NYC CISO Geoff Brown on Public Privacy and Security
By Amanda McKeon on April 30, 2018
This week we welcome back to our show Geoff Brown, chief information security officer for the City of New York. In a city with 8 million citizens that’s also a global center of commerce, innovation, and tourism, protecting the public when they use publicly available online resources is an effort toward making everyone safer.
New York City’s leadership is in the process of implementing a new initiative they’re calling “NYC Secure” that aims to better protect the city’s residents, workers, and visitors from cyber threats. Geoff Brown describes the new initiative, and explains how it could serve as a model for other municipalities and communities around the world.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 54 of the Recorded Future podcast.
This week, we welcome back to our show Geoff Brown, chief information security officer for the City of New York. In a city with 8 million citizens that’s also a global center of commerce, innovation, and tourism, protecting the public when they use publicly available online resources is an effort toward making everyone safer.
New York City’s leadership is in the process of implementing a new initiative they’re calling “NYC Secure” that aims to better protect the city’s residents, workers, and visitors from cyber threats. Geoff Brown describes this new initiative and explains how it could serve as a model for other municipalities and communities around the world. Stay with us.
The new initiative is NYC Secure. NYC Secure is a decision by the city government of New York to take cybersecurity beyond our enterprise mission and to provide capabilities, tools, and protections to New Yorkers themselves.
What prompted the mayor and your team to take this on?
Well, if you think about it, cybersecurity everywhere, and in our city as well, is a shared risk. As we execute on the enterprise mission, we realize that if you think about what government does, it’s the social contract between a government and its citizens. Like here in New York, the city government of New York does many other things, right? Like go beyond the enterprise. We started to examine that mission and said, “As we watch headlines from around the world talking about cyber threats, the people that feel the impact of those threats are average Americans.” Or average New Yorkers, in this case. And we said, “In fact, we have so many other disciplines as a government that New Yorkers expect us to deliver on.” If you think about sanitation, policing, fire, public safety, and health. There are a lot of things that we do on behalf of New Yorkers that really represent the question that we encountered.
It says, “Should we be taking cybersecurity in the same direction?” We know that people increasingly live their lives online, and we decided it’s our job as a government to make sure people are safe online, just like we have decided for so many years to put such great effort into successful programs to keep people safe as they walk our streets.
Take us through the initiative. What are some of the specific things that NYC Secure is going to do?
We decided, right off the bat, on what I think of as two tactics. These two tactics support the policy decision, and these two tactics are meant to provide a greater level of protection to New Yorkers. The first tactic is in the mobile app space. We announced our intent to create a custom app that will debut this summer, be free for all New Yorkers to download, if they so choose, onto their mobile device, and it is to be designed specifically to give the person, or the user, notifications when they come across threats as they live their lives through their mobile device — their digital life through their mobile device.
It’ll be designed to advise that user to disconnect, for instance, from a WiFi network that’s been identified in the past as being the bearer of malicious content, or malicious threats. It’ll tell the user, for instance, to navigate away from a website that’s been identified as compromised. Or it’ll tell the user, “Hey, you’ve downloaded an app that’s malicious.” And it’ll recommend deleting that app.
It’s important to note that the app itself is not going to take actions on the phone. It’s guiding the user through and away from threats in their digital life, and zero personal data is required for the app to work. The app itself is interesting from a practitioner perspective. Our intent is for the app to have the baked-in machine learning and data science to diagnose when your phone starts to behave in an abnormal way, and then advise you that it’s likely identifiable with a threat. The analogy that I think is most common, when you think about it this way, is your phone exhibits symptoms of being infected just like you, as a person, exhibit symptoms when you’re sick. And through great data science and hard work on behalf of private sector partners, that’s been baked in from an AI perspective onto this app, and it’ll detect when your phone begins to be abnormal, and it’ll tell you that the threat has been identified and that you should do something about it.
It’s not going to send data off your phone to a cloud environment for it to be adjudicated elsewhere, and then for that message to come back down to your phone. That’s the way a lot of mobile threat management apps work. Our intent is not for it to be that way because we think that’s too invasive of a user’s privacy, for these purposes.
As you mention privacy, I think particularly with what we’ve been seeing about companies like Facebook in the news recently, I think privacy is top of mind for a lot of folks today. It sounds like that was a priority for you all as well, to make sure that you were taking care of privacy in this app.
