Virginia wants to train a workforce to tackle cyber threats
If you were keeping up with the news in recent months, you probably heard that hackers working for Russian intelligence were suspected of infiltrating state election databases in Arizona and Illinois as well as breaching computer networks at the Democratic National Committee and The New York Times.
But you may have missed the story about the small dermatology practice in Reston that also was hacked.
It didn’t make national news in June when an unknown hacker from outside the United States attacked Professional Dermatology Care PC, compromising 13,000 patient records. It was a ransomware attack, a software raid in which a hacker shuts down or limits access to a computer network or website in an attempt to extort money from the owner. Unavailable for comment, the dermatology practice posted a statement on its website about the breach, stating that it had increased its cybersecurity measures, would be sending written notice to all affected patients and that it had reported the attack to authorities, including the FBI.
The practice said it believed “the criminals’ motive was to extract money from the company in order to de-encrypt data, rather than for the misuse of patient data.”
Though state-sponsored cyberattacks garner headlines, attacks on businesses of all sizes are an everyday occurrence, driving the increased need for more cybersecurity professionals — and endangering the existence of small businesses.
“Companies are under daily attack from cybercriminals,” says Collin Hite, an attorney with Richmond-based law firm Hirschler Fleischer who specializes in cybersecurity and data privacy. “This is happening to small medical practices all the way up to the Fortune 500 companies. And my view is … other than the Fortune 1000 larger companies, many companies are woefully underprepared.”
Virginia’s government and companies are positioning the state as a leader in the sector, preparing to take advantage of the economic opportunities created by the challenges of securing the ever-evolving host of technological systems and gadgets upon which 21st-century life depends. To meet the demand, Virginia is trying to grow its pipeline of cybersecurity professionals, an industry that so far has been unpopular with millennials.
“Every kind of organization is realizing the difficulty that cybersecurity risks pose to their organization and mission, and we’re helping to mitigate those risks,” says Charles Onstott, a senior vice president with McLean-based defense contractor SAIC who is responsible for the technology company’s cyber, cloud and data science services. “The cyber threat landscape has changed dramatically in the last 10 years — the persistence of attacks, the frequency of them and the alarming rate at which vulnerabilities are discovered and exploited.”
A lot of companies think they’re too small to be a target, but there’s no such thing. “Credit-card data makes somebody a high-value target,” Hite says.
By some estimates, the cost of remediating a stolen data record can be around $270 per file. This includes providing credit monitoring and identity theft protection for customers whose data was stolen. For smaller companies, costs associated with data breaches could be the tipping point in shutting down operations. That’s why Hite recommends that companies not only plan ahead for breaches but that they take out cyber insurance policies.
Health-care records in particular are a prime target, he notes, “because you can truly steal somebody’s entire identity with medical records because you have so much information: their address, their family members, dates of birth.” (About 39 percent of all data breaches were directed against health-care industry targets last year, according to a study by Symantec, a California-based cybersecurity firm.)
And while cyberattacks against large corporations might be coordinated by organized crime outfits in Eastern Europe and Russia, ransomware attacks like the one launched against the Reston dermatology practice are more likely to be the work of lone actors seeking a quick score, Hite says.
Ransomware attacks have “become so prevalent,” he says. “It’s allowing anyone to become a cybercriminal. So you don’t have to be all that sophisticated or have monetary backing to do ransomware. You can pretty much get [the hacking tools] off the internet and become a cybercriminal overnight. The bar to entry into the criminal element is lowering every day.”
Adds Hite: “2016 is going to be the year of ransomware. Because a lot of this stuff is on a smaller scale, you never hear about it. Nobody wants to admit it, so they just pay the ransom and try to go on. You don’t have the time or the resources to fix the system. You just pay the $10,000.”
Opportunity for Virginia
Virginia is likely one of the best places to produce a pipeline of workers to fight these threats.
There are more than 650 cyber-related companies in Virginia, according to state Secretary of Technology Karen Jackson. And due to its proximity to the federal government, the Northern Virginia area in particular is dense with cybersecurity firms and professionals.
