The Cyber Initiatives Group is a group of public-private and academic thought leaders who share their unique expertise with the greater cyber community through a series of CIG webcasts and in-person events throughout the year.
This is a preview webcast exclusively for The Cipher Brief, where readers were briefed on the cyber issues facing NYC and then had a chance to ask their own questions of NYC CISO Geoff Brown.
Cyber Initiatives Group Preview Webcast with New York City CISO, Geoff Brown
Introduction: A number of high-profile hacks of U.S. cities have caused nearly every city CISO in America to take a look at their own cyber security defenses. For a few years now, leaders in New York City have been taking a similar approach to the one they took after 9/11, and not waiting on the federal government, or relying on its resources, to protect them.
Today, the city boasts a cyber Threat Management Division, a Security Sciences Division and an Urban Technology Division to help in its mission to keep New Yorkers safe in cyberspace.
We talked with NYC CISO Geoff Brown about the opportunities and challenges ahead and members asked their own questions about threat intelligence, partnerships and managing the day-to-day responsibilities.
Key Questions:
- How should U.S. cities be prepared for today’s cyber threats?
- What lessons did NYC learn from the hacks in Atlanta and Baltimore?
- How do you defend the technology that New Yorkers rely on for city services?
- How does NYC partner with the private sector and decide which information to share?
- What should every city CISO be focused on right now?
- How do you maintain a balance between the privacy of your citizens and a more secure cyber environment?
- What do you wish all CISOs knew?
Background Brief:
- Earlier this year, officials announced the creation of the New York City Cyber Critical Services and Infrastructure (CCSI), which is a group dedicated to making sure lines of communication between the public and private sectors are being utilized in ways that will secure critical city functions from emergency services to nuclear reactors. They are doing it much like they did after 9/11 to protect the city from further terrorist attacks, by sharing intelligence and providing coordinated responses to cyber events.
- Just over a year ago, the city introduced the NYC Secure Initiative and introduced a free app that provides enterprise-grade threat detection for mobile devices. Then NYC made it free to everyone who lives there.
- The city created its own Cyber Command by way of Executive Order in July 2017. That organization is charged with leading the city’s cyber defense efforts and Geoff Brown is the man leading that charge.
The Interview:
Cyber Initiatives Group: Tell us a little bit about your unique dual role with the city, serving as both CISO, and the Head of New York City Cyber Command and your responsibilities in both of those roles.
Brown: The way we think about the mission here is really two-fold. Very simply, we think about our enterprise mission. That mission is to defend the technology that enables services to be delivered each and every day to New Yorkers. The second piece of the mission is a public-facing mission.
Geoff Brown, CISO, NYC
"Here in our city, we believe that cybersecurity is a public safety issue and an essential service. Everything we do in cyber security is to help New Yorkers steer away from the threats in their digital lives. We should respect their privacy. We should respect the values of New York. Again, we have an enterprise-based mission and we have a public-facing mission."
The Cipher Brief: You've actually developed an app for New Yorkers as part of that mission. What can you tell us about that?
Brown: That's part of our NYC Secure Initiative. We launched that initiative over a year ago, with Mayor de Blasio. We decided that it wasn't just enough to define the principles that we would execute on, but we needed some tactics. We have two tactics. The first is an app that we published for free. Anyone can download this app. It is enterprise-grade threat detection for mobile devices.
It has two really central alerting functions. One is to help New Yorkers steer away from a Wi-Fi that might introduce threats into their phone. Making sure New Yorkers are aware of that, and perhaps don't interact with the internet using that unsecured Wi-Fi on financial transactions, or with their private data or health information.
The second type of alert is a non-device alert. Non-device alert means that there is some type of threat being introduced into your mobile platform. That could be indicative of maybe malware being dropped onto your device. Maybe someone is attempting to root it and to jailbreak that phone, and it comes with a recommendation. For instance, for that type of threat, it might say, "Turn your device off immediately," and recommend restoring from a secure backup.
The second tactic is in the Wi-Fi space. Here in New York City, something we're really proud of is delivering free public Wi-Fi, across all five boroughs.
We think of that as part of the equity, for all kinds of people across New York City, so that they can interact with the internet and pursue their dreams. What we decided was, in all the places where the city is providing that free public Wi-Fi, if there's something we can do to make it safer, we should do that.
