Virginia Economic Review: Third Quarter 2021 by vedpvirginia

THIRD QUARTER 2021

Password

Cyber$ecurity1nV!rg!n!a

Hide Password

Strong

The Future of Cybersecurity in Virginia The Present and Future

A New Approach to

Virginia Universities

of Cybersecurity

Cyber Collaboration

Bridge Cybersecurity Gaps

Conversations With Thought Leaders Luiz DaSilva

Steve Morgan

Commonwealth Cyber Initiative

Cybersecurity Ventures

Constructed in 1949 atop Mill Mountain, the Roanoke Star has become a symbol of the city and the region. Mill Mountain Park, which surrounds the star, boasts several hiking and biking paths.

Contents 10 The Present and Future of Cybersecurity From emerging technologies to high-profile hacks, safeguarding the world’s computer networks is a major priority — and Virginia is at the forefront

16 A New Approach to Cyber Collaboration Focused on cyber defenses and talent development, the Commonwealth Cyber Initiative is cementing Virginia’s position as a global leader in cybersecurity research and innovation

30 Bridging Cybersecurity Gaps Virginia universities’ transdisciplinary research is driving digital security advancements

36 Safe Space The innovative Virginia Cyber Range is giving students in Virginia — and beyond — a chance to hone their cybersecurity skills

4 Facts & Figures 6 Selected Virginia Wins 22 Sharing Resources to Improve Cyberspace: A Conversation With Luiz DaSilva 40 Quantifying Cybercrime: A Conversation With Steve Morgan 52 Exporting Cybersecurity Services to the World 58 Regional Spotlight 66 Economic Development Partners in Virginia

46 Defense and Cybersecurity in Virginia The Commonwealth’s military presence and proximity to the federal government provide a strong talent base for cybersecurity companies

Subscribe today. Visit www.vedp.org/Virginia-Economic-Review

The U.S. National Park Service calls the hike to the summit of Old Rag Mountain in Madison County “the most popular destination in Shenandoah National Park.”

Virginia’s Leading Role in Protecting America’s Networks THE IMPORTANCE OF cybersecurity

became extremely clear to the day-to-day lives of Americans in May, when the Colonial Pipeline, which supplies nearly half of the East Coast’s fuel, was briefly rendered nonfunctional due to a ransomware attack. Any lingering perceptions of enterprise-level cybersecurity as an abstract issue were dispelled as customers waited in long lines to pay inflated prices for gas. The Colonial Pipeline hack was just one in a line of major incidents affecting U.S. businesses, government agencies, and citizens. Safeguarding the world’s computers and networks from vulnerabilities is now a major priority for citizens, governments, and businesses across the world, and Virginia is at the forefront of that effort. As arguably the birthplace of cybersecurity — dating back to the Pentagon’s Advanced Research Projects Agency Network (ARPANET) — cybersecurity professionals and companies have long been drawn to Virginia. Now home to the highest concentration of tech talent in the country, Virginia is recognized as a leader in the field, with consumer website Comparitech listing the Commonwealth as the top state in the country for information security jobs and Business Facilities Magazine recognizing Virginia as the No.1 cybersecurity leader in the U.S.

In this issue of Virginia Economic Review, we highlight the cybersecurity industry in Virginia and beyond, including the factors driving cyberattacks and corporate responses; the vital cybersecurity research and talent development underway at Virginia universities and the partnerships forged through the innovative Commonwealth Cyber Initiative; the practical cybersecurity training provided through the Virginia Cyber Range; and how Virginia’s defense community intersects with the cybersecurity industry. Also included inside are discussions with Commonwealth Cyber Initiative Executive Director Luiz DaSilva and Steve Morgan, founder of Cybersecurity Ventures and editor-in-chief of Cybercrime Magazine. We hope you enjoy this look at Virginia’s leading role in a growing, vital industry.

Best regards,

Stephen Moret President and CEO, Virginia Economic Development Partnership @StephenMoret

Facts Figures

Cybersecurity Workforce

State for Cybersecurity Employment

1 2

on East Coast

in United States CyberSeek, 2021

Comparitech, 2021

2021

1 1

# # 4

S TAT E R A N K I N G S R E P O RT

Best Business Climate

Cybersecurity Leaders

1 2

# #

Tech Talent Pipeline

Customized Training

Top 5 Location Quotient, Cybersecurity 1. Virginia, 5.4 2. Hawaii, 3.7 3. Colorado, 3.0 4. Alaska, 2.5 5. Rhode Island, 2.4 (tie) North Dakota, 2.4 (tie) CyberSeek, 2021

1 1

NORTHERN VIRGINIA /D.C. METRO

Top Rated Tech Talent Markets in North America CBRE, 2021

Cybersecurity Talent Discovery Cyber FastTrack, 2019

WASHINGTON, D.C. METRO AREA

Black Tech Workers (Net Employment) Cyberstates.org, 2021

Best Online Masters in Information Technology Programs U.S. News & World Report, 2021

Best Colleges With Computer and Information Systems Security Degrees in America Niche, 2021 5

Selected Virginia Wins Modine Manufacturing Company, a diversified global leader in thermal management technology and solutions, will invest $7 million to establish a manufacturing facility in Rockbridge County in the Shenandoah Valley. The company will convert its former warehouse facility in the county into an operation producing highly engineered data center cooling solutions. Virginia competed with several states for the facility, which will create 60 new jobs. Headquartered in Racine, Wisc., Modine Manufacturing specializes in thermal management systems and components. With $2 billion in revenues in 2020, the company has operations in North America, South America, Europe, and Asia. The company has operated a manufacturing facility in Rockbridge County since 1963, employing more than 260 people. Support for Modine Manufacturing’s job creation will be provided by the Virginia Talent Accelerator Program, a workforce initiative created by VEDP in collaboration with the Virginia Community College System and other higher education partners. Launched in 2019, the program accelerates new facility start-ups through the direct delivery of recruitment and training services that are fully customized to a company’s unique products, processes, equipment, standards, and culture. All program services are provided at no cost to qualified new and expanding companies as an incentive for job creation.

This site was selected as a result of the capabilities of the workforce, both hourly and salaried, and our confidence in their ability to quickly and safely begin producing high-quality HVAC solutions for our data center customers. NEIL BRINKER CEO, Modine Manufacturing Company

Selected Virginia Wins Central Virginia

Middle Peninsula

Southern Virginia

Jobs: 22 New Jobs CapEx: $9.1M Locality: Fluvanna County

CapEx: $182M Locality: King William County

Jobs: 45 New Jobs CapEx: $6.4M Locality: City of Danville/ Pittsylvania County

Stewart Tool Company Inc.

Greater Richmond CarLotz

Jobs: 192 New Jobs Locality: City of Richmond

Red River Foods, Inc. Jobs: 60 New Jobs CapEx: $16.5M Locality: Henrico County

SimpliSafe

Jobs: 250 New Jobs CapEx: $3M Locality: Henrico County

Hampton Roads

Nestlé Purina PetCare

New River Valley Xaloy

Jobs: 35 New Jobs CapEx: $1.75M Locality: Pulaski County

Northern Virginia Guidehouse

Southwest Virginia

Jobs: 162 New Jobs CapEx: $1.8M Locality: Fairfax County

StarKist Co.

Kristi Corporation

Shenandoah Valley

Lyon Shipyard

Walraven, Inc.

Ridgeline International, Inc.

Dante Valve Company

Jobs: 10 New Jobs CapEx: $1.1M Locality: City of Suffolk

Jobs: 58 New Jobs CapEx: $12.8M Locality: Patrick County Jobs: 46 New Jobs CapEx: $7.2M Locality: City of Danville/ Pittsylvania County

SPARC Research

Jobs: 40 New Jobs CapEx: $1.9M Locality: City of Norfolk

Prolam, LLC

Jobs: 900 New Jobs CapEx: $12.7M Locality: Fairfax County

Breeze Airways

Jobs: 116 New Jobs CapEx: $5.2M Locality: City of Norfolk

MEP Ltd.

Jobs: 16 New Jobs CapEx: $2.5M Locality: Fauquier County Jobs: 83 New Jobs CapEx: $3.6M Locality: Fairfax County

SunCoke Energy, Inc.

Jobs: 100 New Jobs CapEx: $50M Locality: Buchanan County

Virginia’s Gateway Region AMPAC Fine Chemicals Jobs: 156 New Jobs CapEx: $25M Locality: City of Petersburg

SIBO GROUP

Jobs: 24 New Jobs CapEx: $2.6M Locality: City of Harrisonburg

Jobs: 119 New Jobs CapEx: $24.4M Locality: City of Norfolk

MI Technical Solutions

Roanoke Region

Jobs: 10 New Jobs CapEx: $520K Locality: City of Chesapeake

New River Valley

Southwest Virginia I81-I77 Crossroads

Northern Shenandoah Valley

Washington, D.C. Northern Virginia

Shenandoah Valley Central Virginia

Greater Fredericksburg

Northern Neck

Middle Peninsula Greater Richmond Lynchburg Region

Eastern Shore South Central Virginia

Southern Virginia

Virginia’s Gateway Region

Greater Williamsburg

Hampton Roads

THE PRESENT AND FUTURE

OF CYBERSECURITY

Password

Cyber$ecurity1nV!rg!n!a Strong

Hide Password

2021 STARTED OFF WITH A CYBERSECURITY BOOM:

The White House officially blamed Russia for the SolarWinds hack, where its foreign intelligence service compromised a software supply chain to spy on thousands of targets, from Microsoft and FireEye to the U.S. Departments of Commerce and Homeland Security. In April, the stolen data of 533 million Facebook users was leaked online. And in May, the Colonial Pipeline — a privately operated pipeline providing about 45% of the East Coast’s fuel — was rendered nonfunctional due to a ransomware attack. These recent incidents affecting U.S. government agencies, businesses, and citizens have only underscored the urgency of cybersecurity. Data breaches continue to strike banks and hospitals, government records offices, and social media firms. Criminals deploy ransomware attacks with increasing frequency, encrypting organizations’ data and holding it hostage. All the while, nation-states are developing more sophisticated cyber intrusion capabilities as many sectors continue to underinvest in protecting their systems and data. The COVID-19 pandemic has only increased Americans’ internet use and dependency, with remote work, schooling, health care visits, and social interactions taking place online more than ever before. The Biden administration has made cybersecurity a priority, from a recent summit with Russian President Vladimir Putin, to newly established White House positions, to a May executive order calling for the federal government to improve its efforts to “identify, deter, protect against, detect, and respond to these actions and actors.” Within this national landscape, Virginia continues to expand its cybersecurity sector and cement its role in fostering next-generation cybersecurity talent, techniques, and technologies. The more digitized the country — and the more digitally dependent its population — the more important this leadership becomes.

