HPD’s misguided pause on Section 610 affordable housing applications threatens low-income New Yorkers and the city’s existing affordable housing stock. Unsplash+
New York City faces an affordable housing crisis of staggering proportions. Vacancy rateshoveraround 1.4 percent. Families earning moderate incomes are priced out of entire neighborhoods. Yet in May 2025, when the Department of Housing Preservation and Development (HPD) announced it would stop processing most new applications for Section 610 of the Private Housing Finance Law, the city turned its back on a policy that was working.
Section 610, signed into law by Governor Kathy Hochul in December 2022, represented a rare moment of policy innovation that benefited everyone involved. The law allows owners of rent-stabilized affordable housing to collect the full amount of federal and local housing vouchers, even when that amount exceeds the building’s registered legal rent, without increasing what tenants pay. Tenants continue paying only30 percentof their income toward rent. Building owners receive additional income to cover rising operating costs and building repairs. The government maximizes the value of its existing subsidy programs. It was an elegant policy design: preserving affordability while preventing the deterioration of the affordable housing stock we already have.
Then HPDpulled the plug, citing federal funding uncertainty. While maintaining that buildings with already-approved amendments can continue operating under Section 610, the agency announced it would no longer process new authorizations for most subsidy types, including crucial programs that serve the city’s most vulnerable residents: the City Fighting Homelessness and Eviction Prevention Supplement (CityFHEPS) and HIV/AIDS Service Administration (HASA).
This decision reflects a fundamental misunderstanding of what Section 610 accomplishes. The program doesn’t create new government obligations; it simply allows existing subsidy dollars to flow more efficiently to where they’re already committed. When a voucher holder moves into a Section 610 building, the city is already obligatedto pay that subsidy. The difference lies in whether those dollars are allocated toward maintaining quality, affordable housing or are constrained by artificially low registered rents that leave buildings financially struggling.
Consider the reality facing affordable housing providers. Insurance costs have skyrocketed. Property taxes continue climbing. Labor and material costs for maintenance have surged. Meanwhile, developers who built affordable housing under regulatory agreements years ago are locked into rent caps that no longer reflect the economics of building operations. Some are collecting only 93 percent of rents compared to the 95 percent they underwrote, and those projections were considered conservative before 2020.
Without Section 610, these buildings face a slow death spiral. Insufficient cash flow means deferred maintenance. Deferred maintenance leads to building deterioration. Deterioration results in tenant displacement and the loss of affordable units from the city’s housing stock. We’ve seen this story play out countless times across the five boroughs.
Section 610 offered a lifeline. By allowing buildings to capture the full voucher amount, it provided the financial breathing room needed to maintain properties, make necessary repairs, and remain viable participants in affordable housing programs. This wasn’t a windfall for owners, but a survival mechanism for the affordable housing ecosystem.
HPD’s justification, federal funding uncertainty, rings hollow. The federal voucher programs that Section 610 leverages are not new appropriations. These are existing commitments. If HPD is concerned about budget constraints, the solution is to prioritize which buildings receive Section 610 authorization based on demonstrated need, not to shut down the program entirely for new applicants.
Moreover, the timing couldn’t be worse. New York is in the midst of implementing its most ambitious housing agenda in decades. The City of Yes for Housing Opportunity aims to create new homes across all neighborhoods. The 485-x tax incentive is designed to stimulate affordable housing construction. Yet what good are new affordable units if we’re simultaneously allowing our existing affordable stock to deteriorate through bureaucratic paralysis?
The policy’s design already includes safeguards. Regulatory agencies assess project financials to prioritize buildings with the greatest need. The program requires that rent stabilization protections remain in place. If a tenant loses their voucher, rents must drop back to the legal regulated amount. These provisions ensure that Section 610 serves its intended purpose: preservation of affordability, not profit maximization.
HPD claims it will continue processing authorizations for NYCHA tenant- and project-based vouchers and Emergency Housing Vouchers. But this carve-out is insufficient. CityFHEPS and FHEPS serve thousands of New Yorkers, including families with children and individuals experiencing homelessness. HASA vouchers support people living with HIV/AIDS. Excluding these programs from Section 610 means the buildings that serve our most vulnerable residents are precisely the ones left without financial support.
