Cyberattacks
in New York state increased 53% between 2016 and 2022, jumping from
16,426 incidents in 2016 to 25,112 in 2022. The number of attacks
targeting critical infrastructure in New York state nearly doubled to 83
in the first half of 2023 compared to 48 during the entirety of last
year, according to a report released on October 5, 2023, by State Comptroller Thomas P. DiNapoli.
Estimated losses in New York from cyberattacks in 2022 totaled over $775 million, while losses nationwide totaled $10.3 billion.
“Cyberattacks are a serious threat to New York’s critical
infrastructure, economy and our everyday lives,” said DiNapoli. “Data
breaches at companies and institutions that collect large amounts of
personal information expose New Yorkers to potential invasions of
privacy, identity theft and fraud. Also troubling is the rise in
ransomware attacks that can shut down systems we rely on for water,
power, health care and other necessities. Safeguarding our state from
cyberattacks requires sustained investment, coordination, and
vigilance.”
Relative to other states, New York had the third highest number of
ransomware attacks (135) and corporate data breaches (238) in 2022,
trailing only California and Texas for ransomware attacks and California
and Florida for corporate data breaches. New York also had the
fourth-highest number of cybercrime victims in the nation in 2022 with
losses skyrocketing 632% since 2016.
The two most attacked critical infrastructure sectors through
ransomware and data breaches in New York were Healthcare and Public
Health (9) and Financial Services (8). Commercial Facilities and
Government Facilities (7) tied for third.
Combatting the Threat
Securing critical infrastructure from cyberattacks will require
sustained investment, coordination and vigilance. In 2022, the Governor
appointed a state chief cyber officer to lead cross-agency efforts to
combat cyber threats and improve the state’s critical infrastructure
assets’ cybersecurity. The cyber chief leads a newly created Joint
Security Operations Center, a multi-agency cybersecurity coordination
hub linking New York state, New York City, local and regional
governments and critical infrastructure stakeholders and federal
partners for information sharing, cyber threat detection and incident
response. In August, the Governor released the first statewide
cybersecurity strategy, which will allow the state to access new federal
funding.
The federal Cyber Incident Reporting for Critical Infrastructure Act
of 2022, for which rules and regulations are being developed, will
require cybersecurity reporting for critical infrastructure sectors. The
creation of a centralized repository of data breach reports from across
the critical infrastructure sectors would also aid in identifying new
attack-vectors or exploits before they become widespread, and for
coordinated responses to emerging cyberthreats. Encompassing local
governments in this database would be important.
DiNapoli’s cybersecurity audits of state agencies and public
authorities have found several common technical weaknesses and risks
across its audits, such as entities’ misunderstanding of security risks,
unsupported applications, unknown data on systems, poor access controls
and a lack of monitoring of changes to systems, among others.
Recommendations are provided to each agency to enable them to begin
corrective actions immediately to strengthen their networks.
Cybersecurity Challenges Facing Local Governments and Schools
DiNapoli also released a report
on the cybersecurity challenges facing New York’s local governments and
school districts. In New York, cyberattacks have impacted local
governments and schools both large and small, including reported attacks
at counties including Albany, Chenango, Erie, Nassau, Schenectady,
Suffolk, and Schuyler; cities including New York, Albany, Buffalo,
Yonkers, Long Beach, and Olean; and towns including Brookhaven, Ulster,
Canandaigua, and Moreau.
In 2019, a ransomware attack on the Syracuse City School District
froze the district out of its own systems, crippling the website, email
system, phones, and back-end functions like payroll and student
management. Other attacks on local governments have had far reaching
impacts. The September 2022 ransomware attack on Suffolk County, the
ramifications of which the county is still dealing with, required the
county to disable important computer systems and move many of the
county’s functions back to pen and paper for months. It was a cautionary
example of the potential impacts of a cyberattack, and highlighted the
risk to state systems that linked local government systems could pose.
These and other recent events have demonstrated the serious risks
that illegal access to these systems can pose to critical local
government and school operations that rely heavily on technology.
DiNapoli’s report provides guidance and resources for local governments
and schools to help them manage the risks associated with cybersecurity.
Risks in Local Governments and School Districts
From 2019 through July 31, 2023, DiNapoli’s Local Government and
School Accountability division released more than 190 information
technology (IT) audits, finding more than 2,400 cybersecurity-related
issues. The audits focused on breakdowns or gaps in fundamental
cybersecurity components. The most common areas where improvement and
corrective action were needed included cybersecurity governance aspects
such as training in IT security awareness, policies and procedures, and
the need for contingency plans. Because these cybersecurity audits are
sensitive in nature, many findings and recommendations for corrective
action are communicated confidentially to local government and school
officials. Often the audit recommendations can be implemented at no or
low cost to local governments or school districts.
Reports
Cyberattacks on New York’s Critical Infrastructure: Staying Ahead of the Threat
New York Local Government and School Cybersecurity: A Cyber Profile