Yeah. Perhaps I should have mentioned this earlier, thinking about the policy, but privacy is a central component to every decision we’re going to make when it comes to additional tools and capabilities to support the policy. Here in New York City, one of things we’re incredibly proud of is, we have a very strict view on what it means to respect New Yorkers’ privacy. That’s one of the things that I’m incredibly proud of from a public servant perspective, and it makes New Yorkers happy about the stance that their government is taking. We do believe that security does not need to come at the cost of public privacy. This is a central belief that we have. We’re thinking it through in two ways, really. There’s contractual controls around privacy, and as we first examined what it would look like, we were thinking very much about contractual control.
When we partner with a technology provider, how do we make sure that the data we care about is held sacrosanct, and is in no way, shape, or form sold, or anything else like that, right? But then we decided that wasn’t enough. We really did. We decided that contractual controls are fantastic and people use them, but we must have technical controls. We decided, as I described with the app, we will only debut things that do not require PII, that are not writing any data to a disc. For the NYC Secure initiative, NYC Cyber Command are not receiving any data. We’re not managing that app, and we are not receiving data from that app. That’s why it’s so important that the logic that does the threat prevention is actually baked into the app itself.
I mean, there are very, very strict decisions that we have made because we want to debut things that people can use to empower themselves and probably, scientifically, do not impact the other aspects of their life that they’re conducting via digital means.
Now, one of the other parts of this initiative is that you’re going to be improving the security of public WiFi throughout the city. Take us through that.
Yeah. This is very exciting for us because, of course, the concept of doing DNS security is not new, right? There are all kinds of great enterprise-class providers of various DNS security solutions. It caught our attention last year when this new DNS security solution Quad9 was debuted, and Quad9 was debuted in partnership with an organization that I respect called the Global Cyber Alliance. Both Quad9 and the Global Cyber Alliance are not-for-profits, and both have similar views when it comes to privacy as we hold as a city. When this was debuted, we took a look at it and said, “Huh. This is a really interesting fit.” What we’re doing is, we are moving, by the end of the year, for every agency guest WiFi — an agency is part of the city government of New York — any guest WiFi is going to use the Quad9 DNS security solution.
It, again, doesn’t require any PII, or anything like that. It simply blocks known malicious sites. Sites that are delivering malware or harvesting credentials, stuff like that. Those sites are identified via a consortium of threat intelligence partners with high confidence that those sites are, in fact, only there to victimize you. It’s really this precept that if you, as a New Yorker, or as a visitor, are availing yourself of a public WiFi spot, that we’re providing you, as a city … We simply don’t think you should be victimized. We think that if there’s something we can do so that you’re not going to hit something that has been confirmed and is only there to victimize your device, we shouldn’t let that happen.
Our goal is to, by the end of the year, have all of those city-provided WiFis, public WiFis, be pointed toward this Quad9 solution. But beyond that, we have something really exciting to do as a city, which is to advocate that other places where New Yorkers connect to free WiFi take this issue just as seriously. This solution, Quad9, is very easy to set up. I think it’s as simple as, if you think about it, if you were a proprietor, if you’re a coffee shop, if you’re an office building, if you are a public space, and you are inviting people to be your customers and to use your space, and if there’s something that you can do that’s not going to impact their privacy and will keep them from being victimized, we think you should do something about that.
That’s why I’m so excited about the WiFi piece because it could … Just like the app, if you’re in the city, you can download the app, also. Then you can also navigate your way with more accuracy around threats. We also think that if you’re in our city, the more places you can walk into that you won’t get infected in, the better off we are as a city. We really hope that organizations take advantage of this tool. Our plan, via marketing and talking about this and getting the word out, is communicating that it’s a no-brainer. It really is a no-brainer. Switching your DNS is easy, and if it keeps people from being victimized, it should be done.
The other piece that’s exciting, of course, is as the conversation grows, this is a tool that people can bring home with them. You can go home and point your home router toward this same thing. You can set it up on your device to use as protection. It has onward benefits, I think, when it comes to protecting people.
Yeah. One of the things that strikes me about this is that because it’s coming from you all in the public sector versus a private solution, it kind of helps level the playing field for folks who may be relying on the access that they get from the city to be safer. They don’t have to pay extra for something to know that they’re going to have this level of protection.
