Cybersecurity in West Virginia

An Emergent Modern Defense

By Jean Hardiman

In today’s world, it is uncommon for anyone to experience a day untouched by the cyber industry. For many, information technology (IT) infiltrates most aspects of life, beginning the moment they wake up to their cellphone alarm and continuing throughout the day while working, shopping, banking and interacting with the modern world online.

“Cybersecurity impacts all users and citizens, regardless of their profession,” says Lexy Guenther, chief technology officer for enterprise IT and mission solutions operations at Leidos. “The interconnectedness of people and technology has put the cyber industry front and center and illustrated the need to build security into all our projects and methodologies.”

Photo by Leidos.

Leidos is the contractor hired to protect the cyber and enterprise security operations for federal agencies in West Virginia, including the National Oceanic and Atmospheric Administration, FBI and U.S. Department of Defense (DOD). The company is one example of how the Mountain State is staying in step with increasingly important cybersecurity measures for businesses and organizations of all kinds. From private businesses to the military to higher education, the efforts to protect the businesses and people of West Virginia from cyberattacks are more important than ever.

Ahmed Mian demonstrates VR technology.
Photo by NextGen.

“Cybersecurity is akin to physical security and insurance costs that businesses used to incur 25 years back,” says Chetan Desai, COO of NextGen Federal Systems. “A business must place proper controls to secure its IT assets and protect itself from cybercrime-related liabilities. Businesses that develop intellectual property have to take additional measures to ensure that it is not stolen or duplicated by another company anywhere in the world.”

Companies worldwide lose billions annually due to cyberattacks.

“The reality is that there is no getting around it. Companies cannot risk the disruption and revenue loss from cyberattacks,” says Jim Estep, president and CEO of the High Technology Foundation. “Even a perceived vulnerability to cyberattacks can have a negative reputational impact.”

So, what is considered a cyberattack? According to Lieutenant Colonel William Hargis, director of joint communications for the West Virginia National Guard (WVNG), the DOD defines it as any hostile act using a computer or related network or system that is intended to disrupt and/or destroy an adversary’s critical cyber systems, assets or functions.

“Cyberattacks, like any crime, are made possible with malicious motive and means,” Guenther says.

Attackers have increased access to tactics, techniques, procedures and tools to carry out the attacks, and there has also been an increase in attacker collaborations.

The possibilities are alarming. There have been instances across the country where cyber threat actors have taken power grids offline and shut down energy pipelines, causing disruptions to our normal way of life, according to cyber experts from the WVNG.

“The cyber domain actions can have an almost immediate and detrimental impact on our physical way of life,” says Major William Keber, former battalion commander for the Critical Infrastructure Protection (CIP) Battalion of the WVNG. “Cyber threat actors continue to probe our nation’s critical infrastructure defenses. They only have to be right once to put the public’s safety at risk.”

Another worrisome factor that has come into play is remote work. For businesses, the changing work environment since the onset of the COVID-19 pandemic, with more workers accessing and inputting information from remote locations, has increased risks for many organizations.

“I think network security is likely the greatest risk since each home can have a different network—internet service providers, firewalls—through which employees access the corporate data and information resources and interact with co-workers, customers and vendors,” Desai says. “Companies are not thinking about the vulnerabilities posed by such disparate accesses. A determined player can exploit this vulnerability to gain access to your business’s competitive information and intellectual property.”

Human error is always the biggest risk, according to Keber.

“Whether that is an unwitting employee clicking on a malicious link or attachment or the human being susceptible to social engineering schemes, the human will continue to be the focus area for adversaries,” Keber says. “Since COVID, adversaries have shifted focus to remote work capabilities such as virtual private networks, or VPNs. This trend is expected to continue as people continue to telework.”

According to Hargis, end-to-end encryption must be built into a remote work business plan.

“Most modern operating systems and software suites provide encryption tools at no additional costs, but many fail to incorporate that into their standard operating procedures during their business and personal activities in cyberspace,” Hargis says.

Guenther agrees that the increase in a remote and mobile workforce and the interconnectedness of assets increase the attack surface.

