In particular, the strategy aims to clarify the roles and responsibilities of different agencies and explain how various initiatives do or will fit into an overarching approach, the state said in its announcement. Measures include those intended to expand cybersecurity talent pipelines, provide cyber support to local governments, enforce cyber regulations on critical infrastructure, and advise residents and businesses about best practices for reducing their risks. As New York considers both current and emerging threats, three key principles will guide its approach: unification, resilience and preparedness.
The state chief cyber officer will oversee putting the strategy into action.
The strategy will be fueled in part by targeted funding. That includes $500 million for improving health-care IT, including cybersecurity infrastructure, as well as $7.4 million to expand three state police units focused on cyber analysis, cyber crimes and Internet crimes against children. The governor had previously announced $90 million for cybersecurity, of which a third is aimed at supporting local government defenses via shared services.
The state itself is looking to expand the New York Security Operations Center, including through new facilities and staffing, per the strategy. It also will update its networks to allow for adopting more zero-trust practices and will prepare for encryption-cracking quantum computing. Various efforts aim to make it easier for IT talent to work for the state, including opening offices in more parts of the state and enabling agencies to conduct key parts of recruitment on a regular or ongoing basis.
To further bolster talent pipelines, the state intends to expand training programs like its Pathways in Technology offering for high school students and will partner on developing cybersecurity curriculum materials for higher ed and K-12. It also aims to see several State University of New York (SUNY) institutions become “hubs for high-technology research and centers for federal research funding.” To achieve this, the state aims to grow partnerships and build labs.
Local governments can struggle to afford and adopt a full slate of cyber tools and capabilities, and New York has been providing them with free endpoint detection and response (EDR) shared services. Now it hopes to expand access to the EDR service and offer additional cybersecurity tools.
The past few years have seen New York pass more requirements and regulations around securing critical infrastructure. In 2017, its financial services regulator added a cybersecurity requirement for banks, insurance companies, virtual currency companies and other financial service providers under its purview. Following that came a 2022 law requiring energy distribution utilities to address the risk of cyber attacks as part of their annual emergency response plans.
The state also said it will reach out to companies in fields like biotech and aerospace to alert them about cyber espionage risks and ways to detect and respond.
Cybersecurity is a whole-of-society affair, and the state also is continuing efforts to raise awareness among the public about good cyber hygiene practices and ways to stay safe online. That includes steps like updating software and operating systems regularly, being cautious about clicking on suspicious links, and adopting multifactor authentication (MFA).