Building the resources to thwart
A VIRTUAL ABYSS
On a seemingly uneventful night in 1992, hackers targeted Virginia Tech and slipped undetected into the university’s computer system.
Reality set in the next morning, when then-management of information technology specialist Randy Marchany uncovered the breach and discovered that a server had been wiped clean.
“It was an ‘oh s---’ moment,” said Marchany, now chief information security officer of Virginia Tech and director of Virginia Tech’s Information Technology Security Laboratory. “It took us months to recover.”
Determined to avoid another breach, Marchany and his colleagues deconstructed the attack, using it as a catalyst to devise a more proactive approach to protecting the university’s information network.
“We said, ‘Let’s figure out how they got in, because we don’t want to have to go through this again,’” he said.
The incident helped university leaders uncover an enormous void in knowledge about data security and set in motion a chain of events that would propel Virginia Tech toward a role in the research and workforce development needed to address cybersecurity.
A quarter century later, the university has decoded more than a few cybersecurity puzzles and stands as a leader, not only in cyber research but also in the education of data defense professionals.
A 21st-century challenge
Digital technology is advancing by leaps and bounds. The world is shrinking as global connectivity continues to increase. Cybercrime, once limited to minor disruptions and childish pranks, has moved in a more dangerous direction.
Today, computer criminals steal personal data, influence public opinion, and threaten critical infrastructure. Cyberattacks that once targeted mega-computers housed in large corporations and government agencies now reach people in their most personal spaces—from homes and automobiles to purses and pants pockets.
According to data collected by the Virginia Cyber Security Commission, from January to May 2017 more than 78 million cyberattacks were attempted in the commonwealth, about six per second. On a national level, the World Economic Forum reported 15.4 million U. S. citizens were casualties of identity theft in 2016. And experts estimate that businesses will lose $6 trillion per year to cybercrime by 2021.
The threat is magnified in Virginia, where nearly 36,000 cyber jobs sit vacant—a number that jumps to about 42,000 when including the greater Washington, D.C., metro area.
“Governments, corporations, universities, and individuals are all at risk from the growing range of cyberthreat actors,” said Charles Clancy, professor of electrical and computer engineering and director of the Hume Center for National Security and Technology at Virginia Tech. “Corporations have major challenges with hackers, primarily because they don’t have the people they need to counter increasingly sophisticated attacks.”
The Commonwealth of Virginia is seeking to address the deficiency head-on in its 2018-20 budget, committing $25 million to build a world-class cybersecurity ecosystem. Established as the Commonwealth Cyber Initiative (CCI), the effort provides for cybersecurity workforce development, research, and technology commercialization through a primary “hub” in Northern Virginia and a network of “spoke” sites across the state.
“Given the ever-growing cyberthreat, Virginia’s innovative technology sector, and strong research institutions in higher education, it makes perfect sense for the commonwealth to seed a significant cyber research and workforce initiative.”
Del. Chris Jones (R-Suffolk), chair of the House Appropriations Committee
Legislators specified that Virginia Tech serve as a lead organization to develop a blueprint for moving the initiative forward.
Decades of groundwork have positioned Virginia Tech faculty as experts in cybersecurity and cultivated the critical public and private sector relationships needed to put that expertise to work. The university’s influence extends far beyond the mountains of Southwest Virginia and has accelerated through the expansion of programs, faculty, and facilities in the National Capital Region (NCR).
Moreover, at Virginia Tech, cybersecurity is no longer viewed as a specialized skill set, but rather baseline knowledge spanning the entire academic spectrum, as evidenced by such cross-disciplinary efforts as the Integrated Security Destination Area.
“Virginia Tech is building an ecosystem of cyber-related research, education, and engagement that will position the commonwealth as a world leader in cybersecurity,” said President Tim Sands. “We’re excited about the opportunities this will create for our students, researchers, and partners across Virginia.”
The Commonwealth Cyber Initiative
A common threat is often the best bridge between disparate groups. Virginia educational institutions are joining forces with industry and government to fight a common enemy for the greater good of the state and nation.
The CCI encourages these partners to jointly address the critical shortage of cybersecurity professionals and to position Virginia as a global leader in the cyber arena.
“The Commonwealth Cyber Initiative will help fill the tens of thousands of open cyber jobs in Virginia, spur the development of new real-world offensive and defensive cyber technologies, and help diversify our economy,” said Jones, the House delegate.
