ANNAPOLIS — Maryland — home to the National Security Agency, the National Institute for Standards and Technology, research institutions and an ever-growing number of network security businesses — has grown into a cybersecurity powerhouse.
And with large-scale and high-profile attacks on organizations like Target and Neiman Marcus, which have thrust security into the spotlight, the industry continues to thrive.
Cybersecurity experts who aim to thwart hackers armed with increasingly potent programs and techniques seem to work from a point of disadvantage, almost by definition.
“We have to be right 100 percent of the time,” said Jim Close, federal account manager for Sourcefire, a Columbia-based network security company that was acquired by Cisco in October. “[Hackers] only have to be right once.”
Chad Carroll, vice president of information operations at Chiron Technology Services in Columbia, added that most data breaches are the result of user error.
“Not everybody is technically savvy, and not everybody is able to maneuver around a computer,” Carroll said. “They rely on others to be security-savvy for them.”
Remote exploits, in which a hacker breaks through a gap in network security from outside the network, are “few and far between,” he added.
He also said most employees who aren’t on a network security team don’t consider security a top priority, and mere curiosity can lead an employee to open a suspicious email attachment or click a link to a malicious site.
“Too many times, the folks that defend the network … think like a defender,” Carroll said. “And you can’t. You have to think like an attacker.”
But when even savvy defenders are caught off-guard, cyber attacks can deal significant damage. Greg Smith, cyber technical adviser for the Alabama-based Camber Corp., said in 2013, 122 successful cyber attacks were launched against businesses each week.
In all, the attacks cost businesses nationwide an average of $11.56 million per year. Smith said $4 million of that could have been mitigated by proper practices.
Smith, who spoke recently at the Cybersecurity Innovation Forum in Baltimore, added that “$7 million is still not an acceptable loss.”
As security technology becomes more advanced, relying on software to prevent and manage breaches may seem like a sound strategy. However, Carroll said having humans involved is a critical component of cybersecurity.
“Any time I hear the word ‘automated,’ I instantly assume you’re … removing the human aspect of it. And that’s not necessarily the right thing to do,” he said. “Somewhere, there’s a hacker who’s going to get around that. And you have to have that human element when you’re doing network defense.”
The defenders’ precarious position is unlikely to change soon. Carroll said that while most hacks involve known techniques and programs, skilled hackers can create their own tools that won’t get caught easily.
“How are you going to defend against something that you don’t know exists?” Carroll said.
Anupam Joshi, director of University of Maryland, Baltimore County’s Center for Cybersecurity Programs, aims to refine the human element by broadening students’ focus in the ever-evolving field.
“You teach the fundamentals,” Joshi said. “The idea is not to say ‘how to do X’ … what you do is say, ‘Here are the tools.’”
Close added that his company benefited from being in Maryland because of the proximity of powerful government technology and the availability of government contracts.
According to Joshi, Close is far from alone. With industry leaders like the NSA and NIST nearby — U.S. Sen. Barbara Mikulski said she wanted Maryland to be “the epicenter for cybersecurity in the United States” — there is plenty of cybersecurity brainpower to go around.
The industry frequently benefits when NSA employees leave to work in the private sector, unleashing intelligence and innovation otherwise that “may have been trapped for years” in the agency’s secretive environment, said Jeffrey Wells, executive director of cyber development at the Maryland Department of Business and Economic Development.
Cybersecurity firms and organizations are constantly growing in number in Maryland; Wells said the combination of government intelligence and top-tier colleges has resulted in “explosive” growth.
But even so, there are plenty of holes to fill. A report released by the Baltimore Cyber Technology and Innovation Center last year found that 19,000 cybersecurity job openings remained in Maryland alone. And educators may not be letting young students know of these opportunities.
A study by published in part by Raytheon, a defense contractor, said that less than a quarter of young adults surveyed found the idea of a career in cybersecurity at all interesting. Of those surveyed, 82 percent said a high school guidance counselor had never mentioned the possibility.
Joshi said that even high schools’ brightest students taking Advanced Placement courses were rarely taught skills that cybersecurity firms value. If a student is particularly good at math, Joshi said, the highest track typically focuses on “higher and higher levels of calculus, which is great if you’re going to be a theoretical physicist. But that’s not the kind of math you need if you’re going to be a computer scientist.”
The AP computer science exam had about a tenth as many test-takers as the biology and mathematics exams, according to Joshi. He added that discussions of cybersecurity are often limited to computer scientists when other academics, such as economists, should be heavily involved.
“I shouldn’t even call it computer science. We should call it computational thinking,” he said. “In some sense, cybersecurity is broader than computing. ... I don’t think any of this message is making it down to high school.”
If there is a silver lining to the recent rash of major breaches like those at Target, Neiman Marcus, Michael’s and Kickstarter, Carroll said, it’s an increase in security awareness. High-profile hacks tend to encourage companies to revamp security programs and policies to make sure they won’t be easy targets.
Maryland lawmakers are also starting to focus more on cybersecurity issues. The Senate passed a bill on Feb. 4 that would add a cybersecurity framework to the state’s “Information Technology Master Plan,” recommending that it be similar to a framework published by NIST.
Joshi also said that the state has been generous with its funding of computer science-related education. Similarly, The National Cybersecurity Center of Excellence, located in the Universities at Shady Grove and scheduled to move to Rockville, received more than $24 million in funding for an expansion, and Gov. Martin O’Malley has proposed increasing the tax credit for cybersecurity startups in the state from $3 million to $4 million.