Date: 2022-02-11

Foreign actors have ramped up their efforts to gain access to sensitive data and control systems across the United States via the internet. Helping the nation remain on guard, a small firm has quietly been supplying technical support to businesses and the US government from right here in Mount Airy.

Vigilant Cyber Systems, Inc. (VCS) was founded in 2010 by Michael Shields. VCS is a cybersecurity firm that focuses on penetration testing and vulnerability assessments for defense department and commercial clients. Penetration testing is used to help businesses find out where they are most likely to face an attack and shore up those weaknesses.

When not serving large government accounts, VCS works with several energy and maritime companies, and is bidding on jobs related to traffic and water systems with local municipalities.

Midshipman remains on guard

Shields was a submariner upon leaving the US Naval Academy at Annapolis. After retiring from active service, he went into research and a professorship at the Naval Postgraduate School in California, followed by a time consulting for the Defense Advanced Research Projects Agency, or DARPA.

DARPA was born of the Cold War. After Sputnik launched in 1957, Uncle Sam felt the egg on his face at having been beaten into space by the Soviets. “From that time forward, (the US) would be the initiator and not the victim of strategic technological surprises,” as DARPA describes on its website.

Pioneers and thinkers from across the country in different fields of expertise work together as an interlocking ecosystem of diverse collaborators to take big swings at innovation. Miniaturization of global positioning systems to shrink them to sizes that fit into handheld devices, automated voice recognition and language translation, and the internet itself all owe something to DARPA.

Using skill sets developed in the armed services and while in support of the defense department, VCS has been working in the background on innovations that the general public may never hear a word about. Having a great idea is one part of the equation; often, though, it takes money to bring these ideas to fruition.

A helping hand

The Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs were developed with this in mind. Both are competitive programs that encourage small businesses to engage in federal research and development with the potential for commercialization.

SBIR Phase I studies establish the technical merit and feasibility of the proposal. In Phase II, funding is based on results achieved in Phase I, the scientific merit, and commercial potential of the project. Getting to Phase III is the end goal, and where federal and state aid usually ends, for this is where the project has reached viability for commercial development.

STTR is the sister program with similar objectives, but the small business is required to partner with a sanctioned non-profit research institution. SBIR and STTR are funded by the federal government and North Carolina is one of few states to partially match funds to maximize the impact of federal dollars.

The state helped VCS with its Phase I grant application on several different projects. “VCS has been successful in winning ten Phase I grants,” Dustin Heath reported of their success in grant submission. “They range from $80,000 to $200,000 each, and then turning those into follow on Phase II grants which are more in the $750k-$1.2M each.”

“We do about $2M in revenue each year between testing and R&D contracts,” he went on to explain before reaching the limits of classification. “The information stated on our website is about as much as we’re allowed to share due to confidentiality agreements with the Department of Defense.”

The average federal grant issued to VCS was $149,900 with a state match of $50,000. Nano Tech Labs of Yadkinville is the only other company in this area to receive SBIR grant funding.

Among funding sources for those grants are the Department of Energy, Army, Navy, Air Force, and National Institutes of Health.

The titles of the VCS grant submissions may seem right out of science fiction. For example, the “Warfighter Health Dashboard” is an Android application designed to enable warfighters and medical practitioners to assess health status rapidly and accurately.

Hopefully never needed, the Toolkit for Assessing Recovery Time After an Electromagnetic Disruption is used by test engineers to determine recovery time after an electromagnetic pulse.

Cyber-crime, real world pain

The majority of corporate espionage takes place via simple attacks. Attempts to gain access by soft probing to get personal information such as birthdate are widely known. While hacks of this nature are annoying and can cause problems, they pale in comparison to high level corporate hacks such as the one of Colonial Pipeline in 2021, even though they arose from similar places.

In the Colonial example the hackers entered the company’s networks on April 29 through a virtual private network account. That network allowed employees to remotely access the company’s computer network from another device, to allow for work in the field or at home.

Calamity ensued because the private network account did not use multifactor authentication, now a common cybersecurity tool. Multifactor authentication is most familiar as the code sent to your phone or email that you must enter into a website. In doing so, you are providing a second verification of your identity to prove you are allowed access.

The Colonial hackers were able to breach the network using a compromised username and password. As it turns out, the hundreds of friendly suggestions to change and not reuse the same password can get overlooked by almost anyone.

“We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,” Charles Carmakal, of cybersecurity firm Mandiant, said in an interview. The account’s password was found among a group of leaked passwords; the unidentified employee used the same login and password for work as for a private account that got hacked.

Colonial had to take drastic action to limit the incursion into their systems, and that meant taking everything offline. It was the first time they shut down the entire system in their 57-year history, Colonial Chief Executive Officer Joseph Blount said.

A major player, they transport roughly 2.5 million barrels of fuel daily from the Gulf Coast to the eastern seaboard. The outage led to long lines at gas stations, many of which ran out, and higher fuel prices. Colonial began resuming service on May 12 after nearly two weeks out of action.

Intruders gaining access to private accounts can, in the worst examples like Colonial, grind business to a halt. The nightmare scenario would be the loss of control systems regarding satellites, missile control systems, or domestic power grids.

Thinking this is just a Russia problem is one-dimensional; Microsoft sounded the alarm on Iranian hackers in December. VCS is working to bolster American cybersecurity and develop cutting-edge tools for the Department of Defense, all from Surry County.