The effort will emphasize three areas: the development of a cybersecurity workforce, research and development of new technology to improve security for the internet of things, and innovation and entrepreneurship designed to accelerate the tech economy of Northern Virginia. Much of the work will occur at the intersection of cybersecurity, data analytics, and autonomous systems.
An important link
Dan Larimer, Block.one chief technology officer and blockchain pioneer.
This spring, Virginia Tech teamed up with a blockchain pioneer to develop a revolutionary curriculum with tremendous potential for cybersecurity defense.
“All multi-user websites will move to a blockchain in the future because blockchain provides accountability and auditability of user interactions,” said Dan Larimer, a Department of Computer Science alumnus and chief technology officer of Block.one. “Traditional systems have one server that can be compromised by hackers and corrupt everyone’s data without trace. With blockchain applications, hackers must attack individual users; it is more difficult to hack multiple users than attack a single server.”
Block.one, a global leader in blockchain and publisher of the EOSIO blockchain software, has made an initial $3 million commitment to the Department of Computer Science in Virginia Tech’s College of Engineering to help students build skills in blockchain.
The funds will be used primarily to update and develop blockchain courses and curricula and hire faculty and staff for the department. This will enable the university to deliver a full blockchain offering, including a variety of courses, an undergraduate minor or concentration in blockchain development, and a boot camp or short course. Implementation of the program began this fall.
As part of the collaboration, Larimer will advise the university on curricula development, including participation in live classroom sessions, seminars, and symposia.
“The courses we hope to develop at Virginia Tech will allow students to write blockchain applications, which require high-performance, deterministic, and safe code,” Larimer said.
Over the next two years, some of the CCI resources will create the initiative’s main hub site in Northern Virginia.
"A physical presence in Northern Virginia allows this new dedicated research operation to be literally down the street from the largest cyber customers in the world,” said Del. Mark Sickles (D-Fairfax).
The success of the initiative will hinge on teamwork.
“It’s a multistakeholder process, and we’re working to integrate it all together to expand the pipeline for future cybersecurity workers, bolster research, and accelerate technology commercialization,” Clancy said.
Nearly 50 organizations from industry, government, and academia have teamed up to draft a blueprint for moving forward. Phase one wrapped up in September, with an all-in team meeting in Arlington, Virginia. The CCI blueprint will be delivered to the Virginia Research Investment Committee by Dec. 1.
“Today’s global landscape demands security in the cyberdomain. Tomorrow’s landscape will merge cybersecurity with emerging technologies like machine learning and autonomous systems. Investing in research and discovery transfer for the next generation of cybertechnologies will cement Virginia’s economic leadership,” said Theresa Mayer, vice president for research and innovation at Virginia Tech and chair of the CCI Blueprint Executive Committee.
“This is a collaboration that’s really going to build on the work we have been doing to deliver innovative solutions,” Mayer said. “It is definitely going to depend on partners from every corner of the state bringing their expertise and resources to the table to reach its full potential.”
The state’s commitment to CCI is impressive and will serve as a seed, which, if appropriately cultivated, will catalyze a world-changing effort to dramatically increase safety and security across the cyberlandscape.
“This is a monumental moment, not just for Virginia Tech, but for all of Virginia,” said Mayer.
How did Virginia Tech move from crime casualty to defensive leader?
“It was a lot like building a ladder and climbing as you go. Rung by rung. It took years of earnest work, innovative thinking, and that roll-your-sleeves-up-and-get-it-done mentality synonymous with being a Hokie,” Clancy said.
It’s an effort that’s nearly impossible to capture close-up, but when viewed through a wider lens that connects components, becomes crystal clear.
In the early 1990s, researching a network-based cyberattack wasn’t exactly easy. In fact, simply finding a book on the topic was challenge because most studies were focused on encryption and code-breaking.
Eventually, Marchany and his colleagues stumbled upon a startup security company, the SANS Institute, which had plans to host a cybersecurity conference in Washington, D.C. Unable to cover the registration fees, the team from Virginia Tech opted to speak at the event in return for a fee waiver for their attendance.
“We said, ‘Well, we don’t know anything about cybersecurity, but we could talk about what happened to us with our attack,’” Marchany said. “We didn’t realize that at that time, nobody really talked about successful attacks against themselves.”
The humble presentation led Marchany to join SANS on future projects. Officially known as Instructor No. 2, he’s been a part of their teaching team since.
