By ANJANA SCHROEDER
Capital News Service
LANSING – A state cyber initiative is incorporating the Michigan Cyber Range – a virtual training program – to prepare technical staff, technology professionals and university students for team combat against a cyber-attack, in a real world setting.
According to Dan Lohrmann, chief security officer for the state, a cyber range is a variety of tests on security equipment used in training. “Critical areas that will benefit from the Michigan Cyber Range include infrastructure defense, Homeland Security, criminal justice and law enforcement, academic and educational programs, and small and medium businesses,” he said.
The training, run through Merit Network, based in Ann Arbor, prepares trainees to identify, prevent, and thwart cyber-attacks on vital infrastructure such as power grids and hospitals or personal identities and finances.
Lohrmann said the Range is very advanced technical training for technical and cyber teams on the latest techniques and advanced capabilities to stop aggressive attacks against cyber networks. However, he said, “We also need to train the 50,000 state employees, county employees, businesses, etc. because everyone has a role in this and not everybody will be trained at the Cyber Range.
“I’m not aware or seen a major breach in Michigan for the seven years of being the chief information security officer for the state,” he said.
Lohrmann said Cyber Range training is preventive, designed to be proactive measures against situations Michigan has seen in other state governments. In South Carolina, a foreign hacker broke into the database and its tax system compromised more than 3.6 million citizen data records.
Joe Adams, Merit’s executive director of research and cyber security, said cyber attacks are a growing threat with the concern that these attacks can lead to significant financial and data loss.
The Cyber Range provides access to training content wherever the user is, Adams said, and “when the state wants to hold cyber training, we can put that on the range and then connect one of their classrooms or conference rooms.”
He said, “Training is definitely needed so that people understand what they’re doing and how they need to use the tools they’re given.”
Adams said state departments choose employees to be trained and decide the length of the training.
Kurt Weiss, public information director for the Department of Technology, Management and Budget, said the cost will be assumed by those who take the training but there is no set cost for a student to take the training.
According to Lohrmann the cost of the Cyber Range and training is not being paid for by the state but through grants, including $200,000 from FEMA, and the private sector.
“There will be a review process for participants in the training but they don’t want to get into the details of this process because they don’t want hackers to know exactly what they’re doing or planning for,” Weiss said.
“We use the Cyber Range as a partnership with areas of critical infrastructure like roads, water, food, gas or oil – they all have components of cybersecurity.”
The State Police is a Cyber Range partner. Gene Kapp, the assistant director for emergency management and homeland security, said, “One example of the partnership is through the state police Cyber Command Center where we gather information on attacks, methods, trends, not just in the state but across the nation.”
The Cyber Command Center is overseen by the state police working with the FBI and the Department of Homeland Security, Kapp said.
He added, “There isn’t a specific area of cybersecurity that the state police is looking into but it sees cyber crime as an up-and-coming issue that we have to deal with so we’re partnering with Merit to see how we best thwart crime in the cyber world.”
Kapp gave the example of a Michigan teenager getting bullied over the Internet with the criminal based in Missouri. “The state police partner with the FBI to investigate that case and possibly bring charges through the FBI and not necessarily through the state police. The internet and cyber crime is so far reaching that it gives us the challenge of also having to look at jurisdictions.”
Adams said, “In order to maintain a technical certification, such as a Certified Information Systems Security Professional (CISSP) certification, you have to get a certain number of continuing education credits every year.”
A CISSP certification is the credential for professionals who develop policies and procedures in information security, according to experts.
The range will provide enough training so that employees can take the exam. The company will help them maintain that certification over the years, he added.
Adams said the state has a two-year contract with Merit and the nature and cost of the training is still being worked out, depending on the number, duration and type of training the state wants.
Kapp said it’s also important and beneficial for the state police to connect with emergency managers for local counties. “They have information that we can share back and forth and if we can help counties better protect their systems and infrastructures; it will only make us stronger as a state.
Adams said, “Michigan has a ready pool of infrastructure and manufacturing expertise and the state is trying to leverage those workers, get them trained in cybersecurity and hopefully continue building an industry here in Michigan.
Lohrmann said businesses and citizens can use the Range and actually try cybersecurity measures out and see how they perform – does it stop malware, viruses and attacks like advertised? It will provide a different environment to test these practices.
Michigan already has an industry in cybersecurity with Duo Networks, Arbor Networks and Secure 24 among a long list of companies already in this industry, Lohrmann said, “I foresee other states sending their people to Michigan for training.”
Adams said the health care industry is an example of how cybersecurity training would be highly beneficial because it’s “a highly regulated industry, especially when it comes to medical records and electronic transfers. When you walk into a doctor’s office and see scanning machines and see that records are completely digitized, to people like me, it is all a target for a cyber attack.”
In the health care industry, system and network administrators as well as people in charge of records management would take the training. Adams said the best training involves teams playing against each other and seeing how to attack and defend.
By ANJANA SCHROEDER