Next Score View the next score

    Mass. at center of a war on hackers

    State’s growing network-protection sector may be 2d in nation

    From his office in Burlington, Richard Wang, a security expert at Sophos, can determine where cyberattacks originate and which websites have been corrupted.
    From his office in Burlington, Richard Wang, a security expert at Sophos, can determine where cyberattacks originate and which websites have been corrupted.

    The job seemed straightforward: A client wanted the cybersecurity company Core Security Technologies to probe for vulnerabilities in a new system to let customers use its Wi-Fi network.

    But the client was an airline, and Core Security found a big and potentially dangerous hole. The network was so vulnerable to being hacked that a terrorist could use it to remotely detonate a bomb, much like a cellphone is sometimes used by militants as a timing device on explosives.

    Core Security declined to identify its client, which has fixed the problem in its Wi-Fi network. But the airline joins a long list of companies, many of which also remain anonymous, that have had their critical systems protected or improved by a Massachusetts cybersecurity company, burnishing the reputation of the state as a stronghold of tech sleuths working to fortify corporate and government networks.

    The growing cadre ranges from the giant defense contractor Raytheon Co. to small start-ups such as Co3 Systems Inc. in Cambridge. Many of them, such as Arbor Networks Inc. of Burlington and Courion Corp. of Westborough, are on hiring sprees to keep up with the demand for their services.

    Their growth is helping to fuel a cybersecurity sector in Massachusetts that many say is second only to Silicon Valley’s in terms of its concentration of security professionals and academics who focus on a potent and costly problem. The state is home to more than two dozen cybersecurity companies and organizations that, combined, employ hundreds of professionals.

    The sector is also drawing a growing amount of venture capital investment. Nationally, venture capitalists poured some $649 million into cybersecurity companies last year. One of the biggest deals of any kind in 2012 by a venture capital firm for a New England start-up in 2012 was the $34.5 million financing of Bit9 Inc. of Waltham.


    “Money is flowing pretty freely into cybersecurity companies,” said John Backus, managing partner of New Atlantic Ventures, an investment firm with an office in Cambridge that funds security companies.

    Get Talking Points in your inbox:
    An afternoon recap of the day’s most important business news, delivered weekdays.
    Thank you for signing up! Sign up for more newsletters here

    No wonder. After a spate a high-profile security lapses at major American corporations, businesses are spending big money to protect their networks. Spending on software security is expected to grow more than 40 percent to $85.6 billion by 2016, according to Gartner Inc., a research company.

    The high level of investment, as well as growing acquisitions in the security sector, indicates that both large and small companies want better ways to bolster cybersecurity because criminal hackers continue to devise new ways to strike.

    “It’s pretty clear to everyone out there that the current antivirus model doesn’t work,” said New Atlantic’s Backus, noting that antivirus software is often unable to prevent the most malicious attacks.

    During the past few years, attacks on computer networks have become more common and more high-profile. In 2012, criminal hacker groups executed successful strikes on the business networking site LinkedIn to steal passwords and broke into the South Carolina Department of Revenue, exposing financial data from more than 3 million people.


    “The bad guy is constantly reinventing and designing new ways to get into systems,” said Larry Ponemon, founder of the Ponemon Institute, a cybersecurity think tank in Traverse City, Mich.

    In a survey of 56 organizations, the institute found that cybercrime cost them an average of $8.9 million a year, and companies in the study each experienced about two successful attacks per week.

    “Most attackers are mercenaries,” he said. “They are motivated by the bucks.”

    But while the majority of cyberattacks are aimed at extracting valuable data that can be used to steal or extort money, hackers have also used computer networks to execute massive attacks on public services, such as government agencies and utility systems.

    One of the most alarming computer worms is called Stuxnet, which was designed to cripple industrial control systems. Many experts believe the US government used it in 2010 to attack Iran’s nuclear program before the worm made its way to the open Internet.


    “When Stuxnet hit, it really drove the conversation in the boardroom,” said Brian Ahern, chief executive of Industrial Defender Inc., a Foxborough company that provides software to utilities to help them detect and defend against attacks on their computer systems.

    Ahern pointed out that a successful strike on an electric grid or water utility could jeopardize homeland security and public safety, and that trying to safeguard such systems is becoming a bigger priority in the federal government and among utilities nationwide.

    The Industrial Control Systems Cyber Emergency Response Team, a federal agency that monitors attacks on critical infrastructure, responded to 198 “cyber incidents” last year, such as malicious e-mail attacks known as “spear phishing” that are meant to gain unauthorized access to utilities.

    Indeed, dangers on the Web are varied. Strikes come from foreign governments trying to steal national secrets as well as in “ransomware,” which takes over a computer until the owner pays off the attacker.

    The challenge for security companies, whether big players such as RSA, the security division of the Bedford database company EMC Corp., or midsize businesses such as Sophos, a British company with its US headquarters in Burlington, is to ensure products they sell stay ahead of the criminal cybergangs.

    “It’s pretty much an ongoing battle between the people who are trying to protect systems and those who are trying to attack them,” said Richard Wang, a security expert with the division at Sophos that tracks and analyzes Web attacks.

    From his office in Burlington, Wang can determine where attacks originate and which websites have been corrupted.

    “Even simple attacks have multiple layers of attackers . . . located across the world,” he said.

    Sophos and others are growing on the promise of keeping their clients’ networks safe. But the best defense for thwarting an e-mail scam or a Web con artist, Wang said, is often a dose of skepticism.

    Michael B. Farrell
    can be reached at