Virginia Economic Review: First Quarter 2025

Page 1


CREATING CYBERSECURITY’S NEXT ERA

Innovation, talent make Virginia a national tech leader

PERSPECTIVES FROM THOUGHT LEADERS: STEVEN CHEN, BLU VENTURE INVESTORS | CANDICE LING, MICROSOFT | BRAD MEDAIRY, BOOZ ALLEN HAMILTON

The Riverview Inn in Colonial Beach, located a block from Virginia’s second-longest beach, was built in the 1950s. Each of the hotel’s 21 rooms has its own unique theme.

How

Virginia

5

Humpback Rocks is a scenic, moderately strenuous hike convenient to Interstate 64 and the Blue Ridge Parkway. The hike to the summit offers 360-degree views of the George Washington National Forest.

Creating Cybersecurity’s Next Era: Inside Virginia’s Leadership Position

THE BEGINNING OF 2025 brought major news about a key element in the future of computing when Chinese company DeepSeek’s AI assistant appeared to deliver similar performance to much more expensive models. That news was followed by a sad sign of the times: The company had to limit registrations for its app, at the time the top free application on Apple’s App Store in the United States, because of a cyberattack.

In today’s connected environment, cybersecurity is never far from the front pages, or from the worried minds of business leaders — and AI technology is a major element of the strategy for cybercriminals and their potential victims. Safeguarding the world’s computers and networks from malicious actors has long been a priority for businesses, governments, and individuals.

Virginia remains at the forefront of those efforts, just as it has been since the days when the Advanced Research Projects Agency Network (ARPANET), the precursor to today’s internet, was developed at the Pentagon in Arlington County. The Commonwealth is home to the second-largest cybersecurity industry in the United States and boasts the highest concentration of tech talent in the country. Virginia’s proximity to the federal government in Washington, D.C., offers access to the Pentagon, the Defense Advanced Research Projects Agency (DARPA), and other key

federal assets, making the Commonwealth an advantageous location for cyber companies.

In this issue of Virginia Economic Review, we go in depth on the cybersecurity industry in Virginia, including the vital task of securing the Commonwealth’s critical infrastructure; efforts across the Commonwealth to bring more women into the cybersecurity industry; a Fairfax County-based arm of the Army National Guard devoted to cybersecurity; federal cybersecurity partnerships at Virginia universities; efforts to fill the ever-increasing need for cyber talent through internships and apprenticeships; and an update on the innovative Commonwealth Cyber Initiative five years after its founding. Also inside are discussions with Brad Medairy, leader of national cyber at Booz Allen Hamilton; Candice Ling, head of Microsoft’s federal government business unit; and Steven Chen, a partner at cybersecurity investment firm Blu Venture Investors.

We hope you enjoy this look at how Virginia continues to lead in an industry that is essential to American national security and economic prosperity.

Jason El Koubi

and CEO, Virginia Economic Development Partnership

Business Facilities, 2024 WalletHub, 2024 1# 3# 3#

Business Facilities, 2024

Highest Share of Technology Companies

Number of New Tech Business Establishments

National Science Foundation, 2022 CompTIA, 2024 2# 3# 4#

SBIR Awards Federal R&D Obligations

Largest Supply of Cybersecurity Workers

CyberSeek, 2024

California

Virginia

Texas

Florida

New York

Selected Virginia Wins

2,015 $1.35B

Microporous LLC, a leading manufacturer of battery separators, will invest $1.35 billion to establish a new manufacturing facility at the Southern Virginia Megasite at Berry Hill in Pittsylvania County. Virginia successfully competed with North Carolina for the project, which will create 2,015 new jobs.

Microporous, headquartered in Tennessee, is a manufacturer, developer, and marketer of battery separators and engineered materials. The company plans to build on its core strength of lead battery separators, expanding into battery separators for lithium-ion batteries used in electric vehicle, energy storage, industrial, and consumer electronics applications.

Support for Microporous’ job creation will be provided through the Virginia Talent Accelerator Program, ranked the No. 1 Customized Workforce Training Program in the United States by Business Facilities in 2023 and 2024. The program, created by VEDP in collaboration with higher education partners, accelerates new facility startups through the direct delivery of recruitment and training services that are fully customized to a company’s unique products, processes, equipment, standards, and culture. All program services are provided at no cost to qualified new and expanding companies as an incentive for job creation.

Microporous LLC rendering, Pittsylvania County

With the new facility in Berry Hill, Microporous is taking a major step toward the future of energy storage technology. We extend our deepest gratitude to the Department of Energy, the Commonwealth of Virginia, Pittsylvania County, and the city of Danville for their incredible support and collaboration in making this project possible. Microporous is dedicated to developing the local workforce, investing in the community to improve opportunities for the local economy, and creating a better tomorrow for everyone.

Selected Virginia Wins

Greater Fredericksburg

Aspetto, Inc.

Jobs: 98 New Jobs

Locality: Stafford County

Greater Richmond

Haleon

CapEx: $54.2M

Locality: City of Richmond

Super Radiator Coils

Jobs: 160 New Jobs

CapEx: $22M

Locality: Chesterfield County

Northern Shenandoah Valley

Clasen Quality Chocolate

Jobs: 250 New Jobs

CapEx: $230M

Locality: Frederick County

Northern Virginia

AttainX, Inc.

Jobs: 32 New Jobs

CapEx: $175K

Locality: Fairfax County

CMC Electronics

Jobs: 89 New Jobs

CapEx: $5M

Locality: Fairfax County

Micron Technology, Inc.

Jobs: 340 New Jobs

CapEx: $2.2B

Locality: City of Manassas

Nodal Exchange, LLC

Jobs: 33 New Jobs

CapEx: $300K

Locality: Fairfax County

Shenandoah Valley

AD Engineering

Jobs: 25 New Jobs

CapEx: $1.2M

Locality: Shenandoah County

Serioplast

Jobs: 45 New Jobs

CapEx: $25.7M

Locality: Shenandoah County

South Central

Virginia

Carolina

Structural Systems

Jobs: 58 New Jobs

CapEx: $5.5M

Locality: Greensville County

Southern Virginia

Cambridge Pavers, Inc.

Jobs: 55 New Jobs

CapEx: $47.4M

Locality: Pittsylvania County

Microporous LLC

Jobs: 2,015 New Jobs

CapEx: $1.4B

Locality: Pittsylvania County

Southwest Virginia

Wrap Technologies

Jobs: 126 New Jobs

Locality: City of Norton

Northern Shenandoah Valley

Northern Virginia

Shenandoah Valley

Central Virginia

Washington, D.C.

Greater Fredericksburg

Lynchburg Region

Southern Virginia

South Centr al Virg inia

Greater Richmond

Northern Neck

Middle Peninsula

Virginia’s Gateway Region

Hampton Roads

Easte rn Sh

Investments, Tech Partnerships, and the Future of Cyber

A Conversation With Brad Medairy

Brad Medairy is executive vice president at Booz Allen Hamilton, a Virginia-based Fortune 500 company where he leads the national cyber account and focuses on the cyber missions of national-level clients like the FBI, the U.S. Department of Defense (DoD), the U.S. Department of Homeland Security, and the U.S. Cyber Command. VEDP President and CEO Jason El Koubi spoke with Medairy about the key cybersecurity issues his company works on for its clients and the future of cybersecurity with the rise of AI and quantum technology.

Jason El Koubi: Let’s start with a little bit about Booz Allen. We know the firm very well here in Virginia. You work with some high-profile, high-stakes clients. Give us a sense of what you do, what challenges your clients are facing, and why they turn to Booz Allen for support.

Brad Medairy: We have been in this [cybersecurity] fight for over 30 years, in hand-to-hand combat with our adversaries, supporting the U.S. federal government, including the Department of Defense, the intelligence community, civilian agencies, as well as the Fortune Global 500. Our origin story goes back to our work in the DoD and the intelligence community. That has taken us on a journey in cybersecurity over the last 20-plus years, as we’ve seen threats evolve and our adversaries’ tactics evolve as they’ve grown in sophistication.

Today, we’re a global leader. We have a broad footprint. We’re embedded in some of the nation’s most critical missions at the national level, where we support the cybersecurity infrastructure. Or we’ve been involved in critical initiatives to help protect and defend the government on programs like Continuous Diagnostics and Mitigation (CDM).

We’re involved in some large transformational programs in the DoD, like Thunderdome, which is helping accelerate zero-trust adoption across the entire department. We’re involved in also looking at the application of artificial intelligence, which I think will define the future of cybersecurity. And we’re involved in critical DoD pathfinder programs.

We’re supporting all 16 U.S. critical infrastructure sectors. A lot of people don’t recognize the breadth of our commercial footprint, but we’re engaged in over 1,000 incident responses annually. We’ve been in the fight since almost the beginning. We’re deeply rooted in the defense and intelligence communities. We have a large workforce, much of it in Virginia, who have been

in daily hand-to-hand combat with the adversary. We’re passionate about the mission, we’re passionate about technology, and we’re passionate about innovating toward the future.

El Koubi: I’m struck by the language you’ve used around the fight and handto-hand combat. For folks unfamiliar with what this work looks like, give us a sense of what we’re dealing with here.

Medairy: The problems we tend to face are defending the nation and supporting our clients — really protecting critical infrastructure, their high-value assets, their networks, the physical world, whether it’s an industrial control system or a power grid or a weapons system — and defending those against very sophisticated, well-resourced nation-state adversaries. When you think about cyber, it’s often viewed as just computers and machines. But the reality is that there are human beings. And now, there’s AI on the other end, conducting sophisticated campaigns intended to disrupt, to potentially harm, to potentially exfiltrate intellectual property. This daily challenge in cyberspace is defending what’s most important to us. It’s been interesting to watch the evolution.

Cyber became notable publicly with some of the big retail breaches like Target and others. We saw smashand-grabs of credit cards, and then it escalated to global ransomware attacks. In the early days of ransomware, someone would lock down some machines and you would pay to unlock them. We’ve seen that continue to escalate, and now ransomware is a big, big, big business — in many cases directly sponsored by state entities.

We’ve seen nation-states continue to use cyber for espionage, whether it’s targeting manufacturing from a commercial perspective, like pharma and other manufacturing verticals, or the defense industrial base, where they’re interested in military-grade secrets. It’s been interesting to watch how that has evolved

Part of the employee value proposition [at Booz Allen] is that we don’t hire you just to work on a single job. We hire you for a career, and part of that career is being able to build your skill set, work on different opportunities, and gain different experiences. Organizing and thinking about this more holistically as a battle space provides a tremendous value proposition for our people because you can move across different assignments.

over time, with the stakes continuing to escalate. Just in the last 18 months, we’ve seen Volt Typhoon, where a sophisticated nation-state adversary used advanced tradecraft to infiltrate the power grid, not only in the United States, but also in some of our partners and allies.

That particular attack was really alarming because it represented an escalation. No longer were nation-states just trying to steal secrets. They were in those environments for no purpose other than to potentially cause some type of disruption or kinetic effect — meaning they could turn off the power grid to disrupt electricity or other services that Americans and people around the world rely on. Today, I think the stakes have never been higher. Salt Typhoon is another attack aimed at telecommunications infrastructure. This is going to be a continued cat-and-mouse game.

We’re dealing with well-resourced adversaries who are not going to quit, and this fight changes daily. If you look toward the future, we’re talking about artificial intelligence. We’re seeing early versions of adversaries using artificial

intelligence in their offensive cyber and exploitation operations. But I think the future will be defined by machine-on-machine battles. It’s going to be adversary AI versus our AI applied in the cyber defense domain. Continued investment will be needed. I think companies like Booz Allen, where we are one of the largest cybersecurity providers globally, and the largest provider to the U.S. federal government around artificial intelligence, will be able to bring that together to prepare for what’s next.

