In cybersecurity, change is the constant — and 2017 has brought plenty of change to the industry in Colorado Springs.
The National Cybersecurity Center, the first National Cyber Symposium, the launch of Exponential Impact, ever-evolving cyber threats, and the looming NIST SP 800-171 compliance deadline gave businesses a good deal to adjust to this year.
National Cybersecurity Center
The NCC started the year with Ed Rios at the helm as CEO, and former Colorado Springs Business Journal publisher Jenifer Furda came on board as COO Feb. 24.
Rios resigned Aug. 29 “to devote more time to his business interests,” according to a release from the NCC, and Vance Brown, co-founder and executive chairman of Springs-based Cherwell Software, assumed the interim CEO position. Furda left to join Kaiser Permanente as program manager of external customer relations Nov. 27.
In the latter part of the year, the NCC has redefined itself as a think tank/institute, focused on building an ecosystem of cybersecurity job creation, workforce development and public policy. Its board adopted a new strategic plan Dec. 5. Artificial intelligence and blockchain technology are now central areas of focus.
It marked a shift from the NCC’s original model, which included a center offering emergency help for businesses after cybersecurity breaches, along with a research and training center.
“For us now it’s about each of the elements or pillars of the ecosystem — who all can get involved and be part of that, who should we invite in and who should we recruit,” Brown said.
In mid-January, the NCC will make the long-awaited move from temporary quarters on Austin Bluffs Parkway into new offices at its 150,000-square-foot facility on North Nevada Avenue.
“We’re just going to have our offices there — there’s nothing else there yet,” Brown said. “But one day the whole thing will be a cyber community center.”
The facility will host training and educational events and will eventually house a cyber lab, a cyber range for educational activities and the Exponential Impact accelerator.
Exponential Impact started taking shape in August, aiming to recruit entrepreneurs to the city and boost cyber economic development.
The nonprofit security tech accelerator was founded by Vance Brown — before he became the NCC’s interim CEO — and his wife Betsy.
Hannah Parsons became CEO of Exponential Impact on Dec. 1, leaving her position as chief economic development officer at the Colorado Springs Chamber & EDC.
Applications for the accelerator’s first cohort also went live Dec. 1 and will continue through the end of January, with the first cohort planned for the spring.
According to Exponential Impact’s website, the accelerator has “committed to support the efforts of the National Cybersecurity Center.”
And it’s establishing a unique structure: The nonprofit accelerator will operate alongside a separate for-profit investment fund that will provide seed funding for startups coming through the program, in exchange for equity. As the startups grow and the for-profit fund makes money on those investments, about 10 percent to 20 percent of the earnings will be returned to Exponential Impact to support operations for investment and job creation.
“We know that’s something that will take time to build, but we’re confident the long-term sustainability of this will be very strong,” Parsons said. “The thing we’ve been missing to really take our entrepreneurial community to the next level has been that commitment of seed funding.”
Exponential Impact is focusing on cybersecurity, artificial intelligence and blockchain technologies — and on encouraging startups to stay in the Springs.
“Exponential Impact is the lead institution for the job creation [element of the NCC’s cyber ecosystem] and the reason is they’re focused on security technologies and bringing in those kind of entrepreneurs, and they’re focused on keeping them here,” Brown said last week. “There’s no other accelerator I know of that cares where you live. We’re trying to incentivize and embrace and keep them here, and help them be successful.”
Once the accelerator’s nonprofit status is finalized, the goal for 2018 is to secure “around $750,000-$1 million in combined contributions and grants, for us to run the program incredibly well,” Parsons said, “but if we don’t hit that, we’ll run lean and mean.”
National Cyber Symposium
The inaugural National Cyber Symposium was the jewel in the crown of the NCC’s year. It drew hundreds of tech experts to The Broadmoor hotel Nov. 1-3, where former CIA Director Gen. (Ret.) David Petraeus and Gov. John Hickenlooper delivered the keynote address.
The landmark event focused on bringing together industry, government, military, startups, educational institutions and think tanks to create a cybersecurity and innovation ecosystem.
“I’m incredibly proud of what we’ve accomplished in a very short time,” Brown said near the end of the event, “and I’m ecstatic about what we can do in the future to make it way better.”
Brown said the event had a 95 percent satisfaction rating and 97 percent of attendees would recommend it next year. Looking ahead, he said the NCC hopes to grow the event “to be like the Space Symposium — it’s a phenomenal model of what we need to have in the [National] Cyber Symposium.”
The second National Cyber Symposium is slated for October 2018.
The Business Journal drew attention to numerous cybersecurity threats throughout the year, but Qualtek Manufacturing president Christopher Fagnant put a human face on the dangers facing Springs businesses.
Qualtek was hit by a ransomware attack Aug. 31 and the company faced chaos while it scrambled, with the help of five other organizations, to pay a $4,850 ransom, secure its systems and get back to work.
In October, Fagnant took the unusual step of talking publicly about the cybersecurity nightmare, so other Springs companies could avoid the same ordeal.
He told the Business Journal the hackers held half a year’s worth of data hostage, along with everything else on Qualtek’s server: digital work instructions, accounting software, email, and the manufacturer’s material requirements planning system, which included order entry, invoicing, work order generation, shipping and documentation.
“I don’t want to keep my mouth shut because I don’t want it to happen to somebody else,” he said at the time.
The cost of recovering from the ransomware attack: $45,000-$50,000. Qualtek, which had secured cyber liability insurance a couple of months before it was hit, paid only a $10,000 deductible.
After the story published, “I had probably nine or 10 folks email me directly after they read [the] article in the CSBJ — more than past articles either about Qualtek or written by me,” Fagnant said. “[They were] very appreciative of us sharing the experience.”
NIST SP 800-171
The deadline for complying with National Institute of Standards and Technology Special Publication 800-171 looms large for companies in the Springs — but many haven’t started working on the requirements soon enough.
In September, the Business Journal covered NIST SP 800-171, a set of 110 cybersecurity controls and reporting standards mandated by the Defense Federal Acquisition Regulations System — and reported that companies doing business with the Department of Defense must comply with NIST SP 800-171 by Dec. 31 or face losing their contracts.
Experts warned that small businesses in particular could struggle to meet the standards.
At the time, Bob Reehoorn, COO of Springs-based advanced data analytics firm ISSAC Corp., said NIST SP 800-171 presented “immense fiscal challenges.” Local startup Sudolynx Inc. planned to launch a turnkey cybersecurity-as-a-service solution to ease the burden on DoD contractors and subcontractors.
Sudolynx CEO Greg Roman said the LynxLocker integrated suite of tools was designed to allow businesses to comply with all 110 controls quickly, for about a quarter of the cost of a do-it-yourself solution. It became fully operational Oct. 1.
LynxLocker now has three clients, Roman said, and expects to sign three more before the end of December.
“It’s a little slower than we had anticipated because companies are still trying to sort through the best way to do it — and I get it, because there’s so many people out there that are offering to help you with your solution, and trying to wade through all that and apply your scarce resources to the most effective solution, it’s a challenge,” he said.
“There’s been a lot of pressure from small business associations to their congressmen as well as to the DoD to try to relieve some of the pressure, and the government is saying ‘Hey, we’re trying to work with you, but the deadline is still the deadline. You’re still going to have to have a plan in place.’
“Most small businesses in Colorado Springs will not be compliant by Jan. 1,” Roman added in an email. “If they start now to build their own solution, it’s going to take six months.
“There is uncertainty about what really is going to happen, but if the Defense Department enforces their minimum standards of compliance, this will put the majority of companies at risk from bidding on government work.”