What HPD calls uncertainty, housing providers call existential threat. Affordable housing developers who planned projects around the availability of Section 610 now face financing gaps. Buildings that were in the application pipeline when the pause was announced are stuck in limbo—unable to move forward, unable to plan, slowly hemorrhaging money while waiting for bureaucratic clarity that may never come.
The city should reverse course. HPD should immediately reopen Section 610 applications with appropriate prioritization criteria based on demonstrated financial need. If federal budget constraints genuinely require limiting the program’s scope, then create a transparent waitlist and approval process rather than an arbitrary shutdown. Work with the state legislature to expand and formalize Section 610’s provisions.
Most importantly, recognize that preserving existing affordable housing is just as critical as building new units, and often more cost-effective. Every dollar spent propping up struggling affordable buildings through Section 610 saves the much larger investment that would be required to replace those units once they’re lost.
New York cannot afford to let bureaucratic caution and budgetary pessimism undermine smart housing policy. Section 610 works. It should be expanded, not abandoned. The affordable housing crisis demands bold action, not timid retreat. HPD should open the doors to both Section 610 applications and the affordable housing future New York desperately needs.
From ransomware to quantum disruption, Canada must take urgent steps to defend its institutions and build long-term cyber capacity. Observer Labs
This Q&A is part of Observer’s Expert Insights series, where industry leaders, innovators and strategists distill years of experience into direct, practical takeaways and deliver clarity on the issues shaping their industries. At a moment when cyber threats are escalating alongside geopolitical tensions, Canada finds itself at a crossroads: how to defend its digital infrastructure, protect its economy and maintain global competitiveness while preserving the values of an open, democratic society.
Judith Borts, senior director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University,sits at the intersection of policy, security and economic strategy. With a career spanning provincial economic development, national innovation policy and cross-sector collaboration, Borts has become one of Canada’s most vocal advocates for treating cybersecurity not as a niche technical specialty but as a shared societal responsibility—one that will determine the country’s digital sovereignty in the years ahead.
Her work at the Catalyst focuses on building the talent, partnerships and operational capacity Canada needs to withstand increasingly sophisticated attacks. But it’s her policy background that gives her a panoramic view of what’s at stake. Canada, she argues, can no longer afford a reactive approach to cyber risk. Nation-state adversaries, criminal networks and A.I.-accelerated threats are moving faster than traditional governance models can respond, and the downstream costs to Canadians are already enormous.
Borts outlines where Canada is falling behind global peers, what a truly unified national cyber strategy would require and why talent development may ultimately matter more than any single technological breakthrough. She also offers a candid look at the sectors most vulnerable today, the policies needed to strengthen resilience and how emerging technologies like A.I. and quantum computing will reshape the country’s digital future. Canada’s prosperity increasingly depends on something once viewed as purely defensive: a secure and trusted digital ecosystem.
With global alliances shifting and the U.S. pulling back from international cooperation, how are these geopolitical tensions directly reshaping Canada’s cybersecurity priorities and its role in intelligence-sharing networks?
Even as global alliances shift, intelligence sharing through networks like the Five Eyes, G7 and NATO remains strong. That’s not really where Canada’s biggest challenge is. What we really need to zero in on is building our own sovereign defence and resilience—including in the cyber and digital domains—so we can protect ourselves, respond quickly when threats come up and recover safely and securely.
Cyberattacks today can come from anywhere (foreign governments, organized groups or even individuals), and they pose real risks to Canadian institutions, businesses and citizens. Our national security and defence strategies need to reflect that reality. We need to invest more in homegrown talent and innovation, from cybersecurity research to advances in A.I. and quantum technologies, so that Canada can stay ahead of the curve. It’s not about losing trust in our allies; it’s about maintaining our strong relationships while also making sure we have the strength and resilience to stand on our own when it matters most.
Which Canadian sectors are most exposed to cyber risk, and how prepared are they to defend against the sophisticated attacks we’re seeing today?
