Foreign actors have stepped up efforts to access sensitive data and control systems across the United States via the Internet. To help keep the nation on its toes, a small company is quietly providing tech support to businesses and the US government from right here in Mount Airy.
Vigilant Cyber Systems, Inc. (VCS) was founded in 2010 by Michael Shields. VCS is a cybersecurity company that focuses on penetration testing and vulnerability assessments for the Department of Defense and commercial customers. Penetration testing helps companies determine where they are most likely to face an attack and shore up those weaknesses.
When not serving large government accounts, VCS works with several energy and marine companies and bids for jobs related to traffic and water systems with local municipalities.
The aspirant remains on his guard
Shields became a submariner after graduating from the US Naval Academy in Annapolis. After retiring from active service, he took up research and a chair at the Naval Postgraduate School in California before becoming a consultant for the Defense Advanced Research Projects Agency, or DARPA.
DARPA was born out of the Cold War. After the launch of Sputnik in 1957, Uncle Sam felt the egg on his face after being beaten into space by the Soviets. “From this point on, (the United States) would be the initiator and not the victim of strategic technological surprises,” as DARPA describes on its website.
Pioneers and thinkers from across the country, in different areas of expertise, work together as an interlocking ecosystem of diverse collaborators to drive big shifts in innovation. The miniaturization of global positioning systems down to sizes suitable for portable devices, automated voice recognition and language translation, and the internet itself all owe something to DARPA.
Using skills developed in the armed forces and while supporting the Department of Defense, VCS has worked behind the scenes on innovations the general public may never hear about. Having a good idea is part of the equation, although it often takes money to bring those ideas to fruition.
Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) were developed with this in mind. Both are competitive programs that encourage small businesses to engage in federal research and development with commercialization potential.
SBIR Phase I studies establish the technical merit and feasibility of the proposal. In Phase II, funding is based on the results obtained in Phase I, the scientific merit and the commercial potential of the project. Getting to Phase III is the end goal, and where federal and state aid typically ends, because that’s where the project has achieved viability for commercial development.
STTR is the sister program with similar goals, but the small business is required to partner with a sanctioned nonprofit research institution. SBIR and STTR are federally funded, and North Carolina is one of the few states to partially match funds to maximize the impact of federal dollars.
The state has assisted VCS with its Phase I grant application on several different projects. “VCS was successful in winning ten Phase I grants,” Dustin Heath said of their grant submission success. “They range from $80,000 to $200,000 each and then turn those into Phase II grants that are more in the range of $750,000 to $1.2M each.”
“We make about $2 million in revenue every year between testing and R&D contracts,” he continued before running into the limits of classification. “The information shown on our website is roughly what we are permitted to share due to confidentiality agreements with the Department of Defense.”
The average federal grant awarded to VCS was $149,900 with a state match of $50,000. Yadkinville’s Nano Tech Labs is the only other company in this field to receive an SBIR grant.
Funding sources for these grants include the Department of Energy, Army, Navy, Air Force, and National Institutes of Health.
Titles of VCS grant applications may sound like they come straight out of science fiction. For example, the “Warfighter Health Dashboard” is an Android application designed to allow fighters and medics to quickly and accurately assess health status.
Hopefully never needed, the Electromagnetic Disturbance Recovery Time Toolkit is used by test engineers to determine recovery time from an electromagnetic pulse.
Cybercrime, the pain of the real world
The majority of corporate espionage is done through simple attacks. Low-level probing attempts to obtain personal information, such as a date of birth, are widely known. While hacks of this nature are annoying and can cause problems, they pale in comparison to high-profile corporate hacks such as Colonial Pipeline in 2021, even though they come from similar places.
In the Colonial example, the hackers entered the corporate networks on April 29 through a virtual private network account. This network allowed employees to remotely access the corporate computer network from another device, so they could work in the field or at home.
The calamity ensued because the private network account was not using multi-factor authentication, now a common cybersecurity tool. Multi-factor authentication may be more familiar as the code sent to your phone or email that you need to enter on a website. By entering it, you provide a second verification of your identity to prove that you are authorized for access.
The Colonial hackers were able to break into the network using a compromised username and password. It turns out that the hundreds of friendly suggestions to change and not reuse the same password can be ignored by almost anyone.
“We did a pretty extensive search of the environment to try to figure out how they actually got those credentials,” Charles Carmakal of cybersecurity firm Mandiant said in an interview. The account password was found among a group of leaked passwords; the unidentified employee used the same username and password for work as for a private account that was hacked.
Colonial had to take drastic measures to limit the incursion into their systems, which meant taking everything offline. It was the first time they shut down the entire system in their 57-year history, Colonial general manager Joseph Blount said.
Colonial is a major player, transporting approximately 2.5 million barrels of fuel per day from the Gulf Coast to the East Coast. The outage led to long queues at gas stations, many of which ran out, and higher fuel prices. Colonial began to return to service on May 12 after almost two weeks of inactivity.
Access to private accounts can, in the worst examples, like Colonial, cripple a business. The nightmare scenario would be the loss of satellite control systems, missile control systems, or home power grids.
Thinking it’s just a Russian problem is one-dimensional; Microsoft sounded the alarm about Iranian hackers in December. VCS works to strengthen America’s cybersecurity and develop industry-leading tools for the Department of Defense from Surry County.