Government Technology

By Dan Lohrmann: Covering the security challenges facing governments today and offering innovative solutions to global and local cyber threats.

A Summary of The Top 2013 Cybersecurity Predictions

December 30, 2012 By Dan Lohrmann

Over the past week, I’ve been surfing the Net looking for the top blogs and articles that both recap online security trends from the past year as well as offer new cybersecurity predictions for the coming year. Here’s a summary of what I’ve seen that’s memorable so far:

Vendor Predictions:

Imperva Trends 2013 – “These trends include hackers adopting malware techniques from "state sponsored" attacks, hackers leveraging cloud infrastructure to conduct attacks and hackers targeting less-protected SMBs; underscoring the need for greater security community collaboration.”

Websense – “A top threat projection is that mobile devices will be the new target for cross-platform threats, facilitated by Web-based cross platform exploits. Attacks will also continue to increasingly use social engineering lures to capture user credentials on mobile devices.

…Cybercriminals will use bypass methods to avoid traditional sandbox detection. As more organizations are utilizing virtual machine defenses to test for malware and threats, attackers are taking new steps to avoid detection by recognizing virtual machine environments.”

McAfee – “…The first areas of focus for the report is the emergence and growth of mobile malware. McAfee predicts an increase in ransomware,…. also predicts a new mobile worm will go on a ‘shopping spree,’ as criminals add the app-buying functions of the Android/Marketpay.A Trojan to a mobile worm…, a decline in the influence of the Anonymous hacktivist group…, an increase in both “crimeware” and “hacking as a service,” an increase in large-scale attacks….”

Symantec Top 5 2013 Predictions

- “Cyber conflict becomes the norm - In 2013 and beyond, conflicts between nations, organizations, and individuals will play a key role in the cyber world….

- Ransomware is the new scareware - As fake antivirus begins to fade as a criminal enterprise, a new and harsher model will continue to emerge. Enter ransomware….

- Madware adds to the insanity - Mobile adware, or “madware,” is a nuisance that disrupts the user experience and can potentially expose location details, contact information, and device identifiers to cybercriminals….

- Monetization of social networks introduces new dangers - …Symantec anticipates an increase in malware attacks that steal payment credentials in social networks and trick users into providing payment details, and other personal and potentially valuable information, to fake social networks

- As users shift to mobile and cloud, so will attackers - Attackers will go where users go, and this continues to be to mobile devices and the cloud….”

Trend Micro – Check out their prediction video:

The YouTube link for this video is: http://www.youtube.com/watch?v=yupELaC4Plg

Kaspersky Labs Predictions for 2013 and Analysis of 2012 Predictions

Kaspersky made the following predictions last year:

- Hacktivist groups, who attack computer systems for political or social reasons, would continue to increase their activities

- A higher rate of "advanced persistent threat" attacks, or state-sponsored espionage efforts

- More incidents of cyberwarfare involving customized, state-sponsored malware

- Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony

- More aggressive actions from law-enforcement agencies against cybercriminals

- An increasing rate in the growth of threats to the Android mobile platform

- Successful attacks on Apple's Mac OS X computer platform

Overall, I’d say Kaspersky Labs did fairly well in their 2012 predictions. Here’s what they think is coming up in the new year:

“As for 2013, "we expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure," Raiu said in a company press release. ‘The most notable trends of 2013 will be new examples of cyberwarfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.’" 

Here’s a Brief Summary of Technorati.com Top 5 Predictions

- More mobile malware than ever before, targeting mostly Android devices. [Android leadership] should continue through 2013 with Google estimating that there are over 1 million new devices, be it smartphones or tablets activated daily.

- More aggressive mobile adware invading user privacy. …Your information (including email, device ID, location, browsing habits and even phone number) is what's being exchanged for that flashlight, calculator, or nifty new game instead. This trend will… raise the conversation about privacy to new levels.

- Online fraud will remain rampant in 2013. …Ransomware is set to skyrocket. Ransomware, which combines malicious code with human panic, basically holds systems hostage by restricting access and demanding a ransom be paid to remove the restrictions….

