by James A. Bacon
Not long ago, an unknown hacker from outside the United States shut down the server of Professional Dermatology Care PC in Reston in what appeared to be a ransomware attack: Give us money or you’ll never see your 13,000 patient records again. The dermatology practice posted a statement on its website, stating that it had contacted the FBI, increased its cyber-security measures, and would be sending written notices to patients. So starts this month’s cover story of Virginia Business magazine about cyber-security.
Let’s just say that I can feel the dermatologists’ pain. No one is holding Bacon’s Rebellion for ransom, but my blog has been shut down for more than a week now in a “distributed denial of service” attack on the shared server that hosts Bacon’s Rebellion and hundreds of other blogs and websites. Readers can no longer find old blog posts. I can’t access a draft of an article I was writing the day before the attack. Readers are thwarted in efforts to register and post comments. Other than moving to a new server to set up the jury-rigged blog that you are now reading, I am helpless.
In a distributed denial of service (DDOS) attack, an outsider bombards the server with superfluous requests from hundreds, even thousands, of computers — typically slave computers infected with malware. The fusillade crowds out legitimate users trying to visit the site. The web host company — Hostmonster.com in my case — can identify and block the IP addresses of attacking computers, but the attackers simply shift to other computers.
“Basically, we have to wait out the attack,” a Hostmonster technician told me this morning. “It’s essentially out of our hands.”
These attacks are increasing in frequency because the bad guys — most of them residing in Russia, Ukraine and Eastern Europe — have figured out how to make money by holding companies ransom, stealing credit cards, and other means. Just as IT is a growth industry in the U.S., cyber-thuggery is a growth industry overseas. Every time the good guys introduce an innovation to make cyberspace safer, the bad guys match them with an innovation of their own. We live in a world in which the Chinese break into corporate computers and steal technology, parties unknown probe for vulnerabilities in the electric grid, and Russians compromise the computers of the Democratic National Committee (and, most likely, the private email server of a certain former Secretary of State). No one is immune…
Which, ironically enough, makes cyber-security a potential growth industry for Virginia. As Virginia Business observes, some 650 Virginia companies are engaged in one aspect of cyber-security or another. Many arose from the security obsessions of the U.S. military, intelligence and homeland security communities, but newcomers are developing niches to serve private industry. The greater the cyber-threat, the greater the business opportunity for Virginia-based enterprises.
Here’s the rub: Virginia faces a severe manpower shortage. Writes Virginia Business: “Virginia has an immediate need for about 17,000 cybersecurity professionals, with each job paying an average of $80,000 per year.”
If those positions could be filled, they would amount to nearly $1.4 billion in payroll! The McAuliffe administration sees a huge economic-development opportunity.
“Cybersecurity firms by and large are based on talent, and they are pretty much as good as the talent they are able to fund,” says Secretary of Technology Karen Jackson. “And so the states that have the best people and have the most talented workers are going to be the ones that garner the most amount of [cybersecurity companies] over the long term.”
Many of the Virginia initiatives noted by Virginia Business focus on workforce development:
- The Mach37 cybersecurity business accelerator in Herndon, an initiative of the Center for Innovative Technology, has helped launch 35 cybersecurity companies collectively employing more than 100 workers.
- State government established a cybersecurity apprenticeship program to help students in community colleges and technical centers get on-the-job experience while earning degrees and certificates in cybersecurity fields.
- Virginia Tech has received a $19.4 million National Science Foundation grant to use for cybersecurity workforce development.
- The state’s New Economy Workforce Credential Program funds two-thirds of the cost of workforce credentials programs for students who complete vocational certification programs and earn industry-recognized credentials in high-demand professions such as cyber-security.
- The state Department of Education sponsored a pilot program of 32 cybersecurity summer camps for high school students across Virginia.
- Governor Terry McAuliffe signed into law this summer a measure requiring computer science be integrated into State Standards of Learning by 2017.
“A lot of us have insomnia,” said Northern Virginia cybersecurity consultant William Lumpkin, known by his hacker handle InfoJanitor. “Because if you knew how vulnerable things are all the time, it would make you a little nervous too.”