Department of Sanitation, Department of Finance, Department of Health and Mental Hygiene, and many, many others. Keep in mind that New York City is around a $90 billion dollar enterprise.
We have all these services that, each and every day are delivered to New Yorkers in some way, via technology. My organization is charged with defending that technology. That's what we do.
We have a public facing mission as well and that is to bring cybersecurity itself to New Yorkers so they can navigate away from threats as they interact with the internet. That public facing mission is encompassed in NYC Secure. NYC Secure is an initiative that was announced by Mayor Bill de Blasio last year, and NYC Secure is really our principle approach for cybersecurity for New Yorkers.
The principles we announced are that cybersecurity is a public safety mission, an essential service, and that everything we do, as we bring cybersecurity to New Yorkers, must respect their privacy. So, we applied two individual technical tactics under this principle. The first was that we made available for free at the two major app stores, both for Apple and for Android, a threat detection app. We customized an enterprise-grade threat detection capability and call it the NYC Secure app. What that does is it detects wireless network threats and on-device threats, alerts on the mobile device, and advises New Yorkers what to do. It might suggest navigating away from an unsecure wireless connection that you shouldn’t put personal data into, or it might even suggest, for on-device threats, turning off the mobile and restoring from a safe back-up. The point is to help New Yorkers make safer decisions while using the internet and prove you can do this without invading privacy. That's the NYC Secure app.
The other technical tactic is for anywhere that the City is providing free public WiFi. We believe that access to the internet is essential, so the City has a number of initiatives to provide free public internet access. And in those places where the City is providing free public wireless, we've elected to use a not-for-profit, privacy-respecting DNS security solution, called Quad9 (9.9.9.9). We chose Quad9 because the technology doesn’t work off of categorizations or imply a judgment on what you want to do when you interact with the internet, but it can positively identify only those sites that are trying to steal your credentials or to drop malware on your device, and it stops those threats. I think if you can do something that respects privacy and protects, then we should do it.
We also like Quad9 because New Yorkers can avail themselves of this same DNS security at home. You could set your home router to 9.9.9.9 and you’ll be protected from a lot of threats.
So, the NYC Secure App and wireless protection with Quad9, those are the first two tactics that we debuted under our public facing mission.
The Cyber Initiatives Group: As we talk about this, it feels like you’re drawing a picture of a defense network that is trying to do in cyber what NYPD did on the streets of NYC years ago, and that was making a mission of cleaning up crime, creating a safer environment. I'm now kind of envisioning jumping on that free WiFi at the coffee shop and having a virtual policeman at the door to make sure no one's there to steal my information.
Brown: Isn't that a neat analogy. Very much so. I think to a certain extent what you're seeing here in the city is a great example of what big cities can do. We're saying we know that many enterprises, many of what your Cipher Brief experts have put so much work toward, are protecting their technologies that underpin that critical business function. We are doing those things in a unified way across the total landscape for New York City as a government.
Geoff Brown, NYC CISO, Head of NYC Cyber Command
"When it comes down to it, we are accountable to the public. We have a sacred duty to the public as public servants, so if we only did the enterprise mission, we would not be doing enough. To your point and your analogy about WiFi at the coffee shop. There are things we can do to help New Yorkers be safer as they navigate their life on the internet, their digital life, let's do those things too, but let's do those things in a way that respects their intrinsic privacy."
The Cyber Initiatives Group: Being a public servant, you're working for a public that has different levels of engagement. When you're putting out information that can help them be more secure, how important is it to get the word out and let them know these resources are there? How do you get people to pay attention to these tools you're putting out there that are meant to help them?
Brown: We have education awareness materials, training and tests, and even videos, that we roll out to the City’s employee workforce to help them make better choices as they interact with the City systems themselves. We're doing that as part of our core cybersecurity enterprise mission. And when we think about creating similar levels of awareness for New Yorkers, through a robust public discourse on our principles and technical initiatives, we acknowledge that it is very much a work in progress.
When we launched the NYC Secure app, we had a number of different approaches to marketing it out to the City public that we thought would engage them on what this technology does and what it doesn't do. We had success in getting initial market penetration in that regard. Many New Yorkers availed themselves of the solution, but we need to continue along the journey of that public discourse. It's something that I do pretty regularly. We really need to be helping them make their own choice. I think a lot of the things that we're doing in cybersecurity for New Yorkers is to help New Yorkers make a choice to be safer. We are giving them decision authority, of course, over their digital life.
I'd also mention that we are thinking through a couple of other components in the New York City landscape, that attack different parts of the cybersecurity puzzle. We have initiatives stemming from the NYC Economic Development Corporation when it comes to building out the engine of cybersecurity within New York City’s private-public and academic partnerships. We also have some initiatives for small and medium businesses. Let's not just think about individual New Yorkers themselves, but a vibrant part of our City are small and medium businesses.
What can we do to help them avail themselves of the best and the brightest ways of configuring their systems, maybe adopting things like the NYC Secure app, so that cybersecurity can be something that, if approached correctly, is a way of us increasing the total community resiliency, the community defense, by hitting all of the different verticals, not just concentrating on the very, very top and then the individual. We really need to think comprehensively about it.