We partnered with a free not-for-profit organization called Quad9. Quad9 developed a DNS security solution. A DNS security solution that respects privacy. Not to get into the technical details, but simply what it does is when you enter into your query, and pursue something on the internet, it doesn't judge what you're trying to do. It doesn't do any categorization blocks, it simply blocks the website if something there has been put there by a criminal or a cyber actor to compromise your credentials or drop malware.
What this DNS security solution does, is blocks that cyber threat. The interesting thing about it as well, is it fits within our NYC secure public-facing initiative, because you can take that home with you.
You don't have to be accessing Wi-Fi through one of the New York City government-provided internet connections, either. You can go home and set your router to 9.9.9.9, that's Quad9, and receive the same type of protection.
Cyber Initiatives Group: How difficult has it been to balance privacy, with providing more security initiatives?
Brown: Well certainly, I think that's a great question, because what we needed to do was make sure that we are listening to New Yorkers. This is part of our need to understand, how they are looking towards their governments to help them enable safety within their digital lives.
What we realized of course is that New Yorkers and all kinds of people across our country, care about their privacy. We didn't want that to be a signal that we couldn't do anything.
What we needed to do was work with the great innovators, the great technical solution providers that build enterprise grade solutions. We asked them to work on providing us something that we could give to all New Yorkers, that would respect their privacy.
What I think is really exciting is that, a lot of times this divide between security and privacy is seen as a chasm that can't be crossed. I think here in the city we've proven that you can do both and help people be safe as they interact with the internet.
Cyber Initiatives Group: The cities of Atlanta and Baltimore have both experienced rather embarrassing destructive hacks. What did you take away from those incidents, and how is New York prepared to defend against attacks like these?
Brown: First and foremost, any type of attack, whether against municipalities or enterprises, whether in the country or globally, is incredibly concerning. One of the things that we do here in the city is make sure that we're receiving information about those events. We want to receive that information through the established authoritative channels for cyber threat intelligence and use that information to enrich our defenses.
Geoff Brown, CISO, NYC
"We’re voracious consumers of cyber threat intelligence. That's incredibly important, because we all have important defensive missions."
In previous iterations of my professional career, I've been involved in incident responses and we want to make sure that we're getting our information through the authoritative channels the impacted entity has chosen to use to spread information for community defense.
I think that's important, because when it comes down to it, responders need to concentrate on the job at hand and make sure they are stabilizing the environment. That's important to us.
I think also as we learn and grow, we develop trusted relationships with these information-sharing channels and the organizations that they represent. Then we have a real opportunity to build community defenses, and perhaps even community resiliency throughout, whether it's municipalities or enterprises. That allows us to really execute on that thing we always talk about, private-public partnerships within threat information sharing.
Cyber Initiatives Group: What have you learned in your role as CISO of New York City, that you wish all CISOs knew?
Brown: It’s a great question. There are really two things that I would pinpoint. One, I think it's really important for CISOs to be very clear on their voice. What I notice sometimes, is we like to have perspective across the entire sort of enterprise risk landscape. That's not a bad thing, but when it comes to offering decision support, I would advise CISOs to make sure you're being very clear about the voice that you own. I think that's a way to provide clear decision support for executives. Then the other piece of your question is, what have I really learned? I would say the thing I've really learned is to focus on keeping the most important thing, the most important thing. Sometimes we love to examine as cybersecurity practitioners, our individual problem set and that is important. I would encourage CISOs to keep the most important thing, the most important thing. By example, here in New York City, the most important thing is serving New Yorkers. If I have been thinking only like a traditional cybersecurity executive, then we would be executing as we are today on our enterprise mission. I may not be certain that we would have become so serious on our public-facing mission, it's a very challenging experiment that we've engaged in.
By thinking about New Yorkers, because they're the most important thing, the city embraced the call to do something there. I think for me as the CISO, that was really powerful. I would encourage CISOs no matter where you sit, no matter who you serve, no matter what enterprise you're defending, to think about what the most important thing for your organization is, and go there.
Member Questions
Member Question: Where are you seeing the greatest threats to critical infrastructure and crime targeting average New Yorkers?