Fairfax County is home to 10 of the world’s 500 “hottest and most innovative” cybersecurity firms, according to the Cybersecurity 500 list by Cybersecurity Ventures, a leading industry research and market analysis firm. (The top Fairfax-based firms include IKANOW, Booz Allen Hamilton, Northrop Grumman and L-3.)
“Most people in the industry recognize that the national capital region has more cybersecurity talent than any other place on Earth, and that’s a great place to seek innovation,” says Rick Gordon, managing partner of the Mach37 cybersecurity business accelerator in Herndon, an initiative of the Center for Innovative Technology.
Since 2013, Mach37 has helped launch 35 cybersecurity companies that collectively employ more than 100 workers. Companies participating in the accelerator, which helps them with education, seed money and venture capital contacts, agree to establish a significant presence in Virginia within two years of graduating from the 14-week program. Mach37 also announced last summer a new partnership with the University of Virginia’s College at Wise that will work to strengthen the cyber industry in Southwest Virginia.
Despite the number of cybersecurity firms in the state — or perhaps because of it — Virginia has an immediate need for about 17,000 more cybersecurity professionals, with each job paying an average of $88,000 per year, according to a Virginia government-sponsored study by Burning Glass Technologies.
“This is a complex issue, and it’s not going to go away. We need to harness all of the workforce and all of the capabilities we can to make sure we can defend against those who would do us ill through cyber, and that need is only going to grow,” says Jackson, the secretary of technology.
In addition to business development, Virginia companies and the state government are focused on education and early outreach efforts to build the commonwealth’s cybersecurity workforce.
“Education and the workforce is a big deal,” Jackson says. “When it comes to feeding the workforce pipeline, cybersecurity firms by and large are based on talent, and they are pretty much as good as the talent they are able to find. And so the states that have the best people and have the most talented workers are going to be the ones that garner the most amount of [cybersecurity] companies over the long term.”
The state government’s efforts aren’t purely selfless — it needs cybersecurity professionals, too. “We have 300,000 attacks on our network every day,” Jackson says. The attacks range from email phishing to more serious hacking attempts.
The state government can’t compete with private industry on salaries and perks, Jackson says, so Gov. Terry McAuliffe’s administration has established a $1 million scholarships-for-service program to augment its workforce. The program offers up to two years of paid college tuition for students pursuing cyber-related degrees in exchange for working in cybersecurity for the state government for the same number of years after graduation.
Virginia Tech has a similar program offering scholarships for three years of federal government service in cybersecurity. The federal government is launching its own initiative to hire 3,500 more cybersecurity professionals by 2017. In September, President Obama named retired Air Force Brigadier Gen. Gregory Touhill the nation’s first cybersecurity chief.
But there also are plenty of efforts to help private cybersecurity companies ensure they have a workforce they need.
In June McAuliffe announced that the state government was establishing a registered cybersecurity apprenticeship program to help students in community colleges and technical centers get on-the-job experience while earning degrees and certificates in cybersecurity fields. McAuliffe has made cybersecurity the central focus of his tenure as chair of the National Governors Association, encouraging states to share information and strengthen the nation’s collective cybersecurity profile.
In August, U.S. Sens. Mark Warner and Tim Kaine announced Virginia Tech would receive a $19.4 million National Science Foundation grant that largely will be used for cyber workforce development.
Virginia has been particularly focused on “middle-skills” workers — those who need more education than a high school diploma but less than a four-year college degree to enter the workforce. The state’s New Economy Workforce Credential Grant Program funds two-thirds of the cost of workforce credentials programs for students who successfully complete vocational certification programs and earn industry-recognized credentials and certifications in high-demand professions, including information technology and cybersecurity.
Margaret Leary, cybersecurity program head for Northern Virginia Community College and director of curriculum for the National CyberWatch Center, is a self-described “huge supporter” of the workforce credentials initiative. “The problem is the workforce needs people who can hit the ground running. They don’t want to spend 18 months to train someone on the hard skills needed to defend a network.”