The Cyber Initiatives Group: Let’s step back for just a minute and take a look at the threat landscape. How bad is today's threat and who do you think, in New York, is most at risk?
Brown: Great question. When I think about it from a municipal perspective, and especially thinking about the organization I'm accountable for, what concerns us the most is the ‘how’ of what's going on in the threat landscape. As practitioners, we call that the tools, tactics and procedures. How is it that an adversary is launching their attack? What are the particulars of that malware, what are the ways that they are accessing systems?
My organization can take that ‘how’ and make sure we are as defensible as possible and also make sure that we are practicing our playbooks to respond with an incredible amount of diligence, speed, and efficacy. We're thinking a lot about the ‘how’. There are other parts of the City government that think about the ‘who’. That’s one way we think about the threat landscape.
I'll highlight to you, of course, that we're watching various different types of events.
Geoff Brown, NYC CISO, Head of NYC Cyber Command
"I would be remiss not to mention our concern over the recent ransomware attacks against other Cities. We've seen a number of events that have had operational impact at the municipal level over the course of this calendar year. We're always maintaining awareness of these things, talking to the right information sharing bodies and making sure that our defenses are improved accordingly."
I'd also note, though, when I think about the threat landscape, I think about two pieces. One piece is the resiliency of the system that we are building moving forward. New Yorkers expect the City to continue to evolve, to continue to be able to enable new and exciting technologies that improve their lives. Some people talk about that as a smart city. In order to do that, we need to be at the very forefront of resilient technical systems.
Resilient systems, whether it's an adversary trying to do something against the system or it's a climate event or it's a technical operational failure, no matter what it is, when we think about the City's technical future, we think about resiliency.
The other thing, and perhaps this is more pointed to your question about who holds a lot of risk, when I personally think about risk, what concerns me very much are the things that, frankly, from a City government perspective, I have very little visibility and very little actionability around.
What I think about, and we talked about this a little bit at The Cipher Brief Threat Conference in Sea Island, is that campaigns of disinformation and misinformation, what can be called attacks on trust, are attacks on the very way people are making decisions. Our facts are being assailed each and every day in the threat landscape. To me, the biggest concern there is how do you establish trust with the people you serve? How do the people you serve, when they need to make a decision based on fact, how do they trust that decision if some of the most dangerous campaigns in the threat landscape that we observed in recent history attack the very core of trust via disinformation and misinformation?
I do think about that very particular threat, because I may be able to defend City systems, but the decisive defenses against those things are in other parties’ hands.
Finally, I also think about the need to make sure that as we build additional capacities to plug things into our systems that are IP enabled - that are smart, that do sophisticated things - that those things have an underpinning of a platform that is resilient and reliable by design. Secure by design.
The Cyber Initiatives Group: Let's talk about threat intelligence and how critical that is to what you do. I'm sure there are a lot of people who would love to hear your answer to this next question, which is how do you know you have the best threat intelligence?
Brown: Those are great questions. Let's talk about, first, how I think about threat intelligence. Threat intelligence is evolving in the cyber space, but the underpinnings are, of course, in the tried and true practice of the intelligence community. There's a whole underpinning of professionalism that I think the cyber community has benefited from over time and we continually need to apply those lessons. Like, how do you identify facts, what is the estimative language that you use as an analyst to provide context on that fact and how does that inform decision makers both tactically and strategically?
There's an underpinning of threat intelligence in the cyber landscape that I think greatly benefits from the professional application of that craft in other communities. You can perform hunt activity based on that threat intelligence and, as strategic decision makers, you can inform your executives, if you're someone like myself that's making different types of decisions and risk balances, with threat intelligence, I am much more able to make those decisions.
I also think cyber threat intelligence is this great way of us improving our talent. I think people who are involved in threat intelligence start to see not just the systems themselves, but the hard computer science and data science as well. They start to see attributes of maybe geopolitical or international security, economic security, all these other types of attributes that may motivate a threat actor to conduct a certain activity and how do you calculate all of these different pieces in order to be brief and be concise and informed when you're talking to a decision maker? I think it really helps us build talent. I think that discipline, that craft, is something we need to track and cyber threat intelligence very much helps us.
The Cyber Initiatives Group: NYC’s Mayor has called for some 10,000 cybersecurity experts to be hired in 10 years. To that point, how is New York staying ahead of recruitment and retention challenges when it comes to hiring enough qualified talent to fill these roles?
Brown: My answer to that question is that we have the best mission in the greatest city in the world. We don't have a problem recruiting against the mission. I think people who are excited about cyber security come to New York City Cyber Command very much because, one, they care deeply about this city, which is a sacred trust and I say that with admiration and genuinely.
Also, it's an interesting problem set. There are very few places where you are applying your skill, your craft, against so many different functional verticals. What do I mean by functional vertical? As I think about the landscape, I'm looking out of a window at downtown Manhattan. A stone's throw away from me are some of the strongest cybersecurity teams in private industry, specifically in financial services. They are right around the corner and they have great, great teams and they are great allies for us. Their teams though really apply the craft against the vertical of financial services and that's an absolutely national critical service.
