State Leaders Developing Cybercrime Policies

David J. Valesky

December 10, 2013

By RICHARD MOODY, Legislative Gazette, December 02, 2013

The chairs of six Senate committees held a hearing in central New York last week to hear testimony from law enforcement, cybersecurity experts, bankers and insurers regarding the threat of cyberattacks and cybersecurity in the state.

"In all my years in the Senate I've never seen a comprehensive hearing with six Senate committees coming together like this," said Sen. Martin Golden, R-Brooklyn. Golden chairs the Select Committee on Science, Technology, Incubation and Entrepreneurship.

The other senators who participated in the hearing were Sen. Joseph Griffo, R-Rome, chair of the Senate Banking Committee, who organized and ran the hearing; Sen. Greg Ball, R-Patterson, chair of the Veterans, Homeland Security and Military Affairs Committee; Sen. James Seward, R-Oneonta, chair of the Senate Committee on Insurance; Sen. David Valesky, D-Oneida, chair of the Senate Committee on Commerce, Economic Development and Small Businesses; and Sen. Patrick Gallivan, R-Elma, chair of committee on Crime Victims, Crime and Corrections.

"As our world has transformed with the proliferation of technological advances, we must also change the way we protect ourselves from crime and attacks. Everyone, from individuals to corporations and governments, must be aware and diligent," Valesky said.

All those who testified agreed regulations alone will not be enough to tackle cybercrimes. They also agreed the state should focus on educating public and private entities about cybersecurity best practices and one person alone cannot take charge in this fight.

Benjamin Lawsky, superintendent of the Department of Financial Services, said his agency has looked at how the banking industry identifies and handles the constant threat of cyberattacks by surveying hundreds of banks in the state through a confidential collection of data. In May the DFS also sent out letters to 31 insurance companies requesting information on security. All 31 companies responded to the requests.

Lawsky said the DFS used the "308 letters" because insurance companies do not like to share information and the letters force them to provide the information, but also afford the companies a level of secrecy. He said all information collected was looked at as "sacrosanct."

DFS will host an interactive self-evaluation exercise, available for all banks to participate in, on Dec. 12. The banks will anonymously participate and see afterwards how they compare with other banks in their response to cyberattacks.

Lawsky said regulations meant to help government entities such as DFS may not be the best solution.

"I think the jury is still out on that. When it comes to regulations, don't be too specific because [cybertechnology] evolves so rapidly" Lawsky said.

Following the hearing, Gallivan said he agreed with Lawsky that cautiousness should be applied when discussing regulating cybercrimes. "We are the most regulated state in the country. So we have to be very cautious when it comes to regulations," Gallivan said on the question of whether the Legislature should do something about cybersecurity. "Legislative action is not appropriate at this time. Not without further research."

Superintendent of State Police, Joseph D'Amico said he believes education, workplace development, and training in regards to cybersecurity should be the state's main focus.

D'Amico praised the Integrated Intelligence Center created in 2003, which is now the hub for investigating cybercrimes in the state. He also praised William Pelgrin, CEO of the Center for Internet Security for his continued work with the state. CIS is a nonprofit organization that advises public- and private-sector entities on cybersecurity.

D'Amico said the State Police train police officers with the FBI to learn how to handle cyberattacks. However, he added, "Industry should have a role in the education of people. The government can only do so much."

Gallivan believes educating the public and private sectors on cybersecurity should be the state's next priority, but he said the question of whose responsibility it is to educate people, employers or government, has yet to be answered.

When asked in the hearing if the DFS has thought about creating incentives for companies in the cybersecurity industry to come to New York for the purposes of advising and educating state entities, Lawsky said the DFS has not looked down that avenue, but would consider it.

Several of those who testified agreed a single person at the top of the cyber-crime fighting structure, who they also call a "cyber czar," would not work.

"Across all sectors there are common risks," D'Amico said. "There are also unique issues that should be addressed individually." He said the members on the Cyber Security Advisory Board, a group of cybersecurity experts put together by Gov. Andrew Cuomo back in May, have a general knowledge and he does not know anyone who is an expert in all areas. "I don't know if one person could focus our energy."

"DFS should not be the lead regulator of cyberattacks for the state," Lawsky said. He said he was unsure if a cyber czar is necessary or practical, due to the wide range of sectors affected by cybercrimes.

Lawsky said the DFS doesn't receive federal money to conduct its cybersecurity inquiries. "I think we have adequate resources," he said. Due to the rapid evolution of cybertechnology Lawsky believes the government will always be playing catch-up with cybercriminals regardless of the amount of resources they have at their disposal. "Just to be fair, we will always be behind," he said.

D'Amico said the state receives federal grant money, which it distributes among its cybersecurity entities. He said the cybercrimes division doesn't receive much federal money, but last year the state received an increased amount of money from the federal government. "We get more money than any other state," he said.

D'Amico said due to the rising reliance by both private and public entities on cybertechnology his "biggest concern is someone getting into our transportation system, our infrastructure."

"I'm concerned on all levels. Every day we are trying to catch up to where the criminals are. Attacks are happening every day," D'Amico said.