However, in Northern Virginia, she says, the majority of the cybersecurity employers tend to be federal contractors, and federal government contracts require most cybersecurity contractors’ employees to hold bachelor’s degrees. To this end, Northern Virginia Community College is working with schools such as George Washington University to help students get four-year cyber-related degrees. They also have a pathway program to help military personnel receive earned credits for their previous military experience in cyber fields.
One key problem is persuading younger professionals to enter the field.
At her community college, Leary says, most students pursuing cybersecurity degrees tend to be between ages 30 and 60 and are entering the field as a second career. Millennials, she says, aren’t really aware of cybersecurity career options.
“A lot of these students, if you ask them what might a cybersecurity specialist do, they don’t know,” she says. “There needs to be more career prep done at the high school level, even at the middle school level, so that people understand the range of opportunities within cybersecurity … Millennials are very attracted by worthwhile causes. If it could be represented as a worthwhile cause to them — protecting assets, protecting national security — then there would be more interest.”
William Eggers, managing director of Deloitte Services, agrees that there’s a problem in getting more teens and twentysomethings interested in cybersecurity careers. Millennials are expected to save the day when it comes to the cybersecurity talent shortage, he says, but surveys done in recent years show that they aren’t as interested in or even aware of cybersecurity as a career. Many say their guidance counselors never mentioned it as an option.
The McAuliffe administration is trying to change that.
Although Virginia public schools have no cybersecurity curriculum, this year the state Department of Education sponsored a one-time pilot program of 32 cybersecurity summer camps for high school students across Virginia.
In addition, McAuliffe signed a bill into law this summer requiring that computer science be integrated into the state Standards of Learning for K-12 Virginia public schools, likely beginning no sooner than fall 2017. (AP computer science classes, however, have been available to Virginia high school students for decades.) And while computer science classes aren’t a requirement for graduation in any of the 50 states, they provide a foundation necessary for cybersecurity jobs.
The private sector also is taking measures to grow its workforce.
Deloitte sponsors a national Cyber Threat Competition to increase awareness of cybersecurity careers among college students. (Virginia Tech placed second in the contest last year.) What’s different about Deloitte’s contest is that it’s open to any student, not just the technically minded. It’s more of a business competition and involves risk management, presenting reports to clients and creating communications statements about breaches for employees and the media. That’s because there’s a need for more than just tech people in cybersecurity.
Falls Church-based Northrop Grumman sponsors a national after-school CyberPatriot competition, giving high school and middle school students the chance to compete in timed contests to eliminate vulnerabilities in virtual computer networks. Last year, more than 3,400 teams competed, each with about four to six students on a team. Fairfax County Public Schools have done particularly well in the competition — once sweeping the top three spots.
“It’s not only measuring their expertise in finding the vulnerabilities, but also it’s against the clock, so they have to work well as a team, so they’re building their collaboration and communications skills,” says Diane G. Miller, Operations Cybersecurity Group program director.
Surprisingly, perhaps, cybersecurity companies in Virginia say they don’t have a problem finding talented techies. “We get unsolicited contacts from recruiters almost daily, and they’re not just from Virginia. From a talent acquisition standpoint, that’s one of the last things we worry about,” says Rob Hegedus, CEO of Suffolk-based cybersecurity firm Sera-Brynn, which was ranked the No. 1 firm in Virginia and 10th in the world on the Cybersecurity Ventures list of the top 500 hottest cybersecurity companies to watch in 2016.
What they do have more trouble finding, Jackson says, are support personnel with technical knowledge, as well as tech workers who have business and communications skills.
“It is very important to have the research and the technical people because they’re the ones who have to do what has to get done, but there also has to be a level of people involved who can translate the technical into what the C-suite or the board of directors or the general public can understand,” such as marketing and communications professionals, she adds. “That’s imperative. It’s very difficult to walk into a C-suite to get money for R&D if the C-suite can’t understand what you’re pitching.”
