Addressing the talent shortage with IBM SkillsBuild – Think 2022

IBM collaborates with U.S. Department of Veterans Affairs, Specialisterne Foundation, and six Historically Black College & Universities to train underrepresented communities on technology

ARMONK, N.Y., May 10, 2022 — IBM (NYSE: IBM) today announced education initiatives with the U.S. Department of Veterans Affairs (VA), Specialisterne Foundation, and six Historically Black Colleges & Universities (HBCUs) to provide no-cost STEM job training to U.S. military veterans, neurodivergent learners worldwide, and university students from underrepresented communities in the U.S.

These collaborations underscore IBM’s focus on providing STEM job training to traditionally underrepresented communities as part of its commitment to skill 30 million people worldwide by 2030 to create equitable, inclusive economic opportunities while also addressing a longstanding STEM job skills shortage impacting the business community.

IBM SkillsBuild
  • U.S. Department of Veterans Affairs: IBM SkillsBuild will be an enhanced resource for transitioning Service members who are seeking job training and credentials through the VA to pursue a career after completing their military service. Together with the VA’s Veteran Employment Through Technology Education Courses (VET TEC) Employer Consortium, IBM will help military veterans to pursue customized learning paths and other accelerated, non-traditional job training for high-demand technology careers. The Department of Defense estimates that 250,000 Service members transition annually to veteran status.
     
  • In 2021, IBM Chairman and CEO Arvind Krishna pledged for IBM to partner with HBCUs to establish Cybersecurity Leadership Centers, with the goal of building a more diverse U.S. cyber workforce. Today, IBM is announcing the first six of more than 20 Cybersecurity Leadership Centers with the following HBCUs and HBCU systems: North Carolina A&T State University, Southern University System, Clark Atlanta University, Xavier University of Louisiana, Morgan State University, South Carolina State University.

Participant universities will have access to a customized, multi-year cybersecurity experience with IBM, including cybersecurity curricula, cloud access, and an immersive learning experience to expand HBCUs’ capacity to develop top talent in the cybersecurity sector.

  • Cybersecurity curricula: IBM will develop, for each HBCU, a customized IBM Security Learning Academy portal (an IBM client offering) including courses designed to help the university enhance its cybersecurity education portfolio. In addition, IBM will continue to give access to IBM Academic Programs.
  • Immersive learning experience: HBCUs’ faculty and students will have an opportunity to benefit from IBM Security’s Command Center, through which they can experience a highly realistic, simulated cyberattack, designed to prepare them and train them on response techniques. Moreover, HBCUs’ faculty will have access to consultation sessions with IBM technical personnel on cybersecurity.
  • Cloud access: IBM will provide faculty and students with no-cost access to multiple SaaS IBM Cloud environments.
  • Specialisterne Foundation: Together with the Specialisterne Foundation, IBM SkillsBuild will be tailored to the job training needs of neurodivergent individuals across 13 countries (Australia, Austria, Brazil, Canada, Denmark, France, Iceland, Ireland, Italy, Mexico, Spain, UK, U.S.). Specialisterne Foundation helps harness the talents of autistic persons and those with profiles such as ADHD, OCD, and dyslexia.

IBM is committed to extending skills training and technology credentials to individuals from underrepresented communities and will continue to pursue new and enhanced education partnerships like these.

“We believe that the most promising job candidates for today’s demanding careers will come from communities that may have been historically overlooked or excluded due to outdated hiring policies and old-fashioned credentialling,” said Justina Nixon-Saintil, Vice President, IBM Corporate Social Responsibility and ESG. “That’s why we’re uniting the public, private, and not-for-profit sectors to cultivate STEM talent from underrepresented communities to address the world’s most critical challenges.”

“We want Veterans to have as many pathways to employment and career success as possible,” said Michael Frueh, VA’s Principal Deputy Under Secretary for Benefits. “This is an urgent need and goes beyond hiring. This partnership will offer our Veterans a unique opportunity to obtain skills and find job opportunities across companies and industries.”

“We strongly believe that hiring diverse talent increases companies’ success,” said Steen Lohse, CEO and Managing Director of Specialisterne Foundation. “Neurodivergent people across the world will have access to free, online courses from IBM SkillsBuild on disruptive technologies such as AI, cybersecurity, and cloud computing, enabling meaningful employment for neurodivergent learners.” 

“NC A&T State University being chosen as one of the first six HBCU Cybersecurity Leadership Centers is a great privilege that will provide our students with access to top-notch education, technology, and industry professionals and will ensure the future cybersecurity workforce will be diverse, experienced, and capable of protecting this country,” said Hossein Sarrafzadeh, PhD, Director of the Center of Excellence in Cybersecurity Research, Education and Outreach. “IBM recognizes the untapped talent at HBCUs and with this investment they are building a cybersecurity education infrastructure that will propel underrepresented communities to the forefront of security leadership.”

“As we know, technology-related services are in constant demand, and cybersecurity is paramount,” said Dr. Ray L. Belton, President of the Southern University System. “Consistent growth in all areas of industry requires a well-prepared workforce. We are proud to partner in this initiative that will offer in-demand programming and opportunities to our students, adding to a diverse, global marketplace.”

“Through South Carolina State University’s collaboration with IBM, students, staff, and faculty have access to modern technology, resources, and skills development,” said Dr. Nikunja Swain, Chair and professor, Computer Science and Mathematics Department; Executive Director, Center of Excellence in Cybersecurity. “We are glad to be part of this new IBM HBCU Cybersecurity Leadership initiative, which will further enhance our ongoing activities on several key areas, including cybersecurity, data science analytics, cloud computing, IoT, blockchain, design thinking, quantum computing, and artificial intelligence.”

“Xavier is excited to partner with IBM to expand the opportunities offered to our talented students,” said Dr. Anne McCall, provost and senior vice president of Academic Affairs at Xavier University of Louisiana. “At Xavier, we are responsible for cultivating the talents of the next generation, and cybersecurity is an industry of the future. This partnership will help our nation meet the growing need for skilled professionals in the cyberspace workforce.” 

“The Morgan State University CAP Center is excited about this partnership opportunity as we work together with IBM to address the high workforce demand in the cybersecurity industry,” said Dr. Kevin T. Kornegay, Professor and IoT Security Endowed Chair, Morgan State University.

“Clark Atlanta University welcomes the partnership and the expanded collaboration with IBM to build a more diverse and innovative U.S. cyber workforce. This amazing opportunity prepares our students for the future in developing cutting edge technology to solve complex cybersecurity challenges and better protect organizations in a challenging and uncertain global security environment,” said Silvanus Udoka, Ph.D., Dean, Clark Atlanta University School of Business Administration.  

In 2020, Manpower Group found that the talent shortage in the U.S. has more than tripled over 10 years, with 69% of employers surveyed struggling to fill skilled positions, up from just 14% in 2010. By September 2021, there were more than 1.2 million U.S. job vacancies postings in software-related professions, according to the National Foundation for American Policy.

— Source, video, and cover photo: IBM




Capitol Tech Hosts Cyber Saturday 2022

LAUREL, MD—BDPA Members, alumni, and regional students visit Capitol Technology University’s cyber labs during workshops, presentations, and Capture The Flag (CTF) activities during this weekend’s annual Cyber Saturday events.

Capitol Technology University is Washington D.C.’s premier STEM University, supplying human capital to America’s most technologically advanced government agencies and their private sector supply chains. In 2020, Capitol Tech was awarded a two-year grant from the National Security Agency (NSA) to lead the National Center of Academic Excellence (CAE) Northeast Regional Hub, which includes 14 states, the District of Columbia, and hundreds of institutions offering cybersecurity programs. BDPA’s relationships with Capitol Tech, its staff, and its alumni span two decades.

Capitol Tech staff and alumni attend annual National BDPA Career Conferences and Tech Expos.

Dr. Kellep Charles serves as an assistant professor and chairs Capitol Technology University’s Cybersecurity department. He completed his Doctorate in Cybersecurity at Capitol Technology University. He also holds a Master of Science in Telecommunication Management from the University of Maryland University College and a Bachelor of Science in Computer Science from North Carolina Agricultural and Technical State University.

Dr. Kellep Charles (above) welcomes students and guests during Cyber Saturday.

Dr. Charles worked as a government contractor in the Washington, DC area as an information security analyst for over 20 years in the areas of incident response, computer forensics, security assessments, malware analysis, and security operations. He is the creator and executive editor of SecurityOrb.com, an information security and privacy knowledge-based website with the mission to share and raise awareness of the motives, tools, and tactics of the black-hat community, and provide best practices and countermeasures against malicious events.

bdpatoday photos © 2022 by Evan Carter



DISA Business Match Announced

FORT MEADE, MD—The Defense Information Systems Agency (DISA), in partnership with the Fort Meade Alliance, presents DISA Business Match, a full-day matchmaking event to connect small businesses with industry primes and DISA officials. The in-person event will take place on Monday, April 25 from 8 a.m. to 4 p.m. at the BWI Airport Marriott (1743 W Nursery Rd, Linthicum Heights, MD 21090).

Sign-ups and matching selections/priorities will be on a first-come, first-served basis. Sign up early for your first picks! As an added bonus, when you are in between appointments, meet with DISA’s Chief of Staff, Senior Enlisted Advisor, the SETI Program Manager, or DISA’s Office of Small Business personnel! DISA’s updated forecast will be hot off the presses for the event!

You will have the opportunity to share your company’s capabilities with multiple potential partners in this speed-dating format. Registration details for in-person matchmaking with DISA Program Managers and DISA’s Prime Contractors are linked below.

Select here to pre-register before Friday, April 8, 2022.

— Sources: DISA and SAM.gov

__________________________
Host Chapter(s):
BDPA Baltimore, BDPA-DC, and BDPA NoVA

For additional information or business intelligence research regarding contract opportunity pipelines, BDPA and H.O.P.E. Project Members or Alumni, business owners, HBCU/MI executives, or JROTC instructors may email us at: info@bdpadc.org for related cybersecurity, quantum technology, or STEM information, assistance, or BDPA mission-partner questions.



SHIELDS UP: Readout of CISA Call With Critical Infrastructure Partners on Potential Cyberattacks Against the U.S.

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) convened a three-hour call on March 22, 2022 with over 13,000 industry stakeholders to provide an update on the potential for Russian cyberattacks against the U.S. homeland and answer questions from a range of stakeholders across the nation.

As President Biden noted yesterday, evolving intelligence indicates that the Russian Government is exploring options to conduct potential cyberattacks against the United States. CISA echoed the President’s warning on the call today and reinforced the urgent need for all organizations, large and small, to act now to protect themselves against malicious cyber activity.

On the three-hour call, CISA Director Jen Easterly, Deputy Executive Assistant Director for Cybersecurity Matt Hartman, and Tonya Ugoretz, Deputy Assistant Director for the FBI’s cyber division, encouraged organizations of all sizes to have their Shields Up to cyber threats and take proactive measures now to mitigate risk to their networks. They encouraged those on the line to visit CISA.gov/Shields-Up to take action to protect their organizations and themselves and urged all critical infrastructure providers to implement the mitigation guidelines enumerated on CISA.gov/Shields-Up, including:

  • Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
  • Update the software on your computers and devices to continuously look for and mitigate threats;
  • Back up your data and ensure you have offline backups beyond the reach of malicious actors;
  • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
  • Encrypt your data;
  • Sign up for CISA’s free cyber hygiene services; and
  • Educate your employees about common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.

Director Easterly urged all organizations, regardless of size, to contact CISA immediately if they believe they may have been impacted by a cyber incident. When cyber incidents are reported quickly, CISA can use the information to render assistance and help prevent other organizations and entities from falling victim to a similar attack. All organizations should report incidents and anomalous activity to report@cisa.gov or call the 24/7 CISA Central Operations Center at (888) 282-0870.

Today’s event built on a series of briefings that CISA has been convening since late 2021 with U.S. Government and private sector stakeholders at both classified and unclassified levels. This outreach was provided to Federal Civilian Executive Branch Agencies, Sector Risk Management Agencies, private sector partners, state, local, tribal, and territorial (SLTT) governments, and international partners. To date, CISA has hosted or participated in more than 90 engagements reaching tens of thousands of partners. 

— Source: CISA.gov



Blacks In Cybersecurity Makes History with Black Badge-laden Capture The Flag Competition at DEF CON 29

LAS VEGAS, NV (BPRW) — Blacks in Cybersecurity, known as “BIC,” seeks to ignite a cultural change in the Black community through its Cybersecurity education and career pipeline initiatives. BIC seeks to educate and operate in a way that exposes Cybersecurity as a hobby and outlet that can be experienced in any walk of life, in a casual and no-pressure environment. By reimagining the traditional way in which knowledge is shared and presented, and adopting a philosophy that encourages lifelong learning, skill building and “tinkering” with concepts to gain hands-on understanding, BIC seeks to change the face of what a stereotypical Cybersecurity professional or hobbyist may look like.

Since its conception in 2018, BIC has not only been the nexus for the Black Cybersecurity community in the Washington, D.C. metro area with its events and conference series, but has expanded globally with more than 40 chapters, referred to as “BIC@Locations” and “BIC@Campus” (university chapters), across the United States, Canada, Europe and Africa.

Michaela Barnett, Garrison Best and Blacks In Cybersecurity Village Staff at DEF CON 29. Photo courtesy: BIC

On August 8, 2021, Blacks In Cybersecurity made Black History by having the honor and privilege of being the first Black-owned and -operated competition to be present at DEF CON and to present a Black Badge to the winners of its competition. The DEF CON Black Badge is a “powerful talisman,” awarded to those who have emerged unbeaten from the crucible of an elite DEF CON competition. The competition that receives this badge varies from year to year and seeks to highlight the very best in competitors. Those who receive the badge enter DEF CON free of charge for the duration of their natural life. In participating in this honored pastime of the Hacker community, BIC seeks to continue its work in creating space for and uplifting the Black community in Cybersecurity.

— Source and images: Blacks In Cybersecurity and Black PR Wire



IBM To Establish New Cybersecurity Center For US Federal Clients

IBM Center for Government Cybersecurity to help agencies navigate current and future threats
Convenes advisory group of former government officials for expanded expertise

WASHINGTON—IBM today announced that it is creating the IBM Center for Government Cybersecurity, a collaborative environment focused on helping federal agencies address current and future cybersecurity threats. The center will facilitate events and learnings, drawing on IBM’s cybersecurity expertise from delivering software and managed services to over 17,500 security customers globally. Working with a group of internal IBM experts and external advisors, including former government officials with decades of cybersecurity experience, the center will leverage IBM technology and host workshops focused on priorities such as zero trust frameworks and cloud security, complemented by access to IBM Research labs to collaborate around the future of encryption.

As recent threats like SolarWinds and the Colonial Pipeline ransomware attack against critical infrastructure have shown, the threat landscape has crossed over from the digital world to the physical. In fact, the 2021 IBM Security X-Force Threat Intelligence Index found that ransomware accounted for 33% of the attacks on government organizations in 2020. With the US Federal government furthering its investment in hybrid cloud, new approaches for cybersecurity should focus on protecting both systems and data, no matter where the data is: on premises, in the cloud, or at the edge.

The IBM Center for Government Cybersecurity will be housed at IBM’s offices in downtown Washington DC. The new facility will feature secured laboratory space where government customers can collaborate on unique solutions for advanced security threats leveraging insights from demos of IBM technologies and services. Initially, IBM will conduct virtual sessions to accommodate any challenges to meeting in person, with the capability to execute engagements at on-site customer locations.

“IBM is committed to helping our US Federal government customers meet cybersecurity modernization requirements – both for current and future threats,” said Stephen LaFleche, General Manager Public and Federal Market, IBM. “Hybrid cloud environments can provide an opportunity to implement new technologies and techniques, like a zero trust framework and advanced encryption – while helping make the government more accessible and easier for citizens to work with. These techniques are also being applied in other highly regulated industries, such as financial services, telecommunications and healthcare.”

Center Exploring Current and Future Threats

A central goal of the IBM Center for Government Cybersecurity is to provide access, via workshops, to information on cybersecurity technologies IBM is using with the public and private sectors, and on security innovations being developed in IBM Research laboratories. Some initial examples of the sessions IBM will conduct include:

  • Adapting to a Zero Trust World – Exploring the unique implementation needs for government to apply the core principles of zero trust: least privilege access; never trust, always verify; and assume breach. IBM will leverage blueprints from successful public and private sector implementations to assist agencies to plan their zero trust journey. The session will explore four initiatives including: Securing the hybrid and remote workforce, Reducing the risk of insider threats, Protecting the hybrid cloud and Preserving customer privacy. As part of the center, IBM can demonstrate the capabilities of IBM Cloud Pak for Security to help orchestrate zero trust approaches. Customers can also experience the IBM Zero Trust Acceleration workshop to help manage new emerging requirements for a zero trust approach at US Federal agencies – with added expertise via partnerships like Zscaler and Illumio.
     
  • Hybrid Cloud Security Challenges for Data Portability – Part of adapting zero trust models is disrupting the architecture design for IT systems. Agencies using multi-cloud and multi-tenant environments may be looking to securely modernize their applications and move data between on-premises and cloud environments. As part of this workshop, IBM Security architects can demonstrate the use of trusted execution environments, containers, and open standards as a reference point for future hybrid cloud designs via IBM Security Services for Cloud. IBM is also helping customers protect data across hybrid environments against current threats. For example, IBM services and technologies are designed to maintain the highest available level of cryptographic key protection to help protect existing data in the cloud and prepare for future threats that could evolve with advances in quantum computing.
     
  • The Future of Cryptography – With modern-day cryptographic techniques threatened by advancements in computing, IBM Research is expanding its efforts in hardening this essential technology. IBM currently has several quantum-safe cryptography standards in consideration with NIST and is at the forefront of making data usable while encrypted via Fully Homomorphic Encryption (FHE) and Confidential Computing. As part of this workshop, IBM researchers can help US Federal agency teams understand the implications that the technology will have on next-generation architectures and security protocols. IBM Z helps agencies protect against, and respond to, threats with technologies such as encryption everywhere for data at rest and in transit, to protect against data loss or corruption.

Expertise Available via IBM Center

The IBM Center for Government Cybersecurity Advisory Group brings together former public sector leaders and private sector experts that can advise US Federal customers on historical challenges and help evaluate best practices for navigating current and future regulations and orders. Access to the advisory group will be made available via on-site and virtual conferences as well as individual discussions. The Center Advisory Group will also publish thought leadership and research on cybersecurity issues and solutions.

Advisory group members include:

  • Tony Scott – Former US Chief Information Officer
  • Curt Dukes – Former Information Security/Cyber Security Lead for NSA
  • Kiersten Todt – Former Cybersecurity Advisor for President Obama
  • Margaret Graves – Former Deputy Federal CIO and Deputy DHS CIO
  • Daniel Chenok – Former Branch Chief for OMB
  • Brian Dravis, Major General (ret) – Former Director Joint Service Provider DISA, DOD
  • Terry Halvorsen – Former DOD CIO, DON CIO, and Deputy Commander Network Warfare Command

The world-renowned IBM Security X-Force research organization will also be available via Center events. IBM Security X-Force monitors 150 billion+ security events per day in more than 130 countries. Early access to research from X-Force will be available for US Federal customers engaged via the Center.

IBM X-Force Command Cyber Tactical Operations Center

The industry’s first fully functional Security Operations Center (SOC) on wheels was launched by IBM in 2018. The IBM X-Force Command Cyber Tactical Operations Center (C-TOC) travels onsite for cybersecurity training, education and response, including immersive cyberattack simulations to help organizations improve their incident response efforts.

The IBM X-Force Command Cyber Tactical Operations Center (C-TOC) will travel onsite for cybersecurity training, education and response, including immersive cyberattack simulations to help organizations improve their incident response efforts.

The IBM X-Force C-TOC provides a gesture-controlled cybersecurity “watch floor,” data center and conference facilities that can accommodate two dozen operators, analysts and incident command center staff.

About IBM Security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM Security X-Force research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 150 billion+ security events per day in more than 130 countries, and has been granted more than 10,000 security patents worldwide. IBM Security offers a completely flexible deployment model from consultancy, advice from industry experts, advanced technology to managed security services.

For more information, please check www.ibm.com/security, follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog.

Source and photo credits: IBM and Feature Photo Service


Visium Technologies Announces The Hiring of VP-Worldwide Sales

FAIRFAX, VA — Visium Technologies announced the appointment of Keith Scott as its Vice President of Sales and Client Success. Mr. Scott brings with him more than 20 years’ experience at some of the world’s leading technology and cybersecurity enterprises, and will be responsible for all global direct sales and reseller functions. Keith’s responsibilities will encompass sales team leadership, accelerating Visium’s revenue through expanding Visium’s presence in new geographies, development of new channels, and contributing to the company’s marketing and business strategies.

Keith Scott

“I’m pleased to have Keith coming aboard and am looking forward to seeing him make an immediate impact on sales and help us achieve significant growth,” said Mark Lucky, CEO of Visium Technologies.

“Keith has led winning sales operations teams for 20 years and he brings a strong track record of building global sales teams that are focused on delivering customer value and maximizing revenue opportunities.”

Mr. Scott brings a broad range of experience to his new position including executive sales and business development roles at both startups and large enterprise organizations, including with AppDynamics, FireEye, CA Technologies, Concord Communications, Getronics and J.G. Van Dyke & Associates. Three of these companies were acquired and two had successful IPOs. Moving quickly, Mr. Scott has already started an initiative to double Visium’s North American sales team by assembling the necessary regional and inside sales infrastructure including technical, channel and additional sales resources that will play an essential role in Visium’s revenue growth.

Keith Scott, (far right), is a U.S. Air Force veteran and Lifetime Member of BDPA. He brings with him more than 20 years’ experience at some of the world’s leading technology and cybersecurity enterprises supporting the Department of Defense and Intelligence Community (DOD/IC). Mr. Scott oversees regional Cyber Programs for National BDPA’s Greater Washington, D.C. Chapter (BDPA-DC). Above, Mr. Scott is participating in CyberEarth17, his region’s inaugural Earth Day Tech Summit with BDPA-DC and In3DC Incubator at Howard University. — Photo credit: Lynn Dunigan, © 2017 bdpatoday

“I’m honored to join the Visium team and help to build on the solid foundation of our context-based TruContext™ platform, ensuring the best possible customer experience and enhancing the capabilities of existing cyber tools and technologies. Visium is perfectly positioned to help its clients improve business outcomes with visualizations and analytics. Exciting times!”

Source and top photo: Visium/ACCESSWIRE
Photos: bdpatoday



The Gula Tech Foundation Announces Winners of $1 Million Grant Program

COLUMBIA, MD—Gula Tech Foundation, a nonprofit focused on awarding $1,000,000 in competitive grants to cybersecurity nonprofits several times each year, announced the winners of its initial competitive grant program. This competitive grant focuses on funding nonprofits with the mission to increase African American engagement in cybersecurity.

“We reviewed over a hundred submissions from impressive nonprofits impacting the cybersecurity industry. So many of the nonprofits that submitted are making a noticeable change in the industry and driving our industry forward,” said Ron & Cyndi Gula, Co-founders of The Gula Tech Foundation. “It was difficult to choose, but the three winners truly exemplify the mission, persistence and vision needed to succeed in this environment.”

2021 Winners:

First Place: $500,000

  • Black Cybersecurity Association: BCA creates a multigenerational pipeline of qualified professionals to enter the workplace and has more than 2,000 cybersecurity mentors enabling a variety of programs.

Second Place: $300,000

  • NPower Inc: NPower’s advanced Cybersecurity program is currently offered two times per year starting March or July for 100 students. The program is 14 weeks of full-time virtual classroom training followed by 12 weeks of on-the-job training and professional development through a paid internship in the cybersecurity departments of NPower’s corporate partners.

Third Place: $200,000

  • Girl Security: Girl Security provides multi-disciplinary, equity-informed programming through its “SEA Model,” where girls and young women are Secured, Empowered, and Advanced.

“We are thrilled to be announced as the first place winner of this initial competitive grant program. With a keen focus on creating qualified Black professionals to enter the cybersecurity workforce, this grant will enable us to accelerate this effort to reach 10,000 professionals by 2030,” said Darold Kelly Jr., President & CEO of Black Cybersecurity Association.

The Gula Tech Foundation’s March 2021 grant will support nonprofits that demonstrably raise public awareness about cybersecurity. Public awareness about cybersecurity is part of the Gulas’ initiative to expand cybersecurity into the “Data Care” industry. Applications for a competitive grant open March 22, 2021, and the winners will be announced May 20, 2021 as part of the 2021 RSA Conference.

“RSA Conference is very proud to partner with The Gula Foundation in their efforts to increase understanding of personal responsibility to care for data and, in doing so, positively impact inclusivity and diversity of those who seek out a career in our industry through their ‘Data Care’ grant,” said Britta Glade, Senior Director of Content & Curation for RSA Conference. “The ‘team sport’ vision that a Data Care term implicitly carries with it can help broaden the lens of who feels like our field is a possible career option. The Gula Foundation’s ‘Data Care’ Grant is a great way to move this important effort forward.”

To learn more about the next competitive grant competition, visit: https://www.gula.tech/foundation/.

About Gula Tech Adventures
Founded by cybersecurity entrepreneurs Ron and Cyndi Gula, Gula Tech Adventures invests in companies and nonprofits that help close the gap in the technology and workforce needed to defend the country in cyberspace. They work directly with cybersecurity startups, investment funds and nonprofit organizations. Since 2017, the Gulas have made more than 40 investments in cybersecurity startups such as Automox, Cybrary, Huntress and Scythe, cybersecurity funds including Inner Loop Capital, DataTribe and Forgepoint Capital, and have also supported cybersecurity nonprofits like Defending Digital Campaigns and voting.works.

— Source and images: Gula Tech Foundation

The U.S. Spent $2.2 Million on a Cybersecurity System That Wasn’t Implemented — and Might Have Stopped a Major Hack

ProPublica is a Pulitzer Prize-winning investigative newsroom.

NEW YORK—As America struggles to assess the damage from the devastating SolarWinds cyberattack discovered in December, ProPublica has learned of a promising defense that could shore up the vulnerability the hackers exploited: a system the federal government funded but has never required its vendors to use.

The massive breach, which U.S. intelligence agencies say was “likely Russian in origin,” penetrated the computer systems of critical federal agencies, including the Department of Homeland Security, the Treasury Department, the National Institutes of Health and the Department of Justice, as well as a number of Fortune 500 corporations. The hackers remained undetected, free to forage, for months.

The hackers infiltrated the systems by inserting malware into routine software updates that SolarWinds sent to customers to install on its products, which are used to monitor internal computer networks. Software updates customarily add new features, remove bugs and boost security. But in this instance, the hackers commandeered the process by slipping in malicious code, creating secret portals (called “back doors”) that granted them access to an untold bounty of government and company secrets.

The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers.

This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for “as a whole”), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. Cappos, 43, has made securing the software supply chain his life’s work. In 2013, Popular Science named him as one of its “Brilliant Ten” scientists under 40.

Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.

“In security, you almost never go from making something possible to impossible,” Cappos told ProPublica, during two video interviews from Shanghai, where he is teaching. “You go from making it easy to making it hard. We would have made it much harder for the [SolarWinds] attackers, and most likely would have stopped the attack.” Although the SolarWinds breach was a “really sneaky” approach, Cappos said, “in-toto definitely can protect against this. It’s very possible to catch it.”

In-toto’s system has supporters among experts in the government and corporations. When ProPublica asked Robert Beverly, who oversees in-toto’s federal grant as a program director at the National Science Foundation, whether using in-toto could have saved the government from the hack, he replied, “Absolutely. There seems to be some strong evidence that had some of the, or all of the, in-toto technologies been in place, this would have been mitigated to some extent.” Beverly, whose NSF responsibilities include “cybersecurity innovation for cyberinfrastructure” and who is on leave from his post as a computer science professor at the Naval Postgraduate School, added that it’s impossible to know for sure what impact in-toto would have had, and that the system remains at an early stage of adoption. “Unfortunately,” said Beverly, “it often takes some of these kinds of events to convince people to use these kinds of technologies.”

Some companies have embraced in-toto, and others, like Microsoft, have expressed interest. “I am a big fan of in-toto,” Kay Williams, head of Microsoft’s initiatives in open source and supply-chain security, said in an email to ProPublica. A second Microsoft program manager, Ralph Squillace, praised in-toto in a recent NYU press release for applying “precisely to the problems of supply chain confidence the community expects distributed applications to have in the real world.” (After Williams’ initial response, Microsoft declined to comment further.)

One senator blasted the government’s failure to use a system it paid for. “The U.S. government invested millions of dollars in developing technology that can protect against this threat, and while several large technology companies have already adopted it, they are the exception,” said Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee. “The government can speed up industry adoption of this best practice by requiring every government contractor to implement the best available technology to protect their supply chains.”

The in-toto system requires software vendors to map out their process for assembling the computer code that will be sent to customers, and it records, in a signed log entry for each step, what went into that step and what came out of it. It then verifies electronically that the output of one step is exactly what the next step consumed, so that no hacker has inserted something in between. Immediately before installation, a pre-installed tool automatically runs a final check to make sure that what the customer received matches the final product the software vendor generated for delivery, confirming that it wasn’t tampered with in transit.
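The verification just described, reduced to a runnable sketch. This is an added illustration written for this page; it is neither in-toto’s own code nor anything from the article. It assumes a two-step pipeline (a developer “commit” step and a CI “build” step), uses HMAC-SHA256 with per-functionary secrets as a stand-in for the asymmetric signatures in-toto actually uses, keeps the layout as a plain dict rather than a signed layout file, and models only one rule type (a step’s input must match an earlier step’s output) plus the customer-side delivery check. All artifact bytes, key values and step names are constructed for the example.

```python
"""Minimal in-toto-style supply-chain verification (added illustration, not in-toto's code).
Assumptions: HMAC-SHA256 with shared secrets stands in for real signatures; the layout is an
unsigned dict; only MATCH rules and the final delivery check are modelled."""
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, payload: dict) -> str:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(step: str, key: bytes, materials: dict, products: dict) -> dict:
    """Link metadata: hashes of what a step consumed and produced, signed by the functionary."""
    signed = {
        "step": step,
        "materials": {name: digest(b) for name, b in materials.items()},
        "products": {name: digest(b) for name, b in products.items()},
    }
    return {"signed": signed, "signature": sign(key, signed)}


def verify(layout: dict, links: dict, delivered: dict) -> list:
    """Verify a chain of links against the layout; an empty list of findings means it passes."""
    findings, trusted = [], {}
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            findings.append(f"{name}: missing link metadata")
            continue
        key = layout["keys"][step["functionary"]]
        if not hmac.compare_digest(sign(key, link["signed"]), link["signature"]):
            findings.append(f"{name}: bad signature (not signed by {step['functionary']})")
            continue
        if link["signed"]["step"] != name:
            findings.append(f"{name}: link claims to be step {link['signed']['step']}")
            continue
        trusted[name] = link["signed"]
        # MATCH rules: each listed material must equal the product of an earlier, trusted step.
        for artifact, from_step in step.get("match_materials", []):
            upstream = trusted.get(from_step, {}).get("products", {})
            if link["signed"]["materials"].get(artifact) != upstream.get(artifact):
                findings.append(f"{name}: material {artifact} does not match product of {from_step}")
    # Customer-side check: the delivered bytes must match the last trusted step's products.
    last = layout["steps"][-1]["name"]
    final_products = trusted.get(last, {}).get("products", {})
    for artifact, data in delivered.items():
        if final_products.get(artifact) != digest(data):
            findings.append(f"delivery: {artifact} does not match product of {last}")
    return findings


# Constructed two-step pipeline: a developer commits source, CI compiles it.
KEYS = {"developer": b"developer-key (assumed)", "ci": b"ci-key (assumed)"}
LAYOUT = {
    "keys": KEYS,
    "steps": [
        {"name": "commit", "functionary": "developer"},
        {"name": "build", "functionary": "ci", "match_materials": [("app.c", "commit")]},
    ],
}
CLEAN_SRC = b"int main(void) { return 0; }"
CLEAN_BIN = b"\x7fELF clean build of app.c"          # constructed stand-in for a binary
BACKDOORED_BIN = CLEAN_BIN + b" + attacker payload"  # constructed tampered artifact


def scenario(kind: str):
    """Return (links, delivered) for a clean chain or one of three tampering cases."""
    commit = make_link("commit", KEYS["developer"], {}, {"app.c": CLEAN_SRC})
    if kind == "clean":
        build = make_link("build", KEYS["ci"], {"app.c": CLEAN_SRC}, {"app.bin": CLEAN_BIN})
        return {"commit": commit, "build": build}, {"app.bin": CLEAN_BIN}
    if kind == "tampered_source":
        # Source swapped on the build host after commit; CI honestly records what it compiled.
        evil_src = CLEAN_SRC + b" /* implant */"
        build = make_link("build", KEYS["ci"], {"app.c": evil_src}, {"app.bin": BACKDOORED_BIN})
        return {"commit": commit, "build": build}, {"app.bin": BACKDOORED_BIN}
    if kind == "tampered_delivery":
        # Chain is clean, but the update served to the customer was replaced in transit.
        build = make_link("build", KEYS["ci"], {"app.c": CLEAN_SRC}, {"app.bin": CLEAN_BIN})
        return {"commit": commit, "build": build}, {"app.bin": BACKDOORED_BIN}
    if kind == "forged_link":
        # Attacker fabricates build metadata vouching for the backdoored binary with their own key.
        build = make_link("build", b"attacker-key", {"app.c": CLEAN_SRC}, {"app.bin": BACKDOORED_BIN})
        return {"commit": commit, "build": build}, {"app.bin": BACKDOORED_BIN}
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("clean", "tampered_source", "tampered_delivery", "forged_link"):
        print(kind, verify(LAYOUT, *scenario(kind)) or "OK")
```

The three tampering cases map onto the points in the article: a source file swapped on the build host is caught because the build step’s recorded input no longer matches the commit step’s recorded output; an update replaced in transit is caught by the customer-side hash check; and metadata forged by someone who does not hold the CI functionary’s key is rejected at the signature check, which also leaves the delivered artifact with no trusted provenance. Real in-toto layouts are themselves signed by the project owner and use public-key signatures, so the verifier does not need to hold any functionary secret.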

Cappos and a team of colleagues have worked to develop the in-toto approach for years. It’s been up and running since 2018. The project received a three-year grant from the National Science Foundation that year, aimed at promoting “widespread practical use” of in-toto. (Later in 2018, President Donald Trump signed the Federal Acquisition Supply Chain Security Act, aimed at protecting government secrets from software supply-chain threats.)

In-toto could block and reveal countless cyberattacks that currently go undetected, according to Cappos, whose team includes Santiago Torres-Arias, an assistant electrical and computer engineering professor at Purdue University, and Reza Curtmola, co-director of the New Jersey Institute of Technology’s Cybersecurity Research Center. In an August 2019 paper and presentation to the USENIX computer conference, titled “in-toto: Providing farm-to-table guarantees for bits and bytes,” Cappos’ team reported studying 30 major supply-chain breaches dating back to 2010. In-toto, they concluded, would have prevented between 83% and 100% of those attacks.

“It’s available to everyone for free, paid for by the government, and should be used by everyone,” said Cappos. “People may still be able to break in and try to hack around it. But this is a necessary first step and will catch a ton of these things.” The slow pace of adoption is “really disappointing,” Cappos added. “In the long game, we’ll win. I just don’t know that we want to go through the pain that it’ll take for everyone to wise up.”

One of in-toto’s earliest adopters, starting in 2018, was Datadog, a SolarWinds competitor that provides monitoring software for internet cloud applications. Now a publicly traded company with 2020 revenues of nearly $600 million, its customers include Nasdaq, Whole Foods and Samsung. Datadog uses in-toto to protect the security of its software updates. In an NYU press release, Datadog staff security engineer Trishank Kuppusamy, who worked on the program’s design and implementation, said that what distinguishes in-toto is that it “has been designed against a very strong threat model that includes nation-state attackers.” (Datadog did not reply to ProPublica’s requests for comment.)

The General Services Administration, which provides access to software for federal government agencies, still lists SolarWinds products available for purchase. But it said in a statement that “compromised versions” of SolarWinds programs identified by DHS are no longer available.

SolarWinds itself declined to weigh in on whether its hack could have been prevented. “We are not going to speculate on in-toto and its capabilities,” a spokesman said in an emailed statement. “We are focused on protecting our customers, hardening our security and collaborating with the industry to understand the attack and prevent similar attacks in the future.”

Previously little known to the general public, SolarWinds is a public company based in Austin, Texas, with projected 2020 revenues of just over $1 billion. It boasts of providing software to 320,000 customers in 199 countries, including 499 of the Fortune 500 companies. In a recent SEC filing, the company said its flagship Orion products, the vehicle for the cyberattack, provide about 45% of its revenues. A SolarWinds slogan: “We make IT look easy.”

After the hack was discovered, SolarWinds’ stock plunged, and it is now facing shareholder lawsuits. The company has shifted aggressively into damage-control mode, hiring CrowdStrike, a top cybersecurity firm; elite Washington lobbyists; a crisis-communications advisor; and the newly formed consulting team of Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (who was famously fired for contradicting Trump’s claims of mass voting fraud) and Alex Stamos, former security chief at Facebook.

News of what’s now known as the SolarWinds attack first came on Dec. 8. That’s when FireEye, perhaps the nation’s preeminent hack-hunter, announced that it had itself fallen victim to a “highly sophisticated state-sponsored adversary” that had broken into its servers and stolen its “Red Team tools,” which FireEye uses to try to hack into the computer networks of its clients as a test of their cyber-defenses. FireEye soon discovered the attackers had gained access through corrupted updates to the SolarWinds Orion network-monitoring software that it used.

On the evening of Dec. 13, CISA issued an emergency directive, identifying SolarWinds as ground zero for the hack and alerting federal agencies using Orion products to disconnect them immediately. Over the following weeks, investigators discovered that SolarWinds had been targeted back in early September 2019, when hackers started testing their ability to inject code into its software updates. After remaining undetected for months, they inserted malware in new updates between February and June 2020. SolarWinds estimated these infected updates affected “fewer than 18,000 of its customers.”

Precisely what the hackers saw, and stole, has yet to be determined and is under investigation. But the full impact of the breach is becoming clearer, as we now know it touches several tech companies, including Microsoft. The software giant has also labored to limit the damage by helping seize an internet domain in the U.S. that the hackers used to siphon data from some SolarWinds customers.

Stamos told the Financial Times, in an interview after being hired to help SolarWinds, that he believed the attackers had embedded hidden code that would continue to give them access to companies and government agencies for years. He compared the situation to Belgian and French farmers going out into their fields where two world wars were fought and discovering an “iron harvest” of unexploded ordnance each spring.

Dmitri Alperovitch, who co-founded CrowdStrike (the cybersecurity firm SolarWinds has hired to investigate the hack) before leaving last year to start a nonprofit policy group, said he thinks that, in theory, the in-toto system could work. But he warned that software is so complex, with many products and companies in the supply chain, that no one defense is a panacea. Still, he agrees that in-toto could provide protection, and said “it’s always a good thing to have more protection for supply chains.”

Russian intelligence services have clearly identified supply-chain attacks “as a much better way to get in,” offering “a much bigger set of targets,” Alperovitch said. “This is an indictment of the entire cybersecurity industry, as well as the intelligence community, that they were able to orchestrate such a broad, sweeping attack right under our noses.”

HPE, JEF, and BDPA Commemorate “Exascale Day” ― 10^18

Webinar + APBi: 17 OCT 20 10:00 am ET

Link to recorded webinar (October 17, 2020):
View webinar → https://www.youtube.com/watch?v=Ptj2yiciZiU&list=PLwwkfkXZ4yRqAiMIDUYDxJ3GQWruLPwwa

Industry Presenter: Steve Heibein
Steve Heibein is the Artificial Intelligence (Ai) Lead for Hewlett Packard Enterprise. Before HPE, he served as CIO, CTO, or VP Engineering for 20 years at several tech and media companies. In these roles, he oversaw Ai, machine learning, and data analytics projects in the areas of life science, fraud prevention, natural language processing, identity theft, cybersecurity, and energy forecasting. Steve advises organizations on the use and deployment of Ai solutions and regularly presents about high-performance computing and artificial intelligence.

Industry Moderator/Co-Host: Bryan Bemley
Bryan Bemley is an IT security specialist with Accenture Federal Services (AFS) and CIO of Joint Educational Facilities (JEF), Inc. Since the age of four, Bryan has been fascinated with technology, beginning with learning and understanding DOS. Since then, Bryan has immersed himself in many different areas of Computer Science and Information Technology, including Artificial Life, High Performance Computing (HPC), Web and Graphic Design, Cloud Computing, and Cyber Security. Using his experience and love of research and technology, Bryan strives to teach and mentor anyone who has an interest in IT to increase their body of knowledge.

Summary: Exascale Day is 18 October 2020
Exascale Day is the day we celebrate people and organizations actively using supercomputing and computational science to change the world for the better.

WEBINAR: Since 1982, HP, HPE, and Joint Educational Facilities, Inc. (JEF) have been Industry mission-partners with National BDPA and the High Performance Computing (HPC) Community. In this webinar and Advance Planning Briefing for Interns and Industry (APBi) session, we highlight “Artificial Intelligence” (“Ai”) along with HPE, our HPC Community, and achievements across Industry, featuring BDPA and JEF collaborations and related success stories. Our question and answer (Q&A) segment is facilitated by Bryan Bemley (JEF.org) and Perry Carter (bdpatoday.com).

Up next with JEF and BDPA: Autonomous Operations: Ai and Compute at “The Edge” and “Edge-to-Core Analytics” (our next sessions featuring HPE are November 7th and 14th).
