‘We all need to raise our cyber game’: How New York is battling hackers despite Trump budget cuts   

When the state of New York adopted a new whole-of-state approach to cybersecurity a few years ago, encompassing everything from transit to schools to power and water supplies, officials were still reeling from an attack that plunged part of Long Island into the paper-and-fax era of the ’90s.

Just before Christmas in 2021, a group of hackers, leveraging aging systems and outdated firewalls, quietly slipped into a computer in the Suffolk County clerk’s office and began spreading out across the network. It didn’t help that, over the following months, local officials ignored multiple warnings—including from the FBI—that something was amiss. When a ransomware attack eventually began months later, city services, including 911 operations, were knocked offline; some websites were out for months. Even though it didn’t pay the ransom—the hackers, linked to the group AlphV/BlackCat, would lower their demand to $650,000—the county eventually paid over $25 million to get its systems back up. The damage didn’t stop there either, with the data of residents and employees, such as Social Security numbers and driver’s license numbers, still floating around the dark web.

The next year, Gov. Kathy Hochul made moves to step up the state’s cyber posture, including boosting cyber spending and launching a statewide cyber strategy, an approach that unifies services and integrates local governments into its larger plan. As part of a 2023 regulatory overhaul, public and private entities across the state are now required to take specific measures to secure systems and to disclose cyber incidents and ransomware payments to the state. 

In 2022, Hochul also appointed the state’s first chief cyber officer, Colin Ahern, to lead cross-agency efforts to keep New York safe from attacks. Previously first deputy director of New York City’s Cyber Command and acting chief information security officer for the city, Ahern got his start in cybersecurity in the Army reserves. He retired as a company commander in the Army Cyber Brigade, where he oversaw the creation of a specialized cyberspace operations organization. 

Gov. Hochul named Colin Ahern New York’s first chief cyber officer in 2022 [Photo: Office of Governor Kathy Hochul]

Given his resumé, Ahern is particularly attuned to the ways governments at all levels can collaborate around better cybersecurity. For years, New York and other states have relied on federal support in the form of information sharing and technical resources backed by the Cybersecurity and Infrastructure Security Agency (CISA), as well as millions in cyber funds. A four-year, $1 billion federal grant program that launched in 2022 has proved especially helpful for cash-strapped localities, where IT resources are stretched thin, technology may be out of date, and security practices may be minimal.

Still, states need more help: Nearly two in five state-level CISOs say they are not getting the support they need to keep threats at bay, according to a Deloitte survey last fall. And that number could rise: at CISA, recent budget cuts have decimated technical services states rely on, and put those federal funds at risk. 

Fast Company spoke with Ahern about the impact of the federal cuts on states, the role that Washington can and should play in state-level cybersecurity, and the AI-backed threats that keep him up at night.

This interview has been edited for clarity.

There are big questions now about how cuts in Washington are impacting cybersecurity at the state and local level. But before all that: what does the threat landscape look like right now?

The threat landscape continues to deteriorate really across two axes. Number one: we see a significant convergence, really accelerating in the last three or four years, that collapses the distinction between different threat actors.

There are the advanced persistent threat actors [APTs], aka nation-state actors, like those interested in espionage—like the so-called Salt Typhoon hacks allegedly perpetrated by the Chinese Ministry of State Security against the telecommunications industry—or military-focused preparations for cyber warfare. That includes Volt Typhoon, the alleged penetration by the People’s Liberation Army of China into our critical infrastructure, including water and power and other things. 

The third category has always been financially motivated cybercrime of varying degrees of sophistication. On the low end, script kiddies, hacktivists, individuals. And on the high end, the increasingly accelerated professionalization of the cybercrime industry, magnified by a couple of things. Most principally, the ability to rapidly monetize the access to these systems via ransomware, and then extract value from those compromises in the form of a double extortion. And the whole ransomware ecosystem

Right now, what we’ve seen is this convergence, a collapse from these three distinct groups, with their three distinct capabilities and three distinct target sets and three distinct motivations. We’re now seeing a collapse into everything and all of the above. You’re seeing Russian state-affiliated actors, astroturfing or moonlighting as ransomware operators. You’re seeing an increasingly blurred distinction between espionage and cyber warfare, like Salt Typhoon and Volt Typhoon. 

And then you’re seeing the capabilities resident in these three different threat actor groups really not become that distinct at all. And that’s not because everyone’s getting worse. That’s actually because everyone’s getting better. And on top of that, everyone’s getting better at the same time as increasing government digitization, post-COVID consumer expectations, and other things. People have more and more technology systems, and they expect more and more of them. And that increases the threat surface. So the convergence along these two axes really means that everyone really has to raise their game. 