Every sector in Canada, as well as around the world, is exposed to cyber risk. Healthcare continues to face some of the most visible and alarming threats. Ransomware attacks have forced hospitals to cancel surgeries and even shut down emergency systems, putting patient safety directly at risk. The energy sector is another major target. And what used to be mainly about stealing data has now shifted to attempts to interfere with the systems that keep our power grid running. As our digital and physical infrastructure becomes more connected, those risks multiply and even a single successful attack can throw essential services across the country into chaos.
Canada’s economy is powered by small and medium-sized businesses, which make up about 99 percent of all companiesin the country and account for more than half of the country’s GDP. These companies are increasingly being targeted but often lack the specialized staff, training and resources to respond effectively. Plus, the impacts of a ransomware attack on an SMB’s bottom line can be massive.
We’re seeing progress in some areas, but these are still isolated efforts. Real national cybersecurity and resilience mean a coordinated approach, one that brings strong security standards together with real investment in education, innovation and long-term capacity building. That’s how we keep Canada’s economy secure and competitive in the years ahead.
What specific policy mechanisms are needed to create a unified national cyber strategy that also respects Canada’s diverse regional priorities?
A top-down approach alone won’t keep up with how fast threats evolve or be able to address the practical needs of all regions. Real resilience comes from bringing federal, provincial and local efforts together so we can build safe and secure communities, share information faster, respond in real time and build trust across sectors.
We also need to make it easier for Canadian businesses to operate securely, both at home and abroad. That means creating a more harmonized and less fragmented set of cyber standards and compliance requirements, so companies aren’t forced to navigate a maze of conflicting rules across jurisdictions. Taking a more unified approach that integrates leading global approaches and consistent standards would help Canada stay internationally competitive while keeping our digital ecosystem strong and secure.
In a nutshell, the federal government should set the national vision and provide the framework and tools while empowering local governments, organizations and innovators to adapt that framework to their realities. When everyone works from the same playbook, security can become part of how we do business—not a barrier to it.
As cyber threats evolve, is Canada keeping pace with peers like the U.S. and the E.U. in building defensive capabilities, or are governance gaps holding it back?
It’s an exciting time for cybersecurity in Canada, but the truth is we’re not yet keeping pace with our peers. The United States invests close to $800 billion or 3.5 percent of GDP annually in research and development, while Canada spends less than 2 percent of ours, and only a fraction of that goes toward cyber and defense innovation. That gap matters. The European Union, meanwhile, approaches cybersecurity not just as a security issue but as a pillar of economic resilience, seeing digital protection and competitiveness as two sides of the same coin.
Canada has world-leading talent in cybersecurity, A.I. and quantum. We are also building a strong foundation with proposed legislation like the Critical Cyber Systems Protection Act (Bill C-8) and a growing base of innovation, but we need to move faster—connecting our federal, provincial and municipal strategies, strengthening our talent pipeline and investing in homegrown technology. If we treat cybersecurity as both national defence and economic opportunity, we can close the gap and position Canada as a real leader in the digital future.
What are the most critical lessons from recent high-profile cyberattacks, and how should they guide efforts to build systemic resilience?
If there’s one thing recent cyberattacks have taught us, it’s that we need to wake up. No one is really paying attention to how serious this has become. We’re seeing massive fraud and data theft happening quietly, every day, and too often the response is weak at best. The impacts are not only felt at the victim’s level; the burden of the costs to Canadians is enormous, and we’re all paying for this.
And still, people aren’t changing their passwords, companies still skip basic protections like multi-factor authentication, and we’ve normalized the idea that our data will be stolen eventually. That has to change.
There’s a common mantra in the cyber community that when it comes to cyber threats: ‘it’s not if, but when.’ But the lesson isn’t that attacks are inevitable. It’s that we need to take preventative action and prepare for potential threats. Complacency is our biggest weakness.
We can’t treat cybersecurity as background noise while we rush to adopt new technologies like A.I. A.I. can make systems smarter, but it also makes cyber threats faster, more targeted and harder to detect. At the same time, many organizations are adopting A.I. without fully addressing the very real risks that come with it. Every organization embracing A.I. should be asking: Are we doing this in a way that keeps us secure and our clients/customers safe?
