New York Governor Proposes New Cyber Security Measures

Following the Intelligence Community report blaming Russia for both the Democratic National Committee hack in 2016, and for attempting to influence the presidential election in favor of Republican Donald Trump, the Democrat Governor of New York has now introduced new cyber security proposals to his January State of the State address.

Andrew Cuomo has a troubled relationship with the state Legislature, and this is likely to continue. Rather than deliver his address directly to the Legislature as is custom, this year the governor is taking to the road to speak more directly to the people in a series of shorter addresses. 

This is seen as an attempt to bypass his Legislature problems and concentrate on popular proposals that the lawmakers will have difficulty in defeating. He is yet to put forward the associated budget proposal, and has until January 17th to do so. At that point he will need to bring the lawmakers on side; but it will be difficult for publicly elected officials to reject improved cyber security proposals in the current climate.

Cuomo’s new proposals focus on two areas: improved incident response, and increased deterrence through more severe legal punishments. “Our laws must keep pace in order to combat these increasingly sophisticated criminal acts,” Cuomo said in a statement. The proposals come partly from the state’s Cyber Security Advisory Board established by the governor in 2013.

A new cyber incident response team (CIRT) is to be established. It will be assembled from computer experts in the state Division of Homeland Security and Emergency Services, the National Guard, the state Office of Information Technology Services and other agencies. Its purpose will be to help state agencies, local government authorities, critical infrastructure and schools who suffer cyber-attacks or system breaches.

The team will provide advice on how organizations can better protect their information technology assets, critical operating systems and data from cyber-attacks, malware and ransomware. It will also provide a hotline for reporting incidents.

The deterrent effect will come from increased and graduated punishments for cybercrimes, with harsher punishments for more serious or damaging crimes. Theft of multiple identities, for example, could range from an A-level misdemeanor to a D-level felony; and there is a proposed new B-level felony for those causing more than $1 million in damages.

“We couldn’t have a better template of time than right now for seeing how cybersecurity is so important when we can’t even safeguard the security of our presidential elections,” commented Joseph Lentol, a Brooklyn Democrat, in an interview January 6th. “It is obvious that we are living behind the times and we have to take measures to stop cyberthieves from interfering in our lives and in our computers and in our institutions.”

It should be remembered, however, that State of the State addresses are primarily a vehicle for publicizing a political wish list for the governor — it is, in fact, a political tool in itself. Many proposals don’t come to fruition, either through lack of time, loss of will, or lack of budget. The budget comes from the lawmakers; and these cyber security proposals will require a budget. For them to go ahead, the troubled relationship between governor and Legislature will need to be repaired, if only temporarily.

In December 2016, the New York State Department of Financial Services (DFS) published proposals for a new cyber security regulation for New York financial services. This is due to come into effect on March 1, 2017.