By day, Charles “Chas” Jeffries leads a group of Microsoft techies. When he leaves his Redmond office, he often sheds his suit and tie for military fatigues as commander of an elite band of cybersoldiers who are quietly waging global warfare on malicious hackers. Jeffries, chief of security and a lead program manager at Microsoft, is also Colonel Charles Jeffries of the Washington Air National Guard, commanding its 252nd Cyberspace Operations Group, one of the first military cybersecurity units formed in the United States.
Jeffries’ two professional lives share one goal: getting the bad guys who sneak their way into private computers and wreak havoc on businesses, schools, governments and households.
Not only is cybersecurity one of the top priorities of the United States armed forces, it has also become a hot-button issue for businesses, universities and local governments nationwide, including mom-and-pop operations.
The Puget Sound region, home to one of the largest high-tech sectors in the nation, is a fertile “threat landscape” for cybercriminals. For that reason, companies like Microsoft, Boeing, Google and Amazon are implementing resilient IT systems and have woven cybersecurity culture into their corporate fabric.
“Any internet-connected company today that doesn’t take cybersecurity seriously likely won’t be in business for long,” says Jeffries. “The more companies do to make it harder for cyberattackers to penetrate their networks and systems raises the bar collectively against the variety of cyberthreats the community is dealing with today.”
The job of safeguarding high-tech data traditionally has been relegated to information security professionals. But in today’s digital age, cybersecurity has a front-and-center seat in just about every corporate boardroom in America. IBM CEO Ginni Rometty has said cybercrime may be the greatest threat to every company in the world.
Cyberattacks cost businesses $400 billion to $500 billion a year, says cybersecurity expert Peter Singer, who recently spoke at a Microsoft Virtual Security Summit recorded at the company’s Redmond campus. That’s more than the national income of most countries.
Singer describes the state of cybersecurity today as both a blessing and a curse. He says the “blessing of the digital age” has brought a world of opportunities to half of the world’s population, but it has also created “cyberanxiety” over vulnerable targets.
If any good can come out of “hacktivism” — the breaching of a computer system for a politically or socially motivated purpose — it’s that the movement has created a fast-growing security industry that is predicted to generate $170 billion in revenue by 2020, says Singer, the co-author of Cybersecurity & Cyberwar: What Everyone Needs to Know. In his book, he points out the scale of the threats:
- 97 percent of Fortune 500 companies have been hacked — and the other 3 percent likely have been, too, but just don’t know it yet.
- 500 new pieces of malware — malicious software designed to cause harm — are discovered every minute.
“As real life and online become indistinguishable from each other, cybercrime has become part of our daily lives,” says a 2016 Symantec Corporation security report. “Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyberthreats.”
The more technology becomes ingrained in our everyday lives, the more cybercrime develops.
“Cybersecurity is a board-level issue that everyone is talking about,” Pete Boden, partner director of C+E Security Infrastructure Services at Microsoft, said at a recent forum on cybercrime. He says most of his time is spent on detecting and protecting against cyberattacks. Most days, he’s “part police officer, part fireman, part judge and part emergency doctor.”
One of the best defenses, Boden says, is to keep your computer clean. In other words, make sure every computer has updated software, is in good working condition and is well protected from malware.
“Ninety percent of our attacks are [due to] basic vulnerabilities,” Boden says. “Protection goes beyond technology. Good hygiene is crucial. We wouldn’t forgo brushing our teeth for a month.”
Recent cyberattacks on Sony Pictures Entertainment, Target and Home Depot catapulted cybersecurity into the national consciousness and forced business leaders to rethink their strategies in defending and protecting infrastructure, networks and systems. The hacking of email files of the Democratic National Committee only underscored the threat.
Companies with 500 to 2,500 employees and local governments are especially fertile ground for cybercriminals looking to exploit unsuspecting organizations that have valuable data to steal and much more to lose, according to Florida-based Threat Track Security.
“Hackers think local government is an easy target,” Linda Gerull, director of information technology for Pierce County, said at the cybercrime forum.
David Shaw, CEO of Global Business Analysis, a Gig Harbor cybersecurity firm, agrees, warning business leaders and city officials that cyberthreats are becoming more sophisticated and widespread. “It’s a [100 percent] probability that you will be breached,” he asserts.
Businesses and households with computers face a slew of cybersecurity challenges that can cripple office operations and disrupt daily lives. Today’s cybercriminals don’t fit the stereotype of teenagers wearing hoodies. They are sophisticated, transnational, black-market specialists who prey on businesses and individuals, stealing intellectual property and financial information.