True resilience isn’t about specific actions by a cyber team; it’s about how fast and effectively we respond and how seriously we take the responsibility to protect ourselves in the first place.
What role should partnerships between universities, public institutions, government, private industry and Canadian tech companies play in building national cyber resilience?
No single group can solve Canada’s cybersecurity challenges on its own—the threats are too complex, the digital infrastructure is too vast and diverse and the stakes are too high. True resilience depends on everyone working together: universities driving research and developing talent, government providing intelligence, guidance and coordination, industry building secure systems and helping to generate specialized talent and Canadian tech companies pushing innovation forward.
But collaboration can’t just happen in boardrooms or policy papers: we also have to meet Canadians where they are. Digital resilience and cyber awareness are no longer specialized skills; they are now basic workplace essentials. Everyone, regardless of their role, needs to understand how to protect information, manage digital tools responsibly, and remain vigilant to evolving threats. If we’re going to reach everyone, it means finding more creative and practical ways to weave cyber awareness and digital resilience into everyday life, whether that’s through local community programs, small business training or more accessible education.
When universities, public institutions, government, and industry connect directly with Canadians, cybersecurity stops being an abstract concept and becomes something everyone can take part in.
That whole-of-society approach is no longer optional. It’s literally the foundation of our national resilience.
How does developing a skilled and diverse cybersecurity workforce contribute to Canada’s digital sovereignty and long-term competitiveness?
When we talk about securing Canada’s digital future, the real advantage isn’t just in technology; it’s in people. We need Canadians to protect what matters to Canada and build a robust digital infrastructure that we can rely on to keep our economy and country growing in the face of mounting threats. This requires a trustworthy and capable workforce. At the Catalyst, we have no delusions about the impacts of A.I. on cybersecurity work. The key question is: what does a skilled cybersecurity workforce look like in the age of A.I.?
We are hyper-focused on creating not only skilled cybersecurity professionals, but also helping those in other organizational roles across different sectors to better understand the cybersecurity challenges they are facing while maintaining a keen eye on emerging technologies such as A.I. and quantum computing. Through our programs, we’re building job-ready professionals who can address the human, organizational and technical issues of cybersecurity.
But in an era where A.I. can automate certain technical functions, the real challenge—and opportunity—is in ensuring that we have an agile workforce and that we educate and support individuals in exercising judgment, creativity, critical thinking, contextual understanding and ethical reasoning that machines can’t replicate.
It’s like asking how you maintain a community of great writers when A.I. can draft a paragraph for you: the value shifts to insight, empathy, strategy and human perspective.
How can Canada’s cyber strategy link security, innovation and economic growth?
For too long, we’ve talked about cybersecurity as a purely defensive measure. Many still view it as just the cost of doing business. The truth is, in the modern economy, cybersecurity is an investment, and resilience is one of our biggest competitive advantages. It’s the bedrock of national prosperity and our ticket to maintaining our position as a serious player on the global stage.
Think about it: when we create an environment built on digital trust, with infrastructure that is both robust and secure, everything else follows. It’s what gives international partners the confidence to invest here, and it’s what gives our own innovators in critical sectors like finance, healthcare and technology the secure launchpad they need to bring their best ideas to life.
So, the critical question is, how do you intentionally build that kind of environment? It doesn’t happen by accident, and it can’t rest solely on a policy or a plan. It only comes about through action.
By combining smart government policies and strong intellectual property and patent protections with real incentives for our businesses, we stop treating cybersecurity as a problem to be solved and start seeing it for what it is: a massive opportunity to build our next generation of tech leaders and secure Canada’s role as an innovator.
How will emerging technologies such as A.I. and quantum computing reshape Canada’s cybersecurity landscape, and what must be done now to ensure a secure, sovereign, and competitive digital ecosystem by 2030?
A.I. is rewriting the cybersecurity landscape, and quantum computing won’t be far behind. Each one presents both huge opportunities and serious threats. As these technologies start to converge, we will see incredible new possibilities and potential, but also significant power to cause real damage if we’re not prepared.