- Mobile & online shopping will continue to rise, but not without increased risk. …Relying on built-in security measures alone won't protect most consumers, which is why having a mobile security product will become even more important than ever over the next 12 months.

- More advanced persistent threats (APT) will be discovered. …The expectation is that we will hear more about APT's in 2013, either new ones or strains of already known ones.

What was probably the most surprising blog? CIO Magazine blogger Constantine von Hoffman offered his list of 2013 cybersecurity predictions that he described as “all the painfully-obvious and self-serving 2013 cybersecurity-threat-prediction lists on the Web into a single tasty nugget.” Respectfully, I think he fell into his own trap. While he offers a good list, I certainly would not make it the only list you need to review. His top ten threats facing us for 2013 are worth reading. Here are the first five of his ten threats listed:

- “The Cloud – Lots of vulnerabilities out there.

- BYOD/Mobile malware – It’s a problem dealing with all these devices.

- Opportunistic Attacks/Social Engineering – Someone is going to try to get malware on your systems using targeted attacks.

- DDoS Attacks – You might be the target.

- Big Data – Again, lots of vulnerabilities.”

And finally, Maria Deutscher offers these comments from John Casaretto on noteworthy cybersecurity events in 2012:

“Casaretto … mentions the $60,000 prize that Google recently awarded a hacker for discovering a Chrome exploit. His take is that this approach to crowdsourcing can prove to be a very valuable strategy in increasingly complex technological environments where a problem may be discovered eventually, but not before hackers use it to their advantage.

The second big topic Casaretto chooses to focus on is the Megaupload shutdown, in context of Kim Dotcom’s upcoming venture. The internet entrepreneur plans to launch a new file sharing site in 2013 that, based on early descriptions, will be rather accommodative of illegal content uploads. Authorities will have to bypass many legal and technological barriers to take down the provocative new service, but not before tackling all the existing issues.”

My Predictions

Last year, I took a stab at a few predictions over at CSO Magazine – with specific trends regarding Privacy, Piracy and Parental Controls. I think I was fairly accurate, if not very bold. The major social media sites, websites and mobile apps assume that you want to share your personal information widely as the default.

In state and local governments, we saw several of the largest breaches in the nation in our corner for the first time. Sadly, I suspect that we will see more of that to come.

Moving forward, I don’t know how I can disagree with any of the major vendor predictions – except to say that the big new prediction that I see all over the place seems to be the coming rise of ransomware (see above). The other predictions about the rise of mobile malware and cloud computing threats are fairly obvious trends that have been building over the years.

What’s missing regarding predictions? No one seems ready to say that this will be “The Year of the Big One” in which we see a “Cyber 9/11” or a “Cyber Pearl Harbor” that disrupts infrastructure in some major way. Yes, many groups are calling for more major company breaches, but that is really a given. I’m not ready to make that prediction either. However, I do think it will happen within 3-5 years. That event will bring about major changes in the way we secure our data, our corporate and personally-owned technology as well as our critical infrastructure in America.

The bottom line for 2013 is that the bad guys will follow the crowds, and the crowds are going to cloud computing, smartphones and tablet PCs. Get ready...

Happy New Year everyone!

 



Defining a National Doctrine on Cybersecurity

December 16, 2012 By Dan Lohrmann

Our nation has developed a fairly long list of doctrines that have historically provided statements of what we believe and the principles on which we’re going to base our future actions. Two examples that come to mind are the Monroe Doctrine and the Reagan Doctrine, but there have been many others. In addition, military doctrine has long provided a guide to national defense actions.

Do we need such a national doctrine on cybersecurity? If so, what needs to be included? How will the rest of the world view this doctrine? Can a cyberdoctrine help guide our actions?

Earlier this week, I was contacted by Sarah Rich from Government Technology Magazine and asked to comment on recent efforts to develop a national doctrine on cybersecurity. Sarah wrote this article entitled: Should the U.S. Develop a National Cyberdoctrine? Here’s an excerpt:

“Earlier this month, the Potomac Institute Press released a new book #CyberDoc: No Borders – No Boundaries, which addresses the rising concern of cyber-related disasters and the growing need for such a doctrine.

