For companies like the Bethesda, Md.-based Lockheed Martin Corp., the threat of a cyberattack calls for accelerated preparation.
Lockheed Martin is where military aircraft, including the F-16 fighter jet and the Black Hawk helicopter, are designed and manufactured. The company, which has 98,000 employees worldwide, also researches and develops products for space exploration, robotics, nanotechnology, energy management and cybersecurity.
This is the sort of work that makes a company a lightning rod for cyberterrorists.
“Lockheed Martin and other members of the Defense Industrial Base are frequent targets of adversaries from around the world,” said Michael Panczenko, Lockheed’s director of cyber engineering and technology, adding that the company has made “significant investments in countering persistent threats.”
Everything in the defense and aerospace industries is network enabled, which means cybersecurity has to be part of everything the company does, he said. In addition, security threats against the U.S. government and the private sector are “becoming increasingly sophisticated and complex.”
The company’s computer specialists place a great emphasis on intelligence analysis, characterization and prediction to respond quickly to attacks, and even before that, to build resistance to them, he said.
“If unusual activity is identified, we use a disciplined process to track the adversary, understand their motivation and secure our customer, program and employee personal data,” Panczenko said.
Every business with a network is susceptible to a cyberattack.
A cybersecurity plan is as important as any other aspect of business, said Sitima Fowler, co-CEO of Capstone Information Technologies Inc. in Perinton.
“Every business, doesn’t matter how small, needs to have a cybersecurity plan in place,” she said. “Cybersecurity plans usually comes in layers. It’s like a homeowner locking the front door but forgetting to lock the first floor windows.
“Companies in Rochester should seek out an IT firm to review their current cybersecurity plan and then fill the gaps as needed. This is not a DIY type of activity; cybersecurity has become very sophisticated and one needs to consult with a professional,” she said.
To prepare for a breach, Fowler recommends starting with an IT professional to understand needs specific to the business, having a professional firm monitor all the layers continuously, and incorporating protection for employees working in the office or on the road or for zero-day attacks. Companies also need email spam detection, virus protection, firewalls with cybersecurity protection and employee education.
“The money is in the data,” Fowler said. “The criminals will go wherever there is data because that is where the money is. Don’t take shortcuts and think that it won’t happen to you. Also, consider buying a cybersecurity insurance policy in case you do have data stolen.”
All industries should be wary of hackers, said Reg Harnish, CEO of GreyCastle Security LLC, which has a location in Rochester.
“No one industry is more susceptible to cybercrime, but some industries are more frequently targeted,” he said. “This makes them more likely to experience some kind of incident. The reality is all businesses are getting hit on a regular basis. The only questions that remain are how often and how severe.”
Keeping the public safe
In October, the Maricopa County Sheriff’s Department in Arizona arrested an 18-year-old man who posted a message on Twitter that, when clicked, continuously called 911, interrupting the service in areas of Arizona and at least 11 other states.
After that attack, the Department of Homeland Security encouraged 911 call centers to evaluate their risk, a spokesperson said. The agency has been referring public safety officials to the Alexandria, Va.-based National Emergency Number Association for a best practices review to minimize risk in a denial of services attack.
“The advice we are giving 911 call centers at this time is related specifically to responding and mitigating the effects of the attack,” said Trey Forgety, NENA’s director of government affairs.
There is “no way to directly influence attackers to not attack,” he said.
But there are plenty of steps that 911 operators can take when an attack happens. If a caller unintentionally perpetrates an attack through a third party who has hijacked his or her phone, for example, operators can find out the make of the phone, the service provider and have the caller reboot their phone.
This kind of preparation does not involve a lot of resources, which is good,
Forgety said. Because 911 call centers have worked so well historically, state and local governments have become complacent about making cybersecurity resources available.
That is changing, though, Forgety said, in part because of a public safety cybersecurity conference held this year in Columbus, Ohio, that brought together the tech types and politicians who oversee 911 centers.
“In public safety, we don’t like to talk about vulnerabilities,” he said, adding that now it is important to talk “long and loudly about the problem.”
With national cyberattacks, it can be easy for local businesses to feel overwhelmed regarding cybersecurity. If large corporations with much more funding can be hacked, what is a small to midsize business supposed to do? Focus on what they can control, GreyCastle Security’s Harnish said.
“It’s easy to get distracted by headlines and hysteria, but businesses need to focus on their own risks,” he said. “No doubt, hacks like at the NSA, Yahoo and the Democratic National Committee continue to open our eyes to what is possible, yet each business needs to continue addressing their own individual risks.”
Every business needs to pull its head out of the sand, Harnish said. There will be breaches no matter what.
“Cybersecurity is hard work, but it’s not rocket science,” he said. “Our clients are successful in reducing their risk, not because they bought whiz-bang technology or discovered some silver bullet, but rather because they’ve committed to solving the problem. Secondarily, people are the problem. If you think your cyber risks come down to anything but a human being, you’re wrong.”
Starting in the classroom
Roughly 70 percent of students enrolled in the University of Tulsa’s Cyber Corps program graduate to careers at the National Security Agency and Central Intelligence Agency. Others get positions at the Department of Defense, NASA and the FBI.
Sujeet Shenoi, the program’s director, said students earn those jobs by working with the government and Fortune 500 companies that allow the students, who range from freshmen to Ph.D. candidates, to get real world experience on attacking and defending infrastructures, such as gas pipelines or 911 call centers.
“One thing I feel really strongly about is that you must have hands-on access,” Shenoi said.
In this field, in particular, there is only so much students can learn from books or lectures, he said. They need to see the complexities of a system, and through practical lessons, try to “craft a solution that deals with the complexity.
“The students come away very well-trained,” he said.
Shenoi would not comment on the companies the university works with and said that students selected for the Cyber Corps must have integrity and discretion. Like any employee with a security clearance, the students are trusted not to pass information to other entities without permission.
“Acquiring the trust so that my students and I can attack these systems has been the hardest (endeavor) in my entire life,” Shenoi said.
The results are worth it, though. To build a lab or the infrastructure needed to train students for these high-security industries would cost billions of dollars, Shenoi said.
“If you aren’t working on a realistic structure, then you are not doing real science and engineering. It’s only a model,” he said.
Kerry Feltner contributed to this story. Gina Gallucci-White is a frequent writer for The Daily Record in Baltimore. Jessica Gregg, an editor at The Daily Record, contributed to this story.
12/16/2016 (c) 2016 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email email@example.com.