El Koubi: Give us a little insight into how you’re planning for this future within Booz Allen. What’s it like to be on your side of this?

Medairy: One of the important things with cybersecurity is there’s a massive investment stream in Silicon Valley and the global tech ecosystem around it, and we’re talking about Virginia here. There’s a tremendous number of startups and new and interesting tech coming directly out of Virginia. It’s important for Booz Allen to be an integral part of that broader tech ecosystem — to know the capabilities

and be able to help assemble and bring those capabilities into our client’s mission.

On programs like CDM and Thunderdome, we’ve been a key player. We spend a lot of time in Silicon Valley. We look at hundreds, if not thousands, of tools and technologies annually. We’re able to help curate that technology, bring it in, and tailor it to our client’s mission.

One critical role we play is being the bridge translation in the tech ecosystem between commercial tech and the U.S. federal government and bringing some of that dual-use technology to bear. That’s really, really, really important. Another thing we do to prepare here is invest heavily in our own intellectual property and intellectual capital. We have a technology and solution incubator, DarkLabs, where we invest in solutioning.

We’re focused on a couple of areas right now. One is zero-trust, and also the intersection of cyber and the physical world. Whether it’s supporting DoD to better secure weapon systems, or the military to secure their bases and installations, or U.S. critical infrastructure clients to secure the power grid, we think the intersection of cyber in the physical world is really important.

I think everything will be defined by the application of artificial intelligence in the cyber domain. We’re pushing the envelope in applying new concepts like agentic AI to advanced cyber detection. We’re looking at how to use large language models to do things like advanced malware analysis. We’re continuing to invest in new tradecraft and the application of artificial intelligence to the cyber defense domain.

El Koubi: One of the things Booz Allen talks about in its approach is this notion of one battle space. What does that phrase mean and how does it influence how you think about approaching cybersecurity?

Medairy: A lot of times we talk about cybersecurity in silos, such as defending the .mil domain or the .gov domain. We’ll talk about 16 separate critical infrastructure sectors. We’ll talk about the intelligence community, or our partners and allies. But the reality is if you put yourself in the adversary’s seat, they look at our nation not as separate domains, but one target-rich environment. So, as opposed to having siloed businesses focused on each of those sectors individually, one of the things we did in Booz Allen, and the business I lead called National Cyber, is we fused all those clients into a single business entity that allowed us to task organize.

We say we meet the adversary where they are. That enables us to look at global cybersecurity trends around what the adversaries are doing — their tactics, techniques, and procedures — so we can get a holistic view of the adversary in the battle space. Based on that holistic view, we’re able to anticipate emerging trends, invest smartly, and source new technology in the way best aligned to combat and defeat those particular adversaries at the moment.

This provides a tremendous value proposition for our talent. At Booz Allen, we have a large workforce of over 8,000 cybersecurity professionals. Part of the employee value proposition is that we don’t hire you just to work on a single job. We hire you for a career, and part of that career is being able to build your skill set, work on different opportunities, and gain different experiences.

Organizing and thinking about this more holistically as a battle space provides a tremendous value proposition for our people because you can move across different assignments. You can get different skills, you can work different problems, you can work with different people, get different mentorship, and grow in a much more accelerated way.

El Koubi: You touched on the employee value proposition and what this looks like as a career. When we talk about AI,

there’s this notion that maybe AI changes the way we work. In some cases, folks predict it will destroy some jobs. What’s going on in the cyber labor market? Are you seeing less demand for cyber talent, or is there an inexhaustible demand?

Medairy: One consistent thing that’s talked about at the national level in our country is the cyber workforce crisis. We just don’t have enough cyber professionals to support the massive demand across our entire nation. That includes the public sector, federal clients, and the commercial sector. I think AI will certainly help fill some of those gaps. Cyber is all about speed. AI will drive automation and acceleration around detection and other elements of the cyber defense kill chain. But more importantly, it’s going to free up analysts and cyber operators to focus on more of the heavy lifting and true analysis that we need to really spend time on.

AI may shift where people are focusing, but I think it’s going to help accelerate and scale. Things continue to get more complicated and sophisticated. We’re finally getting enterprise security under control and there are still a lot of breaches. Cars, space, the power grid, all the rest of the critical infrastructure sector — everything is hyperconnected now. The problem is getting bigger and we can’t just throw more and more people at it. We need talented cyber professionals, augmented by AI and machine learning, to combat this significant challenge we’re facing.

El Koubi: You’ve talked about what Booz Allen and your team do to support the U.S. government and partners in this area relative to adversaries, including foreign nation-states. But there’s a certain amount of international coordination on these issues as well. How important is international coordination to our national cybersecurity measures?

Medairy: Partners and allies are a key piece of the puzzle. We have this

notion of one battle space, where the adversary looks at our nation as one target-rich environment. The reality is that the adversary is executing activities and campaigns globally. The more we can collaborate with partners, the more we can piece together the picture of what’s happening and be able to address it at speed and pace. Collaboration, information sharing, and maintaining strong partnerships with our allies are really critical.

As we’ve seen with things like Volt Typhoon, when we’re relying on partners, allies, and their critical infrastructure in certain countries, that directly impacts our military readiness and capabilities in those areas as well. Partnership will continue to be important in the future to get the holistic global picture of what’s happening, so we can best respond from a cyber defense perspective in our nation.

El Koubi: Cybersecurity is one of the key industries my team at VEDP is cultivating. Give us a sense of what the cybersecurity industry in Virginia is like. How does that fit into the overall industry as we think about the United States and globally?

Medairy: Because some key U.S. federal government agencies and departments in cyber are in Virginia, there’s a need to build a cyber workforce to support them. I view Virginia as a cybersecurity talent incubator, and I think we do an amazing job in building talent and accelerating that talent into mission and new skill sets.

Because we have some of the most complex cybersecurity missions, and some of the best talent nationwide, there’s naturally going to be a group of entrepreneurs in that population. Because those folks are in hand-to-hand combat with the adversary, they’re able to anticipate over-the-horizon threats and needs from a technology perspective. I see a lot of interesting startups and technology companies coming out of

There’s a tremendous number of startups and new and interesting tech coming directly out of Virginia. It’s important for Booz Allen to be an integral part of that broader tech ecosystem — to know the capabilities and be able to help assemble and bring those capabilities into our client’s mission.

Virginia and feeding that tech ecosystem I talked about.

A few years ago, part of our DarkLabs team had an interesting idea, a threat detection, hunting, and detection engineering concept. We incubated it within Booz Allen as SnapAttack. As we started market testing across both federal and Fortune 100 clients, it quickly became apparent that this was a product. We had an interesting concept that was market-backed and marketvalidated, and Booz Allen made the strategic decision to spin SnapAttack into a new company.

We partnered with a local venture capital firm to do a Series A funding round, and we launched it. Booz Allen maintained a strategic partnership, but this was a standalone entity, and they embedded themselves in the cybersecurity startup ecosystem. They continued to scale their product. They innovated in ways that we never anticipated and built something really special.

In February, Cisco, who had bought Splunk, acquired SnapAttack. Now, SnapAttack is fueling innovation in

defensive cyber operations that’s going to power the future of Splunk and Cisco. That’s just one great example of what’s coming out of Virginia. Amazing talent — folks who are close to the mission, who have this amazing tradecraft, who can anticipate both the threat and future capability needs. Those with entrepreneurial spirit are launching startup companies that have the opportunity to change the world. That’s happening in our own backyard here in Virginia.

I think Virginia is a talent incubator and accelerator. I think we’re contributing to the global startup ecosystem, building some emerging tech that’s transformative by itself, but then through acquisition, transforming big companies as well.

We also did something pretty cool a couple of years ago, in recognition that we’re a big company, but a lot of startups also have amazing ideas. One problem the startups have is translating their capability and accelerating into the U.S. federal government. One of our nation’s strategic advantages is our entrepreneurial spirit and all this amazing tech we’re developing.

There’s not one single skill set needed from a cyber perspective. Cyber is defined by being able to fuse multidisciplinary skill sets to get a holistic perspective around the problem. I think that’s what’s really cool about cyber. It offers an opportunity for so many different folks of different backgrounds and experiences to come into this world and have an impact.

The question is, how do we use it to our strategic advantage to accelerate government and national security?

One conclusion we came to is that we’ll invest and build stuff within the walls of Booz Allen that’s really special and going to help our clients. We’ll continue to do that. We may build things like SnapAttack that may be best suited as a startup. But the strategic question we had was: How do we help accelerate some of these emerging tech startups so they can best help our U.S. government clients? We concluded that we needed to stand up our own venture arm. So we established a $100 million venture capital fund, Booz Allen Ventures.

We do targeted investments ourselves now in new and emerging companies. That’s an important role we think we can play in that ecosystem — to be a startup accelerator, not only from a funding perspective, but to help teach them the government mission, help them engage in conversations with those clients, and translate their capabilities to accelerate our clients’ mission outcomes.

El Koubi: That kind of collaboration is really driving and enriching that ecosystem. I’d like to turn back to talent. Give us an overview of what’s happening in the cyber talent pipeline in terms of strengths and weaknesses you encounter when recruiting people to Booz Allen.

What would you tell university folks? Or folks in the military who are transitioning to civilian life and looking to transfer their skills? Give us a sense of the state of the pipeline — good, bad, and ugly.

Medairy: It’s always great to have classroom experience, but putting those insights into action is really important. Engaging in the cyber defense world takes a multidisciplinary skill set. You need folks who do embedded systems and reverse engineering. You need computer scientists and data scientists. You need AI/machine learning professionals and engineers and, potentially, industrial control system engineers. There’s not one single skill set needed from a cyber perspective. Cyber is defined by being able to fuse multidisciplinary skill sets to get a holistic perspective around the problem. I think that’s what’s really cool about cyber. It offers an opportunity for so many different folks of different backgrounds and experiences to come into this world and have an impact.

El Koubi: What’s your view of big trends the next five or 10 years? For somebody thinking about getting into this business, is there anything you’d add about challenges and opportunities for impact ahead?

Medairy: I think that we’ve got to fundamentally modernize and transform our infrastructure to infuse

core zero-trust principles. That’s going to pave the way for a series of activities that will happen probably over the next three to five years.

El Koubi: What does that mean, zero-trust principles?

Medairy: It’s modernizing your architecture and infrastructure to implement better data security, to look at the future of identity and how you actually protect and defend your networks. Look at principles of least privilege holistically to modernize both your infrastructure and cyber operations defense. I think that’s going to drive a lot of activity over the next couple of years, and it really comes down to infrastructure modernization.

I also think AI will be the future of defensive cyber operations. It’s going to transform how we structure and run a security operations center. It’s going to change how we fuse and analyze cyber data across an enterprise. We’ve spent a lot of time bringing all this big data together and having security operations teams run through it. We’ll be able to do that at machine speed now.

I think cybersecurity is going to move more to the edge. We’ll conduct more sophisticated analytics, using things like agentic AI at the edge, at the point where data’s collected, so we can detect and respond to sophisticated adversary tradecraft faster. I think that’s going to lead us on a journey over the next several years around the application of our artificial intelligence.

Another area is this notion of cyber in the physical world. Hyper-connectivity is driving this. Electric cars are basically computers. There’s a massive set of activities happening in space. We’re looking at the power grid and the critical infrastructure sector. Things that were never connected before are connected. It takes an attack surface that we spent years and years bounding and exponentially expands it and makes it

more difficult to defend. So we’re heavily investing in the intersection of cyber and the physical world, and how to best protect and defend that.

