November 15, 2021

New York State needs to improve cybersecurity support to local governments and public authorities

In a letter dated November 12, 2021, New York State Comptroller Thomas P. DiNapoli advised the New York State Division of Homeland Security and Emergency Services [DHSES] that his audit of its operations indicates that DHSES cannot assure that the critical cybersecurity support it provides to state agencies, local governments, and public authorities through its Cyber Incident Response Team [CIRT] is achieving the desired outcomes or is targeting the appropriate customers and their needs.

Essentially, the audit reports that the agency responsible for providing cybersecurity help to 2,800 public entities responds to attacks but lacks strategies for preventing them.

“New York’s Cyber Incident Response Team plays a vital role in safeguarding our infrastructure and critical data against cybersecurity threats,” DiNapoli said. “There is a lack of forward-thinking strategies, widespread training, and specific and measurable objectives that are critical in assessing progress. Additionally, the agency needs to be more proactive. As cybersecurity attacks continue to rise, I encourage the state’s Division of Homeland Security and Emergency Services to take quick action on this urgent issue.”

The recent passage of the federal Infrastructure Investment and Jobs Act underscores how critical strengthening cybersecurity is across New York. The legislation will provide much needed funding for local governments to modernize and protect their networks against future cyberattacks. In New York, cyberattacks have impacted public entities large and small, including reported attacks at state agencies; 911 systems; counties including Albany, Chenango, Erie, Nassau, Schenectady and Schuyler; cities including New York, Buffalo, Yonkers, Long Beach and Olean; towns including Brookhaven, Ulster, Canandaigua and Moreau; as well as school districts like Buffalo Public Schools and Guilderland Central School District.

Cyberattacks pose a fiscal risk and can have significant impacts on the public when they target public authorities and local governments, including water systems, utilities, airports, schools and health care facilities. For example, a 2019 ransomware cyberattack on the City of Albany cost the city roughly $300,000 because of destroyed servers, the cost to upgrade user security software, the purchase of firewall insurance and the performance of other improvements to firm up the city’s systems.

Cybercrimes, including phishing, remain on a troubling rise and reach far beyond New York. Between 2019 and 2020, complaints of cyberattacks increased by 110%, from 114,702 in 2019 to 241,342 in 2020, according to the Federal Bureau of Investigation.

The rise in cybercrimes across our state highlights how vulnerable local governments are and presents CIRT with an opportunity to implement solutions ahead of future attacks. Between May 2018 and December 2020, CIRT responded to 122 cyberattacks statewide, including 39 phishing incidents, 23 ransomware attacks and incidents of compromised accounts.

Although it is responding to incidents, CIRT has not made enough progress when it comes to proactively evaluating the cybersecurity needs of the agencies it assists and measuring its progress in improving security. Its activities have only reached a fraction of the 2,800 entities it is responsible for. For example, despite acknowledging the need for specific training on how to detect phishing and prevent ransomware attacks, CIRT only provided five training sessions on phishing emails between July 2020 and March 2021.

Between August 2019 and December 2020, CIRT conducted just 11 risk assessments at counties and other local government entities, upon request by those entities. It also held or participated in 32 training sessions and 13 tabletop exercises, which stimulate discussion of various issues arising from a hypothetical situation, for county Boards of Elections, critical infrastructure, and transportation authorities to test whether they were prepared for a cyber incident emergency.

DiNapoli’s audit also noted that most of CIRT’s activity is on a by-request basis or when areas of need are identified. Failure to conduct proactive outreach limits the ability to evaluate the needs of the entities in its purview and effectively prevent cyberattacks.

Officials said that they did not conduct surveys or collect data to determine how many of the entities CIRT covers have undertaken their own training. Without clear goals and documentation of security needs and progress, officials cannot be assured that their work is achieving the desired outcomes, that it is focused where public entities most need help, or that its limited resources are being used to the greatest benefit of the entities it was created to support.

DiNapoli offered several recommendations, including that DHSES:

Develop specific, measurable objectives and quantifiable, attainable goals, along with associated reporting mechanisms, to allow CIRT to evaluate if it is achieving its mission.

Take steps to determine the cybersecurity needs of the agencies, local governments, and public authorities CIRT is charged with supporting.

DHSES generally disagreed with the audit’s recommendations. CIRT officials stated that CIRT has developed a sound and effective cybersecurity program that delivers valuable services to the entities it supports. The agency’s full response is included in the audit.

The full audit, Cyber Incident Response Team Report 2020-S-58, is available from the Office of the State Comptroller.