WITH GREAT CONNECTIVITY COMES GREAT RISK The cyber threat landscape is becoming more complex due to more widely deployed technologies, new attack vectors, and ever-more-sophisticated threat actors. One of the most significant cyber revolutions is the internet of things (IoT) — internet-connected devices, typically with less computing and battery power than a standard computer, deployed in everything from toasters to electrical grids. These IoT systems are increasingly entering not just houses and cars, but also public squares, government buildings, and private sector workplaces. Across the country, Americans are joining the IoT fray: market analytics firm Statista places 2020 U.S. IoT spending at nearly $750 billion. That figure appears to be predominantly consumer- and private sector-driven; Gartner estimates that the U.S. government spent $15 billion in 2020 on IoT devices, for applications ranging from street lighting, to police surveillance, to toll management. According to Deloitte’s 2021 Connectivity and Mobile Trends Survey, 66% of American households now have smart devices. By all accounts, connecting everything to the internet is hardly a fad. The market research firm IDC predicts that global IoT spending will have a compound annual growth rate of 11.3% over the 2020–2024 period, translating into trillions more to be spent on these technologies.

With each new connection, however, comes increased security risk. IoT devices link previously offline or noninternet-connected systems to the global web, making it possible for hackers to now target those devices from anywhere in the world. Compounding this problem is the often-poor security baked into these devices from the outset: weak encryption, easily guessable default passwords, and other major security issues. Citizens and consumers will feel these harms personally. Hijacked thermostats and smart fridges could malfunction and make it impossible to use home appliances. Hacks of connected insulin pumps and heart monitors only increase the potential for cyberattacks to cause real-world physical harm. Information collected by these devices contributes to future data breach risks as well. This is the motivation behind Virginia’s new statewide IoT cybersecurity contest open to college faculty, graduate students, and undergrads: designing new cybersecurity protections for connected devices. The Commonwealth Cyber Initiative also funds research projects dealing with security for these devices. Yet these changes, and risks, are not confined to the home. Industrial and manufacturing facilities — from energy grids and oil pipelines to vehicle factories and water treatment plants — are digitizing their business functions, too. In the process, many so-called industrial internet of things (IIoT) devices link

THE PRESENT AND FUTURE OF CYBERSECURITY

ENTERPRISE CYBERSECURITY MARKET SEGMENTS

Pre-compromise Identify

Protect

Post-compromise Detect

Respond

Recover

IoT/IIoT Security

Devices

Asset & Device Management

Applications

Identity & Access Management

Endpoint Security

Mobile Security

Endpoint Threat Detection

Application Security

Web Security

Email Security

Continuous Network Visibility

Network & Cloud Security

Network Threat Detection

Penetration Testing

AI Threat Intelligence

Cloud Configuration/ Hybrid Configuration

Network

Data Privacy

Data

Data Labeling/Data Management

Data Encryption

Data Rights Management

Data Backup & Recovery Solutions

Cryptography Insider Threats

Users

User & Permission Control Management

Phishing & Ransomware Prevention

Behavioral Analytics Fraud Detection

Process

Compliance Management

Security Orchestration & Operations Management

Source: Adapted from Sounil Yu, “Understanding the Security Vendor Landscape Using the Cyber Defense Matrix,” as shown in OMERS Ventures, “Cybersecurity: Industry Overview, Market Map, Global Investments,” 2019

THE PRESENT AND FUTURE OF CYBERSECURITY

U.S. INTERNET OF THINGS SPENDING

OVERALL:

GOVERNMENT:

$15B

$750B

Source: Gartner; Statista

these physical systems directly to the internet. Market research firm Juniper Research, for instance, predicted that IIoT connections would rise from 17.7 billion in 2020 to 36.8 billion in 2025, representing a massive public and private investment in this technology. Connecting industrial systems online is compelling to businesses. The operator of a water treatment plant can get real-time data from chemical sensors; safety personnel on a factory floor can remotely deactivate machinery from their devices. Digitizing old, clunky industrial systems promises cost reduction for companies alongside potential gains in safety and system control. More connectivity brings more risk, and a rapidly growing market offers protections for these systems that manipulate the physical world.

SHIFTING THREAT VECTORS Newfound connectivity is not the only problem facing digitally connected citizens, businesses, and government agencies. Cybercriminals’ growing use of ransomware — which infects computers, encrypts data, and holds it hostage until victims fork over cryptocurrency ransom — is likewise shifting the cybersecurity landscape.

The nonprofit Institute for Security & Technology’s Ransomware Task Force wrote in its April 2021 report that ransomware “has disproportionately impacted the healthcare industry during the COVID pandemic, and has shut down schools, hospitals, police stations, city governments, and U.S. military facilities.” The East Coast’s major fuel pipeline, the Colonial Pipeline, was struck by a ransomware attack earlier this year, after which Virginia declared a state of emergency. Fairfax County Public Schools, Virginia’s largest public school system, was itself hit with a ransomware attack in the fall of 2020. Taking advantage of outdated, possibly unpatched systems is a serious problem as well. “Advanced persistent threats are using not only novel new techniques, but also older exploits that can prey on outdated technology to exploit public and private sector networks,” said Adam Maruyama, manager, customer success and federal practice lead for the Cortex Xpanse platform at Palo Alto Networks in Arlington.

TRACKING AND RESPONDING TO CYBER THREATS Business and government agencies increasingly need to track and respond to these cyber threats. It’s why threat

intelligence, network defense, and incident response needs have driven a rapidly expanding national cybersecurity services market. Nationally, firms like FireEye, CrowdStrike, and Palo Alto Networks have rapidly grown in recent years to service clients across public and private sectors. Virginia serves as a key nexus for this work. The Commonwealth has more than 650 cybersecurity companies in its borders, the most per capita in the country, according to the CyberVA Commission. Virginia-based cybersecurity professionals span private companies, universities, the nonprofit sector, and the United States defense and intelligence communities. Consumer website Comparitech recently listed Virginia as the top state in the country for information security jobs. It’s not just companies and government agencies. FS-ISAC — the global cyber intelligence-sharing organization for the financial sector — is headquartered in Fairfax County. The nonprofit Global Resilience Federation that connects many cyber intelligence-sharing communities, and which grew out of FS-ISAC, is also based in Fairfax County; its members span five continents and numerous critical industries.

THE PRESENT AND FUTURE OF CYBERSECURITY

INDUSTRIAL INTERNET OF THINGS CONNECTIONS

2020:

17.7B

2025(E):

36.8B

Source: Juniper Research

Virginia is uniquely positioned to facilitate and host collaboration between the federal government and industry. Government and industry need to get better at aligning in the fight. Virginia is the place where that alignment is happening. ERNIE MAGNOTTI Chief Information Security Officer, Leonardo DRS

“Virginia is uniquely positioned to facilitate and host collaboration between the federal government and industry,” said Ernie Magnotti, chief information security officer at Leonardo DRS. “Government and industry need to get better at aligning in the fight. Virginia is the place where that alignment is happening.”

FOSTERING CYBER TALENT Flashy new cyber defense technologies, however, mean little without humans to manage and improve them — and without personnel focusing their time and talents on the constant battle of maintaining strong cybersecurity. In short, none of this works in the absence of cyber talent. (ISC)2, a membership association of certified cybersecurity professionals, estimated that cybersecurity industry growth would create 4 million unfilled jobs around the world by 2022. This high

demand and low supply persist in the United States — a full-on talent shortage. Government agencies, companies, universities, and nonprofits are moving to close this gap. Investing in the cybersecurity talent pipeline can yield large payoffs for employers who need the skills; universities, conversely, can send graduates into well-paying jobs in a growing field. Not to mention that investing in the future cyber workforce helps boost the economy and protect citizens, companies, and the country. The Information Systems Security Association and the analysis firm Enterprise Strategy Group found in a 2017 report that the cyber skills shortage was exacerbating the data breach problem: There weren’t enough cybersecurity staff, and non-cybersecurity staff weren’t adequately trained. As universities across the country launch their own cybersecurity and cybersecurity policy programs — from

THE PRESENT AND FUTURE OF CYBERSECURITY

As a growing tech hub and the seat of much of the U.S. government’s military and intelligence presence, the Commonwealth is uniquely positioned to improve cybersecurity by fostering businesses that can make the internet a safer place through private-public partnerships and workforce exchanges. ADAM MARUYAMA Manager, Consumer Success and Federal Practice Lead, Palo Alto Networks

smaller community colleges to large research universities — so have those in Virginia. The Commonwealth created the Tech Talent Investment Program, a $2 billion initiative to double the number of graduates in computer science and related fields. Today, the University of Virginia offers numerous cybersecurity classes. Its undergraduate cyber team also won its third National College Cyber Defense Competition in 2020, sponsored by Raytheon. George Mason University launched a new cybersecurity engineering department that same year, and the University of Richmond has continued offering its online cybersecurity boot camp through the COVID-19 pandemic. See page 30 for more on cybersecurity research at Virginia universities. “As a growing tech hub and the seat of much of the U.S. government’s military and intelligence presence, the

Commonwealth is uniquely positioned to improve cybersecurity by fostering businesses that can make the internet a safer place through private-public partnerships and workforce exchanges,” Maruyama said.

BUILDING A CYBER-RESISTANT FUTURE Investment in cybersecurity is only growing. Crunchbase reports that venture capital investors poured nearly $8 billion into cybersecurity deals globally in 2020, with U.S. companies receiving over 76% of that funding. The Biden administration, meanwhile, has already asked Congress for a $10 billion commitment in spending on civilian cybersecurity programs. $750 million of that, for instance, would go toward “lessons learned” from the SolarWinds hack. Members of the Cyberspace Solarium Commission recommend hundreds of millions be spent on the

Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security. All told, connectivity is increasing, and threats along with it — but so is public and private investment in a more secure, resilient digital future. “We’ve seen a lot of bad news about the state of the internet and cybersecurity, but I want to remind people that the internet can also be a force for economic, social, and political growth,” Maruyama said. Cybersecurity threats will never go away. Nor will the broad economic, social, and national security risks of online connectivity. But the many benefits, opportunities, and potential futures offered by new technologies — from smart health devices to cloud computing — mean cybersecurity will continue to be an increasingly critical part of building a safer digital world.

The Cyber Living Innovation Lab at George Mason University houses robotic platforms to evaluate 5G performance and a fleet of driverless cars that provide experiential learning experiences for students.

A New Approach to Cyber Collaboration Focused on cyber defenses and talent development, the Commonwealth Cyber Initiative is cementing Virginia’s position as a global leader in cybersecurity research and innovation

2020 SAW A number of records broken

when it comes to the amount of data lost in cyberattacks. Damages from these attacks are projected to carry a global cost of $6 trillion annually, up from $3 trillion in 2015, reports Cybersecurity Ventures — and it’s only going to go up from here. “With the explosion in the use of artificial intelligence and more and more devices like drones and sensors being connected to the network, the threat surface also expands,” said Luiz DaSilva, executive director of the Commonwealth Cyber Initiative (CCI), a state-backed network that supports collaborative research across universities, government entities, and private industry. “We need to harden our systems to defend against a whole new generation of attacks.”

