Fixing the Glitch: the face of cyber security

From cyberattacks to technology malfunctions, our private information is at risk every day. We have developed vast networks, security protocols, and automated processes to handle many of our daily tasks, and every industry–from military to finance to entertainment–has  critical vulnerabilities revealed by attacks on data and functionality. We are facing serious gaps in both technology and the manpower to fix it.

Fixing the Glitch: The Face of Cyber Security

Information Security = Job Security

Those with a degree or certification in information security have an excellent career outlook. According to the U.S. Bureau of Labor Statistics, the job outlook for Information Security Analysts is expected to grow 37% through 2022, well above the 11% projected growth rate for all occupations. Information security analysts also receive a median annual wage of $86,170, which is higher than the average $76,270 for all computer occupations. (source: Bureau of Labor Statistics, U.S. Dept. of Labor, Occupational Outlook Handbook, 2014-15 Ed., Information Security Analysts (visited July 13, 2015).

The path to these careers is found through both degree and certificate programs. Information security jobs are highly competitive, and require a comprehensive understanding of security and privacy throughout an organization’s technology network. IT security specialists set up and maintain their organization’s information security, from installing security software to responding to cyber attacks. And as cyber attacks become more sophisticated, approaches to information and network security must evolve in similar ways to counter the threat.

Growing a new cyber force

The Department of Defense outlined a new Cyber Strategy in April 2015, with a target of 133 Cyber Mission teams by 2018. The Mission Teams will have three primary goals: defending DoD networks, systems, and information; defending against cyberattacks; and providing cyber support to military plans.

We live in a time of growing cyber threats to U.S. interests. State and non-state actors threaten disruptive and destructive attacks against the United States and conduct cyber-enabled theft of intellectual property to undercut the United States’ technological and military advantage. …We must be dynamic, flexible, and agile in this work. We must anticipate emerging threats, identify new capabilities to build, and determine how to enhance our partnerships and planning. …By working together we will help protect and defend the United States and its interests in the digital age. (The DoD Cyber Strategy, PDF, April 2015)

To this end the Department of Defense, along with private sector and academic partners, hold annual Cyber Guard exercises that provide participants an opportunity to practice live cyber operations on a closed network against simulated adversaries. This approach blends industries with different backgrounds, to help share tactics in preparation for future cyberattacks on both government and the private sector.

Cyber Guard 2015, held in Suffolk, VA

Our area is becoming a hub for government cyber interests; the annual Cyber Guard exercise is growing rapidly each year, and the NSA and Defense Information Systems Agency have established a U.S. Cyber Command headquarters in Fort Meade, MD. From its inception in 2010, the Cyber Command staff has grown to just over 1,000; that number is expected to double over the next few years. The growth at Cyber Command has attracted the interest of technology companies in the area, including commercial tech and cybersecurity firms.

The White House has also recognized the need for more qualified candidates for technology jobs, especially positions in information technology and cybersecurity. Of the approximately 5 million available jobs in the U.S. today, almost a quarter are in IT fields such as software development and cybersecurity. Many of these jobs did not exist 10 years ago.

The average salary in a job that requires information technology (IT) skills … is 50 percent higher than the average private-sector American job. Helping more Americans train and connect to these jobs is a key element of the President’s middle-class economics agenda. …Employers across the United States are in critical need of talent with these skills. Many of these programs do not require a four-year degree. (“President Obama Launches New TechHire Initiative,” March 2015)

These jobs require skills that can be learned in industry-certified training programs, in months, not years. And they’re not solely in high-tech companies; many IT and cyber jobs are available in health care, retail, energy, financial services, or even transportation.

The TechHire initiative  is focused on connecting more Americans to available technology jobs in order to keep the U.S. competitive in a global economy. TechHire is working with over 300 employer partners to recruit, train, and place applicants in over 120,000 open technology jobs. In addition, TechHire is seeking to expand training models to create more fast-track learning opportunities to meet the growing need for a tech workforce.