Brown: Sure, so I think when we think about it like any at-scale enterprise that's executing on a cyber security mission, there are ransomware threats, there are third-party compromises and social-engineering attacks. Certainly, we have concerns around the targeting of critical infrastructure and influence operations.
Those are some of the things that we're observing across the whole threat landscape. We're trying to make sure that, as we think about that from an attack matrix perspective, we're putting in different defense in-depth solutions. To be more granular to the question about where the concerns are, I would highlight two things.
One is perhaps a long-term concern, which is that we need to make sure as enterprises, as innovators, as manufacturers, as industry introduce more and more connected devices into cities, we need to ensure that those things are being provided and built in safe and reliable and resilient ways. Something that is very interesting and also of concern is that we're not planning for that future and thinking about the lessons we've learned in cyber security.
The second thing that we really need to think about is ripped right off the front pages. And that is that attacks are leveraging misinformation and disinformation and are really traps. Those are very sobering for all of us to observe because the nature of those attacks is almost a call to arms for private-public partnerships. The city itself doesn't really operate on the platforms that are being manipulated for these influence operations. Our private sector partners are. We need to make sure that we're working together to allow for New Yorkers to receive facts, authoritative facts, facts that are established. Then that allows them to make the decisions that they want to make.
Member Question: How can the U.S. government or local governments, convince Fortune 100 companies and small businesses that defending against state-sponsored corporate espionage is good for business?
Brown: Let me offer a concept before going into the particulars of the question. Sometimes I'm asked how we think about adversary attribution, as part of the cyber threat intelligence landscape that's incredibly important. The way that I answer that, is I talk about our need within my program, the Enterprise Defense Program, really to learn the how. We really concentrate on the how, of an attack. We leave it to our partners in law enforcement and otherwise, to worry about the who.
If we're learning about the how of the event, the various TTPs, that different types of adversaries may use whether that's criminal or state, then we can enrich our defenses accordingly.
To be more particular to the question, when it comes to the question of how do we motivate enterprises in the private sector to pay attention to state-level events, I would say, at least here in the city, it doesn't take much convincing.
Private sector entities are coming to the table actively here in New York, to ask New York City government how they can play a part. They ask how they can build those right bridges, so that we have community resiliency being intense. Part of the conversation really begins with that sobering study of recent events.
It doesn't take long once you present a stakeholder with the front-page article to really grab their attention and demonstrate the types of impacts and cascading impacts that can begin with perhaps a state-level event. They see how that can very quickly domino into private sector organizations or government organizations.
Member Question: What do you say to the private sector, when they say, "I cannot share breach data with you, because the data you want me to share is the same data the government will later use against me, to fine me for being breached in the first place?"
Brown: Very interesting question. I think that there are channels of protected information sharing that are available. If you share the information into those allowed channels, that will then sort of spread in the appropriate channels through the community.
The Department of Homeland Security has provisions that allow for the protection of that data, because there's one proscribed purpose, to share that information in an anonymous way across the different ISACs to make sure it gets to network defenders. Not knowing necessarily the exact particulars of the member’s question, I would just highlight finding the avenue where you are allowed to share that information and then perhaps sharing it there, where you have the appropriate protection. Then all of us together as cyber security practitioners, as national security practitioners, as governing officials, as private sector stakeholders, all of us together, we need to continually work on those information-sharing bodies, really because speed is of the essence.
I think the one part of the equation that certainly is not satisfying with my answer, is that if you want to make sure somebody gets the information quickly, so that they can enrich their defenses, I'm not sure we have the best mechanism. Or at least we don't have a mechanism that's any better than the things that the community has done, for as long as I've been a member, which is, pick up the phone and share it with somebody that you really trust, will respect the nature of the conversation.
Member Question: Do you feel that there is adequate sharing between government, obviously DHS and FBI and private industry, and city and local governments? Is it adequate?
Brown: I think it will be adequate. This is a far-reaching answer, but it will be adequate when the machines themselves operate in a community-defense fashion. I'm not sure we're there yet. I highlight though, that I think everybody recognizes the complication of different types of equities that need to be balanced when information is shared. People realize that the complication is there.
We are still sort of whittling away and making sure that people can talk to each other when the nature of the landscape is such where, the machines are moving from an attacker perspective, at a pace that the nature of that conversation cannot keep up with, so yeah.