When you come to New York City Cyber Command, the City is around a $90 billion enterprise. We have many different financial services organizations, but we also have a water utility, we also have a police force, we have a fire department, we have a health and hospital corporation which is the largest public health provider in North America. We have operational technology networks, we have industrial control systems, we have traditional IT networks. There is not a piece of the puzzle that you don't get exposed to when you're sitting as a colleague in this organization. We get to recruit against that objective and that's pretty exciting.
The Cyber Initiatives Group: How would you like to see the public and private sectors working together in the future to better manage these threats? You must constantly see every day, areas where the mission can be managed more efficiently.
Brown: The Police Commissioner and the Manhattan DA penned an op-ed recently in the Wall Street Journal, highlighting an organization that myself and the Head of Global Cyber Alliance, with the Police Commissioner and Manhattan DA, co-founded. The four of us recognized some time ago that, to be successful in the five boroughs, we needed to bring to the same table partners from different verticals, like the private sector, the public sector, energy sector, telecommunications, etc. The reason why I'm highlighting this effort called Cyber Critical Services and Infrastructure, or CCSI, is because I think what that points to is a very simple fact. New York City has an opportunity to build a more resilient cybersecurity community, so that means more resilient ways that technology interacts between different companies and different business functions to make sure that New Yorkers are delivered services, whether it's a private sector service or public sector service, in a reliable safe way each and every day.
Geoff Brown, NYC CISO, Head of NYC Cyber Command
"We brought all these people to the table and what we really started with was this idea that we needed to build better information sharing relationships in order to really identify where we had co-dependent technical systems themselves, and, then of course, co-dependent people-based processes. When you look at the threat landscape and attacks that have been observed over the last two years especially, you see that an impact against a targeted entity can very quickly domino into second and third order impacts."
When you look at the very close-knitted fabric of New York, it would be naïve to think an impact against, say, the thing I'm accountable for, would not have second and third order impacts on the people that show up to work in a financial services company down the street from here. Or a significant impact to an energy sector company, or conversely an impact to a financial services company, may in fact also have an impact on the municipal government. We recognize that we all have shared risk here. We have risk that's sitting on each other's ledger books, so to speak, and we need to do something about that. That's how we really think about the urgency of our public-private partnerships.
The Cyber Initiatives Group: What have you learned in this role that you wish all CISOs knew?
Brown: What a cool question. I've given you a lot of large strategic answers. If you'll allow me, I'd like to give you a very tactical answer.
I have learned really two very tactical things for CISOs to think about or CSOs, really any security professional. One, I've learned to break down components of the risk conversation based on formula. A lot of times, I'm thinking about how I explain a complicated issue to another executive and I start to break down the components of the thing based on a formula. For example, if you think about enterprise risk at large, cyber risk might be one component of that, but then you need to add into that, what is the business function criticality of the impacted system? There's a business risk. What is the technology operational risk? There's a tech ops risk. There's reputational, communication, legal. You can go down the list and as you start to explain it based on a formula, you can start to think, what are the components of my formula that I'm missing that I need more information on? What are the weights that I’m giving to all these components? And is each thing a solid fact represented by the accountable stakeholder?
I actually think about that actively when it comes to my own organization.
I have a simple organization formula that I developed and use. Simply, "Facts plus Judgment plus Culture equals Trust." That's my formula that I try to think through. If you get those three components right, you deserve trust. If you get them wrong, you don’t.
My tactical answer for the community is to start to break down the components that you need in order to establish your end result. For me, the end result is always trust, and if you line it up that way, you have very clear thinking.
The other piece of very tactical feedback is to be almost ruthlessly centered on representing the thing you are accountable for, and with everything else you might have an opinion, but you're not accountable for that thing.
When you think about crisis management and crisis response, a lot of times you have a lot of accountable executives who at times may or may not be ruthless in representing the component they are accountable for. They might be trying to solution the total, but the decision authority around solution may reside in a different executive. You have to really know how to be very, very precise in your part of the harmonized system.
The Cyber Initiatives Group: We have an upcoming webcast with you where Cipher Brief members will be able to ask their own questions, but for now, is there anything I haven't asked you that you would've liked to have talked about today?
Brown: Yeah. The thing that I would like to bend your ear on is how much I admire everyone that I'm surrounded by each and every day. It is a misnomer that true innovation can't happen behind the walls of government, because man, there are people dedicated to this mission for New Yorkers that I think are absolute heroes. I really do.
Have questions for Geoff Brown? Cipher Brief Members will have the opportunity to ask questions and engage by registering for our Cyber Initiatives Group webcast on Wednesday, June 19th from 12:30p – 1:15p EST. We’ll be talking about a range of issues during this 45-minute introductory session for Cipher Brief Level One members. Members will be receiving an email invitation in the next few days. Not a member? Sign up here to be able to take part in this, and future webcasts with national security experts.