NEW YORK — In the fall of 2012, President Barack Obama’s defense secretary, Leon Panetta, arrived to Manhattan’s west side to deliver an unprecedented speech about cyber warfare.
Aboard the USS Intrepid, the legendary World War II aircraft carrier now functioning as a museum along the banks of the Hudson River, Panetta devoted his entire speech to a topic seldom discussed in public by such a senior government official, let alone a member of the president’s Cabinet.
The US was on the verge of a “cyber Pearl Harbor,” Panetta warned.
Attackers could target and shut down power plants, water treatment facilities, and gas pipelines that would “cause physical destruction and the loss of life. It would paralyze and shock the nation and create a new, profound sense of vulnerability.”
Panetta’s words were stretched for emphasis and enunciated with such clarity that it was impossible to overlook what he was saying:
A cyber Pearl Harbor.
The invocation of one of the deadliest attacks ever on American soil would surely raise some eyebrows. But the tides of war were changing, and Panetta wanted the country to know about it in no uncertain terms.
The speech struck a chord with the crowd of mostly New York City business executives and national security professionals.
Among them, sitting at a far-off table in the corner of the room, was a little-known cybersecurity specialist named Geoff Brown.
Finding the right man to lead NYC3
On a Wednesday in March, Brown, 41, now the chief information security officer for New York City, was just wrapping up a call in a conference room in downtown Manhattan.
Rows of empty cubicles amid an otherwise nondescript interior made the office feel less like secondary office space for NYC’s cutting-edge Department of Information Technology and Telecommunications (DoITT for short), and more like an empty set from a ’90s movie that never got off the ground.
The conference room wasn’t any less drab, except for a display case in the corner memorializing a two-page document as if it were the US Constitution:
Executive Order No. 28. July 11, 2017. New York City Cyber Command.
“It’s really a brilliant document,” said Brown, the man charged with leading New York City Cyber Command (NYC3), the government agency Mayor Bill de Blasio established last year to lead the cyber defense of the city.
In the summer of 2016, Brown was hired as the city’s CISO, reporting directly to DoITT Commissioner Anne Roest, who has since retired from city government. She said he was “exactly what we were looking for.”
He understood the biggest risk was people.
“Brown viewed [the job] as a balance between business and security and he understood the biggest risk was people,” Roest told Business Insider. “The implementation of cyber is extremely technical, and to find someone who can speak about it at a level a layman can understand is a rare find.”
Anthony Shorris, NYC’s former first deputy mayor and one of the driving forces behind founding NYC3, had equally complimentary things to say about Brown: “He is comfortable in kind of a theoretical ambit, but also very ready to deal with the midnight phone call.”
“This is not just a job about boxes and wires,” Shorris continued. “It’s about getting people who run very large enterprises to be willing to work in a collaborative way with somebody whom they don’t know at all in a functional area they know very little about. And he had a good manner in working his way through that — being forceful without being threatening.”
‘We should not have to be held hostage’
Disruption of civilian life by hackers who find their way through the backdoor into the controls of critical systems — whether it’s the switch to a power grid, the wheel to a car, or the password to a computer — is no longer the stuff of science fiction.
Yet governments from the local to the federal level have generally been slow to keep up with the evolving landscape of threats that cities face every day in cyberspace.
Just ask Keisha Lance Bottoms, the mayor of Atlanta.
On March 22, unidentified hackers broke into the city’s computer network, placing malware on its systems and restricting access to vital data. The culprits demanded officials pay them $51,000 in bitcoin to unlock the government’s encrypted systems.
A week after the attack, Bottoms was still calling it “a hostage situation.”
Municipal court hearings were rescheduled and residents were unable to pay traffic tickets and water bills online for weeks. Atlanta Municipal Court finally reopened on April 16.
In the last two months, hackers have launched similar ransomware attacks against the Department of Transportation in Colorado and MedStar Health, a non-profit that operates 10 hospitals in the Washington, DC area.
Such attacks are so insidious and oftentimes so insufficiently understood that they rarely make front-page news. But the consequences could be severe, as some city officials recognize.
Yet others are still dragging their feet to do anything about it.
“There are a lot of cities that don’t put cybersecurity right up there as a major issue for them to worry about,” Herb Lin, a cyber policy and security expert at Stanford University, told Business Insider. “The problem is cybersecurity has never been treated, up until recently in some cities, as something that warrants high-level, concentrated attention.”
