New York now has its own cybersecurity strategy

Governor Kathy Hochul unveils New York’s first-ever state-level cybersecurity strategy, aiming to strengthen the state’s resilience against modern-day cyber threats.

Last week, Governor Kathy Hochul introduced New York’s first-ever statewide cybersecurity strategy, backed by a $600m commitment, and aimed at heightening New York’s resilience against contemporary cyber threats.

The plan includes allocating $90m to centralize cybersecurity, with $30m designated for shared services strengthening local governments’ cybersecurity. An additional $500m will be invested in healthcare information technology cybersecurity infrastructure, and $7.4m will expand New York State Police’s cyber units.

The governor also signed legislation to boost New York’s technology talent pool, providing necessary funding for employers to acquire and retain cybersecurity professionals.

New York State’s Chief Cyber Officer will oversee the implementation of the strategy, a position created by Hochul in 2022.

“Our interconnected world demands an interconnected defense leveraging every resource available,” Governor Hochul said in a video of the launch announcement. “This strategy sets forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

Strategy principles

The strategy document notes that the FBI has estimated that more than 25,000 New Yorkers were the victims of cybercrimes totaling $777m in losses in 2022, making New York third in the nation in total victim losses by state.

It seeks to build critical resources that will help deter cyber-attacks, neutralize potential threats effectively, and shield critical infrastructure, data, networks and technology systems from malicious attacks.

The strategy sets forth an approach to cybersecurity and resilience based on the principles of unification, resilience, and preparedness.

Unification means working to increase access to cybersecurity information, tools, and services so the state’s most sophisticated defenses are available to even the state’s least-resourced entities.

Resilience is defined as moving to expand the scope of cybersecurity regulations, requirements, and recommendations so New York’s critical infrastructure is better protected.

And preparedness means providing advice and guidance to ensure New Yorkers are empowered to take charge of their own cybersecurity.

The strategy outlines a variety of responsibilities for state-level agencies (including the state’s police department and state military), county and city agencies, critical infrastructure owners, and educational institutions.

It also mentions New York-based private businesses, saying these entities “can expect the state to share information with them to disrupt malicious cyber actors, regulate them to ensure the privacy of New Yorkers, and provide advice and guidance about cybersecurity and resilience best practices”.

Praise for the strategy

Governor Hochul’s plan has already gained broad support, including from acting national cyber director, Kemba Walden, who likened the strategy to the federal cybersecurity strategy’s core principles.

Walden said: “The New York strategy similarly articulates a fundamentally affirmative vision for cyberspace – that is, it is not simply reactive to threat actor behavior – and advances policy in areas such as public-private operational collaboration, regulation of critical infrastructure, cyber education and workforce development and IT modernization.”

Maria Vullo, CEO and founder of Vullo Advisory Services PLLC and a former superintendent of the New York Department of Financial Services (NYDFS), said she thinks Governor Hochul’s statewide cybersecurity strategy “is a well-considered next step in New York’s leadership on cybersecurity preparedness and resilience. 

“The Governor’s unified strategic plan recognizes NYDFS’s leadership with our issuance of a nation-leading cybersecurity regulation for NYDFS-regulated entities in 2017, which as written is fully adaptable to all industries as well as governments. I was pleased to lead this effort as NYDFS Superintendent and to Chair New York State’s Cybersecurity Board, and look forward to New York’s continued leadership on combatting this continuing threat,” Vullo said.

William Hugh Murray, a retired information security officer who has worked at IBM and Verizon (among other firms), noted the drafting of the strategy was done at the NYDFS. But, he said, “in her presentation, the Governor demonstrated a remarkable grasp of the issues confronting the state and the nation, ownership of the strategy, and a commitment to it”.

Noting that this list of stakeholders is helpfully broad, Lee Neely, a Senior Cyber Analyst at Lawrence Livermore National Laboratory, said New York’s new strategy could be a model for others to follow.