This story is one in a statewide series about cyber security and small businesses, supported by the Michigan
. Read the first article of the series
Cybersecurity measures keep our private electronic information safe on a daily basis. But how do cybersecurity professionals know that those measures actually work?
"There’s no way to really test how much a virus or a firewall or something will really affect a network," Tonia Cronin says. "If you take something and you attack a real network, you have the potential to shut it down. You have the potential to really leak data. There’s a cost of business."
Cronin is the business development manager for the Michigan Cyber Range
(MCR), a unique solution to that problem. Cyber ranges are so named to draw a parallel to a shooting range -- a controlled space where people can practice, in Cronin’s words, "completely dangerous things."
Although there are other cyber ranges in the United States, notably DARPA’s National Cyber Range
, MCR is the largest unclassified cyber range in the country. MCR offers a wide variety of training and development services, but one of its key resources is the Secure Sandbox
. The sandbox is a virtual environment where users can test security measures, either by using the sandbox’s preexisting simulated web servers and mail servers, or by building their own personalized testing grounds.
"What goes on in the Sandbox stays in the Sandbox," Cronin says. "People can’t steal intellectual data off of it. People can’t get to the Internet from it."
MCR is a nonprofit under the umbrella of the Ann Arbor-based Merit Network, Inc.
, which provides networking services to Michigan schools, libraries, government organizations and other nonprofits. The range opened in 2012 as a component of Gov. Rick Snyder’s cybersecurity initiative
. With a variety of partners including the U.S. Department of Homeland Security, DTE Energy, Eastern Michigan University and the Michigan State Police, Cronin says MCR fits neatly into Merit’s mission of promoting technology access and education through cooperation.
"Oftentimes, especially in technology, folks don’t collaborate," she says. "They get into their own islands or their own database structure. So enhancing the community is at the core of what we do."
Small business solutions
Although MCR serves a wide range of organizations, Cronin says working with MCR may be of particular benefit to small businesses. Given its nonprofit status, MCR can offer services like penetration tests (or "pentests"), which check a system or application for vulnerabilities, at 70 to 80 percent less than what the same test might cost in the public sector.
"Most of the companies developing these smaller applications and softwares don’t have the staff or the power or the funding to put them through these pentests ahead of time," Cronin says. "So the Secure Sandbox is a great way to do that at a very reduced cost."
Besides providing a proving ground for cybersecurity measures, MCR also offers a wide range of educational opportunities for folks to learn their way around existing cybersecurity issues. MCR offers about 30 classes at any given time, welcoming thousands of students per year -- at both Merit’s physical campus and through online learning opportunities.
"You may not be big enough to have things you want to put on our network, but you do need help with PCI (credit card security) compliance," Cronin says. "And it’s at that point that we do really want to sit down with folks who need our help."
Cybersecurity can be a costly proposition, but MCR endeavors to help small businesses, in particular, keep those costs in check. Cronin says she commonly sees small businesses using security programs much larger and more expensive than the size of their business actually calls for.
"Sometimes it can be as easy as helping them understand that you can get a smaller product," she says. "We’ll help you use it right and now you’re saving money."
The greater cyber-good
In addition to these smaller-scale solutions for individual cybersecurity problems, MCR is also helping to cultivate a couple of projects that address the much bigger cyber-picture. MCR is host to Alphaville
, which Cronin describes as "a virtual, always-there, living, breathing city that is a true cyber-ecosystem." Alphaville includes virtual electronic infrastructure for all the amenities of an average municipality: a city hall, a school, a library, a small business, an electric grid. Cronin says Alphaville provides a great training ground for IT teams seeking to sharpen their skills in defending against a simulated cyber-attack on the town.
"People always just look at their device or their application or their system, not realizing the fact that even if your system is safe, in the internet of things you are connected to a whole world of things that could open you up to make you vulnerable to an attack," she says. "So in Alphaville we have those things that act just like they do in the real world."
Cronin is also the program manager for the Michigan Civilian Cyber Corps
(MiC3), a burgeoning all-volunteer team that is the cyber-equivalent of a fire or police department. MiC3 members take MCR courses and use Alphaville to hone their cyber defense skills in preparation for the possibility of a governor-declared state of cyber emergency.
"We started, years ahead of other states, in saying, ‘If we were to have a cyber attack, it would hit our infrastructure. Not only could we be crippled, but there could be many, many, many deaths involved. Let’s start right now putting together a response, a remediation and an action plan.'"
MiC3 has attracted national attention, most recently receiving a write-up in the Christian Science Monitor
. Like MCR itself, the program is truly one-of-a kind in the U.S. Cronin says Michigan is leading the nation in cybersecurity thanks to initiatives like MCR and MiC3, and the work accomplished thus far is only the tip of the iceberg.
Michigan’s small businesses can rest easy knowing that they have a cutting-edge resource on their side in the MCR -- whether the electronic world is the key dominion of their business or just a necessary component of it.
"In 20 years people are going to think of Michigan as cyber, not automotive," Cronin says. "And we’re going to be able to tell our kids that we did that. We were part of that."
This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security