We’ve been talking about post-quantum cryptography. The National Institute of Standards and Technology has offered some guidance around post-quantum readiness for national security systems. We don’t know when our adversaries will have quantum supremacy, but we need to be ready. There’s going to be a flurry of investment and activity around that over the horizon.

Those are all areas that will define our future. It’s something we spend a lot of time thinking about. And I think it’s something that our clients are working through as well. It’s going to define investment and activity over the next couple of years.

El Koubi: Brad, thank you so much for this fascinating, insightful conversation, for everything you and your team are doing to enrich and build Virginia’s incredible cybersecurity ecosystem and industry — and most importantly, for keeping our country safe, along with many partners now and in the future in this evolving domain.

Medairy: It was a great chat. Thank you. For the full interview, visit www.vedp.org/Podcasts

Securing the Future

How Virginia is safeguarding its critical infrastructure

States, nations, and any municipality can build and tout their critical infrastructure that, on the surface, may appear second to none.

Think: thriving, automated food and agriculture ecosystems. Sprawling office buildings outfitted with remote smart sensors. Unflappable financial markets. Hyper-efficient transportation systems. Ubiquitous utility and energy access. Dependable and downstream supply chains.

All in the name of securing everything needed to sustain and grow a thriving society. Impressive, right?

But dig deeper. None of it is possible without a comprehensive plan and collaborative approach to securing all of these systems from myriad, ever-changing cyber threats.

This is the journey that the Commonwealth has embarked on, like other states but in a uniquely Virginia way: to evolve from difficult spot fixes and upgrades to planning, developing, and maintaining all critical infrastructure assets with cybersecurity top of mind from Day One.

“The only way to address cybersecurity is from the get-go,” said Paulo Costa, Professor and Chair of George Mason University’s (GMU) Cybersecurity Engineering department. “You don’t develop it and then make it secure. You make it secure from the very beginning.”

And that’s precisely the destination the Commonwealth is charting toward.

BUILT FOR THE MOMENT

Like many of Virginia’s leading cybersecurity authorities, Costa plays many roles, including serving as director of the school’s Center of Excellence in Command, Control, Communications, Computing, Cyber, and Intelligence (see page 42), the nation’s first, and still one of the few, civilian academic institutions devoted to military applications of information technology and cybersecurity. Another researchintensive post Costa holds is at the Cybersecurity Manufacturing Innovation Institute (CyManII), a U.S. Department of Energy initiative where he’s focused on cybersecurity energy and emissions quantitation as well as being a lead investigator.

“We are setting up the framework for the secure introduction of new technologies, standards, and best practices…versus a ‘let’s build it first and then protect’ usual approach,” Costa said of CyManII.

The combined responsibilities represent a balancing act that allows Costa to bring real-world scenarios into the classroom while inviting the next wave of big cyber thinkers into the professional ranks.

And that wave is growing — fast. This includes the students in GMU’s Cybersecurity Engineering department — home of the first Cybersecurity Engineering undergraduate program in the country — with an enrollment that has ballooned to 800 since 2015.

“If you’re anyone who wants to be a player in cybersecurity, you need to be in Virginia, and that’s just a no-brainer,”

The Smart Grid Lab at George Mason University is used for teaching and research connected to energy generation and management. The lab will support future research into various power topics, including cybersecurity and ensuring power systems are equipped to manage and mitigate threats.

Manufacturing now sees the most cyberattacks of any industry, comprising more than a quarter of security incidents in 2023, according to IBM X-Force’s 2024 Threat Intelligence Report. Aberdeen Research data indicates that unplanned downtime can cost a manufacturing company more than $250,000 an hour.

PROTECTING LAND, SKY, AND SEA

said David Ihrie, chief technology officer and vice president of strategic initiatives with the Virginia Innovation Partnership Corporation (VIPC), a state agency that creates technology-based economic development strategies to accelerate innovation.

And it’s easy to see the reasons why companies are coming here, from Loudoun County’s “Data Center Alley” and its 25 million square feet of rack space to America’s most automated, fully cybersecure port facilities. And from seas of office space requiring employees with top-secret clearance to the Blue Ridge Mountains’ endless waves of evergreens.

Of course, it’s not just the usual suspects of critical infrastructure and natural resources that are vulnerable to attacks, both malicious and otherwise. It’s every piece and part, both the information technology and networks they’re facilitated through — and any random Internet of Things (IoT) component installed in a dizzying array of systems ranging from air traffic control to water treatment.

“The underlying theme is that we need cybersecurity on all of these data feeds,” Ihrie said.

That need extends beyond the public sector into all manner of critical infrastructure across Virginia’s factories. Any piece of connected technology that is relied on for continuous operation is a potential target, with companies standing to lose out on significant amounts of production and revenue if operations are compromised.

Part of Ihrie’s VIPC’s responsibilities include Smart City IoT Innovation (SCITI) Labs, where he splits his time between emergency management functions as well as U.S. Department of Homeland Security missions, which can overlap into a federal and state focus.

SCITI Labs was designed to bring together federal agencies and private sector companies pinpointing new and existing technology that meets the operational needs of first responders

The Port of Virginia is known as America’s Most Modern Gateway, in part because of its heavily automated operations. Advances in connected operational technology at the port and other key facilities lead to increased productivity, but also provide a target for cyberattacks.

while enhancing commercial buildings.

SCITI’s work includes supporting environments as diverse as Washington, D.C.’s Capital One Arena and remote forests, where it has built and distributed smart wildfire sensors that now are detecting wildfire ignitions as much as 30 minutes before emergency calls arrive.

One of the key differentiators between legacy smart tech and the new equipment SCITI has been championing is that the latter is being built on zero-trust architecture, which operates under the premise that no users or devices should be trusted.

“We think we’ll be the first ones to do that — zero-trust for data feeds on distributed devices,” Ihrie said of VIPC’s current collaboration with private companies. “Our role is really to experiment and pilot early-stage technology.”

That’s out in the woods, in stacks of cubicles, among racks of servers, and even with actual pilots.

Ihrie’s eyes are also on the skies — the low-altitude space that drones frequent. Even as a hobbyist’s delight, drones represent tiny but not insignificant potential intrusions into regulated airspace.

Ihrie found this out when deploying a

125%

Annual increase in global cost of cyberattacks

Average cost of a data breach $4.73 million

Source: World Economic Forum, 2024

trailer-mounted sensor to detect low-level flight activity, running a roadshow of sorts monitoring the areas surrounding the Commonwealth’s airports. In Richmond alone, expecting to detect a couple dozen flights, they picked up on 500 drones.

Now he’s leading the effort to build a real-time picture of everything flying under the radar in Virginia.

“We think that’s a responsibility for the Commonwealth to provide an authoritative feed of what’s flying under 1,000 feet,” Ihrie said. “No one else has been able to do that.”

It’s a capability that’s already been deployed in Stafford County, having been adopted as one of the county’s baseline cybersecurity standards and run by the Virginia Department of Aviation.

SECURING VIRGINIA’S VITAL LOGISTICS INFRASTRUCTURE

Another critical infrastructure asset is The Port of Virginia, which operates numerous facilities around Norfolk Harbor in the Hampton Roads region, along with the Richmond Marine Terminal on the James River and the Virginia Inland Port in Warren County. As one might imagine, containers of retail goods, coal shipments, and marble countertops aren’t all that’s arriving at the East Coast’s second-largest port.

“We have seen several companies in the shipping, logistics, and global supply chain industry faced with costly attacks that impact everything from reputation to finances,” said Joseph Harris, a spokesperson from the port. “Our goals, simply put, are to constantly evolve our defenses, be prepared, and avoid becoming a victim.”

The port’s approach to thwarting such attacks, including cyber threats, includes using its experienced in-house information team, reputable private contractors, and federal and state law enforcement professionals to both monitor threats and build a better understanding

of how best to combat them. Specific tactics include required online monthly training sessions for the entire port team, specialized “sweeps” of new equipment, and constant testing of existing security measures. Regular communication among the port’s users, equipment manufacturers, law enforcement, and the industry is also critical to maintaining a secure environment.

A SHIFT IN THINKING

Similar to Ihrie, Costa’s manifold roles and perspectives enable him to see cybersecurity as far more than a one-size-fits-all problem or solution.

“Cyber education in general has to be planned in such a way that you understand your target population,” he said. “Otherwise you can’t reach them.”

In other words, a computer scientist and a mechanical engineer are going to see things very differently. And when they all don’t have a seat at the table when building a new system, Costa said, you end up with a “Frankenstein” — born of siloed thinking, piecemeal construction, and ripe with vulnerabilities, and complicated by the reality that many IoT components were never designed to be upgraded.

But Virginia nonetheless is making progress, Costa said, with most larger enterprises and government agencies quickly understanding the need to lead the development of new systems with cybersecurity at the forefront.

LOCKING THE DOOR

Here’s the strange parallel between cyber intrusions, from malware to ransomware, and the countermeasures being deployed specifically to disarm the threats. It’s almost insignificant at first. And then momentum builds.

“The first compromise can be very small and then they grow from that,” Costa said of typical intrusions he researches. “It can be months before companies know they’re compromised.”

The growing cyberattack problem

Number of significant cyberattacks

Average global cost of significant cyberattacks per year

Source: World Economic Forum, 2024

Downtime costs by industry

Similarly, defensive efforts can add up exponentially. But it requires that “A-ha” moment, an awareness that can make a stakeholder as vulnerable as a system.

“If you don’t see the problem, you don’t need a solution,” Costa added.

At VIPC, Ihrie is looking years down the road, primarily at defense and aerospace security. He and his colleagues are also

looking to leverage the progress that the private sector is making.

“Are there places where there’s interesting entrepreneurial activity in a future-looking technology where we can do something to move the needle?” he asked.

Virginia’s critical infrastructure is by and large a hardened fortress built on best practices and the talents of among

Lost revenue

Contractual/legal: Regulatory fines, SLA penalties, settlement/legal costs

Damage control: Brand trust campaigns, PR/investor relations

Security lapse costs: Ransomware payouts, cyber insurance premiums, extortion payouts

Staffing/productivity: Overtime wages, lost productivity

Upgrade needs: Additional infrastructure capacity, recovering from backups

Source: Splunk, “The Hidden Costs of Downtime,” 2024

the most forward-thinking workforces in the nation. But more than that, it’s gaining ground when it comes to hardening its critical infrastructure out of the gates — embracing a cyber-first development approach to systems and solutions.

“The future is taking cybersecurity awareness to a different level,” Costa said.

HACKING THE GLASS CEILING

How Virginia women are addressing the gender gap in cybersecurity

In an increasingly digital world where data breaches, ransomware attacks, and other cybercrimes are pervasive, a skilled cybersecurity workforce is more important than ever. Yet the industry grapples with a significant worker shortage. Globally, there are an estimated 3.5 million unfilled cybersecurity jobs, including nearly 500,000 vacancies in the United States, according to research firm Cybersecurity Ventures.

At the same time, a large talent pool is being underutilized: female professionals. Women represent only 20–25% of the cybersecurity workforce, according to reports from Cybersecurity Ventures and the International Information System Security Certification Consortium (ISC2), a cybersecurity member organization.

Cultivating a diverse workforce with an equitable number of men and women is crucial to safeguarding our digital infrastructure. Organizations put in thousands of controls to protect their data, but hackers only need one vulnerability to infiltrate, noted Karen Cole, CEO of Assura, a Henrico

County-based cybersecurity managed services and advisory firm.

The best protections come from “a layered approach of different people and different perspectives,” Cole said. Diversity of thought, experiences, and backgrounds spurs innovations and bolsters resilience.

Attracting and retaining a diverse range of cybersecurity talent in Virginia is particularly critical, given the Commonwealth’s outsized place in the industry. Virginia is home to government agencies, critical assets, defense and aerospace firms, technology firms, manufacturing companies, and other organizations that need failproof protection.