In 1998, Virginia Tech, leveraging Marchany’s teaching experience, created an information technology (IT) defense course for the computer engineering department.
“We said, ‘You’re teaching a lot of good stuff. Why don’t you convert that into a course?’” said Joseph Tront, then-associate dean in the College of Engineering (COE) .
This academic year marks Marchany’s 20th teaching the course. The class, which has evolved to reflect current needs, is taught as the senior-level Computer and Network Security Fundamentals course and is a core requirement for the cybersecurity minor.
“You can really go all the way back to Randy Marchany and that course when searching for a root of Virginia Tech’s history in cybersecurity,” Clancy said. “Those early courses laid the groundwork for what we’re doing today.”
In the early 2000s, Virginia Tech began to shift other pieces into place. In 2001, the IT security department opened a lab, making it available for student research.
“It’s kind of like a teaching hospital,” Marchany said.
“What it gives students is the opportunity to analyze data and study situations in a real-time environment,” Tront said.
In 2004, Virginia Tech earned recognition as a National Security Agency (NSA) Center for Academic Excellence in Information Assurance Research. Today, the university holds the designation as an NSA Center for Academic Excellence in Cybersecurity Operations as well.
Cybersecurity curriculum and research continued to expand throughout the decade, with a heavy focus on unclassified projects, but a philanthropic act and an enterprising leader would soon change the university’s cyberlandscape.
The national challenge
If the cybersecurity challenge in the U.S. had a home, it would likely be in or around Northern Virginia.
Virginia Tech made a major investment, matched by a generous gift from an alumnus, in addressing the nexus of cybersecurity and national security with the launching of the Ted and Karyn Hume Center for National Security and Technology in 2010. The center was established with offices in Blacksburg and Arlington to educate the next generation of leaders in national security technologies, as well as conduct research and development for the defense and intelligence communities.
The Hume Center was an almost immediate success, but when Charles Clancy, who had a background in wireless research programs within the U.S. intelligence community, joined the campus in Northern Virginia, the center really began to bloom.
Clancy came to Virginia Tech in 2010 and by 2011 was named director of the Hume Center. He injected a drive for research and an entrepreneurial spirit that accelerated growth tenfold by 2013.
According to Jim Bohland, former vice president of the NCR, gaining the trust of various government agencies was key to building successful cybersecurity programs, and the only way to do that was to prove yourself. Clancy came to Tech with a network of key relationships and the commitment to make things happen.
“I found him very willing to go the extra mile on things,” Bohland said.
Today at the Hume Center, over 80 research and affiliated faculty members engage more than 400 students each year in a variety of research and experiential learning projects. Faculty also maintain their own research portfolios at academic departments across the university.
“There are a million different research projects ongoing,” Clancy said. “But the challenge in talking about them is that many are sensitive.”
Clancy notes that this research offers vast benefits for government and private industry, and although the subject matter is not always publicly available, Hume Center faculty are routinely invited to speak before governing bodies and agency leaders.
Also some nonclassified studies are garnering attention.
Jim Hawdon, sociology professor and director of the Center for Peace Studies and Violence, is part of a Virginia Tech research team recently awarded a $170,000 National Science Foundation grant for their work investigating algorithms for threat detection. Hawdon’s focus builds on a five-year analysis of how information in the cyber realm can be weaponized.
From social media posts that proliferate fake news to electronic propaganda that elevates hate-groups and terrorism, the potential impact of Hawdon’s work spans from the individual to the national level.
“In the U.S., the rates at which people are exposed to this, as well as the rate they are producing it, has dramatically increased since 2013,” Hawdon said.
Likewise, assistant professor of political science Eric Jardine’s research on the dark web has been made public. His studies resulted in development of a course at Virginia Tech that introduces students to navigating and measuring content in a largely unmonitored corner of the internet.
“The dark web permeates a lot of things. You can buy malware, drugs, guns, or worse,” Jardine said. “But knowing the dark web exists and that there are ways you can leverage it can help law enforcement and government agencies figure out anything from what information has been leaked and how to counter identity theft to tracing perpetrators engaged in human trafficking and child abuse.”
The course also explores policy, examining how jurisdictions apply law enforcement to the dark web.
The Hume Center has also become a catalyst for developing technology that translates to the public market. Since 2012, the center has spun off eight venture-backed startups.
