Lessons learned on building cyber resilience

This article was written by Megan Stifel, Global Policy Officer at Global Cyber Alliance, and Geoff Brown, head of the NYC cyber command.

Earlier this week, the White House convened leaders of businesses representing technology, energy, finance, insurance and education to discuss cybersecurity. Amidst a raging pandemic, massive forest fires, and a host of other critical issues, this meeting demonstrates cybersecurity is not just a U.S. government priority, but also a priority for business leaders. A recent study indicates that the cost of phishing attacks has nearly quadrupled over the past six years with large companies now losing about $14.8 million annually, or $1,500 per employee, due to cyber incidents.

Though several of the attending companies announced investments and commitments to cybersecurity, attendance at one meeting isn’t going to have an effect on our nation’s cybersecurity. The businesses have agreed to reconvene in a month and identify a course of action, but a long-term commitment is needed. Both the public and private sectors will need to play a role going forward. We elect our public sector officials to lead; we expect our private sector partners to innovate. Both will have to commit to candid — even uncomfortable — dialogues with each other and the public, which sees cybersecurity as interesting but not nearly as important as it is for our digitally dependent lives. To improve our national approach to cybersecurity, it is helpful to look at what’s worked in New York City.

Six years ago, senior law enforcement officials in New York City and London recognized that prosecutions weren’t going to stem the tide of cybercrime. The District Attorney of New York County, together with the Center for Internet Security and the City of London Police, formed the Global Cyber Alliance to reduce cyber risk and help organizations become more secure.

We’ve learned a lot since then and believe these five steps, which include both organizational and technical actions, can meaningfully help our nation improve its cybersecurity.

Formalize and assign responsibilities

In 2017, NYC Cyber Command was launched to serve as a central authority to respond proactively to threats. While a relatively new agency, Cyber Command has developed a unified and coordinated approach to protection and response across 100+ agencies of varying sizes and defined cyber defense capabilities they are responsible for. Our federal leaders also need to delineate responsibilities, authorities, and expectations when it comes to securing both public and private sector digital infrastructure.

Develop simple tools that challenge preconceived notions

Once cyber protection efforts are assigned, our nation needs to develop and deploy easy-to-understand tools and resources to support cyber protection efforts. We applaud the Biden administration’s efforts to accelerate and amplify the work of organizations like NIST, but recognize there is much farther for us to go.

We need to stimulate a national conversation that can challenge preconceived notions, such as privacy and security being enemies rather than two sides of the same coin. We have proved that in NYC. Not long after the development of the NYC Cyber Command, Mayor Bill de Blasio launched NYC Secure, an application that provides corporate-grade cybersecurity protection to New Yorkers on their mobile devices and tablets, including phishing protection and other features to protect against spying. It puts the privacy of residents and businesses first: no data leaves the device.

Secure email

By now most people know they should be careful opening email attachments. But there are mechanisms organizations can use to reduce the number of so-called “phishing” emails at the onset. This would reduce the need for employees to make the right choice and not open the suspicious message or click the link. The Global Cyber Alliance offers free resources to help organizations use these protections, which studies have shown to prevent millions in losses.

New York City Cyber Command deployed these security tools across critical agencies and services supporting the ongoing pandemic, including NYC Health and Hospitals, the city’s COVID-19 test-and-trace portal, and the Department of Health and Mental Hygiene. As municipal services shifted online during the pandemic, and COVID-19 criminal scams proliferated globally, this effort ensured New Yorkers’ trust in critical city services.

Protect connections

Many workers spend a good part of their day online and employers need to provide protections to ensure employees stay safe while browsing the internet. Deploying an automated capability to block access to malicious sites – a so-called “protective DNS service” — is straightforward and is available to organizations of any size. Like enhanced email security, using this technology can also save millions in losses avoided. A range of such tools exists, several of which are free.

New York City deployed this capability on thousands of public Wi-Fi hotspots across New York City, keeping residents and visitors from connecting to sites that are only on the internet to deliver malware or steal personal data. This technology is also deployed in a manner that puts the values of the city first, adhering to the highest standards of user privacy.

Operational partnerships can help keep us safer

The large-scale ransomware attacks of recent months have reminded us of the importance of organizations and municipalities working more closely together to better protect themselves and each other. Combining internal organizational security efforts and sharing knowledge with essential partners can help keep us all safer.

This summer, New York City Cyber Command and the Global Cyber Alliance, along with the District Attorney for New York County and the NY Police Department, took a significant new step in the Cyber Critical Services and Infrastructure Project, which increases cross-sector communication at the local level, as well as helps coordination of resources in the event of an attack.

Earlier this month, the federal Cybersecurity and Infrastructure Security Agency (CISA), together with a number of tech companies, launched the Joint Cyber Defense Collaborative to similarly improve cyber defense planning and information sharing between public and private sectors. Efforts such as these are critical to bridge the gap between the digital dependencies of our modern lives and the vulnerabilities that can come with them.

We are happy to see that both Congress and the Administration are joining the fray; after all, the first step is to recognize that we — public and private sector — must be more actively collaborative in focusing our efforts. Attendance at this week’s meeting, and the ensuing initiatives announced, are a good start. But more of the private sector must step up, and define outcomes based on results for not just the critical function or large enterprise, but equally for the principles and people we aim to defend, whether it is our constituents or our clients.

And we must be resilient; if this were the Olympics, we’d be facing a triathlon, not a sprint.

Megan Stifel serves as the Global Policy Officer and Capacity and Resilience Director at the Global Cyber Alliance and previously served on the National Security Council at the White House. Geoff Brown heads the NYC Cyber Command.