Excelling in the field
It takes more than a degree, however, to make a successful cybersecurity professional.
Among longtime cybersecurity professionals, it’s less important to them what kind of a degree you hold than what you’ve accomplished and what sort of mindset you possess. (And one might take note here that Microsoft founder Bill Gates was a self-taught computer programmer who didn’t earn a college degree.)
“The industry is snapping up anybody that’s got the word ‘cybersecurity’ in a degree and that’s good … but just because they have that in their degree name doesn’t mean it necessarily translates into real-world skills,” says Darren Manners, who heads up the offense security operations division of Richmond-based SyCom Technologies. His unit conducts penetration testing, emulating what hackers would do to locate and eliminate system vulnerabilities. “A degree is nice, but what have you done? Have you made your own applications? Have you built different systems?”
The cybersecurity sector also has been largely dominated by white males and hasn’t done as good a job at reaching out to women and minorities, say Manners and others, resulting in a huge loss of potential talent.
Furthermore, cybersecurity pros “don’t suffer newbies very well. You’re paid for what you know. Knowledge is everything in our industry … People can be overly critical, and there’s a reason for that. Mistakes cost a lot of money. Sometimes they can cost lives. It’s one of those industries where you can really make an impact, but you can also really mess up, and I don’t think some people take to that.”
Some companies, like Northrop Grumman and SyCom, recruit students as paid interns while they’re still in high school in hopes of bringing them on as full-time employees after college. “It’s almost like we end up doing what the basketball recruiters do,” says Manners. “We’re in it for the long haul, so we understand the particular skills set that we’re after. It’s very hard to find.”
And while cybersecurity salaries in Virginia are very competitive and can range from around $70,000 to $180,000, the best cybersecurity pros aren’t in it for the money, says Northern Virginia-based cybersecurity consultant William Lumpkin, known in the cybersecurity world by his hacker handle, InfoJanitor. “A successful person in computer security is not actually pursuing the money. He’s pursuing a puzzle or some nuance he’s never seen before, and he wants to be the person to solve that … You can’t make a geek happy with money.”
When Lumpkin was a kid, he wrote an electronic Rolodex program for his mom’s insurance agent in exchange for a Commodore 128 computer. He brags about the time he defeated a client’s motion sensor security system with a paper airplane.
Problem solvers and curious minds are the types of personalities that thrive in cybersecurity, say Lumpkin and others. Take for example, Mach37 grad Tiffany Rad. Her company, Anatrope, located in the AOL Verizon incubator in Sterling, specializes in cybersecurity for vehicular systems. She holds a law degree, previously worked in cybersecurity for Cisco and Kaspersky and teaches as an adjunct professor at the University of Southern Maine. Like Lumpkin, she has presented at the DEF CON hacking conference.
Raised by her CIA agent father (who himself was a consultant for the Robert Redford film “Sneakers” about security consultants battling hackers) to learn how to pick locks and administer polygraphs, Rad possesses what may be some of the coolest cred in cybersecurity at the moment. An episode of the Golden Globe-winning cyber-thriller TV series “Mr. Robot” was based on an experiment she led in 2011 that proved that jail doors could be hacked and opened remotely. Her white paper on the topic is visible in the episode.
“We were able to make it look like all the jail doors were closed when in fact they had been open,” says Rad, noting that she also discovered that at least one prison back then had multiple vulnerabilities via internet-connected devices. “It was our worst nightmare that ‘Mr. Robot’ put [on TV] in a dramatic fashion. At the time we were worried about someone trying to coerce us into using our exploit.”
The McAuliffe administration hosted a Cyber-Physical Systems Summit in September, focused on securing autonomous systems and infrastructure, particularly in light of the growing number of connected devices being brought online with the Internet of Things.
“That’s why a lot of us have insomnia,” Lumpkin says, speaking about working in cybersecurity. “Because if you knew how vulnerable things are all the time, it would make you a little nervous too.”