IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.
Special
What does this mean?

NYC Cyber Command: Embracing Our ‘Zero Trust’ Reality

As it works across more than 100 offices and agencies to prevent, detect, respond and recover from cyberthreats, the New York City Cyber Command wants help building a zero trust digital infrastructure.

Digital NYC
Shutterstock
As the centralized organization which leads the city's cyberdefense efforts, New York City Cyber Command works across more than 100 agencies and offices to prevent, detect, respond and recover from cyberthreats. New York City Cyber Command intends to help make our city the most resilient in the world, which requires collaborating with the best minds in cybersecurity and technology about how to build this reality.

Security and resilience are inexorably linked; a service is not secure if it is not resilient, and it is not resilient if it is not secure. That is why we spent significant time building a resilient cloud-based infrastructure for our threat response team based on “zero-trust” principles. In “zero trust,” access and authorization is limited and temporary: Users and the systems they work on must be continually verified.

This approach meant when the pandemic took hold in New York City and the decision came to rapidly shift to remote work, NYC Cyber Command employees could work from anywhere on their laptops while maintaining a highly secure and resilient environment. We made this shift in a single day without configuration changes or any impact to our ability to respond to cyberthreats against the city. It also meant we could focus on our mission: supporting our colleagues and partners throughout city government that deliver critical services.

A zero-trust approach reflects the new normal. The reality is — whether remote or in person — two-thirds or more of cyberattacks now are focused on impersonating trusted users and systems to access vital data or critical systems, according to the 2020 Verizon Data Breach Investigations Report.

That is why New York City Cyber Command is aiming to build a zero-trust environment across the entirety of our municipal government’s digital infrastructure: not because it is a neat idea, but because it is necessary.

The theory behind zero trust is old enough to hold a high school diploma. However, I would suggest the time to pay attention, to steal a phrase from a great book, arrived “Gradually and then suddenly.”

As the pandemic took hold in April, the FBI reported its Cyber Division was receiving as many as 4,000 complaints per day about cyberattacks, a 400 percent increase from pre-pandemic figures. In September, CrowdStrike said it had seen more intrusion attempts during the first half of 2020 than in all of 2019. In October, we saw a series of ransomware attacks on hospital systems. And then in December, there were the organizations that found out a foreign entity may have had access to their network

Whether it is a criminal enterprise, con artist or a rival nation, there are those who will use a crisis as an opportunity. The global scope of COVID-19, with the rapid increase in online services, and the rapidly changing work environment all create new vectors for cyberattacks. 

The massive increase in remote work has exacerbated underlying, systemic Internet security problems. Many of these issues were perceived as manageable by creating a tightly guarded “perimeter” around a network. As companies realize remote work and cloud services are here to stay, traditional defensive strategies have gone from flawed to broken.
 
Governments are, in many ways, “different.” Political and technical complexity are closely linked: Technical debt and legacy systems are the norm, as are critical systems that contain a lot of sensitive information, managed by various agencies and authorities with support from myriad vendors.

That’s why we can’t build it alone. We are seeking input on how a zero-trust architecture can be implemented in a manner that is tailored to the city’s unique infrastructure.

New York City wants ideas for how zero trust can work in complex environments. We need to know what kind of approaches make sense from a wide variety of voices. That includes advice on how to sequence, stage and implement our vision — and what barriers we might encounter and how we might overcome them. With support, we will identify a path that is manageable, cost effective and handles complexity at the scale of New York City. 

The traditional “castle and moat” approach will not create or sustain our future cyber-resiliency. Governments and industry now need to have a frank conversation about how zero-trust architecture solutions can play a role in that future.

To realize a new vision for cybersecurity and cyber-resilience, our partners in the information technology vendor community need to rethink the current script to help get us where we need to go. This new zero-trust reality will not exist without the development of broadly accepted standards so an ecosystem can develop that benefits the end users, avoids vendor lock-in and ensures competition in the space.

New York City Cyber Command wants to be at the vanguard of this effort. We hope you will join us.

Colin Ahern is the deputy chief information security officer for the city of New York and oversees security sciences for the NYC Cyber Command.