Strengthening Virginia’s approach to cybersecurity against these new types of attacks is one part of the mission driving CCI. The program was established in 2018 to secure Virginia’s place as a global center of excellence for research and innovation around cybersecurity technologies. Research supported by the initiative is seeking to expand innovation and entrepreneurship around autonomous systems, artificial intelligence (AI), 5G applications, and entirely new approaches to cybersecurity. “CCI researchers have been working on preventing and defending against a number of attacks on our critical infrastructure, from the power grid to agriculture to communication networks,” DaSilva said.

As for the other component of the initiative’s mission? It’s all about ramping up talent development within the Commonwealth to support the tremendous demand for cybersecurity expertise.

REGIONAL FOCUS, COLLABORATIVE APPROACH CCI’s cybersecurity research spans a wide range of topics, some well beyond a traditional IT approach. To date, CCI has funded more than 30 research proposals through multimillion-dollar cybersecurity research collaboration grants. Researchers are investigating cybersecurity needs in terms of new technologies, but they’re also exploring these needs through unique regional lenses.

A N E W A P P R O A C H TO C Y B E R C O L L A B O R AT I O N

Commonwealth Cyber Initiative Higher Education Network The Commonwealth Cyber Initiative consists of 40 institutes of higher education, organized through four regional nodes across Virginia and Washington, D.C.

Node Leads Regional Node Institutions Northern Virginia Node Southwest Virginia Node Central Virginia Node Coastal Virginia Node

Lead: Virginia Tech New River Community Southwest Virginia Community College College University of Virginia’s College at Wise Mountain Empire Community College

Virginia Western Community College Radford University

Wytheville Community College Virginia Highlands Community College New College Institute

A N E W A P P R O A C H TO C Y B E R C O L L A B O R AT I O N

Shenandoah University Marymount University Laurel Ridge Lead: Community George Mason College University

The George Washington University Northern Virginia Community College

James Madison University University of Virginia

Virginia Military Institute

Liberty University

Germanna Community College University of Mary Washington

Piedmont Virginia Community College Lead: Virginia Commonwealth University Reynolds Community College Virginia Union University Brightpoint Community College Longwood University

Danville Community College The Institute for Advanced Learning and Research

Virginia State University

William & Mary

Christopher Newport University Lead: Old Dominion University Norfolk State University Tidewater Community College Camp Community College

Thomas Nelson Community College ECPI Regent University

A N E W A P P R O A C H TO C Y B E R C O L L A B O R AT I O N

Because each region of Virginia faces different risks and unique workforce development needs, CCI has taken a Hub and Node approach to its organization. The hub, located in Arlington County, coordinates the entire network, while each of the four regional nodes are focused on a specific region. For example, cybersecurity in the maritime and defense industries is an area of focus at the Coastal Virginia node. Cybermanufacturing is of particular interest at the Northern Virginia node, leveraging nearby organizations including the Cybersecurity Manufacturing Innovation Institute and the National Association of Manufacturers. Cybersecurity for agricultural applications is a major priority for the Southwest Virginia node, which covers a largely rural corner of the Commonwealth. Virginia Commonwealth University (VCU) is the lead of the Central Virginia node, which focuses in part on medical device security — protecting internet-connected devices such as patient monitors, CPAP machines, and glucose monitors. Connected medical devices can help patients receive care that is safer and timelier, but are vulnerable to security breaches. “Many of our researchers throughout the Central Virginia region have been tackling these topics for years,” said Erdem Topsakal, director of the Central Virginia node and chair of the Department of Electrical and Computer Engineering at VCU, “but with the encouragement

of CCI, we are now working together across institutions and building strong collaborative efforts across the region and the state. These topics are having impacts on people’s lives right now. With the support of CCI, we’re able to pursue research that really makes a difference.” Gretchen Matthews, director of the Southwest Virginia node and professor of mathematics at Virginia Tech, notes that CCI Southwest-funded projects are creating experiential learning opportunities that put students at the forefront of providing cyber solutions in rural environments. “Transferring data captured by sensors for livestock, crops, and environmental assessments and autonomous and robotic systems is challenging due to networking infrastructure and limitations,” she said. As such, the node is focused on addressing networking infrastructure through designs that are sensitive to environmental and agricultural needs. A current Coastal Virginia CCI-led research initiative brings together partners from Old Dominion University (ODU), Virginia Tech, and the defense industry in developing a backdoor detection and mitigation system for the neural networks within AI-supported combat systems. Data has become a critical part of modern warfare, but greater adoption of AI means new vulnerabilities to cyberattack. Bringing together armed forces expertise with university researchers

makes an even stronger value case, because it builds critical skills among local students soon to seek employment from local defense partners. “Our students benefit from the knowledge they acquire from their internships, our business partners benefit from the ability to hire experienced graduates as well as the opportunity to access up-to-date information, and faculty and researchers benefit from the insight provided by our industrial partners,” said Brian Payne, vice provost for academic affairs at ODU and director of the Coastal Virginia CCI node. CCI is also supporting innovators in getting critical technology advancements to market. It’s scaling a program to the whole state that will provide inventors within CCI universities and colleges with bridge funding toward commercializing their inventions.

TALENT DEVELOPMENT WHERE IT’S MOST NEEDED This regional approach has also helped employers position their organizations to appeal to the local workforce. “We’ve had success in hiring systems engineers and security engineers, but struggle to find qualified software engineers,” said Tracy Gregorio, CEO at G2 Ops Inc. in Virginia Beach and a member of the CCI technical advisory board. CCI is helping each of Virginia’s regions to better compete against other states with strong technology centers by training and hiring local experts.

A N E W A P P R O A C H TO C Y B E R C O L L A B O R AT I O N

Song Li, right, an associate professor at Virginia Tech’s Center for Advanced Innovation in Agriculture, incorporates robotics and big data into his research to increase yield in production agriculture crops.

Virginia has the highest concentration of cybersecurity workers of any state — nearly five times the national average — according to the National Institute of Standards and Technology National Initiative for Cybersecurity Education’s CyberSeek tool. Even so, the Commonwealth is not immune to the talent gap affecting the rest of the country. “CCI’s objective is to ensure a sufficient supply of cyber talent, with a particular focus on diversity and multidisciplinarity, and to form professionals who have rich hands-on experience,” DaSilva said. CCI is working to incentivize students from a broader array of disciplines

to understand how their work can impact cybersecurity projects. This has meant involving faculty and students in geography, political science, and communications, among a range of other fields, including the arts. Through the Building Bridges Arts and Design Collaboration Program, CCI is specifically engaging researchers within the arts to depict the results of cybersecurity research for both scientific and creative purposes. For example, a multimedia gallery developed by Michael McDermott, assistant professor, art and graphic design, at George Mason University, will display images, audio, and text fragments taken from smartphones to demonstrate the ease

of recovering deleted data. Other projects approach technology through the lens of music, dance, and gaming. These efforts are nods to both the pervasiveness of data in all aspects of life and strategies for broadening awareness of cybersecurity beyond the traditional IT focus. “Students learn a great deal when they work with those from different institutions, programs, and backgrounds,” Payne said. “Who knows? One of their proposals might lead to the next great cybersecurity business or product. We can be assured that these students will be prepared as thinkers, communicators, problem solvers, and collaborators.”

Sharing Resources to

Improve Cyberspace A Conversation With Luiz DaSilva Luiz DaSilva is executive director of the Commonwealth Cyber Initiative (CCI) and Bradley Professor in Cybersecurity at Virginia Tech. Before coming to Virginia, he served as the director of CONNECT, a telecommunications research center at Trinity College Dublin. VEDP President and CEO Stephen Moret spoke with DaSilva about the collaborative research taking place at CCI’s member institutions and how that collaboration is positioning Virginia to set the course for the future of the internet. Stephen Moret: As you know, the cybersecurity sector is one of the biggest and fastest growing sectors in the Commonwealth of Virginia. And one of the most exciting things that’s been happening over the last few years is the development of the Commonwealth Cyber Initiative. Can you share the mission of CCI, its vision, and its structure? Luiz DaSilva: The vision of CCI is to establish Virginia as a center of excellence globally in cybersecurity and, in doing that, contribute to the economic development and diversification of our economy. We have three mission lines — research, workforce development, and innovation — and they’re all very much connected to each other. Without research, you don’t get innovation out of the universities and colleges that comprise CCI.

Workforce development is very tied in to education. We have these complementary mission lines at the intersection of cybersecurity, autonomy, and intelligence. Virginia has had the foresight to invest in this area in cybersecurity and to bring together 40 colleges and universities throughout Virginia. The combination of about 300 researchers across these 40 colleges and universities is what we call CCI. There is a hub that coordinates a lot of the programs in CCI in their overall strategy. That hub is hosted by Virginia Tech in Arlington, and that’s where I sit. Then we have four regional nodes for CCI, each hosted by a different university. In Northern Virginia, the node is hosted by George Mason University, in Central Virginia by Virginia Commonwealth University (VCU),

Virginia has a very strong university system. We have three of the top 30 public universities in the country. And it’s particularly powerful if we can bring people from across the universities to work together. The secret sauce for CCI is the ability to build these teams from across the state and not worry whether they’re Mason, UVA, or Virginia Tech. We bring together the researchers needed to do the job. LUIZ DaSILVA Executive Director, Commonwealth Cyber Initiative

in Coastal Virginia by Old Dominion University (ODU), and in Southwest Virginia by Virginia Tech. Combined, the directors of these four nodes, plus myself and the managing director for CCI, form what we call the leadership council. We set strategy and run the programs of CCI. Moret: When you think about the overall cybersecurity sector in Virginia, which is obviously a big, diverse, rapidly growing public sector, private sector — many different domains of work — how does CCI fit into that overall cyber ecosystem in the Commonwealth? DaSilva: We have the largest cyber workforce in the eastern part of the U.S. and growing. And you have tens of thousands of job openings in cybersecurity — around 50,000 is the estimate that you usually see. A big part of our mission is contributing to forming professionals who are qualified and can take on all of these functions in Virginia and help the economy grow.