“These companies have raised nearly $130 million in venture funding since 2012 and currently employ nearly 200 people, the majority in the Commonwealth of Virginia,” Clancy said.
Most recently, the Arlington-based startup DeepSig executed a licensing agreement to allow further development of Hume Center-incubated, groundbreaking technology that uses artificial intelligence to design powerful wireless communications systems.
“It will be faster, more cost-efficient, more secure, and easier to deploy than today’s wireless systems,” said Virginia Tech researcher and DeepSig founder Tim O’Shea.
“There are different ways to harm us through technology. Often, it’s using devices as weapons. What we’re looking at is using the device as the delivery system, and the weapon is information.”
Jim Hawdon, sociology professor and director of the Center for Peace Studies and Violence
The research that resulted in this breakthrough was in part the result of a more than $1.1 million state grant approved by the Virginia Research Investment Committee and matched by DeepSig.
O’Shea said the culture of innovation at the heart of the Hume Center gave him the opportunity to pursue research in his areas of interest and supported the proposal that took his ideas from concept to reality.
That culture also drew the interest of intelligence professional Letitia Long ’82.
A former director of the National Geospatial-Intelligence Agency, Long became aware of the Hume Center long before joining its Advisory Board in 2016. The opportunities for students fuel Long’s motivation to serve on the board.
“When I think of the Hume Center, I think of students,” Long said. “I think the success of the center is the value proposition of getting students their security clearances and having them on classified projects that address our nation’s toughest problems. In real life, you don’t work alone. You work as a team. You solve problems as a team. And that takes interdisciplinary understanding, along with experiential learning. Hume is doing that.”
Current Virginia Tech students can take advantage of a variety of Hume Center opportunities, including the year-long CyberLeaders program. Students in the program, which is sponsored by a grant from the Hewlett Foundation, spend the fall semester taking courses in Blacksburg. In the spring they travel to the NCR to participate in further study and complete a capstone project.
“The class schedule was more like a part-time job,” said senior Eamon Heaney of the intensive course load while at the NCR.
A computer engineering and political science double-major, Heaney was one of seven students in the 2017-18 program, which involved research projects focused on the emerging security risks resulting from the growing connectivity of common tools and appliances, commonly called the internet of things.
“My biggest takeaway was ‘don’t connect meaningless devices to meaningful devices,’” he said.
Fellow CyberLeaders participant Helen Huavil said working alongside students studying political science enlightened her about the overarching reach of cybersecurity issues.
“I knew it would have a policy component, but I was surprised to see how much we would get into it,” said Huavil, a computer engineering major. “I now have a better idea of what leaders in the industry feel, and I understand the policy issues related to the technology.”
Students plugged in at the Hume Center come face-to-face with top-level leaders in public and private agencies. These special networking opportunities have helped many jumpstart their careers.
“The Integrated Security Destination Area is kind of the next step, in my belief. Cybersecurity is not just a major or a minor. I don’t care what area of study you’re in, there’s some aspect of cybersecurity that’s got to be a part of your job.”
Randy Marchany, an ISDA stakeholder
“I had more job offers than I knew what to do with when I got out,” said one former Hume Center student, who after earning both bachelor’s and master’s degrees at Virginia Tech, chose a job with a public sector agency. (The critical nature of her work requires that many of the details about herself and her job be concealed.)
She chose Virginia Tech because of the emphasis on hands-on learning, co-ops, and integrative research projects. Her decision paid off.
“We were getting to look at top-notch technologies, and we were getting to access the risk factors associated with them,” she said. “It made it real easy to see the real-world applications of the work I was doing.”
She said her favorite part of the experience was working with the Hume Center team.
“They just have a wealth of perspective that I think is hard to find in a lot of other places,” she said.
At one time, participation in cybersecurity programs was limited to students studying computer engineering and computer science, but Virginia Tech is eliminating barriers between academic disciplines. Cybersecurity is evolving from a niche interest into a baseline skill for all students.
There is perhaps no greater example of this kind of cross-disciplinary education than the university’s investment in Destination Areas, including one focused on integrated security.
“The Integrated Security Destination Area (ISDA) is kind of the next step, in my belief,” said Marchany, an ISDA stakeholder. “Cybersecurity is not just a major or a minor. I don’t care what area of study you’re in, there’s some aspect of cybersecurity that’s got to be a part of your job.”
