Colin Ahern

New York's cyber chief on keeping cities and states safe from cyberattacks

Three years ago, Colin Ahern became New York state’s first ever chief cyber officer — a role he took on after serving as first deputy director of New York City Cyber Command and acting CISO for the city.

As cyber threats targeting government agencies surged during the COVID-19 pandemic, he took steps to move state systems to the cloud and tighten security measures.

Ahern got his start in cyber as a U.S. Army officer and left the Army as a company commander at the U.S. Army Cyber Brigade, where he oversaw the creation of a specialized cyberspace operations organization. He eventually returned to government after working in financial services and as a professor at Columbia University.

Ahern sat down with Recorded Future News earlier this year to discuss New York’s efforts to protect local governments from ransomware and more.

The following interview has been edited for length and clarity.

Recorded Future News: How did you get your start in cyber?

Colin Ahern: I actually enlisted in the Army Reserves when I was 17, right after 9/11. I was fortunate to get an ROTC scholarship to Tulane University. I graduated after four years, and I was an active duty Army officer. I served as an intelligence officer overseas. Did a couple of tours to Afghanistan. 

My second tour, I got more involved in Signals Intelligence. After some additional training at Fort Meade, I was asked to make a transition into the new organization that was being set up called U.S. Cyber Command. So I stood up one of the Army's first cyber mission teams with a bunch of other really amazing professionals. 

I commanded one of the cyber mission teams. After that, I got out of the army, I got my MBA, I moved back to New York. I wasn't really sure what I was gonna do, but I decided I would stick with cyber, so I worked in cybersecurity in financial services for a little bit. 

After that, I was asked by [former New York City] Mayor Bill de Blasio, First Deputy Mayor Tony Shorris and the first Director of New York City Cyber Command Geoff Brown, to help stand up New York City Cyber Command. When the new administration came in, Mayor [Eric] Adams, I officially transitioned but then decided it was kind of time for me to leave the city service. 

I actually wasn't sure what I was gonna do, so I did some teaching. I taught at Columbia [University]. I did some writing and teaching while figuring out what to do. Then the governor called, and said ‘do you want to be the first chief cyber officer of New York State?’ And obviously you say yes to that. 

That was about two and a half years ago. It’s been a wild ride but the support that the governor has given us, the priority that she's really put on this to level up cyber has been obviously a big challenge, but I’m proud of the important successes and opportunities up to this point.

RFN: You’ve watched cybersecurity evolve from a niche issue to an important tranche of national security. What has it been like watching the field change?

CA: It used to be, 10 years ago, 15 years ago, when I was getting started in this field, there were a small number of threat actors going after a relatively small number of targets with very sophisticated, persistent, strategic engagement. 

Starting in ‘07 and ‘08 and then accelerating since 2010 and kind of really supercharged in the last five years, you've seen this convergence where no longer are there just one set of groups with these bespoke tools, zero-day attacks, malware which can evade detection, command and control. 

That used to be things that only guys and gals in the Beltway cared about. Unfortunately, now the convergence we've seen in cybercriminals and their capabilities, some of the Russians, the Chinese, the Iranians in particular, their use of cybercriminals and the proliferation of cyber tools across the industry — you can find advanced cyber tools on GitHub. 

Some of the malware, the ransomware, kind of criminal system and criminal economy. You have large, sophisticated organizations that have malware developers. They have people that specialize in breaches. They have information brokers which sell credentials, SIM swapping, the COM, just a wide array of actors that are pursuing not just purely strategic intelligence, but ideological aims as well. 

It really means that the threat is present everywhere. The importance of technology and how governments deliver services and how people experience commerce has changed. But also you can’t underestimate cryptocurrency and ransomware, which really offer a profound economic incentive for the bad guys to continue to improve and evolve their game.

RFN: Over the last five years several major U.S. cities — Dallas, Oakland, Baltimore and others — have dealt with large-scale ransomware attacks that caused significant impact on everyday people’s lives. How has New York City been able to avoid that?

CA: I think it's about a couple of things. Number one is, Mayor Adams and Governor Hochul have a close partnership on a number of public safety topics. Cybersecurity is no different. 

I think the frame that your readers and listeners should take is, you know, this is like other security and intelligence and counterterrorism topics, where we don't believe that any one event is inevitable to occur. We do understand, however, that there are thinking, breathing adversaries on the other side of the world, on the other side of that keyboard, that want to threaten the American way of life. 

They want to steal our citizens' information. They want to place our services at risk so that at a time and place of their choosing they can degrade, destroy, disrupt them. But that doesn't mean we sit on our hands. That means that in cybersecurity, we can either work together and succeed, or we can work by ourselves and fail, right? 