Cyber Virginia

In February 2014, Governor Terry McAuliffe signed Executive Order No. 8, launching the Virginia Cyber Security Commission, recognizing the economic benefit to creating new cyber jobs in Virginia. According to CompTIA’s 2015 Cyberstates (February 2015), almost 1 in 10 of Virginia’s private-sector workers are in tech industries, with an average wage of $105,000 per year. The tech industry drives 8.6% of Virginia’s economy, with over 275,000 tech industry jobs throughout the state.

The Cybersecurity 500 List for Q2 2015, published in April 2015 by Cybersecurity Ventures, lists 39 Virginia-based companies. Only California has more companies on the list, with 150. Massachusetts is behind Virginia with 35 companies. Steve Morgan, Founder and CEO of Cybersecurity Ventures, contemplates Virginia as a hotbed for cybersecurity:

Demand for vendor-furnished information security products and services by the U.S. federal government will increase from $7.8 billion in FY 2014 to $10.0 billion in 2019 … according to Deltek’s Federal Information Security Market Report (published Oct. 2014)…. When you consider these market-sizing estimates and projections, which align to the federal sector – and all of the federal agencies that are headquartered in Virginia – it explains a lot. (Virginia is for Cybersecurity, July 7, 2015)

With all the companies in Virginia dedicated to advancing cybersecurity and new technologies for information networks, there is an accompanying need for a trained workforce to fill these positions. The “Techtopia” map below, provided by Northern Virginia Technology Council, shows the concentration of tech and cyber companies in Northern Virginia.

techtopiaVA

Become a cyber professional

In April I discussed the job outlook for cybersecurity professionals and NOVA’s Workforce Development Division dedication to addressing the skills gap here in Northern Virginia. To meet the growing need for Information and Cybersecurity professionals in the area, our Cyber Security certificate program includes entry-, mid-, and advanced-level certificates in Cyber Security. We have many IT and computer skills certificates available to IT professionals who are already working in Information Security, and provide customized training to organizations who need to advance skills of IT staff. For information on our cybersecurity certificate programs, call 703-948-3703.

 


NOVA Workforce Development Division | Blog
Northern Virginia Community College’s Workforce Development Division is dedicated to improving Northern Virginia’s economic development and business landscape with a comprehensive variety of training options, including Professional Development, Certificate Programs, Enrichment Courses, Continuing Education, and Customized Training. Visit us online to learn more.

Fixing the Glitch: cyber security and broken systems

Remember the AP Twitter hack-and-hoax of 2013, where the Syrian Electronic Army (SEA) gained access to the Associated Press’ Twitter account and posted a fake tweet reporting explosions at the White House and the injury of the President? Within seconds, financial markets dropped by 1%. Within minutes, Twitter became a hornets’ nest of refutations and announcements. AP reporters tweeted that @AP had been hacked. Things returned to normal.

This hack proved that financial markets, which move reliably and quickly to perceived threats, can be vulnerable to manipulation by hackers; any glitch in the system causes software—and people— to react, so response before context and clarification is given usually causes damage. (A hacker’s market, @Economia, May 2013)

Cybersecurity_NOVAworkforce

Why hackers hack

Causing disruption in financial markets is only one small incentive for cyberattacks. Large amounts of useful data live in networks and in the Cloud, and hackers are finding creative ways to get to it, to be used for everything from “simple” identity theft to industrial espionage.  In May 2015, The Internal Revenue Service confirmed that hackers had used stolen identity data (and shady email domains) to defraud the “Get Transcript” application to steal account information for 100,000 taxpayers.

CareFirst BlueCross Blue Shield was also hit in May 2015 with a data breach that compromised personal information on over 1 million customers. The same attack methods may have been used in earlier breaches at Anthem and Premera, which collectively involved data on more than 90 million Americans. All companies are providing credit monitoring and identity theft protection services for members while they seek solutions to provide more robust security for their networks.

Katherine Archuleta, the director of the U.S. Office of Personnel Management (OPM), is currently dealing with one of the largest government data breaches in U.S. history. The scope of this disaster is still growing, since additional reports have surfaced indicating that the breach has affected  almost 20 million background investigation forms and 1.1 million fingerprint records for Federal employees.

