Sometimes, the arc of an entrepreneur’s startup concept dovetails unexpectedly with the headlines. Mike Crandall saw this happen to an extent during his Air Force service, but even more so with Digital Beachhead, the risk assessment and security company he founded in 2015.
In December 2020, commercial firms, government agencies and prime contractors were caught off-guard by the discovery of a cyber breach, allegedly perpetrated by the Russian hacker outfit Cozy Bear. The exceptionally complex supply chain attack saw the hackers insert malicious code into the commercial software application made by security monitoring developer SolarWinds, which created a backdoor into customers’ IT systems.
In April, a catastrophic ransomware attack on Colonial Pipeline abruptly shut down its 5,550-mile gas network and sent prices and demand for fuel skyrocketing across the East Coast. Colonial paid almost $5 million in ransom — a figure described as “very low” for a pipeline, but one that nonetheless made many companies realize that ransomware attacks loom as a future cost of doing business.
As CEO of Digital Beachhead, Crandall hopes his company’s risk assessment services will keep more companies from having to pay exorbitant sums to cybercriminals in order to keep IT systems (as well as embedded systems like pipelines) up and running.
Crandall’s career in both the military and civilian worlds is long and storied, but he’s not one of those extreme geeks that built his own computer before the advent of DOS and MacOS. He learned a smattering of FORTRAN and DOS programming early in college, but never owned a home computer before joining the Air Force in 1990, where he initially worked on the message-passing network known as AUTODIN. In those pre-PC days, security specialists tried to claim they could provide message security through hard-disk partitioning alone, and Crandall showed his commanding officers how a network could be brought down with a simple Control-C command. He was almost reprimanded until higher-ups realized his skills might be put to use.
Crandall spent 12 years in Europe, first stationed at Aviano Air Base in Italy, where he was put in charge of a small computer shop, then mostly devoted to Novell networking software and Thinnet cabling for Ethernet networking. By the end of his time in Europe, Crandall had graduated to multiple-base Combat Information Systems, and was learning more modern client-server systems based on Linux servers. His most important work was in describing the “Barrier Reef” system of defined Demilitarized Zones, or DMZs, within larger computer networks. The Barrier Reef project defined a two-router architecture to allow military base networks to connect to the Internet at large, which helped identify some of the early uses of network firewalls. Crandall also helped design the first Network Security Operations Center at Ramstein Air Force Base in Germany.
Crandall was transferred to Schriever Air Force Base in 2002, where he was tasked with managing operations and security for the Satellite Control Network under the 50th Space Wing. For six years in a row, from 2005 to 2010, Crandall was named Information Assurance Professional of the Year for the 50th Space Wing, and took a similar award in 2005 for the Air Force Space Command as a whole.
After retiring from the Air Force in 2010, Crandall spent five years watching the companies he worked with get acquired or merge, until he decided to try his hand at a startup, using “digital beachhead” — a term he’d coined in 2005 to describe a beachhead without a specific geographic or hardware-based point of presence, a defense that can be present wherever a computer network exists.
Crandall spoke with the Business Journal about building his business, and the evolving challenges of network security and the future of ransomware.
It seems like your background gave you wider views on end-to-end security than a network specialist coming from a strict PC or Mac client-server world.
Yeah, the years studying FORTRAN weren’t a waste, they gave me insight into older thinking from the mainframe and minicomputer worlds. And those first assignments in the Air Force, working on aging systems like AUTODIN, those were an eye-opener. When we got to work in ad-hoc labs with networked PCs or server farms, that was seen as way beyond where the Air Force was at the time. Even in the 21st century, in my early days at Schriever, there were a lot of people thinking that standalone networks were safe — that physically isolating a network provided all the security you needed.
The broader education came not just from the technology; I got to serve under people that played critical roles in rethinking network security. Lt. Gen. [Robert] Skinner, he’s head of the Defense Information Systems Agency now. He was commander of the network operations group at Schriever while I was there, and was responsible for implementing the 8570 rules that formalized the information assurance certification methods from 2005 on. He later went on to be deputy commander of Air Force Cyber at Fort Meade, before heading up DISA. When you work with people like that, you can see information security thinking advance right before your eyes.