“This increases the likelihood of a potential successful cyberattack,” she says. “That is why, in a world where work from home has become the new normal, cyber-savvy employees and advanced detection capabilities remain key areas for cyber defense.”

This is also where the importance of West Virginia’s expanding cybersecurity expertise and partnerships comes into play. There are a number of cybersecurity professionals sharing knowledge across organizations and constantly honing their skills to better protect the state’s businesses and residents.

Members of the WVNG collaborate on a scenario inject during a simulated cyberattack as a part of Locked Shields 2022.
Photo by Maj. Holli Nelson.

Major General William Crane, the current adjutant general for the WVNG, has made cybersecurity a priority and tasked his staff with developing strategies to increase synergy with state partners such as the West Virginia Office of Technology, higher education institutions and the West Virginia Secretary of State’s Office. The WVNG also has the Defensive Cyber Operations Element and CIP Battalion, which specialize in infrastructure and resource protection, cyber risk assessments and cyber incident response.

Desai’s company, NextGen, develops complex hardware and software systems for defense and intelligence customers.

“One of the buzzwords for new systems engineering processes is DevSecOps—development, security and operations—which is an approach to culture, automation and design that integrates security as a shared responsibility throughout the entire IT lifecycle,” Desai says. “All our system development requires a DevSecOps approach. Without proactive planning and design, the systems will be left vulnerable at some point during the lifecycle.”

According to Guenther, Leidos is leading modernization efforts to transform a number of federal security operations centers into security intelligence centers.

“Leidos provides security solutions, incident response and engineering services to help defend against emerging cyberattacks,” she says.

Cultivating a culture of cybersecurity awareness is prioritized at Leidos and includes annual user trainings, periodic phishing testing and reminders to keep security at the front of mind. Millions of dollars are also being invested in internal research and development around assessing and implementing zero trust principles for the company and its customers’ work environments.

“We readily provide our customers with access to our zero trust lab and share analyses of alternatives across many common secure access service edge providers,” says Guenther.

According to Hargis, all businesses can take a proactive approach among their own employees by remaining vigilant in providing cybersecurity user training, investing in cybersecurity programs and ensuring mission-essential data is consistently backed up off-site so that lost data can be recovered. The time to be cognizant of your organization’s cyber risk posture is before experiencing a cyber incident, not after.

“Organizational management will see a return on investment and some cost savings during an incident by exercising both a most likely and most dangerous cyberattack scenario to their infrastructures, paired against techniques a reasonable threat actor would take,” Keber says. “Planning for and developing the list of questions that will be asked by a response team during a cyber incident will help an organization apply limited and precious resources to key segments and devices or areas of the network to ensure business operations continue.”

There are many free services and native security features available with most routers and internet service providers to ensure users understand what is connected to their home networks. Guenther advises taking the time to confirm passwords are secure and strong.

“Consider using a password manager and routinely check antivirus and scanning features to evaluate your risk profile,” she says. “At the enterprise level, companies and federal agencies apply these same principles on a global scale.”

Beyond the measures that businesses can take on their own are the efforts that require highly trained professionals, and West Virginia institutions are working to answer that call.

“A big challenge facing the cybersecurity community is a lack of workforce,” Estep says. “There simply are not enough trained people to fill the positions. Virtually every college and university in West Virginia is mobilizing to address this workforce shortage. The West Virginia Development Office is working with the state’s technical and community colleges to help them bring unconventional students into the workforce through expanded programs. This is a novel approach to the workforce problem with a high probability of success, which could set the state apart.”

The players in this field are teaming up with universities and colleges across the state, including West Virginia University, Marshall University, Fairmont State University and more. They provide college students with internships, hands-on training and research and development opportunities. In return, they have highly trained graduates they can recruit. It’s a tremendous career opportunity for students.

“Cybersecurity is a growth market because so much of our society and businesses operate on computers,” Desai says. “Protecting our computers and networks is becoming increasingly complex, and businesses have to establish processes to develop and deploy cybersecurity solutions throughout the organization. Education programs that holistically teach and indulge in research related to cybersecurity will graduate students in career fields that are vital to today’s global marketplace.”