The other way that we fit into the general ecosystem is by bringing together these researchers from across the different universities and colleges. Virginia has a very strong university system. We have three of the top 30 public universities in the country. And it’s particularly powerful if we can bring people from across the universities to work together. The secret sauce for CCI is the ability to build these teams from across the state and not worry whether they’re Mason, UVA, or Virginia Tech. We bring together the researchers needed to do the job. By doing that, we’re much more competitive for very large projects. We often partner with local and state agencies on initiatives. Right now, we’re partnering with Arlington County on a smart communities pilot the county is deploying. We make sure that all we do is complementary to other programs which already exist in Virginia. Moret: As I think about the field of cybersecurity, it’s grown beyond just the

internet. We’re seeing now, for example, the IoT, or the internet of things, is really exploding, creating a lot more capability, but also a lot more risk. How has IoT changed the importance of securing our connected devices? And I think more broadly as we look toward autonomous vehicles, are the stakes higher there? How are things going to be different or important relative to cyber and autonomy? DaSilva: It’s certainly true that the adoption of IoT in various sectors increases the threat surface. There are new vulnerabilities as well as new opportunities, of course, which appear once we integrate IoT into various industries. For example, you mentioned autonomous vehicles. One can imagine that an attack on an autonomous vehicle can have extremely serious safety implications. There are concerns regarding ransomware. Ransomware is very much top of mind at the moment because of recent large attacks on oil pipelines,

A C O N V E R S AT I O N W I T H L U I Z D a S I LV A

as well as hospital systems, and so on. You can imagine ransomware attacks expanding toward smart homes or IoT in general. The other issue with IoT is privacy. As you have more and more devices collecting information about the way we live, how we move around, this information needs to be secured for privacy reasons. IoT and autonomous systems being powered by and connected to the network is one of our areas of focus. We’re looking at how to better manage IoT devices — how to put them behind a virtual LAN, for example, to improve security and isolate the IoT devices, which are often less secure from the corporate network. Moret: Shortly after I think you arrived back in Virginia last year, you wrote a piece in the Richmond Times-Dispatch. You talked about how the COVID-19 pandemic might have accelerated the adoption of autonomous systems technology by a decade or more. That resonated with us because, as we’ve looked at all these economic effects of the pandemic, we think the single most powerful change is a dramatic acceleration in the digitization of business. A year later, how do you think that’s come to pass? DaSilva: It’s already clear that some technologies are accelerating because there’s this broad awareness that it’s possible to do things differently from the way we did them a year and a half ago. That, by itself, is also forcing some technologies to evolve faster. My area of expertise is wireless networks. We’re very much involved in some research regarding 5G and what’s being called 6G, the sixth generation of mobile networks. One of the drivers, in terms of application, is really a better way for us to interact with each other and to work remotely. We believe that in the future, work is going to be increasingly hybrid, with some on-site and some remote aspects. But we need the tools to also evolve, and the network to evolve, to

enable this interaction between people in a more natural way. People are starting to talk about teleportation through augmented reality, for example — a real sense of presence, even though we’re in different cities, but with an increased sense that we’re in the same room. There’s also the other side of the coin, which is that the pandemic exposed how inequalities can increase due to unequal access to network and communication infrastructure, which allows some people to be more effective than others in remote work and education, and so on. I think it’s quite clear that the communication infrastructure and the need to secure it is part of our critical infrastructure for the country — that is, to deal with some of the economic inequalities we see. We also need to work at access to these technologies that are going to be increasingly adopted for everything in our lives, from work to play. Moret: How can universities like Virginia Tech and others, and initiatives like CCI, help develop the talent needed to meet cybersecurity industry needs of the future? DaSilva: We already have some unique cybersecurity programs throughout Virginia. Mason has a Department of Cybersecurity Engineering, which is quite unique. ODU started the School of Cybersecurity. There’s a host of degree programs, from certificates all the way to Ph.D., focusing on cybersecurity. So, we start from a strong base. One thing CCI adds to that mix is experiential learning — opportunities for students to actually have hands-on experiences that complement what they see as part of their degree program. The demand is there. Students really value those opportunities, and it’s something that we can bring to the table. But then the other aspect of developing talent, I think, is recognizing that the talent won’t just come from traditional cybersecurity programs in computer science or computer engineering or electrical engineering.

We need to broaden the scope of what we think of as cybersecurity to other disciplines. Because many times the competency that’s needed requires knowledge of the domain, and not just knowledge of cybersecurity. We’re working with researchers at William & Mary in the law school, for example, looking at cybercrime and some of the legal implications of cybersecurity. We’re working with political scientists, looking at the role of cybersecurity in the spread of disinformation and misinformation. We’re working with operations researchers who are studying and modeling ransomware attacks on hospital systems and other critical systems in society. I think having this holistic view of what cybersecurity is and being inclusive of other disciplines is also very important if we are to expand the workforce to fill all this demand for professionals.

Moret: Could you elaborate on the importance of those partnerships between or among universities, not unlike CCI but even beyond that, relative to cybersecurity research? DaSilva: This is important even at the national level. I think we do a better job of bringing together experts from throughout the country and working together on this. What we’re seeing already in CCI is some large-scale projects we wouldn’t be able to engage in if it weren’t for this ability to work across universities. Recently, we were awarded a project to work with the Marine Corps Logistics Base in Albany, Ga., on the development of a pilot for a smart warehouse. It’s a very large $13 million project. And it involves researchers from five CCI universities — Mason, VCU, UVA,

ODU, and Virginia Tech. That’s a great example of something that’s enabled by CCI and this collaboration, and which wouldn’t have happened without CCI. It touches on a lot of key technologies that I think are going to be important for cybersecurity. Moret: Which research projects are you most excited about? In particular, which do you think have the greatest relevance or potential for impact relative to the near-term future of cybersecurity? DaSilva: The one I just mentioned that we’re doing for the Marine Corps. It’s a pilot project that touches on a lot of important and interesting technical questions in cybersecurity. How do you deal with positioning, especially indoor positioning? How do you integrate autonomous systems and what are sometimes called cyber-physical systems

A C O N V E R S AT I O N W I T H L U I Z D a S I LV A

in a secure way? I think they position us well to look into a lot of issues currently being examined, as well as have impact on the vision for 6G, the sixth generation of mobile networks. In CCI, we have invested in research infrastructure that’s aligned with artificial intelligence and also with next-generation communication systems. I think that project will actually contribute a lot to the understanding of how the next generation of communication systems is going to enable new things — in this case, a smart warehouse. We have invested in a number of pilot projects. These are small projects that essentially build capacity in Virginia for us so we can then go after some larger-scale projects. I would single out an investment we’re making in how cybersecurity can be used to limit the spread of disinformation and misinformation. This is a highly multidisciplinary project. There are experts from the technical side of cybersecurity — computer science, computer engineering, electrical engineering, math — but also from political science and communication and the library system. Together, they’re looking into how artificial intelligence can be used to detect the deliberate spread of misinformation and disinformation, which I think is a big concern for the country and the world.

of my graduate students for a few days of hiking. It was just beautiful. I had never been, even though I had lived in the area for a number of years. On one of those very long hikes, we didn’t see anyone for hours. In the middle of the trail, there was a black bear. It was momentarily scary, but memorable as well. To this day, I tell my students I saved them from a bear, which may not be completely true, because I think the bear just saw us and ran away. It wasn’t really interested. But it’s a story I keep repeating to new generations of students. Moret: Luiz, thank you so much again for joining us. We look forward to following your progress, as well as that of all the higher education institutions participating in the Commonwealth Cyber Initiative. We’re particularly excited about what’s coming in terms of the research, the workforce development impacts, and the innovation that’s going to come out of this effort.

The talent won’t just come from traditional cybersecurity programs in computer science or computer engineering or electrical engineering. We need to broaden the scope of what we think of as cybersecurity to other disciplines. Because many times the competency that’s needed requires knowledge of the domain, and not just knowledge of cybersecurity.

DaSilva: Thank you very much. LUIZ DaSILVA

For the full interview, visit www.vedp.org/Podcasts

Executive Director, Commonwealth Cyber Initiative

Moret: I’m very excited and bullish about the work you’re doing, that CCI is doing, and that each of the participating institutions are doing in Virginia. It’s exciting on multiple fronts. You touched on them, but research, workforce development, innovation, we’re already seeing a lot of impact coming out of CCI. But to end on a personal note, what are your favorite places to visit in the Commonwealth of Virginia? DaSilva: There’s one particular trip that became very memorable to me. A couple of years ago, I went to Shenandoah National Park. I took a few

Airplane Rock on Cumberland Mountain in Dickenson County got its name from a 1965 plane crash that landed about 20 feet below the rock. Today, the overlook at the rock is one of several spots providing scenic mountain views on Route 611.

Virginia universities’ transdisciplinary research is driving digital security advancements

The world’s increasing connectivity offers more opportunity for cybercriminals. The FBI’s 2020 Internet Crime Report cited a 69% increase in complaints of suspected cybercrimes. Globally, the cost of cybercrime exceeded $1 trillion last year, according to research from McAfee Corp. Mirroring this growth in connectivity and cyber risk is a swell in research from Virginia universities exploring innovative approaches to cybersecurity. Researchers are exploring the gaps left in the fast pace of technology development. An added bonus of this university-driven research: the development of a savvy workforce ready to fill the nation’s projected 3.5 million cybersecurity job openings. 30

V I R G I N I A

T E C H

SUPPORTING CYBERSECURITY POLICY AND PRACTICAL APPLICATIONS Understanding the motivation behind cybercrimes is critical in developing policies that support cybersecurity. That’s the approach being taken by research bridging both computer and political science at Virginia Tech. Eric Jardine, an assistant professor in the university’s department of political science and deputy director of dark web initiatives for its recently launched Tech4Humanity Lab, is examining the effects of media coverage around drug market closures on the ensuing level of dark web searches for drug-related activity. “Basically, when the media talks about the closure in deterrent terms — ‘We caught them, we want to punish them, they’re going to jail for life,’ etc. — that tends to suppress dark web traffic to a degree,” Jardine said. “When they talk about some of the more sensational elements, like ‘We found millions of dollars,’ or ‘There are exotic parrots for sale,’ that actually tends to have an opposite effect.” This is one of many issues with which researchers at the Tech4Humanity Lab are grappling. The lab provides a space where students can immerse themselves within the advanced technologies they’re studying. Jardine sees this transdisciplinary space as critical in driving better understanding between two fields that have traditionally approached cybersecurity problems with very different modes of problem solving. Understanding patterns in cybercrime can have tremendous impact on how governments can create policy-driven responses. Other Virginia Tech researchers are working on real-world cyber concerns like modernization of the national utility grid. A current project is exploring strategies to support power grid operators’ shift to 5G communications. Power grid operators use communication tools for several applications, from coordinating protection across transmission lines, to transferring line status to control centers, to ensuring substation automation and operation of remote-controlled devices.

At Virginia Tech’s Tech4Humanity Lab, Assistant Professor Eric Jardine, left, is researching the connections between cybersecurity and policy.

“Because of this embedded communication, as a critical infrastructure that sustains other services, the energy sector has become a major target of cyberattacks,” said Ali Mehrizi-Sani, associate professor in the university’s Bradley Department of Electrical and Computer Engineering and its Power and Energy Research Center and principal researcher on the project. The current practice is to use proprietary communication tools to address security concerns, but this approach lacks interoperability with other systems and limits expansion. 5G is viewed as a game changer in many ways because it enables higher connection speeds among communication tools, lower latency, and slicing — the division of network connections into multiple virtual connections to better allocate resources to different types of traffic, allowing multiple applications to simultaneously use the same physical communication infrastructure with unique performance requirements. At present, Virginia Tech researchers are testing strategies to reduce latency in network signals, where the industry standard currently sits around 10 milliseconds on 5G and Wi-Fi. The team has gotten those delays down to around seven milliseconds in trials, working toward an industry goal of one millisecond — a development that will aid the usability of autonomous vehicles, factory robots, and virtual reality.