Yeah. This hits home for us because we have a core belief that digital safety is a necessity. It’s not a luxury. It’s a necessity, right? Something that we’re really proud of within this administration is that there’s been an incredible push to bring internet connectivity across all five bureaus. All five bureaus. All New Yorkers. It doesn’t matter your economic means, it doesn’t matter who you are, but the internet is a way for people to conduct their lives today. We’re bringing it across all five bureaus, and we think, to take that and then add the transparency layer on top of that, on top of additional security and safety, it really levels the playing field to user language.
I’m sitting in an office here in New York City and looking across downtown, right? There’s incredibly strong cybersecurity programs at the enterprise level all around me, represented by these great teams in these buildings, right? But frankly, that introduces a siloed approach to a security topic. As a city, we think initiatives like this allow there to be better protections in an interconnected fashion — not just a siloed fashion. Because again, going back to that point, we don’t think you have to have great power of the purse, or even great personal knowledge, directly in this domain. We don’t think the people that have those things should be the only people that are safe. It’s a safety issue, too — not just a technology issue.
From the perspective of the leadership of the city — I’m thinking of the mayor, and then down to folks like you — do they look at the cybersecurity of the residents as being part of critical infrastructure? I think of, you mentioned earlier, some of the things that people rely on the city to supply. Things like picking up the trash, having safe water to drink, and public safety through police and fire. Has cyber risen to that level, where it’s considered one of those critical things, or considered part of the fabric of a city the size of New York?
Yes. Emphatically, yes. It is absolutely critical for this city to think very carefully, to do very deliberate things, and measure ourselves against those things to improve the interconnected cybersecurity. That is absolutely critical to our success. When it comes down to it, the city is the center of commerce and so many things across the world. We think, as we embrace our smart city future, and as we deploy more technologies to make this city even more of a hub of innovation, ingenuity, diversity, and commerce, those things need to be safe. That’s part of our strategic advantage as a city, and we intend on keeping that advantage in perpetuity. This is one of the things we need to do with support from City Hall and beyond, across city leadership. In both, I should mention — public and private sector. There are a lot of people out there who are emphatically excited that New York is taking this leadership role.
What do you see from other cities around the nation and around the world, as they see New York taking on these initiatives? Do you think it’s the kind of thing that people will see and follow your example?
Yes, we do. We think it has to spark a more evolved public discourse. We think it has to spark that discourse across governments. What is that government role? What is the government role in this space? No one would debate that it’s part of the social contract with a citizen that governments have a role in security.
But so far, there’s been a number of different approaches, and many of them I absolutely applaud, for government to have a role in cybersecurity. Many of them have been legislative. I do tip my hat, so to speak, to some of the great things being done in the UK when it comes to the government’s role in this space. I think, to a certain extent, more of those conversations need to happen. With that said, New York is thinking about it in a very specific way. That specific way is in measurable solutions that 100 percent respect the privacy of the New Yorker. We think that is the way to go. There are things you can do in the security space, but we do not think those things have to mean that the New Yorker gives up their privacy.
It is important for me to note that these two tactics underneath … We’ve made a decision on policy. We made a decision that cybersecurity is a safety issue, and that you can debut things in that space that make a difference, that respect privacy. That’s the policy decision. These two tactics we recognize are tactics that we need to iterate on over time and need to improve on, and they will not be the only tactics. It is from New York’s perspective that we issue a challenge to providers, innovators, businesses, governments, and to everyone that cares about cybersecurity. There need to be other tactics, and we know there need to be other tactics. It is on us to make sure that these first two we debut are highly successful, that we iterate on them appropriately, that we have the public discourse, and that we get this right.
With that said, we will not stop with these two. I think, to a certain extent, we are very, very open minded and want to hear from the community. If you have a tactic that you think can scale to over 8 million residents and the size of this wonderful city, and respect 100 percent of the privacy of a New Yorker, I want to hear about that tactic. I’ve already had a number of conversations with leaders in the cybersecurity community. There’s some really interesting ideas out there, but I am kind of calling on the community to help this city be safe, and this is the way. Now we have a city that’s made a decision. We’re going to do something. And so, it’s the community’s opportunity to roll up our sleeves. Yeah, this is the exciting thing about cybersecurity professionals, right? We are great technologists, but we are in the business of security. It’s time to roll up our sleeves as a community to protect everybody. I think that’s what this is about.
Our thanks to Geoff Brown for once again joining us.
If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where everyday you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.