ALBANY — Cyberattacks are a growing threat to New York’s critical infrastructure, with more than 83 incidents in the first half of this year, a new report from state Comptroller Thomas DiNapoli said.
The report said that the state saw more than 25,000 cyberattacks in 2022, up 53 percent from more than 16,400 attacks in 2016.
“Cyberattacks are a serious threat to New York’s critical infrastructure, economy and our everyday lives,” DiNapoli said in a statement. “Data breaches at companies and institutions that collect large amounts of personal information expose New Yorkers to potential invasions of privacy, identity theft and fraud.”
During the first half of this year, there has already been a nearly 73 percent increase in critical infrastructure cyberattacks from last year’s 48 documented cyberattacks. Critical infrastructure attacks involve “systems and assets that are vital for the functioning of society, the economy and national security,” the report said.
The report said that cyberattacks cost New York $775 million in 2022, adding to the $10.3 billion nationwide loss last year. New York had the third highest incidences of both ransomware attacks and corporate data breaches across the country. A ransomware attack involves a hacker denying an owner access to a system or personal files, and demanding a ransom for the victim to regain access.
Attacks in New York last year against critical infrastructure included nine incidents in health care and public health, eight incidents in financial services and seven incidents in both commercial and government facilities.
Some of the widespread weaknesses in New York’s cybersecurity that the report identified include misunderstanding security risks, use of unsupported applications, unknown data on systems, poor access controls and a lack of monitoring system changes.
“Also troubling is the rise in ransomware attacks that can shut down systems we rely on for water, power, health care and other necessities. Safeguarding our state from cyberattacks requires sustained investment, coordination and vigilance,” DiNapoli said.
In May, the Albany NanoTech Complex was hit by a ransomware attack that downed emails. The facility houses the SUNY Polytechnic Institute’s College of Nanoscale Science and Engineering and the state-run microchip research center.
The state’s ethics commission was also the target of a “deliberate malicious cyberattack” in February 2022, when a web server that holds the state’s lobbying and financial disclosure filing systems had to be taken offline.
DiNapoli’s report also clarified that local governments and schools are at particular risk of cyber threats, with audits from 2019 through this July finding more than 2,400 cybersecurity issues in the infrastructure. Albany’s City Hall was hit with a ransomware attack in 2019 that halted many city services temporarily, including preventing police access to internet-dependent tools.
The report recommended improvement through information technology security awareness training and establishment of contingency plans, which can be implemented with little cost.
Last year, Gov. Kathy Hochul appointed a chief cyber officer, Colin Ahern, in an effort to bolster cybersecurity across state agencies. Ahern runs the Joint Security Operations Center linking the state’s government with that of New York City and other local governments, in hopes of improving cyberattack detection and response.
Hochul also released the state’s first cybersecurity strategy in August, opening the door for federal funding for the issue.
The federal government took action last year through the passage of the Cyber Incident Reporting for Critical Infrastructure Act, which will require cybersecurity reporting for sectors deemed “critical infrastructure.” The report said that inclusion of local governments within this reporting will improve coordinated responses to cyberattacks nationwide.