‘The book is a call to action,’ said Tim Sample, vice president and sector manager of special programs at Battelle and co-editor of #CyberDoc.”

I won’t reiterate my comments to Sarah here, except to emphasize that I support the overall call to action in the book for a national discussion on key cyber issues. Nevertheless, I also think that getting a meaningful national consensus on the answers to key questions will be very difficult. (See Sarah’s article in the gray box for some of the key questions, beginning with ten questions that are foundational.)

Further Analysis

But I am highlighting this topic again for another reason. I urge readers of my cybersecurity blog to take 15-20 minutes and ponder the transcript of the Potomac Institute for Policy Studies event on cybersecurity held in early December.

This transcript for the event covers many excellent topics of discussion and provides a wealth of information regarding why a doctrine for dealing with cybersecurity is important. It also discusses many relevant topics that should guide our thinking on dealing with the new cyber environment moving forward.

Here is a brief sample of intriguing statements from the panel discussion:

- “…Nobody thinks that the government can provide cybersecurity. We don't want to turn it over to the government; it doesn't do that well. We must recognize that cybersecurity costs money and that somebody has to do it.

- I think one of the things that came out of the conference is that there clearly needs to be someone in charge.

- Somewhere along the line in the last four or five, six, seven years, this thing has changed from essentially "isn't this cute," to "gosh, this is useful," to a public utility. And the question becomes, how does a government deal with that?

- So what do you need to know? Well, you need to know what are you trying to deter. You need to know who are you trying to deter. And you need to know how.

- If somebody attacks you and you notice that and people die and buildings come crashing down, it's a pretty obvious thing. But what if they don't attack you? What if all they do is put in place the ability inside all your infrastructure to take it down if they wanted to at some point in the future? It's all benign, nothing's happening, nothing's being taken down; it's just sitting there.”

I also found this article written by well-known cybersecurity policy expert and author, Dan Verton, to be very helpful. Here’s an excerpt from that piece:

“President Barack Obama’s signing last month of Presidential Policy Directive 20 (PPD 20), a classified directive that establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks, may have finally laid the foundation upon which a national doctrine governing cybersecurity can be built….


“The issue here is that the status quo is no longer acceptable,” said Rear Admiral Jamie Barnett (USNR-Ret.). “We’re no longer going to simply defend the networks and continue to take the attacks and intrusions. We’re not going to be in a corner with our boxing gloves over our face. We’re going out and we’re going to swing at people who are attacking us.”

One more thing on this topic: There are several additional classic questions that are particularly useful when setting forth a doctrine. These were sent to me by Andris Ozols, who is an excellent researcher and adviser on our Michigan CIO’s staff.

- What is it that we don’t know (regarding cybersecurity)? This question is not a logical impossibility, but an ongoing open inquiry.

- What happens if we under or overreact (to cyberattacks)? Risks in both – how to choose.

- What is plan B, C and so on? No plan in effect is a plan, but can it ever be a good plan? Perhaps better than some plans.

 All of this is thought-provoking stuff that makes for important dialogue as we consider the future direction of cybersecurity in America and around the world. I agree with the sentiment that we can’t keep doing the same things and expect different results. We all know that we need to be taking new actions to protect critical infrastructure as a nation, as states, as local governments and as private companies.

Now if we can just agree on the right questions (and the same answers). Perhaps an open process of building a cybersecurity doctrine can help.

What are your thoughts?



2012 Review: Most Significant Data Breaches

December 2, 2012 By Dan Lohrmann

What were the top government data breaches in the USA in 2012 (so far)? It appears that this year will be remembered more for state and local breach headlines than for federal government breaches.

I’m starting off this blog with highlights from one of those “scary headline” articles that government technology leaders want their organizations to avoid. And yet, there is an ominous sense across the nation right now amongst security professionals. Most Chief Information Security Officers (CISOs) understand that there are more breaches to come in 2013. To some extent, the sentiment is: “I could be next.”