Cybersecurity has never been treated, up until recently in some cities, as something that warrants high-level, concentrated attention.
In NYC’s case, Lin said, the fact that “some cognizant body in government made a conscious decision to say, ‘cybersecurity is really important for us and we’re going to put resources, time, and money into establishing a consistent and organized response to cyber threats’ … you could make the argument that that’s the most important thing.”
Brown realizes this and hopes NYC3 sets an example for other cities to shift away from what he calls “the Marcus Crassus model,” an analogy he admits he borrowed from someone else.
Crassus, a legendary general in Ancient Rome, formed the first known private fire brigade at a time when the city had no public firefighting force. When a property was on fire, Crassus wouldn’t let his men fight the raging flames until he had negotiated a price for his services with the property owner.
“Eventually, society realized that that is not the approach we should take. We should not have to be held hostage by people that are going to help us,” Brown said. “Right now unfortunately, I think in cybersecurity we have the old Marcus Crassus model, where if you have enough money and you have a problem, you can pay the best and the brightest to come and help you.”
In other words, only those who know the importance of online security and who have the means to buy sophisticated anti-malware software are able to protect their digital lives.
The rest are left out to dry. NYC3, Brown says, is trying to fix that inequity.
‘New York is always blessed and cursed by the same thing’
NYC is not the first major US city to implement sweeping cybersecurity reforms.
In 2013, four months after assuming office, Los Angeles Mayor Eric Garcetti issued an executive order calling for a Cyber Intrusion Command Center that would serve as the singular agency responsible for identifying cyber threats, responding to intrusions, and protecting the city in cyberspace.
A year later, Tim Lee, a veteran CISO at the port of Los Angeles, was promoted to lead cybersecurity efforts citywide.
But even with Garcetti’s executive order, Lee realized the city still had a long way to go.
“There was no coordination, no threat information sharing, and no standards and policies applied to all of the city’s departments,” Lee told Business Insider. “Each department was running its own operations.”
So Lee started pushing for the creation of a centralized threat management platform that would allow the city to funnel intelligence from each department into a single feed. This so-called Integrated Security Operations Center opened in 2015.
The fact that NYC and LA have the most advanced cybersecurity defenses in the US should come as no surprise. They are the No. 1 and 2 most populated cities in the country, respectively, which also makes them a bigger target for hackers intent on causing significant harm.
But being a prime target has its advantages.
“New York is always blessed and cursed by the same thing,” Shorris said. “The fact that it’s so enormous and so visible makes it a bigger target than any other city, which is a curse, but it is also blessed with more resources than any other city.”
NYC and LA have simply been able to afford things that other, less-resourced cities could only dream of.
In June 2017, for example, de Blasio unveiled Cyber NYC, a long-term plan aimed at positioning the city as a “global leader for cybersecurity” through public-private partnerships. With it, he announced a $30 million investment to train the next generation of cybersecurity professionals and to help support and grow the local cybersecurity industry.
NYC3 has also teamed up with New York University Tandon to provide students studying cybersecurity access to the Cyber Range, a virtual network provided by NYC3 that simulates real-world security vulnerabilities and attacks.
“Cybersecurity is a contact sport,” Nasir Memon, the founder of NYU’s cybersecurity program, told Business Insider. “You have to engage in these simulated exercises like the Army or Marines do.”
How a team of 30-somethings came to lead NYC Cyber Command
After Brown started at DoITT, the idea of centralizing the city’s cyber defenses under one agency wasn’t formalized yet.
But several months, and many meetings and big-picture discussions later, the notion of a cyber command began to crystallize.
“What Anne and I began talking about was the realization that we had not made sufficient investment in [cybersecurity] generally,” Shorris said. “This was not a lane anyone was really driving in. There wasn’t a point of accountability for it.”
Their solution was NYC3, which Shorris described as an all-of-government approach that would enable the city to more effectively respond to cyber threats and potential attacks.
When they brought the idea to de Blasio, Shorris said the mayor had “zero” hesitation.
“He understood instantly that [cyberspace] was a threat,” Shorris said. “He reads the paper like anybody else and knows this is a big issue. He was very supportive from beginning to end.”
In the months following de Blasio’s executive order, the Command’s top brass started to take shape.