Adding more women to Virginia’s cybersecurity workforce can also strengthen local economies. Employers reap the benefits of a larger number of qualified professionals, while workers have access to in-demand, well-paying cybersecurity jobs that often include flexible work schedules.

PROMOTING THE POSSIBILITIES

Organizations across Virginia and beyond are creating pathways for women to enter and explore the cybersecurity field through educational programs, specialized training, internship and mentorship opportunities, and other initiatives.

Many of those endeavors introduce girls to STEM-related subjects (science, technology, engineering, and mathematics) during their primary and secondary school years. One effective model comes from CodeRVA Regional High School in Richmond. It uses a lottery-based admissions system to ensure girls and boys in partnering school divisions have equitable

access to a rigorous computer science-focused education.

“There’s no minimum GPA requirement, no essays or tests, or any admission criteria other than to be in the right grade level,” said CodeRVA Executive Director Kume Goranson. “We want to increase the number of underrepresented groups in computer science, which we know are girls and all students of color. Our mission is to diversify the workplace.”

Also on the education front, Virginia colleges offer some of the nation’s top cybersecurity programs, with 23 colleges and universities in the Commonwealth earning the National Center of Academic Excellence in Cybersecurity designation (see page 40).

PFP Cybersecurity, Fairfax County

HANDS-ON TRAINING AND COMMUNITY SUPPORT

Outside traditional academic settings, girls and women are discovering what’s possible in cybersecurity and gaining valuable skills through certification courses, coding boot camps, cyber sports competitions, technology workshops, mentorship programs, and more.

National organizations like Girls Who Code, Black Girls Code, Black Girls Hack, and Techbridge Girls provide hands-on training and support. Some offer Virginia-based events for girls, such as the summer camp Black Girls Code held in Arlington last year.

Other valuable resources at the national and state levels include Women Who Tech, Latinas in Tech, AnitaB.org, the Women’s Society of Cyberjutsu, and the Commonwealth Cyber Initiative (see page 42). In addition, Virginia has local technology councils and chapters of national industry organizations such as ISACA, also known as the Information Systems Audit and Control Association, and ISC2.

Many of Virginia’s most advanced female cybersecurity professionals began their careers before many of those resources were available, coming to the field later after epiphanies that it presented a viable career. Jessica Gulick, founder of Loudoun County cybersecurity consulting firm Katzcy had that epiphany overseas when working in Germany for Fairfax County-based SAIC, a Fortune 500 technology company.

Gulick has taken that philosophy even further by founding US Cyber Games, an organization that emphasizes the value of e-games in developing a strong, diverse cybersecurity workforce. The organization’s competitions, which simulate cybersecurity challenges, help players develop technical skills while learning about teamwork, communication, and resilience under pressure.

HIGH LIGHTING CAREER OPTIONS

Introducing girls to a varied range of skills and career paths can help them understand that cybersecurity is about more than just coding, said Amanda Satterwhite, managing director of Accenture Federal Services’ Cyber Mission and Enablement.

And while many highly credentialed cybersecurity programs are available at colleges, a computer science degree isn’t always necessary to succeed.

“There’s no one path or cookiecutter program that someone has to follow to get into a cyber career,” Satterwhite said, noting that some of the best cybersecurity experts she works with have degrees in nonrelated fields. Satterwhite herself majored in management science with a concentration in decision support systems at Virginia Tech’s Pamplin College of Business before embarking on a career in federal contracting.

“I was hooked,” she said. “It let me explore all my interests at once.”

Desiree Driver, a program manager at Leidos in Richmond, followed a similar path. She began her career at Leidos as a mechanical engineer after earning her bachelor’s degree at the University of Virginia and her master’s at Old Dominion University.

It was a company-run leadership program that changed the course of her career. Leidos gives employees the opportunity to explore different fields within the company, and Driver’s first rotation had her supporting a program manager on its Cyber Accelerator team.

“I never left that first rotation,” she said. “The project manager went on to a different opportunity, and I was able to get that role.”

The true credentials for success are curiosity about how things work, the

willingness to put in the effort, and the desire to stay up to date, Driver said.

“It’s not about executing perfectly the first time out. It’s about persevering and learning as you go,” Gulick said.

“You try new things and see what works and doesn’t work. As you learn, you become more flexible and can adapt and overcome whatever comes next.”

‘SEE IT TO REALIZE YOU CAN BE IT’

Creating a more inclusive cybersecurity industry requires a nuanced approach, said Debbie Sallis, executive director of The Cyber Guild, a Fairfax County-based nonprofit that fosters diverse, nontraditional thinking and talent at all levels of cybersecurity.

Change can’t be solely the human

resource department’s domain, she stressed. It takes conscious, collaborative effort on behalf of top management in all areas. To make a meaningful difference, organizations must understand and address deeper cultural and systemic issues. In addition, efforts to build innovative, inclusive workspaces and teams must align fully with a business’s core values and goals.

Sallis and other cybersecurity professionals stress the importance of mentorship and sponsorship. Among the many initiatives in this area are The Cyber Guild’s annual conference, Uniting Women in Cyber, scheduled for Oct. 9 at Amazon’s HQ2, and the recently launched RISE program. RISE is an 11-month mentoring program designed to “recruit, inspire, support, and empower” women who want to

CodeRVA Regional High School in Richmond uses a lottery-based admissions system to ensure equitable access to its computer science-focused curriculum.

advance their careers, transition into the cybersecurity field, or return to the workforce after a break.

Driver credits her mentors and sponsors with helping her navigate career growth, from securing new opportunities to achieving well-earned advancements.

“Their support was instrumental in helping me step into new roles,” she said.

Seeing other professional women in the industry also expanded her idea of what was possible.

That’s the power of visible female role models, Satterwhite said. They help others realize what’s possible.

“Sometimes you just need to see it to realize you can be it.”

It’s not about executing perfectly the first time out. It’s about persevering and learning as you go. You try new things and see what works and doesn’t work. As you learn, you become more flexible and can adapt and overcome whatever comes next.

ID.me, Fairfax County

THE ROLE OF AI IN

A Conversation With Candice Ling

Candice Ling is a senior vice president at Microsoft and head of the company’s federal government business unit. Previously, she served as the company’s government industry lead in Asia. VEDP President and CEO Jason El Koubi spoke with Ling about Microsoft’s cybersecurity work with the federal government and potential future developments in the cybersecurity industry.

Jason El Koubi: Can you tell us a bit about Microsoft Federal and some of your top priorities?

Candice Ling: In the past few years, we’ve been helping agencies across the government transition to cloud. It’s been a privilege to see the benefit from that efficiency the technology brings and the effectiveness we’ve enabled. We expect to continue building on those efforts, which we believe will help accelerate the adoption of cloud. But the main focus is truly driving our federal government’s mission effectiveness. I would say that is a top priority for us.

I think you’ve heard us talk about Copilot and its capabilities. We’re excited about that, and we believe a lot of the federal agencies can accelerate some workflows and gain insights to the data a lot faster, with a focus on doing more with less. We believe the responsiveness will be there, but also cost reduction. An example would be identifying potential waste and fraud in various programs. Cybersecurity will be an important part that could enhance things we have done, like patching vulnerability at scale.

For me, the part that’s most important is being nimble and adaptive to new threats and threat actors. There’s a lot of potential. We’re excited for the next 50 years so that our federal customers can meet their mission goals, and we intend to be their partner for the next 50.

El Koubi: Microsoft Federal’s capabilities are very impressive. Part of your experience is doing this kind of work in Asia and, of course, there’s a lot of discussion about technology capabilities in the United States and competition with China. How did your work with Microsoft in Asia inform what you’re doing with the federal government now in the United States?

Ling: It was a privilege to have that opportunity. Whether it’s the Australian government or the Singaporean government or the Japanese government, at the core of any federal or central government is really the ability to effectively serve the public, the citizen, through services that are relevant, and where it matters.

Despite different countries and cultures that I was exposed to in Asia, the challenges are similar. Whether that’s siloed data or legacy IT, we need to modernize our exposure to cybersecurity risk that impedes operation. Take away the name of the country and you’ll still have that and the need for closer collaboration.

El Koubi: I framed that question against the backdrop of competition, but you also mentioned how important collaboration is, not just within this country, but also with partners outside the United States. In helping the federal government with national-level cybersecurity issues, how important is international collaboration and coordination with other global partners? How can U.S. industry leaders better engage with global partners in this evolving domain?

Ling: At Microsoft, we refer to cybersecurity as a team sport. The competition’s not about other industry players, it’s truly about how do we work together. Whether that’s across industry or across government, it’s about threat actors, and we need to work together as a cyber community so that we can collectively share information and, at times, coordinate actions to repel threats that have become much bolder, from much more sophisticated threat actors.

Our company is fully engaged in partnering with many organizations on cybersecurity, whether that’s technology or the idea of our platform’s interoperability and the ability to integrate with cyber tools. The

The question is how to best mobilize and use AI to support proactive protection. We’ll see greater reliance on AI to augment what I would call cyber defensive capabilities, how to repel threats before they happen, using AI to be proactive.
CANDICE LING

No. 1 goal is to be proactive, also ensuring maximum coverage and flexibility for our customers to design cybersecurity answers and systems that work best for their needs. That, to me, is international coordination — internal coordination and at the national level — but also working outside the tech companies to make sure we are protecting critical infrastructure.

El Koubi: I would love to get your take on the cybersecurity landscape for industry in the United States. In particular, your assessment of it in Virginia. We know Virginia has a lot of strengths in this area. Help us understand the national landscape and how the Commonwealth fits in on a national level.

Ling: My vantage point right now is the federal community in and around the DMV area. It’s hard for me to compare what’s happening elsewhere in the U.S. from state to state to state. I would say that the focus has been on the federal government where it’s headquartered here. So, for me, the spotlight is on how to secure critical infrastructure in the system. I believe we’re celebrating the fact that many amazing companies here in Virginia are building and innovating cyber technology, and we have a chance to help and partner with them.

I know we’ve been partnering with Governor Youngkin on his executive directives, whether that’s on AI, how we provide IT safeguards for K-12 and higher education, or how to bring people to Virginia to work here. I also understand Virginia has an interest in cybersecurity, whether on the research side or leading on AI innovation, and that’s interesting to watch. I love that Virginia has talked about responsible AI and responsible security — ethics and transparent use of AI.

El Koubi: You mentioned AI and its role. Talk about the role AI plays in Microsoft’s cybersecurity work. What’s on the horizon? How does it relate to cybersecurity?

Ling: I think they work hand in hand. It is essential that AI is part of how we look at cybersecurity. AI, as we know, in the company and with the government, surfaces anomalies and creates that alert system. AI is essential to building world-class cybersecurity capabilities for our customers. We are proud that AI is infused across our technology and our product stack.

One thing we know is important is not just about the technology, but to understand there are end-to-end scenarios. I mentioned threat hunting and intelligence gathering, but there are other things, like incident response. Once you’re hit, what do you do? It’s technology plus customer real-life scenarios.

El Koubi: As we think about managing cybersecurity issues at the federal level in the United States and elsewhere, what do you see as the big trends? What are you looking at over the next few years in terms of opportunities and challenges?

Ling: We want to tie back to AI. I would expect the level of sophistication of cyber threats to increase, and we all know that it will continue. The question is how to best mobilize and use AI to support proactive protection. We’ll see greater reliance on AI to augment what I would call cyber defensive capabilities, how to repel threats before they happen, using AI to be proactive.

Another element of social engineering will also continue to be a challenge. We’ve got to partner to make sure that AI does not dupe people. Training, awareness, and policies must be in place to spot that kind of campaign, similar to the work we’ve done at an earlier stage to train people to spot phishing.