A.I. is now an arms race. For every advanced risk detection model we create, our adversaries are using A.I. to launch attacks. And quantum computing is the horizon. This will threaten most of the common encryption used today.
This new reality demands a strategic change, including what the industry calls the “shift-left approach.” Traditionally, security testing happened at the end of a project, just before the software was released. Shift-left flips that model by pushing security earlier in the development cycle—essentially “shifting” it to the left on the project timeline.
For example, instead of waiting until a new system is fully built to check for vulnerabilities, developers should build security into the design on day one, and then test for risks at each step. This approach comes from modern software engineering, but it’s now essential for cybersecurity: if emerging technologies like A.I. aren’t built with security-by-design, we’re already behind.
Ultimately, by investing in talent, targeting the best in R&D, and investing in an innovative ecosystem, Canada can make sure we’re not just reacting to technological change but we are leading the change.
Compliance, compute and cross-border rules are becoming the true arbiters of A.I. advantage. Unsplash+
The contest for A.I. leadership has shifted from lab breakthroughs to law books. Over the next eighteen months, the rule-making calendars in Washington, Brussels and Beijing will have a greater impact on margins, market access and M&A than any single model release. For investors, the divergence in the U.S., E.U. and China’s approaches is not academic; it is the new map of operational risk and strategic advantage.
Three playbooks, one race
United States: security-first, process-heavy
The U.S. framework is coalescing around national-security guardrails and governance standards rather than a single omnibus statute. Federal agencies now operate under the Office of Management and Budget’s (OMB) March 2024 memorandum (M-24-10), which compels agencies to formalize A.I. risk management and appoint Chief A.I. Officers, signalling that procurement and federal use will privilege vendors with robust assurance practices. NIST’s Generative A.I. Profile extends the AI Risk Management Framework into concrete practices for model testing, red-teaming and documentation. Think of it as an emerging “assurance stack” that enterprise buyers will increasingly expect to see mirrored in the private sector.
Export control policy is the sharper instrument. In January, the Commerce Department’s Bureau of Industry and Security (BIS) introduced an interim final rule expanding chip controls, notably adding controls on certain advanced model weights, a first step toward treating the most capable closed-weight models as dual-use technology. A related 2024 proposal laid the groundwork for mandatory reporting by developers and compute providers training powerful models. The message is clear: compute concentration and frontier training will be monitored and, where necessary, rationed.
Policy now intersects visibly with markets. Washington has adjusted its posture on sales of constrained accelerators to China, with reporting on resumed H20 chip shipments and talks over a bespoke, de-rated Blackwell-based part, underscoring that export policy will remain dynamic, not binary. It will shift shares between chip bins and geographies.
The wild card is federalism. California’s ambitious SB-1047 effort to mandate third-party audits for “frontier” models was vetoed in 2024, but the legislative momentum it generated has not dissipated; Sacramento and other statehouses remain active, even as the industry seeks federal preemption. Expect continued volatility at the state level, complicating the national go-to-market strategy.
European Union: market access in exchange for compliance
The E.U. A.I. Act entered into force in Aug. 1, 2024 with a phased rollout: bans on specific uses and A.I. literacy obligations applied from Feb. 2, 2025; obligations for general-purpose A.I. (GPAI) models—including those with “systemic risk”—apply from Aug. 2, 2025; the comprehensive high-risk regime lands in August 2026, with a longer runway for embedded systems. The European Commission, based in Brussels, also published a GPAI Code of Practice and accompanying guidelines this summer. The Code is voluntary and recognized by the Commission and the A.I. Board as a credible route to prepare for compliance. The A.I. Office will coordinate implementation and oversight. Translation: providers that align early get predictability and smoother market access.
The guidelines outline transparency, copyright and safety expectations, including model evaluation, adversarial testing and serious incident reporting for models deemed to present systemic risks, with fines of up to 7 percent of global turnover. For large platforms and foundation-model vendors, this is a compliance program, not a checkbox exercise.
