ALBANY — In her state-of-the-state address, Gov. Kathy Hochul made some proposals that she said will strengthen New York’s approach to cybersecurity, but one local expert says that will likely take some time to come to fruition.

To get a better understanding of the state of cybersecurity in New York State, the Daily Sentinel recently interviewed Utica University Director of Graduate Cybersecurity programs Andrew Carr, who also works as an assistant professor of cybersecurity at the school.

“Unfortunately, cybersecurity threats are always on the rise,” Carr said.

“As technology is more heavily integrated into all aspects of our lives, businesses, and economy, the propensity for cyber attacks increases. The methods and targets for cyber attacks evolve and change from year-to-year, but all indications point to significant increases in the coming years.”

Manpower and education

In early 2022, Hochul oversaw the launch of the first New York State Joint Security Operations Center (JSOC) in Brooklyn, to help county and local governments assess and remedy gaps in their cyber defenses, in cooperation with state and federal efforts. This was part of a $61.9 million investment in cybersecurity in her 2023 budget, to which she announced an additional $35.2 million in new funding at her state of the state address in early January.

Carr said that while this money is “significant,” there still comes a cost in time and manpower.

“While New York State is certainly committed to cybersecurity and has been for a long time, the newer additions will take time to make a tangible impact,” Carr stated, noting that the governor’s announcements did not mention any sort of collaboration with the private sector.

“Organizations like the JSOC will also struggle to attract and retain highly-skilled and sought-after cybersecurity professionals due to the enticing salaries of private sector opportunities. This isn’t unique to New York State as it is an issue for all public sector organizations seeking employees in cyber roles.”

Carr said the number of schools and colleges offering cybersecurity classes has increased “significantly” in the last five years. Utica University launched their program in 2006 — “well ahead of the curve,” he noted. The university’s bachelors program was ranked 7th in the nation by Online Schools Guide, and their master’s program in cybersecurity was ranked 13th in the nation by Fortune’s Best Online Master’s in Cybersecurity Degrees, and 6th in Fortune’s affordable cybersecurity online master’s programs.

Utica University underwent a “complete curriculum overhaul” last year that adjusted course offerings, created new courses and doubled down on practical learning, Carr stated.

“While other institutions are getting their feet wet in the field of cybersecurity education, Utica continues to innovate and lead from the front,” Carr said.

Industrial control systems

The governor announced that the state Division of Homeland Security and Emergency Services will establish a first-ever in specialized industrial control system assessment team to help protect critical infrastructure and manufacturing systems. This team would work alongside the agency’s physical security and cybersecurity assessment programs to “improve the overall security posture” of energy, transportation, manufacturing and other critical infrastructure systems.

According to Carr, industrial control systems are those that monitor and control infrastructure like gas and oil pipelines, the electrical grid, water treatment plants and the like.

“These systems have historically been neglected in regard to cybersecurity, but awareness of the risks associated with attacks on them has increased in recent years,” Carr stated.

“This will likely involve physical security assessments, cybersecurity assessments, incident response and resiliency plans and more. The assessment team will help these organizations and facilities understand the risks they face and how to efficiently and effectively address them.”

Cyber-attacks

In her address, the governor noted that ransomware attacks rose 13% nationwide in 2021, with more than 3,600 state, local and tribal governments across the country coming under attack since 2017. Ransomware is when hackers hold data and computer systems hostage until a demanded ransom is paid.

Carr said 2020 and 2021 saw “explosive growth” in hackers using ransomware, and that’s just the reported numbers. Carr said a report from the Committee on Homeland Security & Government Affairs that came out earlier this year said that reporting on ransomware attacks is “inconsistent” and possibly even “incredibly low” compared to actual occurrences.

“There is conflicting data on the number of ransomware attacks that occurred in 2022, but my former colleagues within the incident response field indicated a significant drop off in ransomware activity after the start of the Russia/Ukraine war,” Carr noted.

Despite that drop, he said he sees no signs that ransomware and other cyber-attacks will ever go away.

“Threats like ransomware were unknown to most people five years ago, and there will likely be something new we are talking about next year. Threats like data breaches, identity theft, network intrusions, and fraud aren’t going away anytime soon,” Carr said.

“The ways in which cyber criminals carry out these crimes changes seemingly every day. Educational institutions like Utica University can’t predict the future of cybersecurity, but we will stand ready to continually innovate and educate the next generation of cybersecurity professionals.”