TESTIMONY
Kelly Moan, Chief Information Security Officer and Head of New York City Cyber Command, on Cybersecurity Initiatives and Legislation in New York City
0:11:41
·
8 min
Kelly Moan provides an overview of the efforts by New York City Cyber Command to strengthen cybersecurity defenses and resilience across the city's agencies and infrastructure.
- Moan details the establishment, mission, and operations of NYC Cyber Command under the Office of Technology and Innovation (OTI).
- She highlights key initiatives like the NYC Cyber Academy, the joint security operations center with New York State, and the city's vulnerability disclosure program.
- Moan emphasizes the collaboration with public and private sector partners to share threat intelligence and conduct joint preparedness exercises.
- She addresses proposed legislation on biometric recognition technology and data privacy, outlining OTI's position and challenges in implementation.
- Moan underscores the continuous and evolving nature of cybersecurity work, requiring sustained partnerships and a holistic approach to adapt to emerging threats.
Kelly Moan
0:11:41
Thank you so much.
0:11:43
Good morning, Chair Gutierrez, and members of the city council committee on technology.
0:11:47
Thank you for inviting me here today and allowing me an opportunity to speak on the work of New York City Cyber Command.
0:11:52
My name is Kelly Mowen.
0:11:54
I am the chief information security officer sir for the city of New York and the head of New York City Cyber Command under the Office of Technology And Innovation.
0:12:01
With me is Chantal Sinadis, OTI's Deputy Commissioner for Legal Matters.
0:12:06
Since since its inception in July 2017, New York City Cyber Command has played a vital role in protecting and defending the city in its residence from the impact of cyberattacks.
0:12:16
Over the last 7 years, we have built out security services and increased the cyber maturity at over 100 city agencies.
0:12:24
While we work collaboratively with agency partners, we as well as state, federal, and private entities, to safeguard the essential services and that New Yorkers depend on daily.
0:12:34
The city council, as I am sure you are aware, recognize the significance of our duty when it voted unanimously to add cyber command to the New York City charter in 2020.
0:12:45
Our mission, the one that inspires me and my talented team, is to make New York City the most cyber resilient city in the world.
0:12:51
This is no small endeavor.
0:12:53
New York City is America's financial, cultural, and media capital, and the size and scale of the city's ecosystem rivals that of most states or federal agencies.
0:13:03
New York City is also a target for cyberattacks with a technology landscape that is unparalleled among other cities and states.
0:13:11
This requires a unified comprehensive defense against constant cyber threats and partnerships from public and private sector as well as the support of the administration and the members of this council.
0:13:24
At the outset of his administration, Mara Adams signed executive order 3 in January 2022 to consolidate the city's technology agencies, including New York City Cyber Command, into the newly created Office of Technology And Innovation, OTI.
0:13:39
1 month leader, mayor Adam signed executive order 10, which further established the roles and responsibilities of Cyber Command, including setting information security policies and standards for the city, directing the city's city wide cyber defense and incident response, deploying defensive, technical, and administrative controls, and providing guidance to city hall and city agencies on cyber defense.
0:14:02
Executive Order 10 also directed each agency a point of cyber command liaison to interface with us to strengthen collaboration and expand incident response capabilities.
0:14:12
As a result, we launched New York City Cyber Academy, a specialized training program to bolster the city's cybersecurity workforce.
0:14:19
And enhanced agency cyber capability.
0:14:21
To date, we have graduated public servants from 50 city agencies in 3 cohorts with the 4th cohort currently underway.
0:14:29
In February 22, the same month that he signed executive order 10, Mara Adams joined with Governor Hochol to launch the 1st of its kind joint security operation center in Brooklyn.
0:14:38
24 by 7365 cybersecurity hub situated inside of New York City Cyber Command Security Operation Center allows us to coordinate real time efforts with city, state, and federal entities in ways that bolster the defenses of both New York City and the broader New York state.
0:14:56
As part of New York City Cyber Command's role, we provide a number of services to city agencies and assistant implementation of key work streams to bolster agency's cyber maturity.