Destination: Integrated security
The Integrated Security Destination Area (ISDA) brings together leading academicians and industry experts to address complex issues related to human interaction with and reliance on interconnected technologies, and the need to secure global social, political, and financial networks. The ISDA leverages Virginia Tech’s existing strengths and partnerships to focus on four interrelated themes: cybersecurity, privacy and ethics, governance, and global security in modern society.
In the classroom, that translates to hands-on opportunities that mirror real-life situations.
Sophia Longmire wants to communicate complex intelligence information across diverse audiences but developing such skills requires practical experiences—something university students rarely have. Last spring in an ISDA gateway course, Foundations of Security, Longmire honed those skills alongside students from computer science, engineering, and business.
Longmire said she is “learning how to use my communication major with other majors, this is the only class I’ve been able to do that in.”
Of the 26 students enrolled in the course, Longmire was the lone communication major. That distinction earned her the role of press secretary during the multiweek catastrophic event simulation “The Crisis Games.”
Divided into four groups representing government and industry entities, students were provided with a real-world scenario—a hurricane-force storm reminiscent of Sandy that strikes the East Coast while a simultaneous cyberattack is unleashed on hospitals in the same region.
Each class period, students responded to the sorts of high-pressure problems—from nuclear threats to financial and physical security issues—that individuals and communities would face before, during, and after such an incident. Simulating reality, student participants representing government and private sectors organized public updates via press conferences and press releases, for which they leaned on the communication major.
“It was tough getting people who are used to talking in their own technical terms to kind of use more layman’s language so that not only I could understand and be able to write about it, but the people reading it would also be able to get it,” Longmire said.
Such cross-disciplinary awakenings are at the core of Virginia Tech’s Destination Areas, which work to build transdisciplinary teams to tackle the world’s pressing problems through research, education, and engagement.
“[The course is] an introduction to the world of problem-solving and decision-making, where it is essential to be aware of the multitude of different perspectives, and [the experience] stresses the ability to talk to each other,” said R.E. Sorenson Professor in Finance Janine Hiller, who helped develop the curriculum.
Through that model, the ISDA addresses a complex range of security challenges that affect individuals, institutions, and nations.
Hiller said the hope is that students will develop an interest within security that will focus their studies, then return to take part in a capstone course featuring a similar simulation during their senior year.
Course instructor Aaron Brantly, assistant professor in political science, said the gateway course and the game-like simulation was key to achieving the ISDA’s mission, eliminating the educational stereotypes that suggest certain academic majors successfully produce security and intelligence professionals.
“We’re trying to get [students] to think beyond their disciplinary studies by having them interact with tier-one faculty from across the university,” Brantly said.
Brantly, who spent much of the past decade working and teaching in the cybersecurity field, joined Tech this fall after teaching at West Point for three years. He built the software for the course simulation, which includes interactive shipping maps, power grids, flight plans, and news reports.
Computer science professor Daphne Yao, who has spent much of the past decade developing defenses against stealthy attacks and exploits, taught a portion of the course, as did Wade Baker in the Pamplin College of Business, who serves on the RSA Advisory Board and is recognized as a driving force behind Verizon’s annual Data Breach Investigations Report.
To create the realistic physical environment necessary for such courses, physics professor Patrick Huber joined forces with New Classroom Building manager Rob Viers. They visited various facilities offering similar simulations, including the Air Force University’s war gaming center at Maxwell Air Force base prior to establishing the Integrated Security Education and Research Center (ISERC).
“I’ve never done anything like this before,” said student Vibhav Nanda.
Nanda, who graduated in May with a degree in computer engineering, said being immersed in the working environment with students from other majors stretched his thinking on real-world situations.
“I’m just so trained in my major, trained to think from a technical perspective,” Nanda said. “I have the bigger picture now, like I don’t just have technology to work with, but I also have real people.”
Educational opportunities that emphasize real-world experiences and simulate actual workplace interactions set Tech students apart.
Driven by the university’s motto Ut Prosim (That I may Serve), Virginia Tech’s pursuit of effective, practical, hands-on strategies to tackle the world’s most pressing problems has led to a reputation as a reliable global community ally.
In 1992, a simple choice to share a transparent account of a campus data breach boosted the university’s climb from cybersecurity novice to cybersecurity leader.
Today, university research and education are transforming the future, filling gaps in the workforce and developing tools to help businesses, individuals, and communities across the globe avoid the pitfalls of the virtual abyss.