And so I think that we're not saying that something bad couldn't happen, but we understand that New York's always been a target. I enlisted after 9/11. I think we all understand that cyber is a topic that is being used to create this sense of fear, to hold targets at risk. So we work very, very hard every day to make sure that doesn't happen. And really that's a lot about doing the basics. Patching things, multi-factor authentication, collecting logs, analyzing them. But the adversaries get better every day, so we work very hard.

RFN: What lessons have you learned since the ransomware attack on Suffolk County? 

CA: We have one of the country's leading cyber analysis units within the New York State Police. In fiscal year 2022-23, the governor doubled the size of the New York State Police Cyber Analysis Unit, Computer Crimes Unit and Internet Crimes Against Children's Center.

But it's just about getting back to basics. So understanding that the technology gets better every day, we need to stay abreast of it, but the basics — know your systems, patch your systems, have a plan — are perennially relevant. 

We continue to work with our state and local partners to expand the kind of shared services we're providing. The governor's directive has always been, it needs to be something that the government must do. It needs to be essential, and it needs to be something that the state government is uniquely positioned to provide a value for. 

So last year, the governor announced an additional shared service called attack surface management. We're in the process of rolling out over the next year or two — in addition to our endpoint detection and response shared service — attack surface management, so providing the counties at no cost an enterprise-grade attack surface management platform which will complement our endpoint [detection service] insofar as that, we'll have now a view of what is exploitable within the networks that are owned and controlled and managed that provide those services so we can assist local governments in triaging important findings, health checks, addressing issues before they occur. So we'll have both an endpoint view and an attacker's eye view of these government services. 

And so we think that that'll continue to evolve the security posture of New York State in a way that first and foremost provides the public good, which is, if a government service is not secure, it can't be considered reliable. And if it's not reliable, it can't be considered secure. So that's certainly one part of the user experience, modernization, resilience question and so we continue to emphasize those topics. 

RFN: If there is a cyberattack or a cyber-related issue, do companies call your office for assistance?

CA: We do work principally through a couple of avenues. One is the Division of Homeland Security and Emergency Services, which has a critical infrastructure protection unit. The majority of critical infrastructure is managed by private entities. Our primary focus is on county and local governments, but additionally other critical infrastructure partners do work very closely with the Division of Homeland Security and Emergency Services. I would also add that the New York State Intelligence Center, our federally chartered multi-agency fusion center, does work very, very closely with the private sector because they have a statewide mission to advance counterterrorism and other topics across the state. And you can't do that except by working very, very closely with the private sector. 

I would say additionally that the state is a regulator. The Department of Financial Services (DFS) in 2017 had one of the first prescriptive cybersecurity regulations, which covered not just state-chartered banks, but also insurance companies and other financial institutions. 

In 2022 DFS Superintendent [Adrienne] Harris updated those regulations for the first time since 2017 and the governor wants regulations that are as light a touch as possible, but no lighter. So simplifying the regulations and making the mandates more clear, concise, and tiering organizations by size and impact of the market, those are kind of some of the innovations that DFS has worked very hard on in 2022 and 2023. 

Additionally, the governor in December of 2022 signed first in the nation legislation to enable the Public Service Commission to prescriptively regulate cybersecurity for energy distribution. So we're one of the only public service commissions which places a cyberattack at the same level of regulatory import as a winter storm. We understand that energy distribution is distribution, not generation or transmission, which are regulated by the federal government, by NERC and FERC and other things. Distribution is regulated by the states. 

So this distribution, you see things like attacks against the energy infrastructure in Ukraine in 2014 and 2016, those are things that obviously concern us very significantly. We work very closely with our federal government partners to mitigate them. But again, we're not sitting on our hands. The governor signed legislation, and rulemaking followed a few months later, which says: if you're an energy distributor, you need to have an incident response plan that we regulate with the same degree of seriousness that we regulate your winter storm response plan. 

Because we understand that, though it unfortunately hasn't happened in this country yet, that doesn't mean it can't, and that doesn't mean it won't. So first and foremost, making sure that those energy distributors have plans. That's one thing we're undertaking. 

A second thing I would mention is the Department of Health just maybe a month ago, or two months ago, finalized the first rules for regulating the computers which provide care in general hospitals. So there are 200 general hospitals across the state. The care that you are provided at a hospital is provided by, with and through a computer, so what is the security posture of those systems? 

Has there been a threat assessment done? A risk assessment? Is there multi-factor authentication? So we respect the rules within HIPAA but we focus on the larger healthcare ecosystem landscape and on critical services, because New York's a big state, it is the fourth largest state by population. 

It's one of the largest in the continental United States by land area. And there are places where you’re remote. If a hospital goes on diversion because they are the victim of a ransomware attack, that's a big deal, and we've seen that in our state.

We're pairing regulations, which we believe address critical, absolutely essential elements of a cyber posture. But the governor in last year's budget worked with our partners in the legislature to put forward a multi-hundred-million-dollar technology and cybersecurity grant program, which provides up to $500 million for these facilities to upgrade their technology and cyber. 