We are excited to see if we can continue to solidify adoption of that. We mentioned that the U.S. Department of Defense has a goal to implement all those

At Microsoft, we refer to cybersecurity as a team sport. The competition’s not about other industry players, it’s truly about how do we work together.
CANDICE LING

practices across their system by 2027. We are really just working, being diligent, given that the Navy met their zero-trust goal in 2024. Now we’ve got to make sure that others would take a similar approach because it’s important for national security. It is really about being proactive and not just reactive. Then, obviously, partnering with higher ed or even high school and community colleges to bring that kind of skill set to bear in Virginia and our federal government.

El Koubi: Candice, we’re thrilled to have you personally in the Commonwealth. You like to get outside — you’re not always in the office or behind a computer. What are some of your favorite things to do here in Virginia?

Ling: Hiking is definitely a personal favorite. We’ve been picking up pickleball. My son plays competitive ice hockey, so we travel around Virginia and outside Virginia to many, many ice rinks, some of them stinkier than others. But especially in the cold months here, we continue to support the homeless shelters because, as a family, we strongly believe how important it is to be good citizens and residents of our local community in Loudoun County. I think it’s those things that are important — not just enjoying what God has given us here in the Shenandoahs of Virginia, but also to be a good resident of Virginia and supporting what is needed here, especially in these colder months.

El Koubi: Candice, thank you so much for joining us today.

Ling: Thank you, Jason. I appreciate your time.

For the full interview, visit www.vedp.org/Podcasts

Cyber Mission Ready

91st Cyber Brigade delivers cyber training and security

VIRGINIA’S PROXIMITY to the federal government and the wealth of private technology leaders headquartered in the Commonwealth have helped its workforce rise to the forefront of the cybersecurity industry. It boasts the second largest cybersecurity workforce in the country, with approximately 80,000 cybersecurity professionals operating within the Commonwealth. Yet Virginia is also home to a unique asset that provides its businesses with a secure operating environment and access to singular skill sets that they can’t develop in-house.

The 91st Cyber Brigade, the Army National Guard’s first and only cyber brigade, has a footprint that spans 31 states, but it is headquartered at Fort Belvoir in Fairfax County. From this location, the brigade oversees training and readiness oversight for cyber units in support of the U.S. Cyber Command, operated by the U.S. Department of Defense (DoD) and Army Cyber Command. The training and readiness of the 91st Cyber Brigade benefit businesses across Virginia.

FROM PUNCH CARDS TO FIREWALLS

The brigade was stood up formally in 2017, but traces its roots to the Virginia Data Processing Unit, which provided support for the National Guard Bureau Computer Center in the 1970s, when punch cards were state of the art. The unit evolved as risks shifted into the digital world. Today, the 91st Cyber comprises:

◾ Cyber security companies, which support critical infrastructure, incident response, and digital forensics

◾ Cyber warfare companies, which prioritize cyber operations support and pen-testing simulations to evaluate system security

◾ Cyber protection teams, which hunt, clear, harden, and assess the Army’s networks

As with any role in the National Guard, participation in the brigade demands part-time service, typically one weekend each month, with the potential for additional training and service. Lt. Col. Melissa Messare, 91st Cyber Brigade officer in charge and battalion commander for the 123rd Cyber Protection Battalion, noted that anyone with interest in cybersecurity is eligible to join the brigade. “We have a number of people in civilian roles, such as software developers or network engineers, who have come into the unit, but you don’t have to have a cybersecurity job in the civilian world in order to join our brigade,” she said.

For employers working to strengthen their team’s cybersecurity skills, the training that soldiers receive through the Guard can be a tremendous asset. Upon joining the Guard, soldiers receive 10 weeks of basic combat training, as well as 19 weeks of cybersecurity-specific training. “Then they come back and they’re one weekend a month, two weeks a year, part-time soldiers — but they’ve learned skills that are hugely beneficial, both for the Guard and for a civilian company that needs cybersecurity,” Messare said.

“That’s the great thing about the Virginia Army National Guard,” said Col. Gerald

Mazur, commander of the 91st Cyber Brigade. “Soldiers can get highly sought-after industry certifications and take those skills back to their employer.”

DEVELOPING IN-DEMAND SKILLS

Through their service, soldiers have an opportunity to gain industry-level certifications such as CompTIA’s Network+ and Security+ and others offered by Cisco and the SANS Institute. These certifications, in combination with the background checks and security clearances required in some areas of service, make the brigade’s soldiers valuable assets for local businesses.

“Many soldiers are able to align their military career with their civilian skill set,” said Command Sgt. Maj. Scott Rivera-Wenger of the 91st Cyber. Rivera-Wenger holds responsibility for developing the noncommissioned officer corps within the brigade. He added, “If somebody is doing technical work in their civilian job, it makes sense to allow them to pursue that specific specialty within the military and hone their expertise. We get an overall more technical soldier,

and on the civilian side, they’re getting certifications that help them.”

Yet an advantage to serving in the Guard is that soldiers don’t gain training solely on technical skill sets. They also gain leadership development.

“One of the challenges I’ve had within Cyber is that everybody wants to focus on technical areas,” Rivera-Wenger said. “That’s very different from the way other branches work. So, part of my work is to develop technical leaders who can lead troops.” Through the Army’s leadership development programs, Rivera-Wenger helps soldiers grow into leadership roles that prepare them for management roles in their civilian life.

The Army National Guard also leads a more intensive training event each summer. The Cyber Fortress exercise in Virginia brings guardsmen together with the professionals who manage critical infrastructure. The two-week exercise provides an opportunity for decision makers to meet and strengthen partnerships as they test the Commonwealth’s cyber

The Virginia National Guard hosted Cyber Fortress 3.0 in Virginia Beach in 2024, bringing together state and federal organizations, including the 91st Cyber Brigade, to conduct an exercise based on historical malicious cyber incidents on U.S. water systems.

response plan in preparation for a real-world cyber incident.

PRACTICING COLLABORATION

More than 40 organizations were represented at the 2024 event, with delegates from other states’ National Guards, the U.S. Federal Bureau of Investigation, the U.S. Cybersecurity and Infrastructure Security Agency, the U.S. Marine Corps, federally funded laboratories, and event representatives from Finland, the Virginia National Guard’s (VNG) official partner under the State Partnership Program. The VNG signed a memorandum of understanding with Finland in 2024 to build a partnership focused in part on interoperability defense, including defense against cyber threats.

This broad representation is a key part of what makes the exercise so valuable, Mazur explained. “The most important part about incident response is forming partnerships and knowing who to call and when to call,” he said.

The first week of the event typically features a tabletop exercise targeted toward decision makers. Members of academia and vendors attend to provide insight and training on emerging technology. For example, private companies have brought internet intrusion detection devices, AI-driven monitoring solutions, and microgrids to the event for participants to evaluate. The second week is a “live fire exercise” during which participants practice the response to an attack on state infrastructure. By integrating a hardware-in-a-loop system into the simulation, teams can simulate real-world impact within a virtual network environment.

In the third iteration of the Cyber Fortress in 2024, seven water authorities from across Virginia participated in the exercise. The red team, led by the brigade’s cyber warfare company, based their attack on historic malicious

cyberattacks on U.S. water infrastructure, while the blue team defended its network.

Previous iterations of the event have brought guardsmen together with electricity, telecom, and 5G utility providers. Mazur notes that some partners, like Verizon, have participated in multiple events. “A cyberattack on one element of a critical infrastructure sector doesn’t mean there wouldn’t be multiple or simultaneous events affecting others,” he said. As an added bonus, “We actually have folks in the unit in the Virginia Guard who are from Verizon to help facilitate this.”

All this training comes together to make a major impact on state operations and federal missions. At the federal level, soldiers typically are mobilized every five years as part of their mission to support the U.S. Army Cyber Command’s Joint Force Headquarters-Cyber at Fort Eisenhower in Georgia.

“Soldiers who go on those missions are immersed in cybersecurity jobs for the Department of Defense for a one-year period. They gain valuable skills that they may not have access to in the civilian sector,” Messare said. “The feedback we’ve gotten is that it’s been hugely beneficial for civilian employers.”

The most important part about incident response is forming partnerships and knowing who to call and when to call.

COL. GERALD MAZUR Commander, 91st Cyber Brigade

Col. Gerald Mazur (right) took command of the 91st Cyber Brigade in 2024.

Virginia Tech’s Hume Center for National Security and Technology, part of the Virginia Tech National Security Institute, partnered with the U.S. Central Intelligence Agency to train students through the Inflectors Project Escape Room Adventure, where they had to complete a series of puzzles using a real-world scenario.

Recently, an Air Force research agency reached out to George Mason University (GMU) with a pressing issue. Drones were attacking Air Force facilities around the globe. Could GMU’s C5I research hub help the Air Force design a system that would detect the incoming drones and prevent adversarial attacks?

C5I stands for Center of Excellence in Command, Control, Communications, Computing, Cyber, and Intelligence, and director Paulo Costa and his team called upon all of those disciplines as they reached out across GMU’s engineering departments. They brought on board experts in radars, drone security, sensor fusion, and others from diverse engineering and computing departments to weigh in on their areas of expertise.

“We built a team that wrote a proposal, sent it to them, they approved it, and we developed a system that is in use today,” Costa said. “This can only be done if you have a center that is capable of reaching out to the right people, a center that is made by professors itself, who know their colleagues and know who can do what.”

Today, across Virginia, universities are partnering with the federal government and industry to chart new paths for cybersecurity and the deployment of artificial intelligence.

SHAPING CYBERSECURITY POLICY AT VIRGINIA TECH

“We work with both the intelligence community and the [U.S. Department of Defense], and half of our money flows through industry, so we have this really interesting portfolio,” said Eric Paterson,

executive director of the National Security Institute at Virginia Tech.

Founded three years ago as an outgrowth of the university’s Ted and Karyn Hume Center for National Security and Technology, the institute is grounded in the expertise of Virginia Tech’s College of Engineering. It has a payroll of more than 500 people (students included), about $50 million in research expenditures this fiscal year, and more than 250 active projects, Paterson said. About 60% of the institute’s staff and faculty are based in Blacksburg; the rest are at the university’s research center in Arlington.

The projects that come from industry giants like Lockheed Martin or Boeing are funded from their internal R&D money, or “golden money,” Paterson said.

“That’s a really special thing,” said Paterson, who is also the Rolls-Royce Commonwealth Professor of Marine Propulsion in Virginia Tech’s College of Engineering, “because they are choosing to spend it at a university instead of on their own.”

The institute’s mission is twofold: research, and workforce development for the engineering sectors of the cybersecurity and intelligence industries. A thousand students worked with the institute in the past year alone.

“It sounds simple, but there are very few places in the country that do what we do,” Paterson said. “There are hundreds and hundreds of research institutes and labs of many different varieties, but none of them have the chartered mission of doing this workforce development at scale.”

The institute brings faculty together from across the university and pairs them with teams of students to tackle outside research projects, he explained. The projects are often classified, but the majority are focused on devices, machines, and communication research and development.

For instance, “How do you decrypt other people’s communications?” he wondered. “How do you design anything from satellites to drones to undersea vehicles? We want all of these to talk to each other. How do you do that and do it securely? It’s extraordinarily complex.”

The institute has been growing at the rate of 30–40% per year. One goal for the future is to apply its engineering expertise to help government shape policy.

“What we want to do is help the government and all of our industry partners solve hard problems,” Paterson said.

A NEW DATA-CENTRIC PARTNERSHIP AT UVA

Virginia’s newest higher education

institute aims to do just that for the federal intelligence community. Last fall, the University of Virginia (UVA) partnered with the U.S. Office of the Director of National Intelligence (ODNI) to establish UVA’s National Security Data and Policy Institute, which is charged with bringing academic insight to government policy and decision making in the realms of artificial intelligence and data usage.