A shout-out goes to Rock Rakowski, one of our Michigan cybersecurity managers, who sent me an excellent article which addressed this question and even listed ‘lessons learned’ from each breach. The article was written by Ericka Chickowski for Dark Reading. Here’s the abbreviated first five on the list, but I urge you to read her entire piece, including the recommendations:

1) South Carolina – 3.3 million unencrypted bank account numbers and 3.8 million tax returns...

2) California Department of Social Services - Sensitive payroll information about approximately 700,000 individuals…

3) Utah Department of Health - The health information and PII of more than 780,000 Utah citizens...

4) California Department of Child Support Services - lost more than 800,000 sensitive health and financial records…

5) United States Bureau of Justice Statistics - Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data…

Global Trends

More sobering news came from “across the pond” back in August, with the announcement that United Kingdom (UK) data breaches are up 1000% in five years. Here’s an excerpt:

“According to the data, local government data breaches have increased by 1609%, with the next largest increases coming from other public sector organizations (1380%) and the private sector (1159%). Data breaches in the NHS have increased by 935%, and central government breaches are up by 132%. The average increase across all eight recorded sectors since 2007 is 1014%.”

Not to be left out, private sector breaches in America are equally daunting. Fishnet Security initially reported the following expectations at the beginning of 2012:

“Data Breaches Expected to Rise - The majority of respondents (97%) stated that the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.

Top Three Threat Sources - Executives and security practitioners believe that the top three computing sources that present the greatest threats to information security today are Mobile Computing (35%), Social Networks (27%) and Cloud Computing Platforms (18%).

Cloud Computing Moving Up the Risk Ladder - While 31 percent of respondents believe Mobile Computing will remain the top threat area for the next two years, 28 percent believe that over this same two-year period Cloud Computing will replace Social Networks as the second-riskiest computing environment.

Mobile Computing is a Growing Concern in Data Breaches - Nearly a third of respondents (30%) expect Mobile Computing to increase the most among all data breach sources this year. Organized Cybercriminal Hackers (25%) came in second, while Accidental Exposure of Data (19%) came in third.”

So What Other USA Breaches Have We Seen This Year?

This Network World slide show listed the top breaches through June 2012, naming 13.73 million records within 189 major breaches. While the government breaches are mentioned, the top two breaches named were:

1) “New York State Electric & Gas Co. - Number of records exposed: 1.8 million files that contained customer Social Security numbers, dates of birth and bank account number, due to unauthorized access by a contractor.

2) Global Payments, Inc. - Atlanta, Ga. - No. of records exposed: 1.5 million payment-card numbers, plus in June the company disclosed its investigation is also turning up potentially hacked servers with names of merchant applicants.”

A Plot Against the Internet?

One story that does seem to be getting quite a bit of year-end attention is what Politico calls “The plot against the Internet.” No, this is not some new malware or distributed denial of service (DDoS) attack, but a possible change of Internet governance. Here’s an interesting excerpt:

“The hype is a perfect storm for Matt Drudge: The U.N. will take over the Internet — unless you act fast…. What’s more likely — almost certain to happen, really — is that the World Conference on International Telecommunications will fail to change much of anything about the way the Web works or who cashes in during the two weeks of meetings that start Monday in this Middle Eastern enclave....

Conservative commentators have taken up the case. Wall Street Journal columnist Gordon Crovitz this week wrote a piece with the headline ‘The U.N.'s Internet Sneak Attack,’ arguing that ‘having the Internet rewired by bureaucrats would be like handing a Stradivarius to a gorilla….’”

Meanwhile, Google also posted a message on their front search page about supporting a free and open Internet with a link to this page, which discusses options for getting involved. Their page headline is "a free and open world depends on a free and open web."

Wrap-Up

In conclusion, 2012 (minus December) has already been one of the top years for data breaches, and certainly the most significant year for government data breaches at the state and local level. The breach trends do not look good going into 2013.

Of course, the presidential election news in 2012 and the current fiscal cliff headlines continue to move cybersecurity stories and breach headlines into a lower priority category for citizen engagement. True, these breach stories get some front-page attention, but the news-talk radio focus is simply not there yet.