“They come in all sorts of shapes and sizes,” says Singer, a strategist at New America Foundation, a Washington, D.C., think tank. “They are not all teenagers living out of their parents’ basements. You never know where it’s coming from. We are all at risk.”
While the security marketplace is booming, Singer says there’s a “people gap” affecting it — 200,000 unfilled jobs in the United States and a million worldwide. “There’s just not enough talent to go around,” he notes.
In the next three years, the demand for security talent is expected to grow by 2.5 million, but the supply only by 1 million, leaving a gap of 1.5 million, according to Experis, a Wisconsin-based staffing and recruiting firm with offices in Bellevue. “Companies need to get ahead of this trend and start thinking more about development and how they will resource their growing talent needs going forward,” says Sean Costello, senior North America vice president of Experis, which recently released the report, Protecting Your Organization in a Talent Scarce Market.
This shortage has led to universities, local governments and companies offering more classes and training programs in cybersecurity. The University of Washington–Tacoma, for example, created a Center for Information Assurance and Cybersecurity. Columbia Basin College in Pasco and Richland-based Pacific Northwest National Laboratory (PNNL) teamed up to offer a Cybersecurity Bachelor of Applied Science Program. And more than a dozen colleges and universities in the state, including community colleges in Lakewood, Auburn, Lynnwood, Seattle, Des Moines and Spokane, have programs related to cybersecurity training.
There’s even a cybersecurity summer camp for children in Pasco. In June, Columbia Basin College and PNNL offered the free “Cyber Patriots” camp for kids ages 7-12. It featured presentations on ethics, online safety and cybersecurity career opportunities.
A shortage of security labor also has led to the creation of more than 100 military cybercommands around the world, including Jeffries’ Air National Guard unit in Washington state. They comprise military and citizen soldiers helping to thwart cybersecurity incursions that President Obama has said “pose some of the most serious economic and national security challenges of the 21st Century.”
Jeffries says his role at Microsoft enables him to be more effective in his cybersecurity role with the Air National Guard. “This is a real benefit we realize in the National Guard for these units,” he says. “We train airmen and soldiers in cybersecurity to perform our cyber defense missions in the military department, and at the same time regional companies are able to hire those same airmen and soldiers as technical employees and leverage that training to protect their companies.”
The model also works in reverse, in that the Air National Guard benefits from those airmen and soldiers working in technical civilian careers with high-tech companies in the region.
Jeffries’ unit, which includes employees of Microsoft, Google and Amazon, conducted a study last year on the control system used by the Snohomish County Public Utility District (PUD). It was the first time the airmen carried out a threat assessment for a local government agency, and it helped the PUD strengthen its security.
Today, four Washington Air National Guard units are used in a cybersecurity capacity and can be deployed in “red team” exercises to evaluate the strengths of the state’s digital networks and the effectiveness of existing cyber emergency plans.
Earlier this year, the squadron caught the attention of U.S. Defense Secretary Ash Carter when he visited Joint Base Lewis-McChord in Tacoma. He described Jeffries’ unit as being “famous throughout the country” for several high-profile vulnerability assessments. “It brings in the high-tech sector in a very direct way to the mission of protecting the country,” Carter told reporters. “And we’re absolutely going to do more of it.”
In 2012, the state launched a “bottom-up” cybersecurity program to prepare for any type of major cyber incident. “We are the world’s center for digital commerce,” Governor Jay Inslee said at the Governor’s Summit on Cybersecurity and Privacy earlier this year. “We know that in this digital era, good cybersecurity is essential to the continuity of global commerce and to a thriving economy.
In April, Inslee signed into law a measure that makes it a crime to commit various types of internet-based data theft. The Washington Cybercrime Act identifies electronic data interference, theft and tampering as first- and second-degree crimes. This allows law enforcement and prosecutors to keep pace with new types of criminal activity.
The new law came on the heels of the creation of a state Office of Cyber Security and an Office of Privacy and Data Protection — the latter being a partnership between Washington state and the U.S. Department of Homeland Security to strengthen critical infrastructure and government services.
“Here in Washington state, we have a special responsibility to get this right,” Inslee said. “In a world where more and more personal data has moved into electronic format and [is] stored on electronic networks, we need to make the right investments in both smart security and in smart people to safeguard the personal data that is entrusted to us.”
Microsoft exevutive Chas Jeffries is a colonel in the Washington Air National Guard, commanding the 252nd Cyberspace Operations Group, one of the first such units in the United States.