BRIDGING CYBERSECURITY GAPS

G E O R G E M A S O N U N I V E R S I T Y INTEGRATING UPFRONT CYBERSECURITY IN ADVANCED TECHNOLOGIES Internet of things (IoT) connectivity is new and growing fast, so it’s no wonder connected devices present significant vulnerabilities. Some of this risk stems from a lack of upfront security integration encompassing both hardware and software systems. This gap is where cybersecurity engineering comes into play. Cybersecurity engineering focuses on embedding integrated security solutions during system development. Peggy Brouse, director of the Cyber Security Engineering UG Program and professor of systems engineering and operations research at George Mason University (GMU) in Fairfax County, worked with industry partners to develop the first-in-the-nation cybersecurity engineering degree because of the need for a stronger emphasis on vulnerability analysis before cyberattacks occur. “You’re never going to completely solve the [cybersecurity] problem, but a lot of what’s going on with regard to hacks and ransomware could have been prevented if there had been a vulnerability analysis and mitigation strategies put in place,” Brouse said. While manufacturers are achieving new levels of production efficiency through IoT-driven advancements, these facilities are one of the top targets for cybercriminals. One issue: A piecemeal approach to technology deployment makes these systems particularly vulnerable. To counter one common type of cyberattack that leverages some IoT devices’ low levels of computing power and battery life, four GMU researchers recently received a $1.6 million U.S. Defense Advanced Research Projects Agency grant to create a low-energy security architecture for different types of IoT devices. GMU researchers are applying similar insights into a number of projects, including the CCI-backed Cyber Living Innovation Lab and an initiative for the Cybersecurity Manufacturing Initiative Institute (CyManII), funded by the U.S. Department of Energy (DOE). The university leads the East Coast headquarters for CyManII and, along with

The Cyber Living Innovation Lab at George Mason University’s Arlington campus, an initiative of the Commonwealth Cyber Initiative’s Northern Virginia node, focuses on research into 5G performance and security vulnerabilities.

Virginia Tech, serves as a managing member of the $111 million public-private partnership launched in November 2020, while Virginia Commonwealth University is a strategic member. GMU researchers are playing leading roles within CyManII in developing technical approaches to secure the manufacturing supply chain and improve cybersecurity within individual manufacturing sites. Other major initiatives from GMU researchers include: ◾ The Rapid Prototyping Research Center, aimed at establishing GMU as the country’s premier Command, Control, Communication, Computer, Cyber, and Intelligence (C5I) education and research institution serving U.S. Department of Defense and intelligence community stakeholders. The center is focused on integrating new and emerging technologies into existing infrastructures to help speed up the prototype acquisition process to solve battlefield communications challenges and other infrastructure issues. ◾ The Criminal Investigations and Network Analysis Center, a multidisciplinary academic consortium aimed at improving criminal network analysis, forensics, and investigative processes to counter transnational criminal activities in the physical and cyber spaces. Research is conducted across several GMU colleges and partner institutions, including Virginia Tech. ◾ Research into the capacity and security of the communications systems by which autonomous vehicles transmit and receive information.

BRIDGING CYBERSECURITY GAPS

R A D F O R D U N I V E R S I T Y ENGAGING FACULTY IN CYBERSECURITY EDUCATION ACROSS DISCIPLINES Expanding cybersecurity education to encompass additional disciplines offers tremendous value, but requires that transdisciplinary faculty understand how to address cybersecurity through their unique lenses. Providing faculty with the tools and skillsets necessary to teach cybersecurity through a broader perspective is a focus for researchers at Radford University’s Center for Information Security (CIS). Students and researchers at Radford University have focused on areas including the security of internet of things smart home devices.

“Most of our research is on either building engaging curriculum to excite students who probably haven’t heard of cybersecurity, or to help teachers get over the learning curve in order to learn and teach cybersecurity,” said CIS Director Prem Uppuluri. Through grants from the National Security Agency, Radford also develops curriculum to teach cybersecurity to K-12 teachers in Virginia. Helping these teachers engage students of all ages in cybersecurity education has two important implications. First, it makes cyber-awareness and security skills second nature to a generation of students growing up as digital natives. Second, it significantly expands awareness of cybersecurity careers to meet the demand for these skillsets. Radford researchers are taking a wide range of approaches to providing this education. For example, Radford IT professor Jeff Pittges is working with a team led by ODU professor Kevin Moberly in developing a gamified mobile app for cybersecurity education. Additionally, Radford’s cyber range is being adapted to support research on securing IoT devices. Toward this end, Uppuluri is working with students and researchers from the Universidade Federal de Pernambuco in Brazil to build a novel pedagogical lab nicknamed the “Hack House.” The house simulates a smart home environment equipped with IoT devices such as smart thermostats or smart door locks. Partially backed by a Commonwealth Cyber Initiative (CCI) grant, his team is researching and developing tools that will help researchers and educators co-relate network data across heterogenous IoT devices.

Peter Foytik, left, and his colleagues at the Virginia Modeling, Analysis, and Simulation Center at Old Dominion University are researching cyber threats to U.S. infrastructure and industrial control systems.

O L D D O M I N I O N U N I V E R S I T Y BUILDING RESILIENCY INTO VIRGINIA INFRASTRUCTURE The Colonial Pipeline ransomware attack that shut down the largest fuel pipeline in the United States in April may have been a surprise to consumers, but not to cybersecurity researchers at Old Dominion University (ODU) in Norfolk. Since 2016, these researchers have been working to develop technologies to protect infrastructure from cybercrimes through the DOE-funded Cyber Resilience Energy Delivery Consortium. As part of this $28 million initiative, ODU researchers are studying security risk assessment and software-defined networking for detection and classification of the impact of attacks on energy delivery systems.

One of those critical infrastructure components sits right in ODU’s backyard. Shetty is working to develop 5G security and privacy mechanisms for the Virginia Port Authority’s (VPA) connected vehicles. Like many organizations today, VPA is looking to reap the advantages of IoT connectivity, which allows organizations to achieve significant efficiency improvements based on data. To achieve the speed and bandwidth needed to support IoT devices and track vehicles across Norfolk International Terminals (NIT), VPA is working to deploy a private 5G network infrastructure.

“A misconception is that you can stop the attack,” said Sachin Shetty, associate director of the Virginia Modeling, Analysis, and Simulation Center, and associate professor in the Department of Computational Modeling and Simulation Engineering at ODU. “You’re not going to stop it, but can you be resilient? Can you survive it? Can you operate?”

NIT has the capacity to process more than 1 million containers annually, and data gathered by tracking trucks can drive tremendous efficiencies in asset management and dynamic route planning, among other areas. However, securing the massive amounts of data being transmitted across new 5G infrastructure is critical. Marine Log reports that maritime industry cyberattacks increased by 900% from 2017 through 2020, and new infrastructure means potentially opening The Port of Virginia to new risks.

It’s from this perspective that Shetty is also leading ODU research for the Department of Homeland Security-funded Critical Infrastructure Resilience Institute, a five-year, $20 million research effort into strategies to enhance the resiliency of the nation’s critical infrastructure.

With support from collaborators at George Mason University, the University of Virginia, and Virginia Tech, ODU is developing a 5G security enhancement platform prototype that will incorporate machine learning mobility-aware security and an artificial intelligence-assisted trust management system.

BRIDGING CYBERSECURITY GAPS

Cyber intelligence awareness forms a connection between the business and technical perspectives. That’s the beauty of it. It’s a common language between CEOs, CIOs, and CISOs that helps them communicate. MARY LOU BOURNE Director of Technology Innovation and Economic Development, James Madison University

J A M E S M A D I S O N U N I V E R S I T Y IDENTIFYING THE HUMAN MOTIVATION BEHIND CYBERCRIME When the COVID-19 pandemic spurred a huge jump in remote work in 2020, ransomware attacks in North America leapt by 158% compared to the prior year, according to security provider SonicWall. Part of this growth stems from the ease of deploying such an attack today through an evolving “ransomware as a service” model. “You don’t need to have any technical skills — you just go on the dark web and use available technology to attack companies,” said Mary Lou Bourne, director of technology innovation and economic development at James Madison University (JMU) in Harrisonburg. This ease of access means it’s become increasingly critical for organizations to not only address the technical side of cybersecurity, but to also identify the human motives behind these attacks. Understanding the motive can help organizations determine how to prioritize security measures. This intersection between business risk and technical response is at the heart of JMU’s one-year graduate certificate program in cyber intelligence, one of the first such programs in the country. By understanding vulnerabilities and prioritizing solutions based on need, organizations can make stronger decisions on how to address risk.

JMU is one of the seven original National Centers of Academic Excellence in Cyber Defense Education, managed by the National Cryptologic School at the National Security Agency. The university was one of the first in the country to offer a master’s degree in information security — a degree that dates back to 1997, when the first students graduated with master’s degrees in computer science with a concentration in information security. JMU has prioritized education that engages students beyond traditional computer science and technology disciplines. Bourne finds that cyber intelligence certificate holders tend to have a passion for puzzle solving or aptitude for pattern recognition and may come from backgrounds in psychology or communications. JMU researchers are applying these skillsets to a broad range of research initiatives, including improving security for autonomous cars and other intelligent transportation solutions, and securing IoT-connected devices to support healthcare asset management and COVID-19 contact tracing. “Cyber intelligence awareness forms a connection between the business and technical perspectives. That’s the beauty of it,” Bourne said. “It’s a common language between CEOs, CIOs, and CISOs that helps them communicate about the risk of cyberattacks and what to do to prevent them from a business standpoint.”

SAFE SPACE The innovative Virginia Cyber Range is giving students in Virginia — and beyond — a chance to hone their cybersecurity skills

etween 2010 and 2014, the U.S. cybersecurity job market showed significant growth; job postings for positions within the industry increased 91%, according to data compiled by analytics software provider Burning Glass Technologies. States across the country have struggled to find qualified professionals to fill those roles. In 2014, Virginia had the second-highest number of cybersecurity-related job postings of any state — 20,276, a 38% increase from 2010. Nearly a third of the cybersecurity jobs in the Commonwealth, though, were unfilled at the time, according to Virginia Cyber Range Director David Raymond, Ph.D. In response, the Commonwealth established a cyber commission, which made a number of strategic planning-related recommendations — including one that led to the 2016 creation of the

Cyber Range, a cloud-hosted platform designed to give students in the state practical cybersecurity learning experience.

REAL-WORLD GUIDANCE Through realistic labs and exercises performed in virtual environments, the Cyber Range serves as a training ground for high school and college students to practice activities associated with safeguarding network systems, such as securely configuring operating system access. In addition to course materials written by Virginia educators, the virtual cloud-based platform, which is overseen by an executive committee comprising public institutions within the Commonwealth, is available at no cost to Virginia public schools, both K-12 and universities. Students can access its cybersecurity exercises via essentially any computer with a web browser and internet connection — whether they’re on a campus, at home, or in another location.

XXXXXXXXXXX

The Virginia Cyber Range holds competitions at its events to sharpen students’ cybersecurity skills. Its last in-person competition was Commonwealth Cyber Fusion 2020, held at Virginia Military Institute in Lexington in February 2020.