0:15:06
These range from technical controls such as security tools to administrative controls such as policies and procedures.
0:15:12
Cyber Command also has consistently worked with city agencies and elected offices to develop cybersecurity roadmaps that prioritize the critical cybersecurity work undertaken by these office In October 2023, New York City launched our vulnerability disclosure program, VDP, the 1st of its kind for our city and the largest for US municipality.
0:15:32
Broadening the scope of the city's efforts to identify and address vulnerabilities within its publicly accessible digital resources.
0:15:41
The VDP enables IT developers and security researchers to identify vulnerabilities within city owned websites and systems and responsibly disclose them.
0:15:50
It provides rules of engagement and guidelines for submission, and the program complements existing New York City Cyber Command Initiatives that facilitate timely remediation of identified risks.
0:16:01
I also wanna underscore to the counsel that our collaboration extends beyond government partners.
0:16:06
Roughly 85% of U.
0:16:08
S.
0:16:08
Critical infrastructure is private.
0:16:10
So here in New York, we have focused on partnerships in the private sector as well.
0:16:14
This means collaborating with banks, hospitals, utilities, among many others, to maintain our collective cyber resilience through cyber threat intel sharing and joint tabletop exercises.
0:16:24
As the city's chief information security officer, I am honored to serve alongside my dedicated team and our city agencies in furtherance of this critical mission.
0:16:34
New York City Cyber Command's expanded organizational structure and alignment within OTI have placed the team in a strong position to monitor and respond to wide ranging cyber threats.
0:16:45
But as we are all keenly aware, there are no there is no time for victory laps when it comes to cybersecurity.
0:16:52
The work is never over.
0:16:54
There are no absolutes.
0:16:56
There are no assurances that security and operational control measures will be successful in safeguarding against all cyber attacks.
0:17:04
New cyber threats are discovered daily with increasing sophistication and complexity.
0:17:09
In cybersecurity minutes matter, Having strong partnerships in place prior to an incident across many different sectors are essential.
0:17:17
And cybersecurity as a team sport, and New York City Cyber Command is only one part of that team.
0:17:22
Through continuous education to increase awareness of social engineering tactics, Our cyber aware city workforce is also a key line of defense to help prevent cyber attacks.
0:17:33
They stand vigilant, and train to report suspicious report suspicious activity expeditiously.
0:17:40
As we look to the future, we will continue to promulgate a holistic approach to strengthen New York City's defenses and adapt to a constantly evolving landscape.
0:17:49
I will now turn briefly to pieces of the legislation for today's hearing.
0:17:54
Intro 425 seeks to amend the administrative code of the city of New York in relation to limiting the use of biometric recognition technology in certain residential buildings.
0:18:04
To the extent that this legislation concerns the use of technology on private property, it is not within OTI's purview.
0:18:11
Intro 217 seeks to amend the administrative code of the city of New York to prohibit places or providers of public accommodation from using biometric recognition technology and to protect any biometric identifier information collected.
0:18:26
To the extent that this legislation has specified that it does not apply to the use of biometric identifier information by government agencies, employees, or agents, It is not within OTI's purview.
0:18:37
While OTI is unable to take a position on these bills, we want to underscore the administration's commitment to work with city council and ensure the proper balance of privacy and public safety within emerging technology.
0:18:50
Intru 539 seeks to prohibit communications, carriers, and mobile application developers from sharing a user's location data with another person if the location is within New York City.
0:19:02
This bill would also impose monetary penalties for violation of the provision and proposes that the Department of Information Technology And Telecommunication enforce this measure.
0:19:13
Although OTI supports the council's efforts to address privacy concerns, implementation of this legislation as drafted would not be possible.
0:19:21
OTI would welcome discussion related to the intended framework for enforcement under these provisions.
0:19:27
Additionally, OTI regulates the rights of way for telecommunication patience infrastructure and does not regulate mobile application developers.
0:19:35
I want to thank Chair Gutierrez and the committee members for your time and the opportunity to testify.
0:19:40
I'm happy to take any questions.