The hearing comes on the heels of both public and private concerns, from recent data breaches to the FCC barring Rite Aid from utilizing facial recognition technologies.
New York, New York, June 10, 2024 – The New York City Council’s Committee on Technology held a crucial hearing on the cybersecurity of New York City agencies, focusing on safeguarding critical infrastructure and New Yorkers’ personal data following cyberattacks in recent years on City agencies and their vendors, including the Department of Education, Health + Hospitals, and NYCAPS.
The Committee sought updates from the Adams Administration on cybersecurity measures mandated by Executive Orders 28 and 3, and Local Law 89 of 2020. However, despite this technology and cybersecurity reorganization, centralization, and publicly announced prioritization of these systems, there have been multiple breaches of City systems that have affected thousands of New Yorkers.
Representatives from the Office of Technology and Innovation (OTI), Chief Information Security Officer for Cyber Command Kelly Moan and Office for Legal Matters Deputy Commissioner Chantal Senatus, testified, emphasizing the omnipresence of zero-day vulnerabilities and the processes in place to address them. OTI mentioned that they “work collaboratively with agencies to determine what data is impacted” in the event of a breach, but would not provide specific details. Social engineering was noted as a key threat, and OTI highlighted their “routine” engagement in identifying issues and promoting cyber maturity. However, OTI was unable to specify how often audits occur, only mentioning they are conducted “periodically.”
While acknowledging efforts such as the NYC Cyber Critical Services and Infrastructure Project (CCSI) established in 2019, the Committee expressed disappointment with OTI’s inability to provide concrete information about specific actions they take to protect City systems, citing the public nature of the hearing. Committee members across the ideological spectrum acknowledged the need for confidentiality regarding certain security details, but concurred in expressing concern regarding OTI’s lack of substantive responses.
The Committee also heard several bills related to facial recognition, biometric technology, and data privacy. OTI declined to provide feedback on the bills, noting that they did not have jurisdiction, without sharing which agency would be responsible for implementation and providing feedback. OTI’s representatives also could not provide clarity on which agency is responsible for oversight of this technology, leaving members of the Committee and the public without a resource to report issues of civil rights and other concerns. As the Committee has previously observed, despite the Administration’s elevation of OTI as a priority, there are many instances in which the omnipresence of technology appears to preclude any particular agency from taking responsibility.
The Committee appreciates OTI’s commitment to enhancing cybersecurity and the dedicated cybersecurity workforce across the City, but today’s hearing showed significant gaps in communication and accountability that must be addressed to ensure the security and privacy of New Yorkers.