What is the Hazard?
A cyber incident involves either the theft or modification of information on City agency computer systems, or a system compromise with the potential to disrupt essential services.
A system compromise can impact one or more City agencies, a private utility, or specific Critical Infrastructure/Key Resources (CIKR) such as the power grid, public transportation systems, and wireless networks.
Cyber Threats and other Incidents
A cyber incident can affect a system’s:
- Confidentiality: protecting a user’s private information.
- Integrity: ensuring that data is protected and cannot be altered by unauthorized parties.
- Availability: keeping services running and giving administrators access to key networks and controls.
Cyber-attacks differ by motive, attack type and vector, and perpetrator profile.
Motives for cyber-attacks can vary tremendously, ranging from the pursuit of financial gain—the primary motivation for what is commonly referred to as “cyber-crimes”—to political or social aims. Hacktivism is the act of hacking, or breaking into a computer system, for a political or social purpose. It is the most common motivation for incidents affecting New York City, based on historical occurrences. Cyber espionage is the act of obtaining secrets without permission of the holder of the information, using methods on the Internet, networks, or individual computers.
A cyber-attack has the potential to compromise the digital infrastructure and security of any individual or organization. Such attacks vary in nature and are perpetrated using digital mediums and social engineering. Generally, the impact of cyber-attacks is felt for a few minutes or up to a few days; however, large-scale cyber incidents can create longer-term impacts.
Cyber-attacks may be carried out by a variety of perpetrators, who may be external to, internal to, or partners of the organization, agency, institution, or business (see table and figure below). According to Verizon Enterprise Solutions' 2018 Data Breach Investigation Report (DBIR), the highest proportion of attacks is carried out by perpetrators who are external to the victim organization.
Perpetrator Categories for Cyber-attacks
|Category|Category Description|Description of Attack|
|---|---|---|
|External|Outside the victim organization|Attacks—which can be perpetrated by subgroups including organized crime, nation-state or state-affiliated entities, unaffiliated individuals, activists, former employees, acquaintances, competitors, or customers—can take any number of forms.|
|Internal|Inside the victim organization|These attacks have usually been malicious, for the purposes of financial gain, though some were the result of breaches due to careless or accidental data exposure. Internal actor subgroups include: system admin, end-user, doctor or nurse, developer, manager, executive, cashier, finance, and human resources.|
|Partner|Third party sharing a business relationship with the victim|The least common of the three perpetrator categories and often unintentional. Example: a courier losing a device containing sensitive data.|

Perpetrator Categories for Cyber Attacks (Source: Verizon Wireless DBIR, 2018)
The U.S. Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) developed the Cyber Incident Scoring System (NCISS) to evaluate risk severity and incident priority of cyber-attacks.
New York City aligns its severity ratings to the NCCIC Cyber Incident Scoring System, so that severity levels for cyber incidents within New York City map directly to NCISS. The severity levels, shown from right to left, categorize the hazard level of cyber incidents from high to low:
- Emergency (black)
- Severe (red)
- High (orange)
- Medium (yellow)
- Low (green)
- Baseline – Minor (blue)
- Baseline – Negligible (white)
A more complete description of the scoring system is provided here. A demonstration that shows how to score the severity of cyber incidents is available here on the US Computer Emergency Readiness Team (US-CERT) website.
The probability of a cyber-attack affecting New York City is difficult to calculate given that human behavior is unpredictable and technology evolves rapidly. As perpetrators of cyber-attacks use more sophisticated techniques, companies and other digital technology users are keeping pace with technology advances and adding layers of protection to systems and databases.
Cyber threats differ from other hazards that affect New York City because the causes are not always related to geographic location. Information systems are accessible remotely from all over the world through the Internet.
This table shows the volume of cyber incidents and breaches affecting victim industries across the United States during 2017, including the public sector.
Security incidents and breaches by victim industry and organization size in 2017
|Other Services (81)||5||11||46||62||2||7||26||35|
|Real Estate (53)||2||5||24||31||2||4||14||20|
Source: Verizon Enterprise Solutions, 2018 Data Breach Investigation Report