The theft of these forms represents a major national-security and intelligence failure, given that they contain records of past drug use, mental health and contacts with people overseas and other sensitive information that could prove useful to a foreign intelligence agency. (Wall Street Journal, July 9, 2015)

Archuleta will likely be held accountable for the current OPM breach, but the problem is systemic, and much more than any one person or committee can solve.

In April 2015,  the U.S. Government Accountability Office presented GAO-15-573T, a testimony on Cybersecurity and the need for government agencies to address cybersecurity challenges that are growing steadily each year.  “Specifically, the number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) increased from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of 1,121 percent.

Wait. what?

Yes, you are reading that correctly. Between FY 2006 and 2014, the number of information security incidents—stolen data, malware installation, phishing or SPAM attacks, and so on—increased over ONE THOUSAND PERCENT. Here’s a visual from page 7 of the GAO report:

GAO chart from 2006 to 2014 showing increase in security breaches

Furthermore, the report details the types of threats and the purposes of the attacks. Keep in mind this is the stuff we know about.  And the government sector is expanding its cyber warfare capabilities in an attempt to meet these threats head on.

Intentional versus unintentional threats

In addition to cyber attacks, computer glitches are wreaking havoc with automated software systems worldwide. Software that runs massive systems involves millions of lines of code. Despite thorough quality checks and regular security upgrades, a tiny error—such as one misplaced string of code or a missing character—can cause programs to act erratically, or  even crash completely.

A United Airlines computer system glitch grounded flights nationwide for a few hours Wednesday morning, July 8, leaving thousands stranded and causing a domino effect of delays for almost 5,000 flights worldwide.

The glitch affected software that automates United’s operations, according to the FAA. And its failure shows just how sensitive computerized companies are nowadays. (CNNMoney)

Fears of systemwide technical vulnerability were brought to light when the New York Stock Exchange went dark from 11:32 a.m. to 3:10 p.m. on the same day of the United Airlines debacle. This outage was longer than the 2013 NASDAQ collapse, which spawned an order from the Securities and Exchange Commission to improve the vulnerable systems that form the backbone of Wall Street. According to market analysts,

… the SEC, which polices the markets, has struggled to keep up with the technological revolution that has come to dominate modern trading. It has also missed out on opportunities to address key vulnerabilities, opening the door to other damaging threats. (@WashingtonPost)

Luckily, technology kept the outage a non-crisis. The availability of alternative electronic trading platforms has resulted in the NYSE handling less than 14% of the trading in American shares. So while the NYSE’s glitch is still problematic, it wasn’t catastrophic. (Glitch Perfect, @theEconomist, July 9, 2015)

Shortly after the beginning of the NYSE computer crash, the Wall Street Journal displayed a 504 error on its site until a modified homepage could be uploaded. The full site was restored shortly thereafter.  The Wall Street Journal has not yet reported what caused their website crash, but theories abound, from the serious (bandwidth overload, virus issues, cyber attacks) to the silly (anniversary of first print issue in 1889, SkyNet waking up).

The Wall Street Journal 504 error on its site.

Leaving the door open

United Airlines cited a faulty router for the systemwide halt; the New York Stock Exchange crash seems to have been caused by a faulty software update that was installed Wednesday morning before trading began. And the Wall Street Journal experienced a systems-overload (only on its non-mobile browsers) that was likely an effect of overload from users seeking information on the other two (my theory, at any rate).

While nothing indicates the three technical glitches are linked, speculation is causing a lot of fears about technology infrastructure and data security. With the Sony Pictures hack from late 2014, to the still-fresh nationwide OPM hack blamed on old software, cyberattacks and malfunctions are becoming part of the public awareness of our dependence on vast, vulnerable systems.