In October 2017, Quiessence Phillips, 34, who formerly led the cybersecurity incident response team at Barclays, was hired as the deputy CISO for the threat management unit to “fight the fight” (as Brown put it). She’d also help lead NYC3 as part of the city’s network operations center, a hub in Brooklyn where computer technicians and engineers monitor potential security threats 24 hours a day.
Other city agencies and law enforcement partners also operate out of the hub.
A month later, Michael Krygier, 34, a former consultant at the cybersecurity firm Mandiant, was hired as the Command’s deputy CISO for urban technology. Krygier often thinks about what the security of the city will look like when faced with the widespread use of new technology, like self-driving cars and ambulance drones.
Colin Ahern, 32, a military intelligence veteran deployed twice to Afghanistan, was brought on as the team’s deputy for security sciences to help engineer the tools NYC3 uses to execute its mission. Mike Kenney, 33, is Brown’s chief of staff.
NYC3’s team is relatively small, but growing. Brown said he has a vision for the Command to be a couple hundred people.
The executive staff — Kenney and the three deputies — is young and excitedly ambitious, yet not in the naïve or overly idealistic way that one might expect a group of millennial technology enthusiasts to be.
“I understand intrinsically how daunting, in all honesty, this is and how quickly things can occur. It’s just the nature of the beast,” Brown said. “I am the one that’s accountable. I really am. I’m proud to own that on behalf of our city.”
Although NYC3 is a standalone agency, the executive team works closely with DoITT, and briefs the first deputy mayor on a weekly, sometimes daily basis, either over the phone or in writing. They speak more frequently if an urgent threat warrants it, but will hold a face-to-face briefing at least every few weeks to get City Hall up to speed on the volume and trends of threats at home and abroad.
‘When bad things happen, they actually affect real people’
After Brown, a New Jersey native, graduated from college, he worked as a researcher at the Stimson Center, a Washington think tank focused on security issues.
Then came 9/11.
Like so many Americans in the aftermath of that day’s tragic events, Brown found a role to play in the nation’s collective response.
By chance, Brown had a friend whose sister knew one of the co-leads of the NYC-based office of the 9/11 Commission, a bipartisan group of officials Congress tasked to investigate the circumstances surrounding the attacks.
He was hired as a research assistant.
“The Commission exposed me to a number of really weighty things,” Brown recalled. “That experience taught me a lot about the national security apparatus, but also that when bad things happen, they actually affect real people.”
Soon after his work with the Commission, Brown started working on international affairs and cybersecurity issues within the government, including at the US State Department, although he provided few other details about the nature of his sensitive work.
He left his experience immediately following public service equally undefined, except to say that he went on seeking “entrepreneurial pursuits” in the private sector.
After those “entrepreneurial pursuits,” Brown joined JPMorgan for two years as the head of the bank’s cyber threat intelligence team, and then led the threat management program at a payment processing company called First Data.
After another two years there, Brown said he was beginning to settle on a life in the private sector.
“I had done my part, I thought. I had done work more so than many people do in many different places all over the world to help our country,” he said. “I was like, ‘I did my thing. I’m going to make a ton of money now. I’m just going to kill it.'”
Then he got a call about an exciting opportunity that had just opened up in NYC. And the choice was simple.
No room for failure
Despite its importance, NYC3 has largely flown under the radar.
Since de Blasio’s executive order in July 2017, the Command has been featured only sparingly in the press. Aside from a Q&A with a small local outlet and an interview with a niche podcast, one might never know that Brown has one of the most important jobs on the Eastern seaboard.
But such a lack of awareness isn’t likely to last. During a press conference with de Blasio last month, Brown made his biggest public appearance yet to announce a new mobile phone app— conceived by the NYC3 team — that New Yorkers will be able to download starting this summer to help protect themselves online.
While the success of this initiative remains to be seen, its vision is consistent with that of NYC3: Cybersecurity is no longer a peripheral concern that should be relegated to technocrats in government.
It is something that concerns everyone, Brown says.
“If I wasn’t supposed to be here, I wouldn’t be here. I’d be another one of these people in our industry, out there,” Brown said as he swiveled in his chair to point out the window of his ninth floor conference room at the banks and hedge funds scattered across downtown Manhattan.
“If this city is going to remain the commerce capital of the world, we’re going to have to be really good when it comes to our technology, which means we’re going to have to be safe and secure. If we’re not, it’s going to be a problem.”