“We’re figuring out how to bridge the gap” between the intelligence community and the academic world, said Philip B.K. Potter, an intelligence expert and professor of politics and public policy, who leads the new institute.

The institute was initially funded with a $20 million grant from ODNI. “Our partners at ODNI are struggling with novel problems and questions,” Potter said. Essentially, he said, they want to know “how can they leverage the rapid pace of technological change and the proliferation of data to gain strategic advantage instead of falling victim to surprise?”

Potter was the founding director of the National Security Policy Center at UVA’s Batten School of Leadership and Public Policy. While the center’s mission focuses on public policy and serving students, the institute is designed to draw expertise from across the university, with an orientation toward research and government-academic coordination.

To start, that means scrutinizing AI and machine learning, biotechnology, and microprocessors, to better understand how U.S. capabilities compare to those of other countries, he said.

“I don’t think we always know what it means to be ahead or behind in technological progress, not to mention how to assess where we are in that competition,” he said. “The institute is charged with finding answers to those questions.”

TRAINING A WORKFORCE FOR TOMORROW’S NEEDS

While Virginia’s centers and institutes partner with government and industry, other higher education programs are more directly focused on educating and training students.

Then-Director of National Intelligence Avril Haines spoke at the University of Virginia in November 2024 at the ribbon-cutting for the National Security Data and Policy Institute, a partnership between the university and the U.S. Office of the Director of National Intelligence.

For example, at Old Dominion University, a cybersecurity program that launched a decade ago with 11 students has mushroomed into a School of Cybersecurity with an enrollment of roughly 1,650 undergraduate and graduate students. The program was originally designed as interdisciplinary and has maintained that focus, said Daniel Takabi, the school’s director, a professor of electrical and computer engineering, and the Batten Endowed Chair in Cybersecurity.

“What makes our program unique is we have technical courses, but we also offer courses in other nontechnical aspects of cybersecurity,” he said. For instance, philosophy faculty teach courses on the ethics of cybersecurity. A public policy professor teaches cyber policy, and the school offers courses in cyber law and management. The idea is to open the school’s doors to the widest possible variety of students.

Students can participate in basic research, like a recent project that looks at large language models and their vulnerability to so-called jailbreaking

attacks. That’s when an outside actor tries to fool the AI into either providing information it was designed to protect, or acting in harmful ways that it was not designed to do. “We’re trying to come up with defense mechanisms to avoid these kinds of prompts working on the model in the future,” Takabi said.

In Northern Virginia, GMU created the first cybersecurity engineering major in the country, which helps support its bustling C5I center. The major launched with 105 students 10 years ago. A decade later, 800 students are enrolled in what is now a department, and interest continues to increase unabated. Throughout, the focus has remained the same, said Costa, professor and chair of the department: to treat cybersecurity not as an afterthought, but as an integral system in any engineering project, built in from the ground up.

“We are changing the paradigm,” he said, “from, ‘Let’s build a system and, oh, we have to put in cybersecurity, let’s put in some passwords.’ That was too late. You already have a lot of vulnerabilities embedded in its design. You need to have

cybersecurity in the very first place.”

‘POSE YOUR IDEAS AND GO FOR THEM’

Cybersecurity is the latest spoke in the wheel of C5I, which was founded in 1989 with the then-novel concept of creating a common ground where industry, government, and academia could collaborate to address and solve intelligence challenges. The center’s founder, Dr. Harry Van Trees, had deep roots in all three worlds, including serving as chief scientist for the U.S. Air Force. Van Trees, who died in 2022, believed the best place for common ground was at a university, where “you have that academic freedom to pose your ideas and go for them, something you cannot really do in government or industry,” Costa said.

A quarter century later, GMU now has a cybersecurity department with about 80 master’s students and graduates upwards of 200 undergraduates each year, while the C5I center works with government agencies and industry, drawing on deep wells of expertise to provide road maps for solutions to pressing issues. “We help our professors develop answers to questions ranging from, ‘Is this a problem?’ and ‘What is the problem?’ all the way to, ‘Okay, here’s the proof of concept, it’s working,’” Costa said.

As AI grows increasingly more sophisticated, and cybersecurity becomes both more complex and more critical, Virginia’s universities are poised and ready to help, educating the next generation of workers for these high-tech sectors, while engaging in the research that will power their future.

As Virginia Tech’s Paterson said, “We’re really building the pipeline for service to the country.”

Old Dominion University’s School of Cybersecurity offers bachelor’s, master’s, and doctoral degrees in cybersecurity and related disciplines.

Virginia’s National Centers of Academic Excellence in Cybersecurity

George Mason University’s Fuse at Mason Square opened for commercial use in 2024 and will open to students in fall 2025. The state-of-the-art building will house the university’s new School of Computing and host courses in artificial intelligence and cybersecurity.

In an era where cyberattacks threaten everything from bank accounts to national security, the need for cybersecurity has never been higher. In 2020, data breaches, ransomware, and other cybercrimes cost the United States over $4 billion in damages, according to the Federal Bureau of Investigation. As cybercrime advances, damages could reach $10.5 trillion globally by the end of 2025, research firm Cybersecurity Ventures estimates — nearly 36% of America’s GDP, according to the Bureau of Economic Data.

In Virginia, the stakes are even higher. The Commonwealth is home to critical defense infrastructure, major technology companies, and one of the largest concentrations of data centers in the world. Attacks on these systems would not only lead to mass technological disruptions, but potentially destabilize the country.

Virginia’s Commonwealth Cyber Initiative (CCI) is devising innovative solutions to these emerging threats. Launched in 2020, CCI is a statefunded program that collaborates with businesses, higher education institutions, and local governments to support research, innovation, and workforce development in cybersecurity across the

region. In 2024, CCI brought in $112 million in fresh grants and contracts, more than triple the amount it had raised since its inception. More than 45 higher education institutions in the Commonwealth, including community colleges and universities, participate in the initiative, and that network continues to grow.

By harnessing expertise across sectors, CCI has spearheaded leading work in areas like AI-driven threat detection and secure wireless communications through grants, key faculty hires, and regional collaboration. The initiative’s focus on advancing knowledge and technology aims to bolster companies’ ability to counter evolving cyber threats.

“One way we see impact is the success our faculty has in attracting teams, especially large-scale research projects, where you need some critical mass of capabilities to be able to compete,” said Luiz DaSilva, executive director of CCI. “We’ve seen enormous growth, especially in the last two years, where our early investments made five years ago are providing concrete results today.”

SOLVING THE AI ISSUE

CCI takes a regional approach to its research. Programming is divided across four geographic nodes in Virginia: Northern Virginia, Central Virginia, Coastal Virginia, and Southwest Virginia. Each node tailors research to its region’s expertise, but AI has become a central focus across all areas to address its rapid evolution and the unprecedented threats it introduces.

AI is starting to touch every aspect of life, creating challenges such as sensitive data leakage in generative AI models, robocall scams, and deepfake extortion scandals. To address these threats, CCI launched the “Cybersecurity for AI and AI for Cybersecurity” program in 2024. Since it launched, CCI has awarded 18 grants worth up to $100,000 each, totaling $1.6 million.

These grants foster collaboration among universities. For one project, researchers from Old Dominion University (ODU) and Virginia Tech are using deep learning methods to develop intrusion detection tools that track evolving cyberattacks. Another project involves Virginia Commonwealth University (VCU) and ODU researchers using AI and machine learning to monitor deepfake threats and create a safety framework for industries and federal labs.

Other initiatives include using generative AI to secure iris biometric data, creating AI models that detect software vulnerabilities, and developing wireless AI systems to monitor cattle on farms. These projects demonstrate how research catalyzes innovative techniques to ensure technology is prepared for unexpected attacks.

“We have a big focus on cybersecurity for AI and AI for cybersecurity because it goes both ways,” DaSilva said. “You can use AI to improve cybersecurity for things like intrusion detection. At the same time, AI is being incorporated into everything, opening up possibilities for new attacks, which is why more research is needed.”

REGIONAL FOCUS, INDUSTRY-WIDE APPLICATIONS

CCI’s nodes specialize in cybersecurity research based on their region’s unique characteristics. The Northern Virginia Node focuses on cybersecurity and autonomous systems, leveraging its proximity to federal agencies like the U.S. departments of Defense and Transportation. Since 2020, the node has granted $4.5 million to over a dozen projects, including research on cyber-physical systems security and transportation safety.

“Industry is struggling with the use of AI and security, and we want to meet that challenge,” said Liza Wilson Durant, associate dean of George Mason University’s engineering department and director of CCI’s Northern Virginia

By focusing on supply chain and cyber, we provide information that is valuable to the entire Commonwealth. It doesn’t just benefit our region, it benefits the whole state.

Former

Commonwealth Cyber Initiative Coastal Virginia Node

Node. “The outcomes of our research will fuel solutions that will better position Virginia industry to lead in the security of emerging technologies and ensure national security.”

In the Coastal Virginia Node, research emphasizes maritime, defense, and transportation industries. Hampton Roads — home to naval bases, shipbuilding facilities, and The Port of Virginia’s largest facilities — is a critical hub for the region’s economy. Cyberattacks on this infrastructure could halt shipping, disrupt military operations, and expose confidential data, causing widespread harm. Coastal Virginia’s focus on these risks allows institutions like ODU to address vulnerabilities specific to the region and attract new faculty members with expertise in the field.

“By focusing on supply chain and cyber, we provide information that is valuable to the entire Commonwealth,” said Brian Payne, former director of CCI’s Coastal Virginia Node. “It doesn’t just benefit our region, it benefits the whole state.”

TESTBEDS DRIVE INNOVATION

CCI’s research extends beyond combating cybercrime. It also involves inventing new technologies through testbeds established across Virginia’s universities. Testbeds are controlled environments where prototypes of 5G, wireless sensors, and Internet of

Virginia Commonwealth University hosts the Commonwealth Cyber Initiative’s Central Virginia Node, which leads research related to medical device security and smart cities and showcases a multidisciplinary approach to cybersecurity.

Things (IoT) devices can be evaluated for vulnerabilities.

One notable example is the xG testbed, located at Virginia Tech’s research center in Arlington. It evaluates the evolution of wireless networks and their cyber resiliency. A key focus is on open radio access networks, a new form of wireless connection that could enhance cyber resiliency and diversify the industry. Wireless network technology is currently dominated by a few companies, including Chinese vendors Huawei and ZTE, which can pose risks to data privacy. Open networks, however, assemble networking hardware from various sources, encouraging innovation.

“There’s no major vendor in the U.S.,” DaSilva said. “Open networks could spur innovation, allowing new vendors to

emerge in the U.S., Europe, and beyond. More competition brings prices down and drives innovation.”

REIMAGINING CYBERSECURITY

CCI’s work extends beyond traditional computer science applications, involving departments from the humanities to health sciences to the arts. For example, the Southwest Virginia Node, based at Virginia Tech, invests in “intelligent agriculture” research, exploring how agricultural machinery can be hacked and protected from malicious actors.

The Central Virginia Node, housed at VCU, leads research on medical device security and smart cities, showcasing Virginia’s multidisciplinary approach to cybersecurity and helping to protect the burgeoning life sciences hub surrounding Richmond and nearby Petersburg.

CCI also integrates art into its

programming. The CyberArts and Design Program offers grants of up to $25,000 for Virginia artists to produce installations that explore cybersecurity. Since its 2020 launch, CyberArts has hosted semiannual exhibitions. The 2024 showcase featured mosaics of discarded phones with personal information, a virtual reality installation exposing surveillance, and a live performance based on digital scam victims. These projects offer creative ways for the public to reflect on how cybersecurity impacts daily life.