How has New York State upped its game in recent years?

I think New York State has a very important and powerful story to tell. In August of ’23, the governor released the state’s first ever whole-of-state cybersecurity strategy, and it really laid out a vision for making the state more unified by increasing access to cybersecurity tools and services, and making us more resilient by continuing to invest in critical infrastructure—especially lifeline critical infrastructure—both from a capital, grant perspective, but also in minimum standards that the state can promulgate. There’s also a focus on preparation, because we can either succeed together or we can fail separately. 

We’re in the final stages of our budget, and we have several legislative and financial enhancements to the state cyber posture that the governor has made since she got into office. For example, she’s doubled the size of the Cyber Analysis Unit, the Computer Crimes Unit, and the Internet Crimes Against Children’s Center at the New York State Police. She’s invested tens of millions of dollars in shared services for local governments. Her shared services program covers nearly 100,000 government computers in 55 counties in more than 30 cities, villages, towns, police departments and sheriff’s offices across the state.

So the governor has, I think, an extremely impressive record of delivering efficient, scalable, value-added services to local governments and county governments especially, who are under-resourced to say the least. 

Are there things that are really keeping you up at night now, in terms of types of attacks and types of targets? 

I have two little kids, so a lot of stuff keeps us up at night… but I would say artificial intelligence. We’ve really seen the ability of AI to rapidly enhance the capability of moderately sophisticated threat actors. A person who knows their way around Kali Linux, a person who knows what a git commit is, who now can, with the use of AI, really enhance their own capabilities.

Say you have a situation in which you have a very popular open source package, then there’s a new patch release for that open source package. Previously, to reverse engineer a security vulnerability from a recent software patch was time consuming, tedious, error-prone, and required non-trivial expertise.

So we’re not saying that Joe, Josephine, anybody could do this, but you take a person who kind of knows what they’re doing already and knows what they want: Now, with the aid of AI, they themselves can do work that used to take other very highly-skilled people days or even weeks. They now have the ability to rapidly reverse engineer software packages—in particular, open source packages where the source code is therefore widely known and inspectable—and then rapidly extract the vulnerability, weaponize that vulnerability in the form of an exploit, and then use that.

So AI is really reducing the flash-to-bang time of patch-to-exploit: Where it used to be seven days, 15 days, 30 days, now we’re seeing one day, two days, three days. And those were capabilities that only APTs used to have. Now you can go on Hacker News and find out how to do it.

How would you describe the role of the federal government in the state’s cybersecurity?

We think the state has been a good partner to the federal government. We have partnered closely. And it’s no secret that we’re watching with concern, like many, the cuts across federal agencies, the lack of confirmed leaders in key positions, and overall signs of that nature. In a circumstance where world events continue to conspire to make cyber increasingly relevant and important, states have tools. But states need the federal government to lead on coordination, unification, major incident response. And that’s not even to mention there’s things that only the federal government can do, be they offensive or interstate or other issues. 

Are there other things that you think the federal government is best positioned to do when it comes to cybersecurity? And what benefits to states are you most worried about losing? 

I actually led a bipartisan public comment at the end of the Biden administration on the CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). This was actually legislation passed in Trump 1 about the required disclosure of cyber attacks.

So we think that one of the things that only the feds can really do is this information sharing and operational collaboration. Our comment—which was signed by South Carolina and Ohio and New Jersey and on and on—really talked about how states and the federal government need to not just share information, but collaborate, in order to resolve the impacts that we potentially see from devastating cyber attacks, especially those against critical infrastructure. Everyone’s talking about supply chains these days, but a damaging cyber attack could very well take a long time to replace if those systems need to actually be replaced. 

Many are confused about what the funding cuts in Washington will mean for state cybersecurity. I wonder what it looks like from your side: are people scrambling to try to figure out contingencies for the future? Are they scratching their heads?

All the above. Good information can be difficult to come by, but we continue to engage with our federal partners and our elected representatives in both houses, in both parties. But we’ve made very clear publicly and otherwise to the administration that we have partnered with the federal government for decades on these issues, and we want and expect that to continue.

And obviously we’ve been worried about some of the enormously concerning reporting we’ve seen out of Elon Musk’s DOGE about data. We want Republicans, we want Congress to exercise their oversight powers, like the governor has said on numerous occasions.

