Cyber Threats

What is the Hazard?

A cyber incident involves either the theft or modification of information on City agency computer systems, or a system compromise with the potential to disrupt essential services.

A system compromise can impact one or more City agencies, a private utility, or specific Critical Infrastructure/Key Resources (CIKR) such as the power grid, public transportation systems, and wireless networks.

Cyber Threats and other Incidents

A cyber incident can affect a system’s:

Confidentiality: protecting a user’s private information.
Integrity: ensuring that data is protected and cannot be altered by unauthorized parties.
Availability: keeping services running and giving administration access to key networks and controls.

Cyber attacks differ by motive, attack type and vector, and perpetrator profile.

Motives for cyber-attacks can vary tremendously, ranging from the pursuit of financial gain—the primary motivation for what is commonly referred to as “cyber-crimes”—to political or social aims. Hacktivism is the act of hacking, or breaking into a computer system, for a political or social purpose. It is the most common motivation for incidents affecting New York City, based on historical occurrences. Cyber espionage is the act of obtaining secrets without permission of the holder of the information, using methods on the Internet, networks, or individual computers.

A cyber-attack has the potential to compromise the digital infrastructure and security of any individual or organization. Such attacks vary in nature and are perpetrated using digital mediums and social engineering. Generally, the impact of cyber-attacks is felt for a few minutes or up to a few days; however, large-scale cyber incidents can create longer term impacts.

Cyber-attacks may be carried out by a variety of perpetrators, which may be external, internal, and partners to the organization, agency, institution, or business (see table and Figure below). According to the Verizon Enterprise Solution’s 2018 Data Breach Investigation Report (DBIR), the highest proportion of attacks are carried out by perpetrators who are external to the victim organization.

Perpetrator Categories for Cyber-attacks

Category	Category Description	Description of Attack
External	Outside the victim organization	Attacks—which can be perpetrated by subgroups including organized crime, nation-state or state-affiliated entities, unaffiliated individuals, activists, former employees, acquaintances, competitors, or customers—can take any number of forms.
Internal	Inside the victim organization	These attacks have usually been malicious, for the purposes of financial gain, though some were the result of breaches due to careless or accidental data exposure. Internal actor subgroups include: system admin, end-user, doctor or nurse, developer, manager, executive, cashier, finance, and human resources.
Partner	Third party sharing a business relationship with the victim	The least common of the three perpetrator categories and often unintentional. Example: a courier losing a device containing sensitive data
Perpetrator Categories for Cyber Attacks (Source: Verizon Wireless DBIR, 2018)

Severity

The U.S. Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) developed the Cyber Incident Scoring System (NCISS) to evaluate risk severity and incident priority of cyber-attacks.

New York City aligns its severity ratings to the NCCIC Cyber Incident Scoring System, so that severity levels for cyber incidents within New York City map directly to NCISS. The severity levels shown from right to left, categorize the hazard level of cyber incidents from high to low:

Emergency (black)
Severe (red)
High (orange)
Medium (yellow)
Low (green)
Baseline – Minor (blue)
Baseline – Negligible (white)

A more complete description of the scoring system is provided here. A demonstration that shows how to score the severity of cyber incidents is available here on the US Computer Emergency Readiness Team (US-CERT) website.

Probability

The probability of a cyber-attack affecting New York City is difficult to calculate given that human behavior is unpredictable and technology evolves rapidly. As perpetrators of cyber-attacks use more sophisticated techniques, companies and other digital technology users are keeping pace with technology advances and adding layers of protection to systems and databases.

Location

Cyber threats differ from other hazards that affect New York City, because the causes are not always related to geographic location. Information systems are accessible remotely from all over the world through the Internet.

This table shows the volume of cyber incidents and breaches affecting victim industries across the United States during 2017, including the public sector.

Security incidents and breaches by victim industry and organization size in 2017

	Incidents				Breaches
	Large	Small	Unknown	Total	Large	Small	Unknown	Total
Accomodation (72)	40	296	32	368	31	292	15	338
Administrative (56)	7	15	11	33	5	12	1	18
Agriculture (11)	1	0	4	5	0	0	0	0
Construction (23)	2	11	10	23	0	5	5	10
Education (61)	42	26	224	292	30	15	56	101
Entertainment (71)	6	19	7,163	7,188	5	17	11	33
Financial (52)	74	74	450	598	39	52	55	146
Healthcare (62)	165	152	433	750	99	112	325	536
Information (51)	54	76	910	1,040	29	50	30	109
Management (55)	1	0	1	2	0	0	0	0
Manufacturing (31-33)	375	21	140	536	28	15	28	71
Mining (21)	3	3	20	26	3	3	0	6
Other Services (81)	5	11	46	62	2	7	26	35
Professional (54)	158	59	323	540	24	39	69	132
Public (92)	22,429	51	308	22,788	111	31	162	304
Real Estate (53)	2	5	24	31	2	4	14	20
Retail (44-45)	56	111	150	317	38	86	45	169
Trade (42)	13	5	13	31	6	4	2	12
Transportation (48-49)	15	9	35	59	7	6	5	18
Utilities (22)	14	8	24	46	4	3	11	18
Unknown	1,043	9	17,521	18,573	82	3	55	140
Total	24,505	961	27,842	53,308	545	746	915	2,216

Source: Verizon Enterprise Solutions, 2018 Data Breach Investigation Report