Looking ahead, CCI will continue expanding its research to attract talent, spur entrepreneurship, and position Virginia as a national leader in cybersecurity. As DaSilva stated, “What we built in these five years is toward making Virginia the best place in the country, and one day the world, for cybersecurity.”

Steven Chen is the founder of PFP Cybersecurity, a cybersecurity firm in Fairfax County, and a partner at Blu Venture Investors, a venture capital fund focused on early-stage firms in several fields, including cybersecurity.

VEDP Vice President of Knowledge

Work Meghan Welch spoke with Chen about the cybersecurity funding environment in Virginia.

Supporting the Cyber Ecosystem in Virginia

A Conversation With Steven Chen

Meghan Welch: Can you give us a high-level overview of Blu Venture Investors, what kinds of companies the fund supports, and the ecosystem it operates in?

Steven Chen: Blu is a venture investment firm that was founded in 2010. We specialize in early-stage investment in technology companies, with 70% of our investments in cybersecurity, although we also invest in health tech and B2B software. We think we are special because, besides capital, we also offer strategic guidance.

We have 25 partners, all former operators, including the former head of Microsoft federal sales, the CFO of a multi-billion-dollar public company, and many serial entrepreneurs. I particularly want to mention the cyber seed investment program we started about eight years ago, because with those companies, today, they could be too early, and tomorrow, we could be too late. So, we develop a cyber seed and we can develop partnerships with entrepreneurs in early stages.

Welch: What is your assessment of the cyber capital landscape in Virginia?

Chen: We consider Virginia a premier cybersecurity hub in the whole nation. When we started the cyber seed investment program, we did a survey. We concluded that, in particular, Northern Virginia has a concentration of talent from federal agencies, et cetera, and also the benefit of proximity to the Fortune 1 customer, the federal government. Virginia state government and many of the counties are business friendly, and they have cyber-friendly policies.

So now, we have a concentration of cybersecurity startups. We have some funding with local investment partners, but overall, we still lag behind Silicon Valley and Boston in cyber capital volume. But we think we’re attracting investors from outside the area. We have several investment firms that do co-investments with us, and they say, “Hey Blu, we would like to co-invest with you in your backyard.” So, we hope this trend will continue and expand so we can support our local startups better.

Welch: You hit on this a little bit, but what advantages outside of funding does the Commonwealth offer cyber companies?

Chen: There are several state initiatives. For example, Mach 37 has been a great accelerator that created many successful cyber companies. The Commonwealth Cyber Initiative helps with building talent, sponsoring researchers and universities. We look at co-investment from state government. We also look at the space like a co-workspace, with accelerators from the counties.

The last one is proximity to customers. In the last few years, we’re seeing federal regulation drive commercial cyber market development. For example, the concept of supply chain software bill of materials started a few years ago, and that’s going to be more and more

important. I just heard last week that Silicon Valley startups are coming into Washington. In one way, there’s more opportunity in the federal space, but it could mean more competition. So, we will see.

Welch: What do companies like yours look for when you’re making investment decisions? And as you’re thinking about those factors, where do Virginia companies tend to rate the highest?

Chen: We publish our 5T guidelines, and its most important factor is the team. For the CEO, we prefer someone who knows what to build, how to build, and how to sell. That’s the team. The second T is the TAM, the total addressable market. We would like to see a big TAM, and also know how they go to market.

The third one is traction. Do they have a minimum viable product? Do they get customer revenue? The fourth one is technology. Do they have a proprietary edge? Do they have entry barriers? Are they scalable? And the last T is the terms. Are they asking for a market or attractive valuation? Are they investor friendly? Those are how we look at deals.

From what we have seen in Virginia, usually, startups are heavy in technology and TAM because they could be cyber warriors, or they have been involved with cyber for decades. They know the needs of the market, and they’ve been doing it for many years, so they’re strong in technology. Many of them have federal R&D funding, and many of them have service backgrounds.

Welch: What do you see happening in the cyber space nationally in the near future?

Chen: One is AI-enabled cybersecurity. The majority of our portfolio companies are using AI, and they have demonstrated significant savings in

manpower. We haven’t seen it, but we anticipate the capability enhancement will happen maybe in 12 months, if not sooner. The second one is cybersecurity for AI. It would be a disaster if adversaries or criminals find a way to attack the AI infrastructure.

We also see strong demand in identity and assets management. We have been very successful with ID.me in the space. The next one is post-quantum security — we anticipate many companies will use post-quantum, and we hope some of them will come out with unique solutions. The last one is consolidation of cybersecurity startups. We see that in our portfolio. More mature companies are asking, “How can I grow? How can I bring in new capability?” So, maybe they will look at a younger startup.

Welch: Which of those national trends do you anticipate as the greatest opportunity for Virginia?

Chen: One area I can think of is the connection of cloud and AI. Northern Virginia has a significant cloud data center presence, so we have many researchers or practitioners who understand cloud infrastructure. I have heard the Navy wants to have zero-trust from the cloud for scalability, and I think Northern Virginia has a unique position here.

Welch: Steven, thank you so much for your perspective and your time. We really appreciate you speaking with us today.

Chen: Thank you very much. Blu Venture has a history of collaborating with the state of Virginia and the counties, and we look forward to investing in more startups in the Commonwealth. We also look forward to the opportunity to develop a cybersecurity brand in Northern Virginia.

BRIDGING THE GAPS IN THE CYBER

SECURITY TALENT

PIPELINE

Internships, apprenticeships help Virginia cybersecurity students gain critical real-world experience

Cybersecurity attacks are evolving at rapid speed, and the U.S. lacks sufficient professionals to address them. Research firm Cybersecurity Ventures estimates that there are nearly 500,000 cybersecurity vacancies in the United States in 2025, including IT technicians and security analysts, leaving the country vulnerable to ransomware, data breaches, and IT disruptions.

Virginia is leading efforts to address the country’s talent gap. The Commonwealth has the second-largest cyber workforce in the U.S., with demand continuing to grow. Between September 2023 and August 2024, Virginia employers sought to fill 51,005 cybersecurity jobs, and that number is only expected to rise, according to CyberSeek.

To meet the demand, Virginia is scaling up a broad array of initiatives to develop and expand its cybersecurity workforce. Through a combination of governmentfunded internships, apprenticeships, and university and nonprofit-led workforce development programs, the Commonwealth is strategically investing in cultivating the next generation of cybersecurity professionals to meet regional and national security needs, ensuring that no Virginian is left behind.

“The Virginia Information Technologies Agency team thwarts over 106 million cyberattack attempts each year.

That’s 3.36 attacks every second,” said Chief Information Officer of the Commonwealth Robert Osmond, referring to a state agency that protects Virginia’s cybersecurity. “We must have great talent dedicated to keeping us safe in today’s cyber risk environment.”

FILLING CRITICAL ROLES

Addressing the cybersecurity talent gap is critical to Virginia’s economy. In 2023, the U.S. cybersecurity market was valued at $67.69 billion and is projected to grow to $135.34 billion by 2030, according to Grand View Research. Cyber risks are top of mind for companies because they can be costly to resolve, according to the Allianz Risk Barometer, and federal contracts are awarded to firms with strong cybersecurity measures.

Mitigating potential threats to the Commonwealth’s public and private sectors requires a steady pipeline of skilled professionals, particularly as AI and machine learning continue to gain prominence. Job training programs are the key to building that.

Workforce development is a key component of the Commonwealth Cyber Initiative (CCI), a state-funded program that invests in fostering Virginia’s cyber talent. Nearly 50 higher education institutions, in partnership with companies and local governments, participate in CCI, offering internships, apprenticeships,

and hands-on learning experiences to hundreds of students annually across the Commonwealth.

In 2023 alone, CCI supported 863 jobs, adding $97 million to Virginia’s GDP. Between 2020 and 2024, CCI awarded 36 proposals for experiential learning programs totaling $3.9 million. One such program is “Cyber Startups,” which places students in Northern Virginia-based tech startups as paid interns. CCI covers the costs, enabling startups to offer students valuable professional exposure without straining their limited resources. Another program is “Cyber as a Service,” where students deliver penetration testing, cyber risk analysis, and other security services to small businesses, nonprofits, and local governments around their universities.

CCI also runs project-based learning programs. Paid micro-internships are offered to college students during the school year. For 8–10 hours a week, students work with companies on cybersecurity case studies. One Microsoft-sponsored project involved students learning how to assess digital vulnerabilities using a Flipper Zero hardware exploration device. Additional projects from GuidePoint Security and PBS are planned for 2025.

“We have placed such a high value on entry-level job seekers having some kind

We have placed such a high value on entry-level job seekers having some kind of experience. Opportunities that provide that experience are incredibly impactful and need to be scaled.

Cyber

The Cyber Bytes Foundation in Stafford County offers numerous training programs for interested students to obtain industry-recognized cybersecurity certifications. Its outreach programs engage children as young as 6 in cybersecurity and other STEM fields.

of experience,” said Sarah Hayes, CCI’s director of workforce development. “Opportunities that provide that experience are incredibly impactful and need to be scaled.”

INTERNSHIPS FOSTER CYBER TALENT

Outside of CCI, Virginia’s universities are bolstering efforts to help students secure entry-level cybersecurity roles. Old Dominion University (ODU), for example, aims to ensure that all students complete an internship before graduation. Through its internship coordinator, ODU’s School of Cybersecurity helps connect and prepare students for internships in the federal government, private industry, and local companies. In the last two years, 260 cybersecurity students have completed internships.

To expand its offerings, ODU has partnered with employers to create in-house internships. Collaborations

In 2024, the Commonwealth Cyber Initiative partnered with Microsoft for an experiential learning experience using the Flipper Zero, a portable hardware exploration multi-tool.

include a partnership with the National Security Agency, providing students 12week summer internships at the agency, and a partnership with the Virginia Space Grant Consortium to subsidize internships offered in the surrounding area. The university also operates the Cybersecurity Clinic, a 15-week semester-long program where students evaluate cyber risks for small businesses, nonprofits, and local governments based in Coastal Virginia.

“Our school has been growing rapidly,” said Daniel Takabi, professor and director of ODU’s School of Cybersecurity and CCI’s Coastal Virginia Node director. Undergrad enrollment in the department, he added, was close to 1,400 as of fall 2024, with an overall enrollment of roughly 1,650 students. “You can imagine we need a lot of internships to support our students.”

However, not everyone has the resources to pursue a bachelor’s or master’s degree.

As salaries stagnate and inflation rises, residents may be feeling the squeeze, especially those from lower-income communities and families.

For those unable to pursue traditional degrees, Virginia’s community colleges offer affordable alternatives. Community colleges including Blue Ridge near Harrisonburg, Germanna near Fredericksburg, and Virginia Western in Roanoke provide short cybersecurity certificate programs designed for entry-level roles. Others like Northern Virginia Community College offer two-year associate degrees taught by expert faculty that explore a broader range of security topics.

ALTERNATIVE PATHWAYS

Beyond schools, nonprofits are stepping in to bring cybersecurity training to their communities. For example, the Cyber Bytes Foundation in Stafford County provides a more affordable,

College is not for everybody, and we’re able to give people a path into cyber that does not include higher institutes of education. It’s creating more opportunities, and we make sure we go into underserved and underrepresented communities.

flexible alternative to traditional degree programs, breaking down barriers to entry in the sector.

“College is not for everybody, and we’re able to give people a path into cyber that does not include higher institutes of education,” said Nancy Pattillo, the foundation’s director of operations. “It’s creating more opportunities, and we make sure we go into underserved and underrepresented communities.”