However, I believe that sooner or later these issues will be seen as a national crisis that needs to be addressed with an additional level of focus. The country is also ready for a change in the way we communicate credit card, Social Security, health records and other sensitive information. Passing this data around openly via plastic cards, telephones and unencrypted emails is simply too 20th century.

We’ll get there, but we just need to work through our “hot” topics one at a time.

What are your thoughts on the data breaches we’ve seen in 2012? Where are we headed in 2013?

 



My Best Advice After Petraeus Emails

November 19, 2012 By Dan Lohrmann

Everyone is talking about the General David Petraeus scandal.  No matter where I’ve turned since the day after the election, from CNN to the BBC, from cable TV news to Hollywood gossip or from the office coffeepot chatter to Drudge headlines, inquiring minds want to know more.

The stories are all over the map. The women involved, the Congressional testimony, the General’s distinguished career, warnings telling us “don’t throw stones,” Saturday Night Live (SNL) videos, the lifestyles of four-star generals and even articles proclaiming Petraeus is a scapegoat.

Like a soap opera, most answers just seem to lead to more questions. Did his affair reveal secrets? Who knew what, when? Did his relationship somehow affect military actions in Benghazi? Was information withheld prior to the election?

Personal Technology Advice: What About My Email Privacy?

  But what I find most intriguing are the articles, blogs and opinions analyzing what all of this means for the rest of us who use technology – with a special emphasis on redoubling efforts to protect email privacy. There are lessons about how the General could have used his email more securely to avoid being caught, steps to avoid online detection and much more. 

For example, John D. Sutter starts off his CNN commentary with this question: "When the CIA director cannot hide his activities online, what hope is there for the rest of us?"

Here are some of the articles I’ve been reading along with my reactions:

PC Week (under practical security advice): Here’s how to secure your email and avoid becoming ‘Petraeus’ – my reaction… really?

ComputerWorld: Email Lessons from the Gen. Petraeus downfall - "The best way to protect yourself is to simply realize that privacy doesn't necessarily exist in the electronic world," said Dan Ring, a spokesman for the security company Sophos. "Simply put, if you don't want it out there in the world, don't put it in the electronic world." – my reaction… I like this advice more.

Today.com: Think before hitting send: Lessons from the Petraeus scandal – my reaction… some good reminders.

Computerworld: US lawmakers ask if federal workers have email privacy – my reaction… don’t forget about e-discovery and FOIA requests.

AOL.com: The Petraeus Affair: Email Lessons For The Rest Of Us – my reaction… an interesting list of don’ts, but the real list is much longer.

Time.com: The mind of Petraeus: Why cheaters think they won’t get caught – my reaction…. I like this ending: “There would, perhaps, be something good in all this if the tragedy of these men served as teachable moments for others — and the fact is they probably do. You can’t prove a negative, and we can never know of the career-wrecking affairs that didn’t take place because successful men looked at the narcissistically fallen and made a sharp turn in the other direction. But there are more than enough — as we repeatedly learn — who plow straight ahead, and there probably always will be. David Petraeus, the latest in a very long line, is highly unlikely to be the last.”

Vanity Affair: Tricks from Terrorists and Teenagers Alike: How to Keep the Romance of an Extramarital Affair Alive – my reaction... the steps that General Petraeus and Paula Broadwell took to conceal their activities make it very clear this was not a “one night stand,” nor does this easily fit into the category of “we all make minor mistakes sometimes.”

What’s My View?

Back in June, I listed my favorite survival tips for social media, which you may want to review. Earlier, I wrote this rebuttal called Dr. Jekyll and Mr. Hyde: Managing online indulgence for CSO Magazine, in response to a blog in the Harvard Business Review describing how we can safely hide activities online.

Still, I’d like to take this topic a bit further. Why?

Recently I ran into my editor at a state technology conference. He urged me to be more bold on current events. So here’s my view on Petraeus’ now famous emails as well as most of the follow-up articles addressing online etiquette for the rest of us. 

