The attack was staged as a color war, with a “good guys” Blue Team fending off a barrage of malicious Red Team hack attacks. NYC3 partnered with NYU Tandon and several of the city’s top financial and security companies to stage the exercise at Tandon’s new tech hub at 370 Jay St.

The Blue Team defenders were made up of a special cohort of NYU Tandon grad students — NY Cyber Fellows — and their NYC3 mentors. They worked from a large hall filled with networked computers and monitors showing ever-changing charts and graphs.

“So far so good,” said NYC3’s Sarwar Acad. “All the diagrams you see here, the network and the computers — we are trying to monitor all this for suspicious activity and working as a team to coordinate all our efforts.”

“They will come in and try lateral movement,” he added, “like pivoting from one machine to another machine and pretending that it comes from somebody within your network. Our job is to not just detect it; we are also going backward to see how they entered, where the weaknesses is, and we try to fill in the gaps.”

In a dimly-lit room down the hall, the Red Team, made up of seasoned security experts from NYC3 and private industry, sat around a conference table with just their laptops.

They were serious dudes.

“You took three domains out,” one of them laughed to another team member. “Ha ha, oh man.”

The event, called Cyber STRIKE (Simulated Threat Response and Incident Knowledge Exercise), will help NYC3 protect the city’s infrastructure and systems from malicious attacks, which are becoming more sophisticated and increasing in number.

City mission to train cybersecurity experts

Mayor Bill de Blasio, who has made cybersecurity a priority through Executive Order 28, called for the addition of 10,000 cybersecurity experts to the city’s workforce within a decade.

To help meet this goal, NYU Tandon, in collaboration with NYC3 and an advisory council including Booz Allen Hamilton, Bridgewater, IBM Security, Jefferies, Morgan Stanley and other companies, developed the inexpensive online Cyber Fellows program. Most fellows are mid-career professionals, and this was the first time they met each other in person.

“We need incredible talent to approach this from a cyber-defense perspective,” said Geoff Brown, NYC Chief Information Security Officer and head of NYC3, at a roundtable during the event. “The partnership you see in the exercise today is all different aspects that are necessary to combat those threats.”

Not all members of the Blue Team were technical specialists, Brown said.

To be successful, cybersecurity is a “team-of-teams type sport,” he said. “A successful cyber security future has cyber security-conversant professionals in law, in policy, in business — across the spectrum … To be effective in defense, you need to have all those verticals represented.”

Panel: Is it out of control?

Experts at the roundtable said the problem is only going to get worse before it gets better.

“I don’t think the industry is thinking through the far-reaching implications of cybersecurity,” said William Beer, principal in the Advisory Services practice of Ernst & Young.

“If you think about the future, about the move to the ‘cloud’ and large-scale digital transformation projects including things like 5G networks, we are becoming so reliant on technology now that we need to think very hard about the implications and what that would mean if things went wrong,” he said. “Exercises and initiatives like today are very important, because they help us think through and actually simulate the far reaching implications of what is going to come.”

“I actually think the problem’s probably going to get a lot worse over the next three to five years before it gets better,” said James Trainor, senior vice president of Aon Cyber Solutions and former assistant director of the Cyber Division of the FBI in Washington, DC.

“We need more people to understand the problems in order to address them,” Trainor said. “One of the challenges is the number of breaches that have occurred and the amount of data dumped out onto the dark web … And the other is the variety of tools that have been disclosed that have been turned into weapons, such as WannaCry or now Petya … All the bad actors have capabilities that have historically just been with nation states are now in the wild.”

Ramin Safai, chief technology officer and global head of information security at Jeffries, said his company sees three tiers of attacks.

The first is foreign adversaries, “especially from Iran and China,” he said. “They try to infiltrate our systems by sending us phishing attempts, for example, or getting very sophisticated access to our systems and monitoring it.”

The second group are those “who are interested in making financial gains by attacking us. They either attack us with DDoS [Denial of Service] attacks, bringing down our systems, or by encrypting our systems and asking us for some sort of money in order to decrypt the information.”

The third tier is insider threats, Safai said. “People who are inside the company and who either willfully or unwillfully try to do something that is bad for the company. That could expose our company to a huge lawsuit or huge embarrassment.”

Rich Cocchiara, chief data and information security officer for the New York City Department of Education, said, “Cyber, like anything, is an innovative field. As soon as you address one thing, somebody’s going to come up with a way around it.”

Edward Amoroso, CEO of TAG Cyber LLC and adjunct professor at NYU Tandon, agreed.

“People with a background in law enforcement know that a determined adversary is going to win every time,” he said.

While the issue of embedded malware is often in the news, that’s not the biggest problem, he said. “There’s a gigantic threat problem, let’s worry about that. That’s with the cloud, that’s what we teach our students here at NYU. We teach them if you’re going to solve something, the problem right now is perimeter architectures and sloppy computer security applications that are slapped together and not properly architected.”

“The biggest threat by far is the lack of trained talent,” said Nasir Memon, founder of NYU Tandon’s cyber security program and head of NY Cyber Fellows.

“There are reports out there that say we need from one to two million cybersecurity professionals in the next five to ten years,” he said. “At NYU, we started the cybersecurity program around 2000. In those roughly 20 years we probably graduated a few thousand people — two thousand, three thousand. Where is that million, where is that two million? We need programs that are affordable and that are done with partnership with industry, and also which are open to people from different disciplines.”

NYU Tandon’s Cyber Fellows program “is a model of industry, academia and government coming together to help shape cybersecurity talent, which is so badly needed in our country,” he said. “This is first event at this scale by three institutions of this kind of magnitude.”

End users are the weakest link

Big corporations aren’t the only businesses that get hacked, NYC3’s Acad said. Every network in the city is vulnerable.

“Security should not just be handled by the security folks,” he said. “All the phishing we’ve seen, that comes through normal people. They’re clicking links and they’re bringing all the bad stuff in.

“All the phishing we’ve seen look very legitimate,” he added. “They make it look like it comes from your own corporation or your own help desk. So we have to make sure we educate our end users about all the threats that are happening out there. If they can compromise you, then you are one of the main ones making the connection for them. End users are the weakest link.”

New York ahead of the game

Cybersecurity “all starts with partnerships like this one. It’s a security system built around machines, but it’s being conducted by humans,” NYC3’s Brown said.

“How we educate the next generation of cyber defenders, cyber business people, cyber lawyers — all those cyber terms — it’s going to be pretty important.”

He added, “Our city is leading on this. I think the mayor said that New York City is the place where ideas come to audition. We’ve moved beyond the audition phase in cyber security and New Yorkers should be proud.”

___________________________________

Updated 3/27/19 to indicate that Geoff Brown’s job title is NYC Chief Information Security Officer, not NYC Chief Information Officer.

---

Related Articles

1,000+ terror, security experts flood NYC to share expertise

July 16 | Mary Frost

A summer of self-driving vehicles and clawbots in Downtown Brooklyn

July 13 | Mary Frost

After attacks, Cuomo announces new counterterrorism measures

December 8 | Mary Frost

Anti-terror bollards proposed for Brooklyn Bridge Park, Coney Island Boardwalk and other high-traffic sites

June 28 | Mary Frost