Security

Q+A: New York Chief Cyber Officer Colin Ahern Tackles Whole-of-State Security

After more than a year on the job, Ahern identifies a convergence of threats that call for a unified response.

Mickey McCarter is the senior editor of StateTech Magazine.

In June 2022, New York Gov. Kathy Hochul appointed Colin Ahern as the first chief cyber officer for the state. Previously, the governor established the state’s first Joint Security Operations Center and based it in Brooklyn.

As chief cyber officer, Ahern manages cybersecurity threat assessment, mitigation and response for the state and across the interagency government enterprise.

The JSOC is a highly visible tool in his cybersecurity portfolio. It links New York state and New York City resources and provides insights into threats to county and local government units as well as relationships with critical infrastructure operators and federal agencies. The JSOC complements other state cybersecurity programs that together aim to improve the cybersecurity and cyber resilience of New York State infrastructure, institutions and businesses.

StateTech Managing Editor Mickey McCarter spoke with Ahern about his responsibilities and the benefits of the JSOC and the whole-of-state approach.

STATETECH: You hold the title of chief cyber officer for the state of New York. How is that different from a CISO?

Ahern: My responsibilities are multifold and highly collaborative across agencies. I assist the governor in ensuring the cybersecurity and cyber resilience of state networks. I oversee all cyberthreat assessments to help ensure the security and reliability of the systems that citizens, residents and visitors depend on to receive services from the state government. And I work closely with all of the state’s IT and security executives, especially the Office of Information Technology Services. ITS is an extremely capable partner and plays a huge role in the security and resilience of state technology systems.

We also work closely with the New York Division of Military and Naval Affairs as well as the New York State Police and the New York State Intelligence Center to ensure that our collective work contributes to a sum greater than our parts.

The state also has a great partner in our Division of Homeland Security and Emergency Services, which is led by Commissioner Jackie Bray, with whom I work very closely. DHSES includes the Office of Emergency Management, which coordinates response for all major incidents, including cyber incidents around the state. DHSES also is home to the state’s Cyber Incident Response Team, which provides support to government entities and critical infrastructure around the state.

So, we work with our federal, state and regional partners to coordinate cybersecurity assessment and response. For context, there is a significant element of increasing geopolitical risk. New York state holds a unique place in the defense-industrial base, with the Watervliet Arsenal outside of Troy, the Lockheed Martin facility in Liverpool and other places that are enormously relevant from not just a cyber perspective but also a larger national security perspective.

Click the banner below to gain cybersecurity insights as an Insider.

STATETECH: It seems smart to think of New York cybersecurity holistically in terms of geopolitical risk and advanced persistent threats. Are APTs at the top of your list of potential threats?

Ahern: The overall theme of cyberthreats recently is convergence. Historically, we had three distinct groups of threats with three distinct groups of targets.

We had individually motivated, ideologically motivated, politically motivated and racially motivated “hacktivists,” who were either individuals or small groups that were loosely affiliated and relatively unsophisticated. One step up, historically, we had cybercriminals: Think ransomware operations, digital smash-and-grabs and distributed denial-of-service attacks, all for financial gain. And then, the most sophisticated were from nation-states; those are sometimes referred to as advanced persistent threats. APTs are particularly troublesome for a couple of reasons.

One is that they are seeking strategic access. This means that they look for any opportunity to get a foothold onto a target, and then sit there as quietly as possible for as long as possible. In doing this, they “hold a target at risk”: While they don’t have a specific operation right now, they’re seeking to gain access, sit on it and, at a time of their choosing, perform a theft or an attack. This obviously makes them, in some ways, more dangerous and more pernicious. They’re low and slow.

There also are nation-states that have specific, operational objectives that they will spend significant resources to achieve: people, money, time, and zero-day or previously unknown exploits. For example, in the run-up to the Ukraine war, the Russian government temporarily disabled a satellite system called Viasat and significantly degraded Ukrainian military command-and-control networks. Now, in their recovery, Ukrainians have shown the world what cyber resilience really looks like. In many ways, I think we will be studying what the Ukrainians and their allies and partners have accomplished from a cyber perspective for years to come.

Today, you’re really seeing a convergence. Looking at targets, you’re seeing these roughly differentiated groups’ targets are becoming enmeshed; you’re seeing their capabilities spreading across and into an increasingly sophisticated, interconnected ecosystem. Criminals can buy sophisticated hacking tools from the dark web that are the kind previously used only by nation-states. Some nation-states, such as North Korea, now operate like criminal groups. I would say that there are still three distinct kinds of threats. But we’re seeing the convergence of these threats, targets and capabilities, all making cyber more challenging, along with the overall geopolitical factors.

The overall theme of threats recently is convergence.

Colin Ahern New York Chief Cyber Officer

STATETECH: Whole-of-state cybersecurity is a popular concept right now, and officials are looking for ways that state and local agencies can work together. In New York, you have the Joint Security Operations Center, which the governor established in 2022. Can you share some early lessons learned or best practices that we can draw from the JSOC, or perhaps things other states could follow?

Ahern: The JSOC is one part of our whole-of-state approach that aims to present a unified set of resources and tools to different stakeholders. Under the governor’s leadership, we have listened to our counties and local governments. We are establishing shared services around their needs. For example, for the endpoint detection and response shared service that we announced last July, the state handles the contracting and payments and partners with the counties to deploy the tool and monitor it 24/7/365. We have state civil servants at the Joint Security Operations Center to assist the counties in triage and incident response as part of the program.

County and local governments are target-rich, but they may not have the level of defense capabilities that they need. Because of this convergence phenomenon in the past two or three years, county and local governments are increasingly the targets of increasingly sophisticated adversaries. This is exacerbated by how technology has truly have been transformed by the pandemic, the remote work phenomenon and by the digitalization of government.

The state offers a suite of services to county and local governments via DHSES and the New York State Intelligence Center. For example, Homeland Security offers tabletop exercises, phishing simulations and threat assessments. The NYSIC has a phenomenal information-sharing program, among other capabilities.

Shared services are the future because an appropriate response to convergence is unification. The whole-of-state strategy really is the logical response to the convergence of cyberthreats.

Photography by Harry Zernike