…OPM has other responsibilities, including payroll and health benefit processing for government employees. [OPM Director] Archuleta repeatedly blamed legacy systems, some of which dated back to 1985 and use outdated COBOL programming language, as part of the problem. Such legacy systems, she said, could not be encrypted, for example. Office of Management and Budget (OMB) CIO Tim Scott noted that information-security practices such as data segmentation in databases are much more difficult in legacy systems. (“OPM Blames Legacy IT Systems in Contentious Hearing,” @PrivacyTech, June 17, 2015)

Obviously, we can’t just pull the plug on old systems and start from scratch. New critical systems and enhanced, secure infrastructure is needed everywhere, but these improvements will take time. The shortage of skilled IT and cybersecurity professionals has been widely publicized; in February 2015 the White House held a summit on Cybersecurity and Consumer Protection at Stanford University, calling for “industry, tech companies, law enforcement, consumer and privacy advocates” and others to come together to work through the issues facing cybersecurity. President Barack Obama explained that the government cannot tackle this “cyber arms race” on its own due to so many systems residing in private industry (non-government) sectors. Since cybercrime is systemwide, it makes sense for both government and private industry to work together to grow our defenses against cyberattacks.

Part 2:
Fixing the glitch: the face of cybersecurity


NOVA Workforce Development Division | Blog

Northern Virginia Community College’s Workforce Development Division is dedicated to improving Northern Virginia’s economic development and business landscape with a comprehensive variety of training options, including Professional Development, Certificate Programs, Enrichment Courses, Continuing Education, and Customized Training. Visit us online to learn more.

Summer 2015: Saturday Management Series

July 11, 18, and August 15  |  NOVA Loudoun  |  Management Series
July 11, 18, and August 15 | NOVA Loudoun | Management Series

 

Hone your management skills with three essential courses this summer at NOVA’s Loudoun Campus. Addressing employee management, project and time management, and successful teamwork, any one of these core-skills courses will prove helpful to business colleagues and managers at your company:

July 11  9am–3:30pm  |  BUSC 1406
Essential Management Skills for Human Resource Management

Employees are an organizations most valuable resource. Supervisors are responsible for effectively addressing various issues affecting their employees. This course will address the essential skills supervisors need to address employee performance and personnel actions.

July 18  9am–12:30pm  |  BUSC 1758
Successful Time Management: How To Stay in Control

Are you stressed or find yourself overwhelmed by projects, performance issues and deadlines? Do you feel like work keeps piling up and you can’t seem to see the forest for all the trees? Learning to manage your time can actually minimize stress and improve your quality of work and life. We’ll address various suggestions for effectively managing your time and alleviating stress.

August 15  9am–12:30pm  |  BUSC 1787
Teamwork in Today’s Work Environment

In today’s virtual work environment, the definition of team has taken on a whole new meaning. Employees are now required to work with colleagues across the globe. Face-to-face meetings are now conducted via video conferencing. So, how can employees overcome some of the challenges of trying to work together? What are some of the barriers that prevent team members from being a cohesive group? Discover the seven components of a well-rounded and successful team and how those components can be used to create effective synergy among team members at every location.

Check out the course listings at the Loudoun Campus to see all the Business and Management courses available this summer. Of course, all six of our campus locations feature courses that will enrich your skills for both business and self-improvement. Or if you need a more customized training approach, our Corporate Performance Solutions Team can develop and deliver a training program for your organization.

 

Risk and Change Management: July 2015 at NOVA

Space is still available:
Risk and Change Management (July 2015)

Register online or call 703-257-6630 for more information.

Risk and Change Management, Summer 2015 at NOVA Manassas Innovation Park
Risk & Change Management ( BUSC 1522-01M) | July 16 & 17, 2015, 9am–5pm | Manassas

Change must be expected in today’s business environment. Unmanaged change results in chaos. Understanding how to handle changes and risks, and how they are related, is both an art and a science. A good project manager needs the tools necessary to identify, quantify, measure and report on all aspects of a project, including these unknowns. This course embraces not only the technical aspects of risk and change, but also the human aspect. Technical topics include risk identification and assessment , risk response development and control, configuration management, and change control. Human factor topics include acknowledging change, strategies to reduce stress induced by change, and perception as a factor in evaluating risk.

Thursday and Friday, July 16 & 17, 9 AM to 5 PM
Manassas Innovation Park, 9485 Innovation Drive, Manassas
Instructor: Michael Van Dyke, PMP
For more information, call 703-257-6630