John Shegerian, co-founder of electronic waste recycling company ERI, recalled how the data breach of a major casino traced to a so-called "smart" fish tank.
“That’s about as non-traditional as it gets,” he said.
Data from so-called smart devices, from watches to refrigerators to cars — “which are basically now computers on wheels” — can trigger cybersecurity risks if mishandled, Shegerian said during the Preserving NY conference at the Museum of Jewish Heritage in Lower Manhattan on Wednesday, sponsored by City & State New York.
“It’s very, very serious what’s going on right now,” Shegerian said.
Such obscure threats complicate the difficulty cities, states, other municipal borrowers and even the federal government face in managing cyber risk.
The capital markets have also begun to weigh in.
“When it comes to cybersecurity, despite the availability [and use] of cyber insurance, cure, as opposed to prevention, should really no longer be an option,” Van Eck Securities Corp. said in a commentary.
“When it comes to a credit rating, those borrowers who continue to depend upon the former should be subject to even closer scrutiny. And those who are actually doing something about cybersecurity should be rewarded."
High-profile hacking of late has included the City of Baltimore and corporations ranging from credit reporting company Equifax to credit-card behemoth Capital One, the latter revealed days ago.
“We’re not dealing any more with the kid in the garage with the thick glasses working on a computer,” said Franco Cappa, cybersecurity adviser for the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications.
“[Capital One] was probably the latest iteration we heard of, but it’s one of many. There is a vast intermingling of relationships and dependence,” he said, citing the government, the private sector and third parties.
Homeland Security developed a list of national functions it deems critical. It lists 16 related sectors including transportation, finance energy and defense.
“Perhaps cataloging and assessing these vulnerabilities in domestic systems can be done in such a way as to influence, among other things, municipal borrowers to take meaningful action around cybersecurity,” Van Eck said.
The U.S. Department of Education cited third-party risk in its July 17 alert about a cyberattack campaign carried out through software widely used to manage university student accounts. The attacks affected more than 60 institutions.
According to the DOE, more than 600 fake student accounts emerged within 24 hours, with thousands created over several days and used immediately.
The vast amount of sensitive information available combined with outsourcing as a budgetary trend make academia a tempting target, according to Moody’s Investors Service.
“Increasing reliance on third-party vendors for critical services can expose universities to cyberattacks outside of their control, a credit negative for the sector,” said Moody’s, which called the college breach a cautionary tale overall.
Cyber vulnerabilities within New York vary.
Hospitals worry about the kind of power outages that struck Manhattan last month; some, notably Bellevue Hospital adjacent to the East River, have flooding concerns that date to Hurricane Sandy in 2012, when First Avenue was essentially a river.
Drones, hostile or incidental, worry the Port Authority of New York and New Jersey, one of the largest municipal issuers, at its three metropolitan airports.
“Cyber is infrastructure, no question about it,” said Roger Parrino, the Port Authority’s senior advisor for security and emergency management.
“Drones is the one issue that we just don’t have an answer for,” he said. “It could be just someone that has no ill will and is just recklessly flying a drone that could cause a problem for our air traffic, but we [also] know drones are being used by our enemies.”
Hackers could paralyze all Manhattan traffic by randomly stranding autonomous vehicles, according to a
Peter Yunker, a Georgia Tech assistant physics professor, and Jesse Silverberg of Multiscale Systems Inc. simulated what it would take to wreak havoc by randomly stranding these cars.
Randomly stalling 20% of cars during rush hour would mean total traffic freeze, the study said. “At 20%, the city has been broken up into small islands, where you may be able to inch around a few blocks, but no one would be able to move across town,” said David Yanni, a graduate research assistant in Yunker’s lab.
Hacking 10% of all cars at rush hour would debilitate traffic enough to prevent emergency vehicles from quickly cutting through traffic inching along citywide, according to the study. The same thing would happen with a 20% hack during intermediate daytime traffic.
Because the study focused on only static conditions, Yunker and Silverberg said, the problem could intensify with aggravating factors such as delivery trucks or police stops clogging streets.
Such a scenario could be worse in other cities, according to Yunker.
"Manhattan has a nice grid, and that makes traffic more efficient," he said. "Looking at cities without large grids like Atlanta, Boston, or Los Angeles, and we think hackers could do worse harm because a grid makes you more robust with redundancies to get to the same places down many different routes."
New York Power Authority, the country’s largest state-owned utility, is monitoring cyber's relation to new machinery.
“As we continue to build out automation and business-to-business machine capabilities, there are going to attacks that we haven’t even thought of yet,” said Kenneth Carnes, New York Power’s chief information security officer.
“Those are the things we’ve got to really get ahead of to understand how can we protect and secure those things as they get developed and built into our environment, or else we are always going to be chasing the possible gaps that are being introduced.”
New York State will receive $19 million and more than 8.5 million residents will be eligible for relief as part of a national settlement with Atlanta-based Equifax. The company must pay at least $575 million across the 50 states, including penalties and credit monitoring services.
“Cybersecurity across the board is the biggest single threat,” said Linda Lacewell, New York State’s financial services superintendent and a former federal prosecutor.
The Equifax and Capital One fiascoes “are very simple software problems that should have been caught,” Lacewell said. “It’s incumbent upon regulators to do everything that they can to hold these guys accountable for creating a system that works.”
Lacewell, a former chief of staff to Gov. Andrew Cuomo, is also a recent Cuomo appointee to the board of New York’s Metropolitan Transportation Authority. At a July board meeting, Lacewell suggested MTA board members hold an executive session on cybersecurity.
Budget strains challenge city’s public hospitals system more seriously than the private hospitals, said Anthony Notaroberta, senior director of systemwide security and hospital police for New York City Health + Hospitals, which runs 11 acute-care hospitals and many other facilities across the five boroughs.
Because H+H’s patient revenues do not cover expenses, the system has long been a strain on the city’s operating and capital budgets. The city also backstops its outstanding debt. According to Moody's, the city's roughly $78 billion of appropriation-backed debt as of June 30, 2018, includes $698 million issued through Health + Hospitals.
“Don’t forget, it’s a public hospital system. There is no money. This is not New York Presbyterian, this is not NYU. Our CEOs don’t make four, five, six million dollars a year,” Notaroberta said. “We rely on government funding. So as those pools of funds start to dry up due to the Affordable Care Act regulations, we really have to start balancing our needs.”
The city is also thin on cyber talent, said Liat Krawczyk, assistant vice president for emerging tech initiatives for the quasi-public New York City Economic Development Corp. There, she helps lead Cyber NYC, a $100 million public-private undertaking.
“We are seeing an immense shortage of cybersecurity talent,” she said, citing a projected 3-1/2 million positions worldwide — half in the U.S. — going unfilled by 2021. “Today alone, in the New York City metro area, we’re talking about 20,000 unfilled positions in cybersecurity, whether tech or tech-adjacent. So we really need to be able to fill that gap and at scale.”
Krawczyk said her organization is working with local universities such as New York University, Columbia, Cornell Tech and the City University of New York, to integrate industry-aligned degree programs.
Non-traditional options, she said, include continuing education and a 17-week boot camp.
“We’re really looking at a really comprehensive lens in terms of the training.”