New NYU Law clinic tackles increasing cybersecurity threats

Judith Germano

Judith Germano

Cybersecurity continues to make headlines: Canvas, the classroom management platform, was hacked and temporarily shut down this past semester, and Anthropic’s AI model Mythos shocked the tech industry with its ability to spot thousands of security flaws in widely-used software. Though far from new, cyberattacks are increasingly aimed at operational technology systems, putting at risk critical infrastructure such as electrical grids and water and waste management systems.

The new NYU Cybersecurity Clinic, established this summer with support from Craig Newmark Philanthropies at the NYU Center for Cybersecurity, intends to tackle these problems head-on. What makes the clinic unique is its focus: protecting organizations without significant IT resources, such as schools, nonprofits, community health clinics, and legal aid services. Through trainings, tools, technology and governance strategies, and public-private information sharing, the aim is to help its clients harden their own defenses. NYU News spoke with Judith H. Germano, co-director of the NYU Center for Cybersecurity and former chief of the Economic Crimes Unit at the US Attorney’s Office for the District of New Jersey, about recent cybersecurity news and the work of the new clinic.

What is the biggest concern in cybersecurity right now?
Well, I’d say there are two. One important concern is the old problem that people still haven't done enough to ensure basic protections and good cybersecurity hygiene. Many problems we’ve seen even in recent years have to do with fairly basic mistakes and vulnerabilities, such as a lack of multi-factor authentication or a failure to disable software that was no longer in use, failed password protocols, and a lack of rigor around good cybersecurity practices.

Another major concern right now is how AI is changing our landscape in a way that is faster than human capabilities. AI brings many benefits, but the risks can quickly spiral out of control. This is a significant concern with frontier AI, including Anthropic’s Claude Mythos. Anthropic’s AI model is so powerful and fast at not just finding software vulnerabilities but also exploiting them, and leveraging multiple smaller vulnerabilities to create significant harm. This is a powerful cybersecurity tool, but in the wrong hands, it also exponentially increases risk. To combat these next-generation cyber threats, we need to leverage AI to improve cybersecurity while simultaneously increasing focus on basic protections as well as rigorous redundancy and recovery systems such as offline backups and crisis plans. Also, with AI agents that can multiply and infiltrate systems with very little human oversight, we need to increase identity access management systems—to verify not just people but also agents in systems—and ensure strong and regularly tested guardrails and human intervention.

Individuals rely on organizations to keep their data safe and their systems operating and working well. Organizations, meanwhile, are facing multiple attacks that often are lucrative or otherwise beneficial to bad actors. Organizations also have to protect against users making mistakes, such as clicking on links that they shouldn't or failing to protect sensitive data. Since there is a balance of organizational and user accountability, we need to help organizations strengthen their cyber resilience and also better educate users regarding cybersecurity risk and best practices. It is important to understand cybersecurity risk and how organizations and individuals are vulnerable, as well as how technology can help protect organizations and individuals.

What kinds of issues will students and faculty at the clinic address?
A significant component of our work with focus on education and training regarding cybersecurity awareness, governance protocols, and best practices to address online fraud, extortion, critical system vulnerabilities, and other types of cyber risk. We will do this through workshops, publications, and meetings with stakeholders. We also will help certain low-resourced organizations map their systems, identify where they are most vulnerable, and understand how they can improve their cybersecurity through an interdisciplinary approach addressing technology, governance and processes.

An area where I have done a lot of work is in cybercrime and deepfakes used for fraud, abuse, exploitation and manipulation. Deepfakes are synthetically altered media—images, videos or audio—created to make it look or sound like something happened or was said that is not real. They can be manipulations of existing media (such as adding a person to a photo or changing what someone in a video said), or created fully new. The broad availability of AI tools has created a surge in deepfake-related fraud, and there are millions of deepfake videos circulating online. The majority of deepfakes are non-consensual intimate imagery, and there also are growing numbers of deepfakes in financial fraud cases. These include fake celebrity endorsements, fraudulent schemes

A new Anthropic project, called Mythos, has raised more concerns about the power of AI.
Mythos has been described as revolutionary—some question if that is hype, but I agree with many in cybersecurity who believe it is indeed groundbreaking and warrants considerable and serious attention. Here, AI has been able to outpace human ability to detect and leverage cyber vulnerabilities in epic proportions. Mythos has been able to find and identify cyber vulnerabilities with considerable speed, deep within systems, and also determine how to exploit those vulnerabilities to cause harm.

On one hand, it's an incredibly helpful tool for determining exploits so they can be fixed. And on the other hand, it is a dangerous weapon if somebody is using it for bad reasons. This is a real wake-up call for, as I was saying earlier, organizations and individuals still needing to get their basic cybersecurity right. And now the stakes have gone up.

How will the clinic be able to address all of these different concerns?
The NYU Center for Cybersecurity has been doing groundbreaking thought leadership work for the past decade since we started in 2016 as a collaboration between NYU School of Law and NYU Tandon School of Engineering. We take a necessary interdisciplinary approach to cybersecurity, where we have legal experts, technological experts, governance, regulation, and business experts, all working together to address key and emerging issues of cybersecurity for practical applications and understanding in business, government, and academia.

As Greg LeMond, the famous professional cyclist, said: “it doesn't get easier, it just gets faster.” We're not racing in the Tour de France, but the same concept applies as we work to address significant issues of national security, financial security, government security, and individual security. To do that most effectively, we bring together different perspectives and diverse expertise to address cybersecurity problems from multiple angles.

The new clinic enables us to reach high-risk, low-resourced organizations. We’re focusing on identifying those organizations—in government, critical infrastructure, and the community—that may have higher risk because of their systems or sensitive data, and who lack the resources to sufficiently address the ever-changing and increasingly difficult challenges of cybersecurity.

The clinic is part of a national consortium of Cybersecurity Clinics, which enables us to really leverage the work of many terrific academic institutions and experts who are addressing these challenges nationwide. Through collaboration and information sharing, we can better provide meaningful, broad-based, and grassroots support to help improve critically important cybersecurity.

This interview has been condensed and edited.

News Information