Earlier this year, the Tampa Bay region landed in the national spotlight when a hacker infiltrated the city of Oldsmar’s water treatment system.
Now, the statewide cybersecurity education and outreach center housed at the University of South Florida campus wants Tampa Bay, and more broadly the state of Florida, to establish itself on the national stage as a leader in the cybersecurity field.
The Florida Center for Cybersecurity, or Cyber Florida, was created in 2014 with a mission to work with the 12 institutions in Florida’s State University System to advance education programs and academic research. In the last 12 months, it has focused on ramping up those efforts.
“Up until last year, the focus has been primarily getting the USF program, as a start up, on its feet,” says Cyber Florida Staff Director Ron Sanders. “When USF President Currall (Steven C. Currall) hired Mike (J. Michael McConnell) as executive director to take Cyber Florida to the next level and focus on engaging and involving all 12 SUS schools.”
In fact, Cyber Florida programs and initiatives now begin with students starting in kindergarten and go all the way through an online certificate program for adults looking to enter the field.
Cyber Florida is also using its voice to spotlight the need for more federal and state support to help local communities protect key infrastructure from cyber threats. In an op-ed piece published at the beginning of the recent legislative session in Tallahassee, McConnell, Cyber Florida’s Executive Director and the former director of the National Security Agency, described the cyberattack on Oldsmar as a “wake-up call” and urged lawmakers to support cybersecurity funding requests in Gov. Ron DeSantis’ budget proposal and policy changes proposed by a Florida Cybersecurity Task Force that convened for a yearlong period. In his column, McConnell noted that the Oldmar hack ,while thankfully unsophisticated and ultimately unsuccessful, “underscores once again how dependent we’ve become on information technology to deliver public services … and how vulnerable we’ve become as a result.”
An even more jarring reminder of that dependence and vulnerability impacted millions along the east coast in May.
Exposing a real threat
A similar chain of events often follows a major cyberattack or data breach. An initial round of alarm and intense media attention, the event eventually fades from public discussion until the next big one comes along.
But the Russian malware attack through the SolarWinds software system, which even infiltrated the federal Cybersecurity and Infrastructure Security Agency, the Oldsmar water system hack, and then the May cyberattack on the Colonial Pipeline, the largest oil pipeline in the country, have kept the significant cyber threats that exist against corporations, government, and key utilities and infrastructure in front of the public’s attention and concern.
Cyber Florida Chief Technology Officer Tony UrbanovichOfficials with Cyber Florida and local experts in Tampa Bay’s growing cyber security sector say the sense of alarm is legitimate and the solutions have to include improved frontline defenses against cyberattacks, increased state and federal support for utilities, particularly smaller ones like Oldsmar, and a focus on education and workforce training to address the country’s shortage of cybersecurity professionals.
“These threats are real and they have the potential to cause great harm to critical infrastructure,” says Cyber Florida Chief Technology Officer Tony Urbanovich. “Local utilities and municipalities such as Oldsmar are especially vulnerable because they don’t have the technical resources, expertise or funding to support cybersecurity. Their technical expertise is focused on their core service-providing customers with water or electricity.”
James McQuiggan, a security awareness advocate at Clearwater-based global cybersecurity firm KnowBe4Critical infrastructure such as a water system, fuel pipeline or electric grid are particularly attractive targets for bad actors, says James McQuiggan, a security awareness advocate at Clearwater-based global cybersecurity firm KnowBe4. The ability to control or shut down a system we rely on for necessities such as gasoline, electricity, or water grabs attention and has the ability to wreak havoc on society, says McQuiggan, who also is a professor teaching cybersecurity at Valencia College in Orlando.
That ability to wreak havoc was on display with the Colonial Pipeline hack, which led to panic buying at the pump and gas shortages in many places.
Simon Ou, a professor of Computer Science and Engineering at USF, researches the topic of cyber physical system security, which focuses on the systems used to monitor and control water treatment plants, power plants, manufacturing facilities, and other types of industrial uses.
Simon Ou, a professor of Computer Science and Engineering at USFOu says many of these computer systems date back decades, before widespread use of the internet, and have not been updated with appropriate security measures and applications. They often use a mix of different hardware components and a collection of different software systems, which means nearly every component can be a contributing factor in a cyber attack.
“These systems tend to be very vulnerable because when they were built, they did not have this cybersecurity threat in mind,” Ou says. “The challenge here is it is costly to update or replace these systems.”
Frontline responses to the threat
McQuiggan says multi-factor authentication is a key line of defense to protect against a cyberattack. He uses the analogy of a medieval castle, where the king and queen are protected by multiple layers of defense such as a drawbridge, a moat, and the castle wall.
Urbanovich, who previously worked in the cybersecurity field in the military, at the national security level and the private sector, says his current role with Cyber Florida has him speaking routinely with local government officials about the need to practice good “cyber hygiene.”
That includes a firewall, strong, updated passwords, limited access, regular updates to computer applications and software systems and a routine cybersecurity assessment.
“Small organizations and local governments need funding and skills to mitigate these risks,” Urbanovich says. “That’s where the federal and state governments need to step in and help.”
With debate and discussion ongoing in Washington D.C. over a massive investment to fix and modernize the country’s aging infrastructure, Urbanovich says cyber infrastructure needs to be part of the plan.
Moving in the right direction
While there is much more work to be done, Sanders says some positive steps this year in Tallahassee included legislative approval of $30 million to upgrade state agencies’ cybersecurity and protect state data. Policywise, the Legislature approved recommendations of the prior Florida Cyber Security Task Force, including the establishment of the Florida Digital Service within the Department of Management Services to address cyber threats and increase cybersecurity training and resources at state agencies. The Legislature has also established a Florida Cybersecurity Task Force to provide expertise on how to tackle cyber threats.
Seeking to address the issue on the local level, the Florida League of Cities and Florida Association of Counties had sought $5 million in last year’s session to help municipal governments improve their defenses against cyberthreats. The funding did not come that year. In his column at the start of this year’s legislative session, McConnell, the executive director of Cyber Florida, says he expects the request to return in 2022.
At the federal level, President Joe Biden has nominated an NSA veteran, Chris Inglis, as the nation’s first cyber director, a position intended to better coordinate and organize the efforts to protect against cyber threats that are scattered across several federal agencies.
Cyber Florida’s plans
Right now, the country has more than 500,000 unfilled cybersecurity jobs. Cyber Florida is taking a big picture, multifaceted approach to help fill that gap. Support for the state’s universities includes grant funding for academic research and some innovative partnerships to grow the field. Sanders says those include working with the University of West Florida on a cyber workforce training program for members of the military and working with the University of Central Florida and Mohawk Valley Community College in New York on a regional and national competition for college “cyber ninjas.”
Cyber Florida is also working with the State University System Board of Governors to better identify the full array of majors that are producing workers for the cybersecurity field. He says that review previously focused on only the cybersecurity major. Sanders says expanding it can help draw firms to Florida by showing them there is talent here to fill jobs.
Educating and training the next generation of cyber citizens and cyber professionals is another focus area. He says that includes organizing cyber camps for elementary students, working with school districts to develop cybersecurity curriculums as well as educational programs to help spot misinformation online.
“We have a whole inventory of things to get at kids in the K-12 space,” Sanders says. “It is among our highest priorities.”
For more information, visit USF’s Cybersecurity, Computer Science and Engineering, or online academic programs.