Cybersecurity a National Nightmare… and Opportunity for Virginia

cyber_securityby James A. Bacon

Not long ago, an unknown hacker from outside the United States shut down the server of Professional Dermatology Care PC in Reston in what appeared to be a ransomware attack: Give us money or you’ll never see your 13,000 patient records again. The dermatology practice posted a statement on its website, stating that it had contacted the FBI, increased its cyber-security measures, and would be sending written notices patients. So starts this month’s cover story of Virginia Business magazine about cyber-security.

Let’s just say that I can feel the dermatologists’ pain. No one is holding Bacon’s Rebellion for ransom, but my blog has been shut down for more than a week now in a “distributed denial of service” attack on the shared server that hosts Bacon’s Rebellion and hundreds of other blogs and websites. Readers can no longer find old blog posts. I can’t access a draft of an article I was writing the day before the attack. Readers are thwarted in efforts to register and post comments. Other than moving to a new server to set up the jury-rigged blog that you are now reading, I am helpless.

In a distributed denial of service (DDOS) attack, an outsider bombards the server with superfluous requests from hundreds, even thousands, of computers — typically slave computers infected with malware. The fusillade crowds out legitimate users trying to visit the site. The web host company — in my case — can identify and block the IP addresses of attacking computers, but the attackers simply shift to other computers.

“Basically, we have to wait out the attack,” a Hostmonster technician told me this morning. “It’s essentially out of our hands.”

These attacks are increasing in frequency because the bad guys — most of them residing in Russia, Ukraine and Eastern Europe — have figured out how to make money by holding companies ransom, stealing credit cards, and other means. Just as IT is a growth industry in the U.S., cyber-thuggery is a growth industry overseas. Every time the good guys introduce an innovation to make cyberspace safer, the bad guys match them with an innovation of their own. We live in a world in which the Chinese break into corporate computers and steal technology, parties unknown probe for vulnerabilities in the electric grid, and Russians compromise the computers of the Democratic National Committee (and, most likely, the private email server of a certain former Secretary of State). No one is immune…

Which, ironically enough, makes cyber-security a potential growth industry for Virginia. As Virginia Business observes, some 650 Virginia companies are engaged in one aspect of cyber-security or another. Many arose from the security obsessions of the U.S. military, intelligence and homeland security communities, but newcomers are developing niches to serve private industry. The greater the cyber-threat, the greater the business opportunity for Virginia-based enterprises.

Here’s the rub: Virginia faces a severe manpower shortage. Writes Virginia Business: “Virginia has an immediate need for about 17,000 cybersecurity professionals, with each job paying an average of $80,000 per year.”

If those positions could be filled, they would amount to nearly $1.4 billion in payroll! The McAuliffe administration sees a huge economic-development opportunity.

“Cybersecurity firms by and large are based on talent, and they are pretty much as good as the talent they are able to fund,” says Secretary of Technology Karen Jackson. “And so the states that have the best people and have the most talented workers are going to be the ones that garner the most amount of [cybersecurity companies] over the long term.

Many of the Virginia initiatives noted by Virginia Business focus on workforce development:

  • The Mach37 cybersecurity business accelerator in Herndon, an initiative of the Center for Innovative Technology, has helped launch 35 cybersecurity companies collectively employing more than 100 workers.
  • State government established a cybersecurity apprenticeship program to help students in community colleges and technical centers get on-the-job experience while earning degrees and certificates in cybersecurity fields.
  • Virginia Tech has received a $19.4 million National Science Foundation grant to use for cybersecurity workforce development.
  • The state’s New Economy Workforce Credential Program funds two-thirds of the cost of workforce credentials programs for students who complete vocational certification programs and earn industry-recognized credentials in high-demand professions such as cyber-security.
  • The state Department of Education sponsored a pilot program of 32 cybersecurity summer campus for high school students across Virginia.
  • Governor Terry McAuliffe signed into law this summer a measure requiring computer science be integrated into State Standards of Learning by 2017.

“A lot of us have insomnia,” said Northern Virginia cybersecurity consultant William Lumpkin, known by his hacker handle InfoJanitor. “Because if you knew how vulnerable things are all the time, it would make you a little nervous too.”


  1. Larrytheg

    mission critical systems are backed up / replicated to separate systems almost on a real-time basis…

    what is or is not thought to be “mission critical” is somewhat in the eyes of the beholder once you get beyond govt and corporate systems….

    there are companies that scrub systems on a daily basis and also replicate files so that if a site goes down – and loses data – they can be rebuilt…

    but if you KNOW there are evil folks out there doing malware, ransomware, DOS, etc.. there ARE defenses….

    of course it is churlish to mention this … on Monday morning!


    this is really no different than physical security in that you’re dealing with folks who will exploit your weaknesses so you have to adapt…. it’s not that we have no way to defend – we do – but it takes more effort than we’re accepting as necessary.

    and yes – I’d love to see Virginia’s Universities and Community Colleges to become world-class cyber-security institutions and for kids in Va schools to KNOW that it’s almost a guaranteed job if they apply themselves academically …

    we have the ability to do this – if we want to drop all the partisan political blame games… and get on with things we actually can accomplish.

  2. Acbar

    Ah, yes, there are defenses. But as discussed in “Lights Out,” Ted Koppel’s recent book on the associated risk to the Grid (which we discussed here on BR around a year ago), those defenses are weak, and likely to prove only partially effective at best. Then, we won’t be talking about nuisance and inconvenience but about billions of dollars of economic losses. We know what to do and it’s not getting done; as you say, Larry, “it takes more effort than we’re accepting as necessary.”. Koppel explains, the greatest vulnerabilities are often found with the smallest, oldest, independent components of the interconnected grid, the little municipal electric facilities and small rural cooperatives in remote locations – but once the hacker is “inside” he can do his damage anywhere. When it happens — and human nature tells us it WiLL happen — public opinion will mobilize to do something about this risk and the employment opportunities for those 17,000 cybersecurity professionals will shoot up by orders of magnitude overnight! And this will happen nationwide simultaneously. Yes, it’s the kind of opportunity that offsets the dislocations of globalization etc — and yes, it requires education, education, and respect for education, in all those households where it never mattered before. Quite a challenge.