Do you think that there are certain things that need to change in terms of how the federal government and the states think about cyber? Do you see reasons for optimism?

I think there is some optimism. I would note that the two most significant advancements in the capabilities of the US government—to coordinate defensive activity and even prosecute and hold our adversaries at risk—happened really under Trump’s first administration, with the creation of the Cybersecurity Infrastructure and Security Agency, and the significant expansion of their capabilities, resources, and appropriations. Then, I think there were some significant coordination advancements under Biden’s term, including the first national cyber director. So we’d like that forward momentum to increase and even increase in pace. But it remains to be seen how that’ll play out. 

One thing I would note is, there have been some recent bipartisan moves to take a hard look at how we’re organized in cyber. In December of last year, there was an amendment added to the National Defense Authorization Act talking about the need to study how the U.S. government and especially the Dept. of Defense is organized in cyber, a.k.a., The Cyber Forces study [to examine the viability of a new armed service]. It was actually watered down at the end of the Biden administration, but it remains in the law, and I think there’s wide acknowledgement that we need to take a look at how we’re organizing. And that amendment had bipartisan support and multiple sponsors in both parties in Congress, so I think there’s some optimism on that front. 

Speaking of bipartisanship, how do you think about the political tint that’s shaded the conversation about cybersecurity?

It’s unfortunate, because I think there’s wide acknowledgement that we need to essentially do two things at once, and do them even faster and better than before.

On the one hand, we all need to collectively raise our game because the adversaries are continuing to raise theirs, and that means falling in love every single day with the basics: multi-factor authentication, patching systems, risk management, certain response plans, et cetera. 

And on the other hand, our adversaries are seeking to do bad things, and we need the capabilities, especially those that can only be resident in the federal government, to deter them in cyberspace. And we should be very clear about what we find not acceptable: attacks against critical infrastructure, hospitals and schools, et cetera. 

And we could be somewhat circumspect in the manner in which we will deter our adversaries. We wouldn’t wanna give ’em a playbook or anything like that, but certainly the use of economic tools, sanctions, some of the indictments that have come down from the Dept. of Justice, naming and shaming cyber actors, including Russians and Chinese ones, and obviously offensive cyberspace operations. We need all of those tools to be ready, willing, and able to be used in furthering our national interest.

Where do you see the US’s interest in offensive capabilities, in more aggressive actions, fitting in alongside a defensive mindset?

Retired Rear Admiral Mark Montgomery and I wrote a piece in the Washington Post talking about some recent reporting—which was later denied in some fashion, ex post facto—about cessation of planning for Title 10 [offensive] Russian cyber operations. So we’re on the record as saying that we need an all-of-the-above approach, and we need to be planning. But in addition to that, I do think that the Trump administration has been very clear that they seek to hold our adversaries at risk, that they are interested in deterrence. They’ve made no secret of that, and I applaud that.

It just seems reasonable that we can’t expect different results with the same capabilities, the same organizations, so time will tell. Senator Kirsten Gillibrand from New York has been extremely influential on the issue of the Cyber Forces for many years. We’ve worked closely with her staff, and I’ve written publicly in support of her amendment [requiring the Pentagon to study the creation of a Cyber Force]. But like I said, it would be unfortunate for that to be caught up in the political maelstrom that it potentially could be.

Trade wars tend to escalate cyber tensions too. How much of a concern are the White House’s tariffs from a cybersecurity perspective?

I think a significant concern, and the governor has been extremely vocal and clear on the role of uncertainty and the importance of our trade partnerships, especially our partnerships with our NATO allies. New York is the gateway to Europe, as she said. But we also have an extremely close relationship with Canada. 

One thing I’d say on the tariff front is—and the governor actually has met with the consul general, and has discussed this ad nauseam publicly: we have important projects that deliver power from Canada, our close trading partner. One is called the Champlain Hudson Power Express. It brings hydroelectric power north from Canada and south into New York. And I don’t know if you’ve heard of this thing called artificial intelligence, but it requires enormous amounts of power [laugh]. And for us to maintain our competitive edge, New York is actually in the process of building one of the largest semiconductor software foundries in the world: Micron Technologies, tens of billions of dollars of investment, tens of thousands of direct and indirect jobs.

And so these tariffs: obviously the economic uncertainty, the impact to real people’s lives, bank accounts, is important. But for us to maintain an edge in cyber, AI and semiconductors, we need our trading partners. We need clean energy. And these are not issues that happen in silos or vacuums from each other.