I think all these tricks and tips and online hiding shenanigans listed in hundreds of advice columns are basically fool’s gold. Sure, some email privacy techniques or other ways to hide personal activities online may work for a while and fool most people some of the time. But they won’t fool all of the people all of the time. Sooner or later you will get sloppy or an observant hacker or coworker or friend or spouse will figure out what you’re doing.

I am actually pretty stunned that so much attention after the Petraeus situation is on email privacy at work, when most government and business networks have very clear policies which state that there is no presumption of personal privacy on work email or office networks. Even if you use Gmail or Yahoo.com on work computers, your information can generally be seen, if desired, by good cybersecurity teams.

I am not saying that reading employee emails is a frequent occurrence on workplace networks, because it isn’t. In fact, most Chief Security Officers (CSOs) will tell you that their teams don’t have the time or desire to read employees’ email. Nevertheless, if you are doing something that you shouldn’t, don’t be surprised when you eventually get caught. The reduction of insider threats is part of our security job, and that means uncovering hidden things when asked by human resources to check on certain staff or when inappropriate activities are suspected.

And My Best Advice Is?

But the best personal advice that I can provide you on this topic is not new or original. In fact, it comes from a very old book that still applies just as much to our 21st Century online world as it did thousands of years ago. “Whoever walks in integrity walks securely, but whoever takes crooked paths will be found out.”

Yes, we all make mistakes. Surely, there can be forgiveness, mercy, second chances and the rebuilding of trust. But the main lesson to learn from the Petraeus story is that inappropriate behavior has consequences – and NOT that the Director of the CIA needed better email processes or technology.

Ultimately, honesty, accountability and forgiveness are still the only approaches that work.



Introducing the Michigan Cyber Range

November 12, 2012 By Dan Lohrmann

I’d like to introduce our new Michigan Cyber Range which was formally launched on Friday, November 9, 2012. But before I do, I’d like you to reflect on a few questions that we have been thinking long and hard about in Michigan over the past eighteen months.

With the “bad guys” getting better and America probably outgunned in cyber, where can business and government cybersecurity teams go to learn how to defend against complex cyber attacks?

Knowing that over 80% of critical infrastructure is owned and operated by the private sector, who is working to answer important cyberdefense questions across all layers of government, business and academia?

How do private sector utilities apply best practices to prevent critical infrastructure like our new smart grid from being manipulated inappropriately?

What test & research facilities are equipped and available to simulate different advanced malware attack scenarios – without impacting operational networks? Is there a way to bring together world-class training, virtual connectivity, public/private partnerships, available expertise and computer software/hardware reuse into a state-of-the-art cyber lab in order to allow all sectors of the economy to work together and achieve common security goals?

Can these stories about major security breaches lead to new career opportunities for our young people regarding cyberdefense in a wide variety of industries? Assuming yes, how can we make it happen?

What skills and real-world experience are needed for future cyber jobs? How can we assist our K-12 schools, community colleges, universities and continuing education programs in building these competencies?

Many of the roads that lead to the answers to the above questions converge at our Michigan Cyber Range that is being run by Merit Network, Inc. in Ann Arbor. To get a sense for the concept, check out this video that we highlighted at the beginning of the cyber range launch on Friday.

What is a Cyber Range?

Almost everyone has heard of a gun range, where people can practice shooting targets under a variety of conditions. Similarly, a “proving ground” has long been established to test and train on military equipment. One example is Aberdeen Proving Ground.

In the same way, a cyber range is a facility that can be used to test and train as individuals and teams on a variety of computer security equipment. A National Cyber Range was set up by the Defense Advanced Research Projects Agency (DARPA) as a national defense testbed for critical security research.  But these facilities are classified and used for military personnel at classified levels. What about the businesses and governments around the country that must defend their networks from attack without secret networks?

 As stated by the Governor, DTMB Director John Nixon, CIO David Behen and others at our launch, the Michigan Cyber Range enables individuals and organizations to develop detection and reaction skills through simulations and exercises. The program offers students and Internet technology professionals a full curriculum of meetings and workshops as well as critical cybersecurity training and awareness tools.