So that's kind of in process. That's a multi-year effort. But we not only said, ‘here are the expectations for general hospitals.’ We understand that this is not going to be free, and so pairing that regulation with a grant program was important. 

RFN: Is there more you think the federal government can do to help deal with ransomware and other threats?

CA: I help lead a bipartisan coalition of chief cyber officers and chief information officers. I think we had 17 states. We issued a comment on the CIRCIA [Cyber Incident Reporting for Critical Infrastructure Act]. We did a bipartisan public comment to CIRCIA where we outlined a couple of ways. 

Government is a service provider, so our public comment outlines a couple of specific areas in which federal rulemaking and federal processes can do even more to collaborate across the levels of the government, by not just sharing information in an anonymized form, but working collaboratively with up-to-date threat-centric information, really in the model of the Counter Terrorism Fusion Task Forces, the Joint Task Forces.

We believe in extending that model to cyber. Because we think that what New York, with the federal government, with the New York Field Office of the FBI, really pioneered after 9/11 is that we're all on the same team. We're going to have access to the same information because this is a full court press, there's not going to be Sally over there and Tom over there. We're one team. So we think extending that into the cyber domain is important. 

Additionally, I think acknowledging the incredibly important role of the private sector. The Internet itself is, in large measure, owned and managed by the private sector. The critical infrastructure of these computers are owned and managed by the private sector, the operating systems delivered by a private company. So acknowledging, and I think, really magnifying the collaborative relationship between different levels of government and the private sector to advance on this issue, it will continue to become more and more relevant more quickly. But in particular, as unfortunate events occur, you continue to see that the entities that recover quickly are those that have deep and existing relationships with, say, a private incident response vendor.

RFN: What are the biggest differences between New York City Cyber Command and New York State Cyber Command?

CA: It's different missions. One is the largest city in North America, the center of global commerce, and one is one of the largest states. Both of them are incredibly important, dynamic and interesting places to work. But obviously the state has responsibilities, has resources, has capabilities that the city does not, and really vice versa. The state government is not a county or a local government. 

New York City is both a county and a local government. In New York City the five boroughs are five counties. So New York City is an extremely unique place. My family's been here since, you know, since the 1840s basically. So New York's a very special, important place. It's the only government like that in the United States.

The city is interacting with residents on a more continuous basis, so the kinds of services, the kinds of systems that the city is dealing with are different. Both are very important and unique, and we’re fortunate to have very close partnerships with the city.

RFN: What kind of threats does New York face?

CA: New York's a unique place and there is something for everybody, from cybercriminals to ideologically motivated individuals in small groups, activists to obviously, nation-states. 

Unfortunately, it's an all-of-the-above situation. First and foremost, the techniques that are utilized by cyber criminals, by highly motivated individuals or by highly resourced advanced persistent threats are, like we were talking about, not as differentiated as they once were. 

So you have people with sophisticated command and control, breach and lateral movement, living off the land, malware, Go language malware, all these kind of new topics, virus polymorphism, topics that you guys are covering each and every day.

RFN: Looking forward, what kind of threats keep you up at night and what gives you hope for the future?

CA: I have two kids but I would say one thing keeping me up at night is that cybersecurity is one of the relatively few remaining bipartisan issues. We work very closely with partners across the country, red and blue. 

So the loss of cybersecurity as a bipartisan issue, and the increasing vitriol spilling into this topic, that is worrisome. But hopefully that doesn't happen.

Number two is a catastrophic cyberattack. Something our governor says is that in many cases, people's imagination about how bad this can get is often not good enough. And New York was absolutely at the front lines of not just terrorism since 2001 but also COVID-19 in 2020. A catastrophic cyberattack worries me, especially one that impacts critical infrastructure in a widespread way. 

One thing giving me hope is Governor Hochul’s leadership. We are really moving the ball down the field. Another thing that gives me hope is our young people. One of the things we've been working on very closely the last couple years with our partners in the legislature, in particular in the Assembly and the State Education Department, is the Computer Science for All curriculum. So in New York, over the last several years, the State Education Department has done a tremendous job in organizing, promulgating and now requiring a broad spectrum computer science curriculum which has several elements, one of which is cyber.

With K-12 in New York State, your son or daughter probably has a technology class, and now they're going to be learning about cyberbullying. They're going to be learning about the importance of protecting their information online. They're going to be learning about the importance of cyber hygiene topics. 

Because just like literacy and numeracy and financial education, computer science education, STEM and STEAM topics, are really an enormous source of hope to go into. And I have a second grader, so seeing what she's learning in her technology class at the public school down the street, that gives me hope. 

The facility with which she can use these systems, with the educators that I think are deeply passionate about making the future better than the present, I think should give everybody hope.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.