It happened during the final frenzied moments of the New York state budget negotiations, when state lawmakers and the governor were arguing over how billions of dollars would be spent—the agency responsible for printing the actual budget went dark. On the morning of April 17, it was reported that the state's Legislative Bill Drafting Commission Office (LBDC) had been the subject of a cyberattack.
Within hours, the LBDC reverted to an old system for drafting legislation that dated back to 1994, and the legislature was able to vote on a budget that weekend. Governor Kathy Hochul quickly assigned the state's Division of Homeland Security and Emergency Services (DHSES) to investigate, and advised against jumping to any conclusions while the investigation was underway.
"It really would be premature for me to say anything conclusive at this time, just like any crime scene. This is evolving. This is the first hours of an evolving situation," Hochul told NY1.
State legislators told Hell Gate that the bill drafting system was hampered for days after the budget passed, as Albany entered its final few weeks of the legislative session.
"The commission is really important because they're the folks who I submit bills to, and then they mark it up, make sure I'm referencing the right laws, using the right language, and they give us a bill number and get it ready to be introduced," Queens State Senator Kristen Gonzalez told Hell Gate about the vital role the commission plays. "They can also draft bills from scratch for us if we ask them to."
Nearly one month after the apparent cyberattack, many questions remain unanswered, including who was behind it, why they targeted the drafting commission, whether the attackers requested a ransom, and what the state has done to prevent future attacks against the same office.
The governor's office did not respond to our request for comment, nor did Assembly Speaker Carl Heastie or State Senate Majority Leader Andrea Stewart-Cousins. DHSES told Hell Gate it does not comment on ongoing investigations, and didn't answer any follow-up questions about when an update would be given about the investigation, or what, if anything, would be released to the public about the results of their work.
Gonzalez, the chair of the State Senate's Internet and Technology Committee, said she's been given no updates from the governor or DHSES on the investigation.
"The only information we've gotten is what was shared publicly," Gonzalez said.
Cyberattacks on government agencies and public infrastructure are becoming increasingly common, and pose serious dangers for the public. According to a report last October by New York state Comptroller Thomas DiNapoli, the number of cyberattacks targeting critical infrastructure in New York state nearly doubled in the first half of 2023 compared to 2022.
In late March of this year, New York City teachers were left without access to their personal tax forms after a phishing attack on their payment system forced the City to take its entire payment website down. New York's hospitals have also dealt with a string of cyberattacks that have brought down entire systems that people rely on for care and forced ambulances to divert to other hospitals because the hospitals under attack could not coordinate care. Often, the people behind these attacks ask for ransom, sometimes exchanged through digital currency, and targets are forced to pay these ransoms in the interest of resuming services as quickly as possible, making it a lucrative endeavor for hackers.
Gonzalez has proposed the Secure Our Data Act, a bill that would help protect New York's legislative and government offices from cyberattacks.
"The bill requires government entities to perform regular vulnerability assessments of critical information systems, which means identifying possible security weaknesses and hardening those platforms by taking steps to improve our digital infrastructure," Gonzalez said. "We're seeing an increase in cyberattacks across the country, and this bill would codify some things we already do, but would also make agencies come up with cyberattack response plans so that we're not all running around with our heads cut off when they happen."
The legislation, which has already passed the State Senate, would also mandate regular training for government workers on how to look out for possible phishing attempts and how to identify attempts to enter the state's computer systems. That's especially important, Gonzalez said, as attackers use things like AI-generated text to make targets believe they're conversing with a real person, all in an attempt to get phishing targets to hand over the keys to important technological infrastructure.
The software used by the state legislature also appears to be incredibly vulnerable to these types of attacks—legislative staffers have described the software they use as already severely outdated and prone to crashing.
"You should see some of the systems we work on," said one Assembly staffer, who asked to remain anonymous to speak candidly. "Some literal MS-DOS shit."
But during the feverish end of the legislative session, the cyberattack has been subsumed by other priorities for legislators. There's currently no plan for the cyberattack and its fallout to be the subject of a public hearing this session before the legislature adjourns at the end of June. In the meantime, Gonzalez is hoping the Assembly version of her bill, sponsored by Long Island Assemblymember Michaelle Solages, will pass and head to the governor's desk for her signature.
"It's about being able to let New Yorkers know that their data is safe when they give it to the government, and that we're doing everything we can to protect it," Gonzalez said. "Because when New York's computer systems go down, it's going to be the most vulnerable people, the people that really rely on the government for help, who are going to feel it the most."