We tell educators: If you’re going to have a cybersecurity class, like any technical instruction, you have to have a hands-on experience along with it, or it’s not going to be very interesting or educational. DAVID RAYMOND, Ph.D. Director, Virginia Cyber Range

The program “is really about talent development,” said Raymond. “We tell educators: If you’re going to have a cybersecurity class, like any technical instruction, you have to have a hands-on experience along with it, or it’s not going to be very interesting or educational.” After a spring 2017 pilot to test the Cyber Range platform that involved roughly 250 Virginia Tech and George Mason University students, high schools began using the program materials in the following fall semester. Since the Cyber Range’s launch, its content has grown to include more nuanced topics, such as web application security. The platform, which initially included three network environments, now sports a menu of roughly two dozen. “In the early stages, they were doing things like firewall configuration, password audits, and server hardening,” Raymond said. “Now they’re doing penetration testing and advanced digital forensics exercises. We

have a variety of different environments [with] three to four virtual machines in a network, where the student is not only operating on a single host, but in an environment [where they] can do much more advanced exercises.” Students may, for example, have a network penetration activity where they’re asked to view the contents of a file on a system they’re not supposed to be able to access. Educators can also fashion Capture the Flag events that let students demonstrate their cybersecurity knowledge in a competitive game — something GMU Cybersecurity Engineering Associate Professor Mohamed Gebril, Ph.D., says students in his classes have enjoyed participating in. “I will assign a challenge — it can be anything. I can give them a file of maybe capturing network packets, and I want to see what type of network verticals were used, or whatever the case may be,” Gebril said. “Whoever gets the answer first captures that particular flag, and they will get an award for that.”

XXXXXXXXXXX

Old Dominion University competed in the Cyber Cup at Cyber Fusion 2020 against teams including Danville Community College, Marymount University, Northern Virginia Community College, Radford University, Regent University, the University of Virginia, Virginia Military Institute, Virginia Tech, and the winner of the competition, George Mason University.

Jennifer Cramer Marden, who teaches IT classes at Loudoun County High School in Leesburg and serves as the Virginia Cyber Range K-12 Advisory Board chair, cites the platform’s customization capabilities and ability to let users work at their own pace as notable benefits. “I can have one Linux environment, or Windows, or another that’s tailored to what I need,” Marden said. “Students love the Virginia Cyber Range because it’s interactive and allows them to practice what they learn. Many students come into my class not knowing about cybersecurity and leave learning so much and wanting to learn more.”

EXPANDING THE INSTRUCTION’S REACH In tandem with the coursework component and online exercises it provides, the Virginia Cyber Range hosts an annual cybersecurity education conference and periodic boot camps to help educators understand the cybersecurity curriculum and how to use the online tool.

Technically, the original program resources are only offered to Virginia educators for use in Virginia educational institutions. However, since 2019, Cyber Range resources have been available to schools outside the state through a paid service model. Currently, approximately 120 high schools and colleges in 40 states utilize the platform and associated materials, according to Raymond. “If you’re a teacher in Iowa trying to teach a cybersecurity class, and you don’t have somebody who brings a ready-made platform, in most cases, you’re left without a hands-on component,” he said. “So, we created the U.S. Cyber Range. We provide access to schools outside Virginia, and they basically reimburse us for costs we incur on their behalf.” While the Virginia Cyber Range’s five-year tenure likely hasn’t been a long enough time frame to fully measure the initiative’s influence on the workforce, Raymond says its resources were being used by nearly every community college and university and about half to a third

of the high schools in the state as of spring 2021. The Cyber Range’s purpose, implementation, availability, and widespread use make the program a unique undertaking — which could potentially have a lasting effect on both education and the state’s economy, according to Judith Sams, specialist, business and information technology and related clusters at the Virginia Department of Education. “The resources and support provided by [the] Cyber Range have made a significant impact, especially on high school cybersecurity courses,” Sams said. “This investment by the Commonwealth has made Virginia a nationally recognized leader in cybersecurity education — and has opened the door to high-skill, highdemand, and high-wage careers for our Virginia students, regardless of where they live and go to school.”

QUANTIFYING CYBERCRIME A Conversation With Steve Morgan Steve Morgan is the founder of Cybersecurity Ventures, a leading cybersecurity research company that provides data and insights on global cybercrime to C-suite executives, and editor-in-chief of Cybercrime Magazine. Before starting the company, he worked for antivirus giant McAfee Corp. as the company grew to a market-leading security vendor. VEDP President and CEO Stephen Moret spoke with Morgan about skyrocketing cybercrime damages, the cybersecurity skills gap, and Virginia’s place at the top of the cybersecurity industry.

Stephen Moret: Can you tell us a bit about Cybersecurity Ventures, why you started the company, and what type of work the company is involved in today? Steve Morgan: I started up the company in 2015 in direct response to a lack of cybersecurity research data and figures that I had been after. At the time, I was writing for the media, and I’d been covering the industry for a while. I started out by compiling lists of companies nationally, then broke that down regionally. From there, I started conducting cybercrime research, mainly the damage costs associated with cybercrime. And in 2018, after finding there was a big appetite for that information, we launched Cybercrime Magazine, our own media, which originally was intended to serve up that data. We had a growing body of reports we’d published, and I guess you could say, accidentally, it turned into a mainstream media property. Moret: You worked at McAfee — one of the most well-known names in tech — in the mid-‘90s. That was when the internet was really becoming more widespread. Cybersecurity was in its infancy, but starting to become a concern of the general public instead of just a relatively small group of users. What cybersecurity issues did you see back then? How did that change, and what persists today? Morgan: It was very different back then. The biggest threats were computer viruses infecting PCs and, frankly, most companies didn’t take it very seriously until the proliferation of the internet interconnected them with so many other organizations. The internet became much like the airplane was to the human virus. It was the carrier.

Companies started to infect each other, and it was a very big deal. That was the start of our industry, the tipping point. You could argue that it started when there were products to protect PCs, which had been around for a long time. McAfee and other companies were organized around that. Moret: Your organization is estimating that cybercrime damages will cost the world $6 trillion annually by 2025. How does that underscore the importance of cybersecurity to businesses moving forward? Is this something we’re eventually going to get our arms around, or is it something that’s going to be with us permanently? Morgan: We originally published that figure at the end of 2017. And when you’re talking about such a big number, a number that equates to what would be the world’s third-largest country if you measured GDP, it’s certainly not to the penny. It’s not to the dollar. If you had to round it off, it might be by a few billion dollars, although I do believe it’s the most accurate estimation we have. It’s funny — many people would ask me in 2017, “Where did you get that figure?” It was vetted. We spoke to a lot of media, but people were wondering, could cybercrime really be causing that much damage? Now, a lot of those same people say, “Steve, that’s a vast underestimation.” And a lot of those people are chief information security officers at Fortune 500 companies. So, there’s been a wake-up call. Unfortunately, that wake-up call has taken five or six years. Thousands of cyberattacks and data breaches. The world has woken up to the reality that just about every company in the world — whether they’re small, midsize, or large — has been hacked. They may know about it. They may not know about it. The threat is real. Looking forward, we believe that number is going to grow, at minimum, 15% per year through 2030. We see that number growing to over $10 trillion annually. Moret: You helped sound the alarm on the cybersecurity skills gap, among

other things. From your vantage point, what skills are the most important for the cybersecurity workforce of the future? Morgan: I’m glad you asked that question, because there’s a misunderstanding about opportunity in cybersecurity. And it’s so important for our country and for the world to reach out to young people. I think it starts as early as middle school, or some people may argue it should start as early as kindergarten, K-6. We must engage young people. We have to get them at the high school level. They have to be thinking about cyber before they enter college. I’m not someone who thinks cyber is for everybody. I’m certainly not here to argue that it’s a better career opportunity than so many other options available to young people. I’m here to argue that it should be on the radar screen, but it’s not. It should be a choice. If a young man or woman is thinking about becoming a police officer, or thinking about law enforcement, then they should be thinking about becoming a cyber fighter. That should be available to them. Their parents should know about it. Educators should know about it, and it should be a choice. Unfortunately, I don’t think it is. And I say that from experience, I’ve been out talking to schools, and I’ve had a chance to speak with a lot of young people. I don’t feel that enough of them are being engaged early enough. Moret: In Virginia, we’re very familiar with this because we’re one of the biggest sources of cybersecurity talent in the world. Are there particular types of skills that are most relevant or in greatest demand? Morgan: The problem we have is the obvious skills the kids probably know about, even just abstractly. So, you talk about engineering, software engineering, cyber engineering. Those are hard skills that have to do with computer science, and I think a lot of people only think about that. So yes, clearly, we do need kids coming into the workforce with those

skill sets. But if someone has an affinity for cars, there’s a great opportunity in the automotive space for people to get involved with cybersecurity. There are opportunities with forensics, investigations — you don’t necessarily need coding skills for that. There are so many positions in cyber where you don’t have to become a cryptographer and be a mathematics major or a computer science major. That’s what we really need to get the word out around, because there are just a vast number of positions. Moret: With that in mind, what do you think colleges, universities, and other public entities, state governments, and others can do to help close the gap between available jobs in the cybersecurity space and the talent available to fill them? Morgan: We’re seeing a vast number of B.A. programs. We’re seeing a vast number of programs in the community college system, as well as vocational schools. So, we’ve seen huge growth around cybersecurity courseware across the board. And that’s a really, really good thing. There’s been a lot of investment, and I definitely think we’re moving in the right direction. Moret: Building on that, are there any leading examples you’ve seen around the country, around the world, in talent development for cybersecurity professionals, which you think we ought to be paying attention to here in Virginia? Morgan: We need to think outside the box. I recently interviewed Craig Froelich, the chief information security officer at Bank of America. He has been an advocate for reaching out to the neurodiverse community. Craig has done a great job of engaging them, hiring them, getting the word out to his peers, and starting a movement around our industry, looking to that community of people who otherwise have been ignored and may not have been proactive looking for positions themselves.

A C O N V E R S AT I O N W I T H S T E V E M O R G A N

The world has woken up to the reality that just about every company in the world — whether they’re small, midsize, or large — has been hacked. STEVE MORGAN Founder, Cybersecurity Ventures

Moret: How do you think we can make cybersecurity education, as well as knowledge of these growing, new, and novel career paths in this industry, accessible for more students in the United States and in Virginia? Morgan: I don’t know if accessibility is as important as the kids just thinking about it. The one point I want to hammer home over and over and over again is, we have to get the word out to parents. Most kids, up through 17, 18 years of age, trust their parents. They may not always get along, and they may not like what their parents have to say, but they trust their parents. They speak to their parents about what school they’re going to go to. They’re speaking to their parents about what they’re going to major in.