Beijing’s layered regime arrived early and moves fast through administrative measures. Algorithmic recommendation rules have been in effect since March 2022, requiring filings with the Cyberspace Administration of China (CAC) and imposing controls on profiling, amplification and “information cocoon” effects. Generative A.I. services have been subject to the CAC’s Interim Measures since August 2023, which require security assessments, training data governance and synthetic content labelling. Filing obligations and the CAC’s algorithm registry give authorities visibility and leverage over providers’ technical choices.
At the same time, China remains constrained in cutting-edge computing by U.S. export controls. Policy gyrations around “de-rated” accelerators illustrate a managed-access equilibrium: enough supply to keep domestic ecosystems moving, not enough to enable unconstrained frontier training. That balance will continue to ripple through the capex of Chinese hyperscalers and their local chip design efforts.
Where policy meets P&L
Compliance as a competitive moat
In the E.U., the cost of conformity will be meaningful but predictable; early movers that operationalize the GPAI Code and documentation standards may enjoy accelerated procurement and less regulatory friction. In the U.S., assurance signals mapped to NIST profiles will increasingly become table stakes in enterprise sales and federal contracts. In China, the filing-first architecture rewards incumbents with regulatory muscle and local data pipelines, while raising the bar for foreign entrants.
Compute, constrained
BIS controls on chips and model weights make computing not just a cost line but a policy variable. Firms with diversified training strategies, mixtures of smaller specialized models, retrieval-heavy systems and efficient fine-tuning will carry less policy risk than pure frontier bets. Watch for “good enough” accelerators purposely designed to circumvent export rules, and for cloud providers packaging compliance attestations alongside GPU capacity as part of their product offerings.
Capital concentration and consolidation
A.I. funding remains elevated and skewed toward incumbents. The first quarter of 2025 saw a record $66.6 billion across more than 1,000 deals, and the hyperscalers’ 2025 spending plans point to another year of unprecedented infrastructure outlay. That scale will pull services, safety tooling and data infrastructure vendors into an M&A slipstream.
Cross-border data and distribution
For consumer and enterprise vendors alike, the same model will not ship the same way in all three blocs. The E.U. will reward traceability and documentation; China will insist on content controls and filings; the U.S. will probe provenance, cybersecurity and incident reporting, especially in public-sector deals. Product, legal and go-to-market need to travel together.
The investor lens: positioning for policy alpha
Back assurance infrastructure. Vendors that simplify compliance, such as evaluation suites, incident reporting pipelines, copyright management and model-card automation, will be natural beneficiaries of both the E.U. A.I. Act and U.S. federal procurement norms. The E.U.’s GPAI guidance and NIST profiles are effectively shopping lists for this category.
Prefer adaptable model strategies. Firms optimized for parameter-count theater will be whipsawed by export and safety rules. Those advancing efficient training, retrieval-augmented generation and domain-specific small models will face fewer chokepoints as BIS and allies tune controls.
Price E.U. clarity as a premium, not a drag. The narrative that “Europe regulates, America innovates” misses the strategic upside of regulatory certainty. For many B2B use cases, the E.U.’s predictable timeline and the Code of Practice reduce legal discount rates on revenue. Execution matters, but the framework is now set.
Treat China exposure as policy-beta. Returns will hinge on regulatory fluency and supply-chain agility more than pure technology. The CAC’s filing regimes and content rules favor local champions and foreign joint ventures with deep compliance capability. Export-control volatility should be assumed, not feared; portfolio companies that can pivot across chip tiers will fare better.
What to watch next
E.U. enforcement cadence as the A.I. Office operationalizes audit, incident reporting and systemic-risk oversight post-August 2025. Early supervisory choices will set industry norms.
BIS follow-ons defining thresholds for model-weight controls and clarifying reporting duties for compute clusters—details that will influence where and how frontier models are trained.
U.S.-China chip détente or divergence, including any further carve-outs for “de-rated” accelerators and China’s reaction through indigenous GPU roadmaps.
Across all three blocks, the through-line is power: who sets the standards, who grants market access and who controls the scarcest inputs—compute, data and trust. Regulation is no longer a compliance afterthought. It is an industrial strategy by other means and, for disciplined capital, a source of lasting competitive advantage.
