Michigan is known as the Wolverine State in deference to the ornery quadruped that roams its wild country.
However, after a recent visit to Detroit, Ann Arbor and Grand Rapids as a guest of the Michigan Economic Development Corp., or MEDC, I’m prepared to rechristen Michigan the Cybersecurity Best Practices State.
Related: California’s pioneering privacy law ripples through other states
This new nickname may not roll off the tongue. But it does fit like a glove. (Michigan’s other nickname, by the way, is the Mitten State, referring to the shape of the larger of its two main peninsulas.)
I was recently privileged to be part of a group of journalists covering the 2018 North American International Cyber Summit at Detroit’s Cobo Convention Center. My reporting trip included meetings with Michigan-based cybersecurity vendors pursuing leading-edge innovations, as well as a tour of a number of thriving public-private cybersecurity incubator and training programs.
It was the latter that jumped out at me. In an age when cybersecurity intelligence sharing and collaboration is in dire need — but all too short supply — Michigan has quietly and methodically, stood up some well-thought-out programs that could – if not should – be a model for other states to follow.
I had the chance to meet briefly with two-term Gov. Rick Snyder, who is about to leave office and can point to significant strides Michigan has made ‘reinventing’ its economy under his watch. What’s noteworthy, from my perspective, is that Snyder had the foresight to make cybersecurity readiness a key component of his reinvent Michigan strategy, from day one.
Snyder says his experience as head of Gateway Computers and as an investor in tech security startups, prior to entering politics, gave him an awareness of why putting Michigan ahead of the curve, dealing with cyber threats, would be vital. “I just wanted to be proactive about it,” he told me.
Given his tech background, Snyder foresaw that any drive to revitalize and diversify Michigan’s economy could only truly work if business networks generally got a lot more secure than they were at that time.
When Snyder took office at the start of 2011, Google had just disclosed details about Operation Aurora – China’s systematic breach of dozens of marquee corporations; details were trickling out about a worm, called Stuxnet, that had corrupted the controls of Iranian nuclear plants; and the massive Target retail chain breach, which was to pivot off the overlooked third-party access of a ventilation contractor, was two years in the future.
And yet when the topic of cybersecurity readiness came up as discussion point at a working group at the National Governors Association that Snyder attended “some governors didn’t even show up because they didn’t even think it was an issue,” Snyder recalls.
Within weeks of taking office Snyder got proactive. He pulled together the Michigan Cyber Range, an unclassified, private cloud network initially set up to teach, test and train IT staff to defend their organizations’ networks. A key to this was persuading Merit Network, Ann Arbor-based nonprofit organization, to supply the infrastructure.
Merit has a fascinating heritage. Merit is an acronym for the Michigan Educational Research Information Triad. It was founded in 1966 by three state universities; Michigan, Michigan State and Wayne State, ergo the “triad.” What began as an obscure experiment to tie together mainframe computers residing on three remote campuses ultimately became a key piece of what was to become the Internet as we know it today.
Merit has endured as a cutting-edge regional network used primarily by its owners: a dozen four-year universities. Snyder approached Merit officials and asked them if they could leverage this infrastructure to provide cybersecurity training and testing services at different hubs around the state. They answered, yes.
Shoring up weak links
The first Cyber Range training and testing hub opened at Eastern Michigan University in late 2012. Other hubs followed at military bases, other state universities and even a high school and a non-profit community arts and tech center.
Related: Michigan moves to close the cybersecurity skills gap. Coming on Wednesday, Nov. 28.
“The governor saw around the curve, a bit, in terms of what was coming,” says Jeff Mason, chief executive officer of MEDC.
“This notion of needing to protect the weakest link was the impetus behind his determination to really be a leader in thinking about how to secure our IT infrastructure, whether it’s in the public or the private space,” Mason told me.
The early Cyber Range hubs were mainly used to help educate and certify military technicians and cybersecurity professionals at selected companies. But the program has steadily morphed. It is now makes general cybersecurity training and certification testing accessible to high school students, as well as underemployed adults. In 2015, construction began on a dedicated facility located a 12-acre business incubator campus, called the Velocity Collaboration Center, in Sterling Heights, a Detroit suburb.
The Velocity hub, which opened in 2016, is the collaborative output of the Merit Network, the MEDC’s Michigan Defense Center , Macomb County Department of Planning & Economic Development, the City of Sterling Heights and Oakland University. The partners designed this hub expressly for general business use. It can host training, such as capture the flag exercises, demonstrate how known hacks play out, test defensive responses and be utilized for software security testing.
Imagine if every state supported accessible, flexible training and testing facilities that served as a nerve center for training talent and helping companies implement the latest best practices.
“Michigan has developed a robust cybersecurity community focused on connecting the interests of the cyber, automotive, defense and aerospace industries,” Mason says. “Michigan’s focus has been to facilitate innovative solutions to prevent and respond to cyber threats while building a ‘cyber ecosystem’ in which both the public and private sectors work collaboratively, as seen through our Cyber Hubs around the state.”
Beyond its Cyber Range hubs, Michigan has several other notable cybersecurity readiness initiatives gaining traction and demonstrating what’s possible when business leaders, government officials and educators get on the same page.
MEDC, for instance, forged a research and development pact with the US. Army Tank Automotive Research, Development and Engineering Center, aka TARDEC, to identify economic growth potential in the state’s defense sector. This spawned cybersecurity testing of autonomous defense vehicles – research findings that ultimately will find their way into public autonomous transportation systems.
To further leverage this unprecedented partnership between a state agency and U.S. military unit, MEDC and TARDEC this summer hosted the second annual Commercial CyberTruck Challenge.
College students, U.S. military cadets, academics and IT pros convened in Southeast Michigan for two days of classroom time followed by two-days of very cool hands-on activities. Participants competed in exercises to detect improvised explosive devises targeting semi-trucks and military vehicles.
Another remarkable program is the Michigan Cyber Civilian Corps, or MiC3, an organization set up to function as a volunteer first-responder unit – in the event of a cyber incident. MiC3 recruits cybersecurity experts from government, education and private industry and then dispatches them to provide local governments, non-profits and businesses with technical assistance if and when they should sustain a cyber attack.
In 2017 a new state law took effect requiring MiC3 volunteers to undergo criminal background and FBI checks, but also provided volunteers with civil immunity if they give advice or make a decision that inadvertently causes harm.
What the long run impact of Michigan’s cybersecurity readiness initiatives will be remains to be seen. There are metrics showing positive results. For instance, Michigan ranked third for cybersecurity jobs growth potential in Business Facilities’ 13th annual ranking report, topped only by Louisiana and Utah. And some 13,160 tech jobs cropped up in 2017, third only to California and Texas.
But from what I saw, much more valuable intangible benefits have begun percolating. That includes wider sharing of intelligence and resources between public and private entities; and students and underemployed adults finding there are paths available to them to fulfilling careers filling the cybersecurity talent gap.
Good for Michigan. I truly hope this catches on.
(Editor’s note: Last Watchdog has provided consulting services to MEDC.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-michigans-cybersecurity-readiness-initiatives-provide-roadmap-others-should-follow/