Morgan: If you look at the D.C. Beltway, just that part of our country, we have three and a half times the number of cyber engineers than the rest of the country combined. I want to emphasize “combined.” Not three and a half times more than any other part of the country. Three and a half times more than the entire country combined. Now, the reason that people may not think of Virginia when they think of a comparison to Silicon Valley is because the area doesn’t have the same number of commercialized cybersecurity companies. Companies who develop and sell a “product.” But there are a tremendous number of people in the Virginia area who work for those companies.

Most parents don’t fully understand cybersecurity. If you ask them what salaries look like for doctors, for heart surgeons, for nurses, for architects, they could probably answer very easily, or they’d be inclined to find that information. If you ask them those same questions about cybersecurity, I don’t think most parents could answer. And I think they’d have a blank stare if their kid brought it up to them. They certainly are not encouraging their kids to think about cybersecurity.

There are a tremendous number of companies providing professional services. They may not get the same media attention — maybe they’re not bringing a product to market that’s easy to write and talk about. But the population of people fighting cybercrime in Virginia is enormous. People need to know this is a great place. It’s a great place to relocate a business. It’s a great place to start up a business. It’s got a great quality of life. It has phenomenal universities, proximity to the D.C. area, and other neighboring areas that tie into the opportunity in cyber. It’s definitely one of the top places in our country.

Moret: I know you had, or have, a significant presence both on the West Coast and the East Coast. What’s your view on how Virginia fits into the overall cybersecurity ecosystem?

Moret: We’ve covered a lot of ground here, but are there any new cybersecurity developments you find particularly intriguing that we might want to keep our eyes on in Virginia?

Morgan: One of the biggest threats we see globally is mobile collaboration chat tools. This is what we need to be worried about right now. You have a tremendous population of people who are still coming online, using apps that haven’t been used previously. We really need to pay attention to it. We’re looking at about 75% of the world’s population being online right now. That’s going to grow to about 90%, or seven and a half billion people being online by 2030. That’s an enormous number. A lot of those people who come online don’t own computers, don’t own laptops. They use their phones, and they’re using a lot of tools that are new to many of us. And if they’re not new to us, we’re definitely using them in new ways or with new levels of importance — things like LinkedIn and Slack, or even a lot of mobile tools young people might be using. It’s a challenge. It’s a big issue. It’s something we really need to pay attention to. Moret: Congratulations on your interesting career and the opportunity to have a whole company that’s focused on one of the most dynamic, and one of the largest, industry sectors in Virginia and the world. It’s super-important today and becoming more important every day. We thank you again for making time to visit with us, and we look forward to staying in touch. Morgan: I thank you for having me.

For the full interview, visit www.vedp.org/Podcasts

The site of Fort Monroe at the mouth of the Chesapeake Bay in Hampton has been home to strategic fortifications since the early 17th century. The fort was decommissioned in 2011, and portions were designated as a national monument.

DEFENSE AND CYBERSECURITY

he field of cybersecurity is as old as the computer, but it’s only in the past decade that it went from being a periphery issue to a cornerstone of government budgets and one of the fastest-growing career fields. Anchored by the Pentagon, various military installations, and a variety of research hubs in between, Virginia is leading the fight to protect and defend in the cyber domain. When it comes to cybersecurity for defense, Virginia is a leader for several reasons: its proximity to the nation’s capital, its concentration of military facilities, its cyber workforce and university system, and the breadth of companies of all sizes taking on cybersecurity challenges. The 2021 federal budget proposal included a significant 6% increase in U.S. Department of Defense cybersecurity spend. The request comes after years of relatively flat cyber requests and signals growing concerns about the effect a cybersecurity breach could have on national security. The $10.4 billion includes $5.6 billion to protect IT systems, $2.5 billion for workforce development and new cybersecurity specialists, and various IT modernizations and advancements. When it comes to cyber, demand has likely never been higher, and when it comes to cyber investment, interest, and risk, the mantra is this: There’s nowhere to go but up. “I’ve been in technology my entire career. We’ve always had to be concerned about security,” noted Tracy Gregorio, CEO

IN VIRGINIA

of G2 Ops Inc., a Virginia Beach-based company that helps companies stay ahead of IT crime and cyber threats. “But for a long time, it was only an IT concern. Now everyone in your company needs to be aware, trained, and on alert — starting with the CEO.” Virginia is arguably the birthplace of cybersecurity, dating back to the Pentagon’s Advanced Research Projects Agency Network (ARPANET), an experimental computer research network from the 1960s that connected the Pentagon to research facilities across the country. That legacy of cyber innovation continues today with initiatives positioning Virginia as a leader in cybersecurity, including the Commonwealth Cyber Initiative (CCI) and the Cyber Veterans Initiative, which commemorates five years since its implementation this Veterans Day in November. Virginia has the nation’s second-highest active-duty service member population and the fourth-largest population of working-age veterans in the United States, with large clusters in Northern Virginia, home of the Pentagon, and Hampton Roads, home to the world’s largest naval base, Naval Station Norfolk. Keeping that talent in the state after service is key, and cybersecurity firms like Sera-Brynn in Suffolk see value in taking “that highly trained and highly skilled competency and redirect[ing] it to the private sector,” according to CEO Rob Hegedus, himself a former U.S. Air Force intelligence officer.

“It was important to us to make sure that population didn’t leave here when they left military service, but built careers here,” said Penny Gross, a member of the Fairfax County Board of Supervisors and chairman of the Northern Virginia Regional Commission’s Community, Military, and Federal Facility Partnership.

COLLABORATION AND COMMUNITY A key part of Virginia’s leadership in the defense cyber space comes from its proximity to the federal government, as well as the research chops it brings through area universities. The CCI connects efforts across the entire state and ensures research, technological advancement, and talent development happen collaboratively. “We leverage resources from DoD, private industry, and government,” said Liza Wilson Durant, associate provost for strategic initiatives and community engagement at George Mason University and director of the Northern Virginia CCI node. “We’re trying to get folks to work together so we can have a bigger impact. “We have to work together, not siloed. It’s collaborative work, marshalling assets and expertise so we can amplify the impact.” The CCI has three main efforts: cybersecurity research focusing on physical systems, cybersecurity talent and workforce development, and security entrepreneurship and innovation. But because of the very nature of the work being accomplished, you won’t necessarily see the state’s cybersecurity efforts making headlines.

T O P 10 I T C E RT I F I C AT I O N S H E L D BY VIRGINIA RESIDENTS How Virginia stacks up in the top certifications based on Emsi analysis of LinkedIn profile data VIRGINIA PROFILES PER 100,000

N AT I O N A L RANK

482

327

Cisco Certified Internetwork Expert

GIAC Certifications

150

Project Management Professional

993

ScrumMaster

238

C E RT I F I C AT I O N

Amazon Web Services Certified Information Security Manager Certified Information Systems Security Professional

Microsoft Certified: Azure Administrator Associate Microsoft Certified Solutions Expert

VMWare Certified Professional/Advanced Professional Source: ClearanceJobs; Emsi; LinkedIn; 2021

G2 Ops, Virginia Beach

Sera-Brynn, Suffolk

Virginia is the security capital of the United States. You have security professionals, the federal government — who is all about security — and a legacy of security practices that cyber has grown out of. ERNIE MAGNOTTI Chief Information Security Officer, Leonardo DRS

DEFENSE AND CYBERSECURITY IN VIRGINIA

360IT Partners, Virginia Beach

TOP 10 GOVERNMENT D ATA B R E A C H E S 2014: U.S. Postal Service

3.7 million records 2015: U.S. Office of Personnel Management

21.5 million records 2015: Georgia Secretary of State

6 million records

“It’s hard to talk about because the nature of cybersecurity work is that it’s classified,” Durant said. “Some of the leading-edge work we’re doing at George Mason University, you’re not going to read about in the newspaper.” Even some of the requests for proposals the government is releasing in cybersecurity are classified — meaning that the public doesn’t even know the work exists, with everything from proposal development to contract implementation occurring behind the closed doors of a secure facility.

AMERICA’S SECURITY CAPITAL “Virginia is the security capital of the United States,” said Ernie Magnotti, chief information security officer at Arlington-based defense contractor Leonardo DRS. “You have security professionals, the federal government — who is all about security — and a legacy of security practices that cyber has grown out of.” The Pentagon recently took further steps to put teeth behind its security practices with its implementation of the Cybersecurity Maturity Model Certification (CMMC). The interim rule went into effect in November 2020

and is expected to be included in all defense contracts by 2026. For requests for proposals with CMMC requirements, compliance is required in order to bid on the contract. That means Virginia contractors who want to stay competitive are having to get up to speed on CMMC — quickly.

2015: U.S. Office of Personnel Management

4.2 million records 2016: Washington Office of Child Support Enforcement

5 million records

“The government has been looking at its supply chain and saying, ‘Hey, this is a weak link.’ Everybody takes that seriously,” said Justin Carter, chief technology officer at 360IT Partners, a Virginia Beach-based IT services company. Carter noted that more than half of the projects they’re working on today are for CMMC compliance.

2016: Washington Department of Fishing and Wildlife

“Security is a cultural thing within an organization, and the culture of an organization is defined by its leaders,” said Carter. “You cannot be successful with a good cybersecurity program within an organization without the leadership’s buy-in.”

60 million records

Service members and veterans are immersed in that culture of leadership, stability, and security. Virginia’s concentration of military facilities is positioning the Commonwealth to lead the way on critical cybersecurity issues.

2018: Los Angeles County 211

2.4 million records 2017: California Secretary of State

19.2 million records 2018: U.S. Postal Service

2018: Government Payment Service, Inc.

14 million records

3.2 million records

Source: Comparitech, 2019

Cynalytica, Inc., Arlington County 52

EXPORTING CYBERSECURITY SERVICES

TO THE WORLD Virginia is a national leader in the cybersecurity and technology industries, offering tech firms access to the highest concentration of tech talent and the third-largest tech industry workforce in the country. Tech firms in Virginia focus on a wide range of issues, from basic cybersecurity functions, to government-level security, to specialized services such as protecting manufacturing operations and managed security. Not every country has the same level of cybersecurity offerings as the United States, especially as the sophistication of attacks and the needed security tools become more specialized. Virginia cybersecurity companies are filling the void by exporting their products and services around the world.

CYBERSECURITY ON THE INTERNATIONAL STAGE For many civilians, cybercrime has always been something that happens to someone else. Ransomware has changed that. The millions of dollars’ worth of cryptocurrency at stake in enterprise-level cyberattacks are an abstract concept to most, but when ransomware causes long lines at the gas station or shuts down a hospital and prevents patients from getting life-saving treatment, the attack becomes very real to everyone. The motive behind cyberattacks isn’t always monetary, particularly on the global stage.

EXPORTING CYBERSECURITY SERVICES TO THE WORLD

“You have state actors who are looking to conduct espionage, the goal of which is to not destroy anything, but rather collect information,” said Eric Malawer, CEO of Arlington-based cybersecurity company BluVector, which uses artificial intelligence (AI) and a proprietary machine-learning engine to enhance its protection for commercial and government clients. “You have state actors looking to disrupt or punish.” Internationally, there’s a very strong geopolitical component to cybercrime. For example, the tensions between mainland China and Taiwan and Hong Kong, the current state of the Middle East, and threats from North Korea all drive risks to cyber networks, infrastructure, and systems.

