CYBER THREATS

What is the Hazard?

A cyber incident involves either the theft or modification of information on City agency computer systems, or a system compromise with the potential to disrupt essential services.

A system compromise can impact one or more City agencies, a private utility, or specific Critical Infrastructure/Key Resources (CIKR) such as the power grid, public transportation systems, and wireless networks.

Cyber Threats and other Incidents

A cyber incident can affect a system’s:

  • Confidentiality: protecting a user’s private information.
  • Integrity: ensuring that data is protected and cannot be altered by unauthorized parties.
  • Availability: keeping services running and giving administration access to key networks and controls.

Cyber-attacks differ by motive, attack type and vector, and perpetrator profile.

Motives for cyber-attacks can vary tremendously, ranging from the pursuit of financial gain—the primary motivation for what is commonly referred to as “cyber-crimes”—to political or social aims. Hacktivism is the act of hacking, or breaking into a computer system, for a political or social purpose. It is the most common motivation for incidents affecting New York City, based on historical occurrences. Cyber espionage is the act of obtaining secrets without permission of the holder of the information, using methods on the Internet, networks, or individual computers.

A cyber-attack has the potential to compromise the digital infrastructure and security of any individual or organization. Such attacks vary in nature and are perpetrated using digital mediums and social engineering. Generally, the impact of cyber-attacks is felt for a few minutes or up to a few days; however, large-scale cyber incidents can create longer-term impacts.

Cyber-attacks may be carried out by a variety of perpetrators, who may be external to, internal to, or partners of the organization, agency, institution, or business (see table and figure below). According to the Verizon Enterprise Solutions 2018 Data Breach Investigation Report (DBIR), the highest proportion of attacks is carried out by perpetrators who are external to the victim organization.

Perpetrator Categories for Cyber-attacks

| Category | Category Description | Description of Attack |
|----------|----------------------|-----------------------|
| External | Outside the victim organization | Attacks—which can be perpetrated by subgroups including organized crime, nation-state or state-affiliated entities, unaffiliated individuals, activists, former employees, acquaintances, competitors, or customers—can take any number of forms. |
| Internal | Inside the victim organization | These attacks have usually been malicious, for the purposes of financial gain, though some were the result of breaches due to careless or accidental data exposure. Internal actor subgroups include: system admin, end-user, doctor or nurse, developer, manager, executive, cashier, finance, and human resources. |
| Partner | Third party sharing a business relationship with the victim | The least common of the three perpetrator categories and often unintentional. Example: a courier losing a device containing sensitive data. |

Perpetrator Categories for Cyber Attacks (Source: Verizon Wireless DBIR, 2018)

The U.S. Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) developed the Cyber Incident Scoring System (NCISS) to evaluate risk severity and incident priority of cyber-attacks.

New York City aligns its severity ratings to the NCCIC Cyber Incident Scoring System, so that severity levels for cyber incidents within New York City map directly to NCISS. The severity levels, shown from right to left, categorize the hazard level of cyber incidents from high to low:

  • Emergency (black)
  • Severe (red)
  • High (orange)
  • Medium (yellow)
  • Low (green)
  • Baseline – Minor (blue)
  • Baseline – Negligible (white)
NCCIC Cyber Incident Scoring System
Source: United States Computer Emergency Readiness Team (US-CERT)

A more complete description of the scoring system is provided here.  A demonstration that shows how to score the severity of cyber incidents is available here on the US Computer Emergency Readiness Team (US-CERT) website.

The probability of a cyber-attack affecting New York City is difficult to calculate given that human behavior is unpredictable and technology evolves rapidly. As perpetrators of cyber-attacks use more sophisticated techniques, companies and other digital technology users are keeping pace with technology advances and adding layers of protection to systems and databases.

Cyber threats differ from other hazards that affect New York City, because the causes are not always related to geographic location. Information systems are accessible remotely from all over the world through the Internet.

This table shows the volume of cyber incidents and breaches affecting victim industries across the United States during 2017, including the public sector.

Security incidents and breaches by victim industry and organization size in 2017

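| Industry | Incidents: Large | Incidents: Small | Incidents: Unknown | Incidents: Total | Breaches: Large | Breaches: Small | Breaches: Unknown | Breaches: Total |
|----------|------------------|------------------|--------------------|------------------|-----------------|-----------------|-------------------|-----------------|
| Accommodation (72) | 40 | 296 | 32 | 368 | 31 | 292 | 15 | 338 |
| Administrative (56) | 7 | 15 | 11 | 33 | 5 | 12 | 1 | 18 |
| Agriculture (11) | 1 | 0 | 4 | 5 | 0 | 0 | 0 | 0 |
| Construction (23) | 2 | 11 | 10 | 23 | 0 | 5 | 5 | 10 |
| Education (61) | 42 | 26 | 224 | 292 | 30 | 15 | 56 | 101 |
| Entertainment (71) | 6 | 19 | 7,163 | 7,188 | 5 | 17 | 11 | 33 |
| Financial (52) | 74 | 74 | 450 | 598 | 39 | 52 | 55 | 146 |
| Healthcare (62) | 165 | 152 | 433 | 750 | 99 | 112 | 325 | 536 |
| Information (51) | 54 | 76 | 910 | 1,040 | 29 | 50 | 30 | 109 |
| Management (55) | 1 | 0 | 1 | 2 | 0 | 0 | 0 | 0 |
| Manufacturing (31-33) | 375 | 21 | 140 | 536 | 28 | 15 | 28 | 71 |
| Mining (21) | 3 | 3 | 20 | 26 | 3 | 3 | 0 | 6 |
| Other Services (81) | 5 | 11 | 46 | 62 | 2 | 7 | 26 | 35 |
| Professional (54) | 158 | 59 | 323 | 540 | 24 | 39 | 69 | 132 |
| Public (92) | 22,429 | 51 | 308 | 22,788 | 111 | 31 | 162 | 304 |
| Real Estate (53) | 2 | 5 | 24 | 31 | 2 | 4 | 14 | 20 |
| Retail (44-45) | 56 | 111 | 150 | 317 | 38 | 86 | 45 | 169 |
| Trade (42) | 13 | 5 | 13 | 31 | 6 | 4 | 2 | 12 |
| Transportation (48-49) | 15 | 9 | 35 | 59 | 7 | 6 | 5 | 18 |
| Utilities (22) | 14 | 8 | 24 | 46 | 4 | 3 | 11 | 18 |
| Unknown | 1,043 | 9 | 17,521 | 18,573 | 82 | 3 | 55 | 140 |
| Total | 24,505 | 961 | 27,842 | 53,308 | 545 | 746 | 915 | 2,216 |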

Source: Verizon Enterprise Solutions, 2018 Data Breach Investigation Report