Member Question: What role do you see then for emerging advanced technologies, AI, ML and others, in a public-sector approach to cyber security?
Brown: Without going into detail, those are things - especially ML - that the program here is very much taking advantage of. Think of it this way, the public sector at least here in New York City, can take advantage of the efficiencies; the innovation, the defense of technologies, the data science, the same types of things that are available to private sector enterprises. In many ways I describe the defensive strategy against the enterprise mission. That strategy is to defend the technology that enables services to be delivered to New Yorkers. It's very much the same type of thing you might find in a private-sector enterprise of the size and scale of the technology and service footprint, of the city of New York.
I think to a certain extent when it comes to taking advantage of threat intelligence, I go back to that tried and true point, that all of us know when it comes down to it. At least in cyber threat intelligence, the private sector has the same access to the internet, so to speak, that the government does.
We get that threat intelligence, and we apply it within our program here. When it comes to the public sector, the government itself sharing information, I think again, I go back to the point I made before about respecting the balance of equity, that they have to adjudicate on their side.
I share with my fellow practitioners the call that, that process be hastened, so that as with responsibility to defend different types of networks, even critical infrastructure networks can apply that learning, and try and get in front of the attackers.
Member Question: A lot of threat intelligence-sharing, focuses on the common operating picture. Would you say that we as a community are doing a good job of common operating information?
Brown: My gut reaction is no, and I'll tell you why I think that. A lot of maturity within the cyber security space, is operated by the enterprise operating within a specific vertical. I would say one of the things that we think about within our program, is about all the different "enterprises"; all the different departments, offices, agencies that make up the city government of New York, and they are across every vertical imaginable.
When I think about creating across all those verticals, the common operating picture, it is not necessarily a thing that I observed in my career before coming to the city. I think each of those verticals has the uniqueness of understanding their business environment and trying to flatten the reality that because of that business environment, the ability to prosecute a cyber-security mission, is slightly different. Not taking into account those enterprise risk calculations, I'm not sure if I've seen holistic solutions that break across all of those verticals in a horizontal fashion.
Member Question: What is the relationship like between the city and other governments, both other city governments but also other levels of government like state and federal? What are the strengths and where can improvements be made?
Brown: I see a lot of great relationships, and I don't say that as a throw away comment. I really do think that, at least from this vantage point, and I will acknowledge it is New York City. There's some reputational advantage there, that I won't be shy of taking advantage of when it comes down to it, whether that be state partnership or federal-level partnerships. We have great partnerships with people who care about the mission here, people who have visited this exact office space where I'm located. People who have gone on tours of our critical infrastructure, to make sure that they're doing everything they can to help us.
We have great partnerships, and I'd even stand beyond that. There are organizations like the Global Cyber Alliance who are involved and we’re participants in that. Then in the global conversation about cybersecurity, we have had conversations with other cities, Singapore and others, to understand how they're thinking about the problem set, and how we can build systems from a municipal level across, not just the country, but perhaps internationally to defend the people that walk our streets.
Member Question: How can an individual employee of a private or public company, support communities' cybersecurity, when the company leadership remains obstinate to outreach or reporting to the public sector on breaches or security issues?
Brown: Of course, there are things within private sector enterprises that have to be respected. I think that as employees of enterprise, there are sort of rules of the road, and that's important to respect. I might say, I'd be surprised if enterprises wouldn't be embracing someone with cybersecurity technical capability or process capability or experience. Being willing to share that in a way that enriches sort of that resiliency, or defense of a community is something that most organizations will sign off on, if they don't necessarily applaud it.
END OF BRIEFING
If you have feedback or thoughts on future briefings, we'd love to hear it. Email us at CIG@thecipherbrief.com
The next Cyber Initiatives Group Webcast (requires additional membership) will be Tuesday, August 6 at 2p EST. Former senior counsel at the NSA Joel Brenner will engage in conversation about Cybersecurity for Small and Mid-Sized Businesses. CIG members will receive registration information via email. Sign up to become a CIG member here.
“I’m excited to facilitate this critical cyber conversation and to be working with leaders from across the private sector as they tackle the very difficult cyber issues that impact every company doing business today.” – General Michael V. Hayden, Former Director, NSA and Former Director, CIA