The Cyber Bytes Academy, part of the Cyber Bytes Foundation, offers courses leading to industry-recognized certifications like CompTIA A+ for IT

support. The academy also provides cybersecurity boot camps and employee training services for businesses, ensuring community members can upskill, stay competitive, and be employable by companies in the area. As of January 2025, more than 3,000 students have received training and education.

Cyber Bytes engages youth through its Cyber Titans programs, which introduce children as young as 6 to STEM and cybersecurity via hands-on projects. Its summer camps allow teens ages 13 to 18 to explore technology by building drones, 3D printers, and computers, fostering early interest in STEM careers.

Virginia’s wide array of workforce development programs demonstrates the Commonwealth’s commitment to leading the nation in cybersecurity. These initiatives not only address the widening talent gap, but also ensure a robust pipeline of skilled professionals for the future.

As Osmond said, “Growing the cyber workforce with students and young professionals will help Virginia attract new companies and investments and continue to stay at the forefront of innovation in cybersecurity.”

Fairfax County-based technology and professional services company CACI International Inc. partnered with the Commonwealth Cyber Initiative for project-based learning initiatives. CACI interns have described the initiatives as a way to put theory into practice.

Big Discoveries, Big Plans

After exposing Chinese data practices, Quokka uses VEDP trade services to grow in Asian markets

Quokka entered the cybersecurity world with a big reputation — under its previous name, the company landed on the front page of The New York Times after discovering a critical security vulnerability in some Android smartphones that sent user data to Chinese servers. In 2019, the company’s further investigations into mobile apps exposed that the massive social media app TikTok was sending data to China.

The Arlington County-based firm has never sat idly in a world where the explosive growth of mobile technology has been matched by the proliferation of threats to security and privacy.

If the name Quokka sounds unfamiliar, it’s because the name itself represents the evolution of a company that germinated in 2011 as Kryptowire, a small team that vetted apps for the departments of Homeland Security and Defense. Two years later, those agencies provided funding so the company could develop services for commercial clients.

A DISCOVERY WITH GLOBAL IMPLICATIONS

By 2016, Kryptowire became headline news after the company discovered that firmware made by many Android phones included a secret backdoor that relayed text messages, contact lists, call logs, and location information to servers in China.

The revelation dominated headlines and set off a debate that continues nearly a decade later: Is the Chinese government using consumer technology to spy on Americans and other foreign users?

The publicity opened to Kryptowire the

boardrooms of Fortune 500 companies. As the company began targeting commercial clients with its services, its leadership could see that, for private enterprise, security was just a starting point.

Companies need to reduce their mobile attack surface with security that doesn’t compromise the efficiency of their operations nor the privacy of their employees, explained Quokka CEO Dana Waldman.

“We started developing technology to strike a balance between security and privacy,” he said. “Other solutions can be rather invasive to provide their layer of security. Our R&D team has developed techniques that are extensive and comprehensive, yet do not compromise privacy.”

Quokka has developed proprietary app analysis engines that provide mobile risk intelligence. The company’s technology

Other solutions can be rather invasive to provide their layer of security.

Our R&D team has developed techniques that are extensive and comprehensive, yet do not compromise privacy.

builds digital twins in a cloud, so it can run deep app analysis without causing drag on hardware or bandwidth.

“It’s one of our differentiators,” Waldman said. “Our technology runs entirely in the cloud. Our customers get our actionable insights in minutes, without taxing their systems and devices.”

A BOOST FROM REMOTE WORK

That balance of security, efficiency, and privacy would grow more important over time as more people worked remotely, Waldman expected — but while he anticipated the shift in work culture, no one saw the oncoming tsunami that came in the form of the COVID-19 pandemic.

“This idea of remote work and remote access and working from anywhere… I call that a tailwind for us,” Waldman said. “If companies weren’t doing it before, they were certainly doing

it by the end of the pandemic. Now everybody takes advantage of remote work, whether fully working from home or the office or a hybrid model…there was a fundamental cultural shift.”

When the pandemic created an opportunity for its business, Quokka made best use of it because of help it had received from VEDP’s International Trade division.

Quokka turned to VEDP in 2018 and 2019 to seek commercial clients internationally. At the time, the company was too small to have its own market research team, so VEDP played that role, finding a part of the world that would be most receptive to mobile security, Southeast Asia.

“Most companies, at the stage we were at, you’re not going to go start some big-market research department. So, when you can have this kind of a partner

This was the perfect time to stake our claim as a user-friendly, low-friction, trusted partner. [Competitors’] imagery and themes are around fear. You go around a trade show in the security industry and you see lots of black and red images with shields and swords.

in VEDP, we found that to be value added,” Waldman said. “We wanted to learn more about the commercial markets so we could start to prioritize which markets might be of interest. How big are they? What are the growth rates? What are the hurdles one would have to overcome to get into these?”

Southeast Asia made sense because that marketplace is dominated by Android, whose mobile devices are more vulnerable to security breaches, the result of a supply chain with more players than Apple’s iOS and its company-controlled App Store, explained Christopher Gogoel, a Quokka vice president who oversees business units for the U.S. public sector and the Asia-Pacific region.

CRITICAL MARKET INSIGHTS DRIVE GROWTH

With guidance from VEDP, Quokka focused on three initial markets, where

they found leaders who were aggressive about finding better ways to enhance security, efficiency, and privacy.

VEDP then helped Quokka find business opportunities in those countries, introducing company leaders to business networks, matching them with potential partners, and arranging events where those interactions could happen, from trade shows to tailored business missions.

Those efforts delivered big returns. Since the summer of 2023, the company has tripled its revenue from the region. “It’s a very good place for us to do business,” Waldman said.

So good, in fact, that Quokka plans to double down on the region, again with the help of VEDP, this time through the Virginia Leaders in Export Trade (VALET) program, which has helped more than 400 Virginia companies to grow business. Quokka began the

two-year program in January 2025 and has targeted three additional markets.

“The VALET program, we think, will take this company to the next level,” Waldman said.

Taking on new challenges is old hat to a company that surprised some when, in 2022, it abandoned the name Kryptowire and replaced it with Quokka, the name of an obscure marsupial found along a small strip of southwestern Australia.

Quokkas are cat-sized, fuzzy creatures that look a bit like mini-kangaroos. The cute creature replaced Kryptowire’s shield emblem and helped the company stand out from rivals as the marketplace for mobile security was quickly growing.

“This was the perfect time to stake our claim as a user-friendly, low-friction, trusted partner,” Waldman said.

“[Competitors’] imagery and themes are around fear. You go around a trade show in the security industry and you see lots of black and red images with shields and swords.”

The name change was also needed, he explained, to position the company away from the rise of cryptocurrency, which had the potential to cause confusion among potential customers. That same year, the company received backing to grow from venture capital, specifically from U.S. Venture Partners with participation from Crosslink Capital. That investment came because of growth facilitated by VEDP.

“VEDP really came through for us as we started getting this traction outside the United States, and it was at that point we decided to take in some venture capital to accelerate our growth plans,” Waldman said. “Adding a little bit of gas in the tank is always a good thing.”

Downtown Roanoke landmarks include the Wells Fargo Tower, the Roanoke City Market Building, and the Taubman Museum of Art, designed by Frank Gehry associate Randall Stout.

ROANOKE REGION

A RAIL HUB, Reinvented

The city of Roanoke was initially developed as a corporate hometown for the Norfolk and Western Railway, and the surrounding metropolitan area is now Virginia’s largest population center west of Richmond, home to more than 330,000 people. The region serves as a cultural and business hub for more than 1 million residents in western Virginia. Major sectors in the area include transportation manufacturing (Altec Industries, Mack Trucks, Volvo Trucks North America, Yokohama Tire Manufacturing) and food and beverage processing and packaging (BIMBO Bakeries USA, Homestead Creamery, Coca-Cola Consolidated, New Belgium). The region boasts three private four-year universities (Ferrum College, Hollins University, and Roanoke College) and Mountain Gateway and Virginia Western community colleges, both of which are instrumental in developing workforce training for area employers. Virginia Tech and Radford University both have a strong presence in Roanoke’s innovation corridor, with the Fralin Biomedical Research Institute at VTC representing a core part of Virginia’s Research Triangle.

THE ROANOKE REGION OFFERS:

Strong connectivity, including stretches of interstates 81 and 64 and direct freight rail service to Southern and Midwestern markets

Outdoor recreation opportunities for hikers, bikers, and water sports enthusiasts, including McAfee Knob, the most photographed spot on the Appalachian Trail

A cost of living and average commute time below national averages

The Roanoke River Blueway runs from Montgomery County to Smith Mountain Lake, passing through scenic rural areas and urban neighborhoods and parks.

Carvins Cove Natural Reserve in Roanoke County is the second-largest municipal park in the United States. The park boasts more than 40 miles of multi-use trails in addition to Carvins Cove Reservoir, which supplies water for business and residential customers of the Western Virginia Water Authority.

Smith Mountain Lake is the home of the East Coast Open Water Festival, which includes numerous swimming and running events in addition to a 5K paddleboard race on the lake.
The Roanoke Region’s location in the Blue Ridge Mountains provides a wide variety of biking opportunities, from mountain trails in parks like Jamison Mill Park in Franklin County (below) to road rides on the Blue Ridge Parkway.

The Dragon’s Tooth Trail in Roanoke County gets its name from the rock formation at its peak. Dragon’s Tooth is one of the Triple Crown of Virginia hikes in the Roanoke Region, along with McAfee Knob and Tinker Cliffs.

The Foot Levelers Blue Ridge Marathon is billed as “America’s Toughest Road Marathon” because of significant elevation changes as the course goes up Mill and Roanoke mountains.

Numerous advanced manufacturers call the Roanoke Region home, including Micro Harmonics Corporation in Botetourt County, which specializes in ferrite components for use at millimeter-wave frequencies in testing and measurement, portal security, telecommunications, and radar applications.

Higher education providers in the Roanoke Region include Roanoke College (above), Mountain Gateway Community College, and Virginia Western Community College (left).

Economic Development Partners in Virginia

VEDP works in close partnership with local and regional economic development organizations. For a full list of local and regional partners, visit www.vedp.org/Regions

In addition, VEDP regularly works with a wide network of statewide partners,

State Leadership Partners

Governor

General Assembly

Major Employment and Investment (MEI) Commission

Secretary of Commerce and Trade

Secretary of Finance

Secretary of Education

Secretary of Labor

Secretary of Transportation

Project Delivery Partners

Colleges and universities across the Commonwealth (e.g., UVA, Virginia Tech, William & Mary)

CSX, Norfolk Southern, and short-line railroads

Dominion, AEP, and other electric utilities

The Port of Virginia

Virginia Community College System

Virginia Department of Agriculture and Consumer Services

Virginia Department of Environmental Quality

Virginia Department of Housing and Community Development

Virginia Department of Rail and Public Transit

Virginia Department of Small Business and Supplier Diversity

Virginia Department of Taxation

Virginia Department of Transportation

Virginia Innovation Partnership Corporation

Virginia Tobacco Region Revitalization Commission

Virginia Tourism Corporation

Policy and Programmatic Partners

GO Virginia

State Council of Higher Education for Virginia

Virginia Agribusiness Council

Virginia Association of Counties

Virginia Business Council

Virginia Business Higher Education Council

Virginia Cable Telecommunications Association, Virginia Manufacturers Association, Virginia Maritime Association, Virginia Realtors Association, and many other trade associations

Virginia Chamber of Commerce, as well as many local and regional chambers of commerce

Virginia Economic Developers Association

Virginia Farm Bureau

Virginia Municipal League

Virginia Association of Planning District Commissions

Virginia Rural Center

Virginia’s Technology Councils

Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.