Critical areas that will benefit from the creation of the Michigan Cyber Range include: Infrastructure defense, Homeland Security, criminal justice and law enforcement, academic and educational programs, and small and medium businesses.

Michigan Cyber Range Development

In the late spring and summer of 2011, Michigan Governor Rick Snyder brought together a diverse group of technology, security and business experts from across multiple sectors in Michigan to answer the questions listed above as a part of a formal Michigan Cyber Initiative. The answers to the opening questions started to take shape last October at our 2011 Michigan Cyber Summit.  At the same time we launched a new consolidated security team that brought together physical and cybersecurity within Michigan State Government. 

Side note: many details of these broader Michigan security efforts are chronicled in this National Association of Chief Information Officers (NASCIO) award submission under the category of security and privacy. As a follow-up to the Cyber Summit last year, we also completed our statewide 2012 Cyber Breakfast Series this past week. For these security leadership efforts, Governor Snyder was recently recognized by Symantec with this national award.

Meanwhile, much more was going on behind the scenes. While we alluded to the benefits of a cyber range and the need for these new cybersecurity resources at a variety of events over the past year, we were quietly working to build the Michigan Cyber Range with support from the public and private sector. We were encouraged by our meetings in Washington D.C. with representatives from the National Institute of Standards & Technology (NIST), the U.S. Department of Homeland Security (DHS), the U.S. Department of Energy and others. We worked with others as we examined the case for a new enterprise cyber range.

Teams of technology leaders from within government, the private sector and academia met with companies from around the state and country over the past year to encourage support of these cybersecurity efforts, and the response was very positive.

The State of Michigan issued a Request for Proposal through the Michigan Economic and Development Corporation (MEDC) to determine who should run this critical public/private effort, and Merit Network, Inc. was chosen. Merit is a nonprofit, member-owned organization formed in 1966 to design and implement a computer network between public universities in Michigan.

The founding members of the Michigan Cyber Range, along with many other companies that hope to support the range in the near future, are excited that the necessary support was achieved in about one year.

What Happened at the Launch?

Friday’s launch event in Ann Arbor, which was attended by government, business and academic leaders from all over Michigan, included speeches from Governor Snyder, Merit President & CEO Don Welch and U.S. Department of Homeland Security Acting Director of Critical Infrastructure Cyber Protection & Awareness, Carlos Kizzee. Introductions and recognition of key sponsors were offered by DTMB Director John Nixon and State CIO David Behen. Also attending, but not speaking, was U.S. Department of Energy CISO, Gil Vega.

After the opening comments and ceremonies, the Governor cut the ribbon on the cyber range, with the sponsors participating in photos and short presentations by students and experts on the cyber range plans and capabilities.

The launch of our new Michigan Cyber Range was covered by numerous media outlets around the Great Lakes region and the country. Here is a small sampling of the media coverage we received on the cyber range launch:

Detroit TV 20 video: Protecting Our Networks

Emergency Management Magazine: Michigan Launches 'Cyber Range' to Enhance Cybersecurity

Ann Arbor Journal: Gov. Rick Snyder attends opening of Michigan Cyber Range

Oklahoma News: Gov. launches cyber security training facility

The Republic, Columbus, Indiana: Mich. governor launches opening of Michigan Cyber Range to detect, prevent electronic threats

Wish TV.com: Gov. launches cyber security training facility

So What’s Next?

 The reality is that this is just the beginning of a long cyber journey. This new capability and resource will enable an entirely new set of answers and more questions regarding cyberdefense. While we believe that this cyber range is unique and essential to fight and win current and future cybersecurity battles, we plan to partner with other cyber ranges such as the DETER Project.  Could this become the “Great Lakes” Cyber Range? Only time will tell.

But for now, it is enough to say: “Welcome, come in and explore the new Michigan Cyber Range.” Students will interact on the range through classes and programs at many Michigan universities. Companies and government teams will connect to the range through virtual private networks (VPNs) and by visiting range facilities in person.

If you’d like more information or want to know how to get involved, please contact Merit Network at: http://www.merit.edu/cyberrange/contact.php.

 