INTERNATIONAL HELP The U.S. cybersecurity market is on overload. It’s a hot industry rife with opportunities to expand into providing cybersecurity tools and expertise. According to Malawer, BluVector previously worked primarily with the federal government and saw international trade as an opportunity to expand its customer base. Organizations based abroad may not have access to more sophisticated security systems, but are at high risk for a nation-state attack, which BluVector’s platform is prepared to detect and hunt down. However, because of compliance regulations and legal requirements at all levels, an American cybersecurity company cannot simply reach out to a foreign entity and make the sale. “Working with VEDP’s International Trade division can help to facilitate consultations with companies around the world,” said Richard Robinson, CEO of Arlington-based cybersecurity company Cynalytica, Inc. “What they’ll do is hire a regional contractor to help us with the facilitation,” Robinson explained. “The regional contractors are knowledgeable about the local laws and have a good understanding of the market and what companies there are looking for.”

BluVector, Arlington County

EXPORTING CYBERSECURITY SERVICES TO THE WORLD

The more conversations, the more relationships you’re going to close. ERIC MALAWER CEO, BluVector

VEDP’s team of international research consultants covers more than 80 countries around the world. These experts provide valuable in-country market research specific to a company’s products and services, compiling background information, identifying potential representatives, conducting due diligence, and arranging appointments with potential distributors and customers.

FINDING THE SERVICES THAT FIT INTERNATIONAL NEEDS Cynalytica specializes in hardware and software for industrial control systems and the industrial internet of things (IIoT). Critical infrastructure around the world is vulnerable to ever-more-sophisticated cyberattacks, making security more important than ever. Yet the hardware — and often any software — that constitutes this infrastructure often consists of legacy systems that need to be upgraded to meet today’s technology standards. Cynalytica’s analytics and machine learning-driven products are compatible with critical infrastructure for most applications. Finding the right fit is not a problem, but when selling into other countries, the company — which, in addition to its U.S. federal clients, exports to Australia and the United Arab Emirates, along with several South American countries — needs assistance with understanding local laws, finding the

appropriate customers, and then working with the proper agencies to make sure that everything is conducted in a legal, cost-efficient manner. “One interesting thing going into these different regions is most of them require, as part of doing business, that there is a regional component to the business,” Robinson said. That might mean setting up a subsidiary in that area or sourcing as much labor or supplies locally as possible.

GUIDANCE WITH COMPLICATED ISSUES VEDP’s international trade resources help guide companies through any roadblocks that may exist in selling into another country. For example, some countries have very strict rules about the percentage of local employees who must be hired by a foreign entity setting up a business. VEDP services help companies fulfill those requirements and deploy their resources where they can make the greatest impact. While many ventures overseas are intended to set up new business, companies also often need to expand to better serve existing international clients. BluVector works in European countries where parent company Comcast or affiliates like Sky are already located. A U.S. company using BluVector’s services will open offices in other countries, which requires increasing and shifting operations deployment. This

allows an easy, efficient introduction into the international market, which can lead to new opportunities. “It opens the number of conversations we’re having. The more conversations, the more relationships you’re going to close,” said Malawer. To help with that process, BluVector joined VEDP’s Virginia Leaders in Export Trade (VALET) program in 2021. VALET is an award-winning, two-year international business acceleration program. Benefits include executive training, international sales plan development, educational events, and customized research provided by VEDP and private sector partners.

CHALLENGES AND RISKS Cybersecurity is focused on addressing and mitigating risks. Managing cybersecurity across cultures offers some unique challenges. With so many U.S. vendors offering cybersecurity products and services, the noise level in the overall cybersecurity market is deafening. It’s difficult enough to get American companies to find the right security systems among the hundreds of vendors; that difficulty increases in foreign markets, where regulations may impact the system’s viability. Data privacy laws, such as the General Data Protection Regulation in the European Union, are in various stages

BluVector, Arlington County

of legislation and implementation all around the world. Deploying cybersecurity solutions in different countries may require different approaches to how customer data is handled. Another potential issue is how security systems are delivered. Managed security service may work in one location, but in another country with a more bureaucratic environment, a managed service offering might have to be shifted to a more hands-on, in-person solution. Legacy systems with an archaic internet infrastructure require a different level of expertise to put together the right security solution for an international company’s needs and network architecture. “Maturity” is a term used often in the cybersecurity space, particularly when working in a global setting. Most American cybersecurity companies rely on next-generation solutions, but because of the vast selection of offerings, organizations in the United States have more options when considering the right solution based on their own levels of tech sophistication. When working across

XXXXXXXXXXX

different countries, the cybersecurity company’s solutions can be more mature than the demand in those markets. For example, while AI and machine learning are emerging tools for cybersecurity solutions, an international organization may not yet have a need for this type of cybersecurity. The level of service from Virginia-based companies has to make sense for both the cybersecurity company and the international business. “Our solutions can be a bit ahead of where some organizations are in how they think about their cybersecurity problems and their level of maturity in the problems they’re currently trying to solve,” Malawer said. In such a competitive, global cybersecurity market, education is a must — both on what the product or solution offers and on how employees use the product or solution to cut down on errors that lead to cyber incidents. Exporting cybersecurity systems and tools overseas leads to questions for companies. For example, will an overseas market have the capabilities and maturity to ensure

that a company’s solution will be a good fit? Companies must be prepared to provide support for international clients, even if it requires sending support personnel overseas. The logistical considerations of providing customer support should be a primary consideration before any overseas deals — a big investment that is often overlooked until it is too late, according to Malawer. “Later comes pretty quickly sometimes,” he said. However, those questions shouldn’t deter companies from exporting cybersecurity services if they have the capacity, and VEDP’s customized services can help determine whether that’s the case. By exploring opportunities internationally, cybersecurity companies can make global communications and internet traffic safer, reduce exposure to the risk of domestic economic slowdowns, and increase revenue, leading to more jobs and investment back home.

G R E AT E R F R E D E R I C K S B U R G

Virginia’s

Center of Opportunity With a population that has nearly doubled since 2000, Greater Fredericksburg, or the Fredregion, is situated halfway between Washington, D.C., and Richmond. That proximity to major cities, in addition to Fredericksburg’s own historic downtown, provides urban amenities, while outdoor attractions include the Rappahannock River and various aquatic recreation opportunities on Lake Anna, the largest lake in the northern half of Virginia. Interstate 95 passes through all but one of the region’s localities, carrying 150,000 vehicles per day. The Fredregion’s educational institutions support the target industries of distribution and logistics (e.g., Lidl US, DHL Supply Chain, McKesson), advanced manufacturing (Una-Dyn, idX Corporation, M.C. Dean), defense and security (Northrop Grumman, PAE, SimVentions), and cybersecurity and technology (Digital Cloak, GCubed, Inc.). In addition, the region is home to more than 35,000 veterans and has one of the highest concentrations of cleared residents in the nation, with more than 6,000 workers in the national security and public affairs sector.

G R E AT E R F R E D E R I C K S B U R G O F F E R S Historic heritage including Colonial, American Revolution, and Civil War attractions

A strategic location on the I-95 corridor, accessible to major cities and markets along the East Coast

Access to three major military installations: Marine Corps Base Quantico, Naval Support Facility Dahlgren, and Fort A.P. Hill

Fredericksburg

Ferry Farm in Stafford County, where President George Washington spent most of his childhood, features a reconstruction of his boyhood home on the site where remnants of the original building were found61 in 2008.

Carl’s Frozen Custard in Fredericksburg, listed on the National Register of Historic Places, still produces its frozen custard using the original Electro Freeze machines from its 1947 opening.

Virginia has strong transport links catering for all modes of transport, access to a high-quality workforce, and an above-average level of GDP per capita, which contributes to an attractive investment environment. CARL DeLUCA Head of Real Estate Americas, DHL Supply Chain

R E G I O N A L S P OT L I G HT: G R E AT E R F R E D E R I C K S B U R G

The Cyber Warfare Engineering Lab at Naval Surface Warfare Center Dahlgren Division in King George County helps enhance cyber resiliency in specific projects within the U.S. Department of Defense portfolio.

R E G I O N A L S P OT L I G HT: G R E AT E R F R E D E R I C K S B U R G

Major employers like GEICO in Spotsylvania County draw their workforce from Greater Fredericksburg’s highly skilled, educated talent pool.

U.S. News & World Report ranked the University of Mary Washington No. 8 on its “Top Public Schools” list in the “Top Public Regional Universities — South” and No. 11 on its “Best Colleges for Veterans” list in 2021.

Greater Fredericksburg boasts one Amtrak station and four Virginia Railway Express locations, along with plentiful commercial rail service and the connectivity of Interstate 65 95.

Economic Development Partners in Virginia VEDP works in close partnership with local and regional economic development organizations. For a full list of local and regional partners, visit www.vedp.org/Regions In addition, VEDP regularly works with a wide network of statewide partners, including: State Leadership Partners

Project Delivery Partners

Governor

Center for Innovative Technology

General Assembly

Policy and Programmatic Partners GO Virginia

Virginia Department of Housing and Community Development

Major Employment and Investment (MEI) Commission

Colleges and universities across the Commonwealth (e.g., UVA, Virginia Tech, William & Mary)

Secretary of Commerce and Trade

CSX, Norfolk Southern, and short-line railroads

Virginia Department of Small Business and Supplier Diversity

Secretary of Finance

Dominion, AEP, and other electric utilities

Virginia Department of Taxation

The Port of Virginia

Virginia Department of Transportation

Virginia Community College System Virginia Department of Agriculture and Consumer Services

Virginia Department of Rail and Public Transit

State Council of Higher Education for Virginia

Virginia Chamber of Commerce, as well as many local and regional chambers of commerce

Virginia Agribusiness Council

Virginia Economic Developers Association

Virginia Association of Counties

Virginia Farm Bureau

Virginia Business Council Virginia Business Higher Education Council Virginia Cable Telecommunications Association, Virginia Manufacturers Association, Virginia Maritime Association, Virginia Realtors Association, and many other trade associations

Virginia Tobacco Region Revitalization Commission Virginia Tourism Corporation

Virginia Department of Environmental Quality

Virginia Municipal League Virginia Association of Planning District Commissions

220

Virginia Rural Center Virginia’s Technology Councils

220

Roanoke Region New River Valley

460

Southwest Virginia

220

221

I81-I77 Crossroads 77 58

66 66

460

Northern Shenandoah Valley

Washington, D.C.

66 81

Northern Virginia

211 33

Shenandoah Valley

250

Greater Fredericksburg

Central Virginia

301

95 81

Northern Neck

360

Eastern Shore

Middle Peninsula 13

Greater Richmond Lynchburg Region

60 288

360

295

Greater Williamsburg

460

Virginia’s Gateway Region

460

501

South Central 360 Virginia

Southern Virginia

460

Hampton Roads

168

501

# America’s Top State for Business 2019–2021