Virginia companies and universities ramp up to thwart computer attacks
- March 1, 2012
Partly by luck of geography, but mostly due to its innovative technology companies, Virginia is in the vanguard of the fast-growing cyber security industry. More than 300 cyber-related technology firms have a presence in Virginia, and one-third of those have planted corporate headquarters here.
So, it’s not surprising that Virginia companies are creating new products to defuse computer attacks at a time when the stakes have never been higher. During the past five years, attempts to breach government computing networks skyrocketed 650 percent and show no signs of abating, according to a report by the U. S. Government Accountability Office. Virginia says its state government systems fend off more than 10 million cyber attacks a month.
In response, federal agencies are poised to spend $14 billion by 2016 to secure their vast information networks, says Herndon-based Deltek Inc. PricewaterhouseCoopers said in a recent study that organizations spent $60 billion globally on cyber security in 2011. Over the next five years, it predicts annual spending will increase 3 percent to 5 percent.
Virginia is well positioned to get some of that business. “The attacks definitely can cause problems,” says the state’s Secretary of Technology James D. Duffey, “but our universities and business community are scaling up to thwart the attackers.”
A precise estimate on the growth of Virginia’s cyber security industry is not available, because jobs in cyber security are lumped under a larger IT umbrella. Yet Virginia ranks first in the nation in its percentage of computer systems analysts and software engineers, according to the federal Bureau of Labor Statistics.
Another indicator of Virginia’s strong bench is TechAmerica Foundation’s annual Cyberstates report. In 2011, it ranked Virginia No. 2 nationwide, behind California, in terms of its largest high-tech sector — computer systems design and related services — which employed 138,800 workers in 2010. The Richmond region’s supply of IT-trained workers was one of the reasons given by General Electric Co. for its recent decision to open a cyber security center at Innsbrook Corporate Center in Henrico County that will eventually create 200 new jobs.
A corporate priority
Businesses can face devastating financial setbacks from cyber attacks. In 2010, data breaches cost organizations an average of $7.2 million, up 7 percent from 2009. That’s according to an annual study by the Ponemon Institute in Traverse City, Mich., a research firm that specializes in information security. “If you’re a financial services company, a health-care provider or an insurance firm, cyber security is going to be mission-critical to your business — if it isn’t already,” says Paul Christman, president and CEO, Quest Software Public Sector in Reston.
“It’s a problem for the financial services sector because that’s where the money is, but it’s also beyond that. Companies worry their intellectual property is being drained,” observes Joan Dempsey, a senior vice president at consulting firm Booz Allen Hamilton in McLean.
Virginia Gov. Bob McDonnell is earmarking more money for cyber security. His proposed biennial budget includes $2.3 million to improve Virginia’s marketing to the cyber security industry, including the creation of a National Center of Cyber Excellence. In 2010, McDonnell authorized $54 million in state funding (as part of his “Opportunity at Work” jobs agenda) to promote research at Virginia universities and provide seed capital to start technology firms.
At the same time, public universities in Virginia are expanding curricula to offer degree programs in cyber security and related fields. They include George Mason University, James Madison University, Norfolk State University, Old Dominion University and Virginia Tech.
Meanwhile, university researchers are creating potentially game-changing cyber technologies. Among them is browser-virtualization software by Invincea Inc., launched two years ago as a spinoff from research at George Mason University’s Center for Secure Information Systems. Invincea last year received $5 million from three Virginia-based venture funds.
Investors were wowed by its software, which creates virtualized environments for Web browsers and PDF readers. The tool safeguards corporate networks in case a user inadvertently opens an infected file. “It makes user mistakes irrelevant to the network,” says Stephen Ward, company vice president.
Employees can be big risks
Invincea targets what experts say is one of the biggest vulnerabilities organizations face: insider threats. Of particular concern is how users may unwittingly download malware, thus providing hackers with a gateway to sensitive data. “There’s growing consensus that securing computers is almost impossible. The interest now is in the idea that the user is the edge of the network, not the computer,” says Charles Clancy, a Virginia Tech professor and director of The Hume Center for National Security and Technology in Arlington.
More organizations are allowing employees to bring their iPods, tablets and other portable tools to work. Although organizations reap potential benefits of higher productivity by enabling employees to go mobile, security experts say there is a downside.“It increases the types of risks they’re exposed to in ways we are just beginning to understand,” says Maria Horton, CEO of EmeSec Inc., a cyber security company in Reston that primarily serves federal agencies.
Even industries that have embraced mobile technologies are behind the security curve. Insurance companies have benefited greatly from being able to digitize their business information, yet most are unprepared to protect it, says Bryant Tow, the chief security officer for Computer Sciences Corp. (CSC). “When I talk to CIOs at insurance companies, I am constantly amazed at their general lack of awareness,” Tow says.
To underscore the urgency, Falls Church-based CSC last year launched the Insurance CyberSecurity Advisory Council. Here insurers will be able to share ways on tightening data security, including information on training, user policies and cloud computing.
Even more terrifying than massive financial damage is this prospect: cyber terrorists using powerful viruses to disable automated systems that run America’s power grids, financial system, transportation networks and other infrastructure. To combat such infiltrations, Booz Allen Hamilton is championing the creation of a highly secure “Internet enclave” that would provide a ring of security around these critical national assets.
Conceptually known as “dot.secure,” Dempsey says it would create “protected lanes” in cyberspace that provide more robust security without hindering innovation or violating individuals’ privacy.
Although far from becoming a reality — Dempsey says it would require broad agreement between the government, academia and industry — dot.secure could be a linchpin in the nation’s civilian infrastructure and other assets that sustain society.
With hackers more devious and persistent than ever, the need for better cyber security is unlikely to diminish. “The threats we face now probably won’t be the same threats we face next year or the year after that,” says Horton of EmeSec.