Let’s back up to the early days of Barrier Reef. How did this project first get rolling?
We had our own little project going on at RAF [U.K. Royal Air Force base] Croughton, and our then-commander Col. Meyerrose tasked us with “beating” a team at Barksdale AFB in Louisiana that was supposed to be in charge. In truth, we did work with them on more than one occasion and passed our work product back and forth. We at RAF Croughton, though, were the first to implement a live version of the Barrier Reef concept. We had a Cisco PIX as an early firewall, and we would use specific scripts to identify people using networks inappropriately, which led to all kinds of interesting false positives. For example, we defined “XXX” as people potentially using secure nodes for porn, but that was the year of Super Bowl 30, so needless to say, there were plenty of XXX references out there.
Once you left the Air Force, it wasn’t a simple issue of going to one contractor and then deciding to do a startup?
Oh, I got caught up in rounds of fish swallowing littler fish on the way. After I left the military in 2010, I took friends’ advice to take a month off and get my resume out there. When that didn’t pan out, I was doing some work with CIBER Inc.’s federal division on Space Command information assurance. Then CIBER hired me on as director of operations just as CRGT of Reston, Virginia was about to take them over. I made the cut to stick with CRGT, but then Salient in turn bought CRGT in 2015. When I looked at where I might fit in the Salient org chart, there was a spousal team right in the middle of where I might be, so I could see the handwriting on the wall.
I had some service-related disabilities dating back to 2008 from a NATO billet in Afghanistan, and an ill-fated trip in an Isuzu Trooper-2. A friend mentioned the VA program as something that could help with a startup — great idea, but it never ended up being necessary. Prior to incorporating, I started asking questions in my contractor job to learn how to develop pricing models for something as tough to define as information assurance models.
Did your initial business plan specify how much work might be for federal agencies and contractors, vs. how much work with commercial companies and civilian agencies?
We had to decide on a certain number of seats for both, while preserving a lot of leeway on a definition of services. We didn’t want to just be a “trusted partner.” We’ve been defining some new types of configured definitions. When we work with managed service providers, for example, we offer something called the Virtual Chief Information Security Provider Service, so they get the same predictable services as if they had hired a CISO. So in the first three years, the business was all federal or federal-related. Commercial began picking up in 2018, and in the last 18 months, the commercial side has just expanded exponentially.
Because of the existence of the National Cybersecurity Center in Colorado Springs, we think there’d be a big opportunity for this area to be a center of excellence, and for large companies and agencies to act as test beds. Take Colorado Springs Utilities — they have a great internal security team, but we see them as being a great potential test bed as well.
What kind of impact did the pandemic have?
There certainly was no lack of interest out there, but during the height of the pandemic, the IT teams inside most companies were too busy bailing water to think about security risk assessments. Of course, everyone knew the dangers of remote Zoom meetings, and the shifting nature of virtual private networks, but they had to race to stay in business in many cases.
What have SolarWinds and the Colonial ransomware attack done to customers’ understanding of their own network risks?
For SolarWinds, we are just beginning to understand that we will be living with the impacts for years to come — and I do mean years. We don’t know what was hit for how long before the penetration was uncovered, and the federal taskforce looking at this is just beginning to understand how an intrusion could impact all kinds of cloud services, not just the companies and agencies directly in the line of fire.
We’ve talked before about how many hospitals and municipal agencies around the country are being hit by outrageous ransomware demands, but think about how much worse this could get given the expansion of the Internet of Things. Pipelines, transmission lines, water and sewer systems, all could be brought down. Suddenly you have to think about not only your children and their friends being on your secure network, but even your refrigerator!
We have this joke about creating a rock band for an information campaign with a song called “Just One Click.” A single click at the wrong place or time could open up an otherwise secure network to malware and all varieties of security-compromising events. The threats can come from any number of international crime networks, or even from other nation states. The one certainty for our own team in all this is that Digital Beachhead won’t be lacking for any business in the near future.