In Orbit: A KBR Podcast
Though produced by KBR, this series is for anyone and everyone, inside or outside our business. We speak to some of the world’s foremost experts about the great challenges facing humankind today and about solutions to those challenges — what they are, how they work, the people who are creating them, and why they’re important for people like YOU!
That’s because whatever the topic, our main focus is people. Our goal is to connect, educate, inform and inspire.
At the Forefront of the Cybersecurity
Cyberattacks are more sophisticated and happening with more frequency than ever before. They’re also costing companies and governments billions. Fortunately, KBR has a team of well-respected, highly certified experts helping to meet those challenges. Our guest on this episode, Derrick Nixon — vice president of Cybersecurity Solutions at KBR — talks us through KBR’s cutting-edge capabilities and world-class workforce that are helping customers respond to and defend against threats in the cyber domain.
IN ORBIT: A KBR PODCAST
Season 3, Episode 11
At the Forefront of the Cybersecurity
INTRODUCTION
John Arnold
Hello! I’m John, and THIS is In Orbit.
Welcome, one and all, to the podcast. We appreciate you being with us for what is going to be a doozy, because we’re talking about CYBER!
Malware, data breaches, phishing — OH MY! We hear or read about cyber and cyberattacks seemingly on a daily basis. And the score is getting higher all the time as cybercrime and cyberattacks become more sophisticated.
The average cost of a data breach in 2022 reached a record high of 4.35 million U.S. dollars, according to a joint study by IBM and the Ponemon Institute. Now they’re thinking the average cost could reach $5 million in 2023. And speaking of 2023, it’s been a busy year for cyberattacks.
I’m going to share a few examples of the many attacks reported so far from the Center for Strategic and International Studies.
In January 2023, hackers deployed a ransomware attack against the UK postal service, the Royal Mail, which disrupted the systems used to track international mail, and it took 20 days for them to fully restore services. Also in January 2023, hackers targeted government, military, and civilian networks across the Asia-Pacific leveraging malware to obtain confidential information. The wild part is that malware targeted data on victims’ machines as well as audio captured by the microphones ON infected machines.
In February 2023, Italian officials claim hackers conducted a ransomware attack against Acea, an energy utility in Rome. In May 2023, T-Mobile announced — and I’m not trying to pick on any particular mobile service provider — that it suffered its second data breach of 2023, after a hack revealed the PINs, full names, and phone numbers of more than 800 customers. This was T-Mobile’s ninth data breach since 2018 and second this year already.
And just a few days ago — we’re in mid-June now — the American states of Oregon and Louisiana, a bunch of universities, and several U.S. agencies were targeted in a massive data breach that exposed the information of millions.
Now my intent is not to terrify you. But I am trying to give you a smattering of the KINDS of cyberattacks — from civilian focused to government targeted by both independent and state-sponsored groups — that are happening around the world.
With us here today to talk about all this, but more importantly about the kinds of cyber solutions KBR is delivering to help customers meet these kinds of challenges is Derrick Nixon. Derrick is vice president of Cybersecurity Solutions in the Defense Systems Engineering business unit, which is part of KBR’s Government Solutions United States business. Welcome to the podcast, Derrick.
Derrick Nixon
Hey. Yeah, thank you for having me on, John. This is an exciting topic to talk about.
John Arnold
Oh, we are so glad to have you. I get geeked out about this because as people can tell from the open, it's something I'm very, very interested in because as these threats and vulnerabilities grow and evolve, it's something that affects us all. But before we get into that stuff, I wonder if you could just tell us and our listeners a little about yourself and your career journey.
Derrick Nixon
I'd be glad to. I'm originally from central North Carolina, little town called Randleman, North Carolina. It's probably most famous for Richard Petty, the NASCAR all-time winner. I actually went to school with Kyle [Petty, Richard Petty’s son]. After school and going through that, joined the Marine Corps, spent my time in the intelligence community, and later, towards the end of my career, I had the opportunity to go to Marine Corps Systems Command, which is up in Quantico and serve as a project officer for the Marine Corps' intel, surveillance and reconnaissance systems. And was able to really get involved in the acquisition, anything from requirements development to developing this system, working up the training packages and delivering it to the Marines.
After that, like all good Marines, they told me to retire. Stepped out to the defense industry, started out with a small business, eventually moved over to Honeywell, and that's how I was introduced to KBR. Honeywell Technology was acquired by KBR and joined the company, now just celebrated 10 years with the company. It's been a great trip.
John Arnold
Well, first of all, thank you for your service, sir.
Derrick Nixon
Well, I appreciate that.
John Arnold
Yeah, absolutely. And secondly, happy to celebrate that 10-year anniversary with you.
Derrick Nixon
Yeah, it's just a great opportunity. I mean, when you come to a company that you just enjoy coming to work each and every day. And more importantly, and we'll get into this, how it has transformed itself and how it's grown and introduced new capabilities. This is not your dad, your grandfather's KBR. This is a new, very innovative company that is continuing to transform and grow. And it's getting recognized not only by our customer, but the competition.
John Arnold
That's outstanding. And I guess that's a perfect segue into this next question, and I'll get you to set the stage a little bit. Just for our listeners' sake, in communicating with Derrick before the interview, Derrick, you mentioned that there's been a period of transition for KBR from being a company, your granddad's KBR, if you will, that offered customers, specifically government customers services, "To being a provider of solutions." Would you explain to our listeners what the difference is between those two concepts?
Derrick Nixon
Absolutely. The fact that we're actually having this conversation is amazing because seven to eight years ago, cyber really did not exist in KBR through a number of acquisitions. Going back to Wyle, Honeywell, SGT [Stinger Ghaffarian Technologies, Inc.], and most recently Satori, even the Frazer-Nash [Consultancy, a wholly owned KBR subsidiary based in the UK] has brought these capabilities to KBR. It was originally services. We hired very smart people that were highly certified and got paid to be thinkers for the government. They were very specialized in certain aspects, either from things like ethical hacking, compliance, to certain policies and laws, to operational system engineers that really looked at the systems. Each one of these acquisitions continued to grow.
And we went from ... again, we're in the market to hire thinkers and these very, very, very smart individuals that are, again, are very highly certified, to now looking at the government's problems and our customer's problems and trying to offer them holistic solutions to answer maybe a capability shortfall, the technology gap. Something that really changes and helps their ability to defend and respond to cyberattacks.
One of the big areas for us, and it came with some of that Honeywell heritage, is industrial control systems. Our ability to look at those and look at potential attack surfaces in it, being able to securely build those systems and harden those systems to defend itself from a cyberattack is something that we do really well. It's now been recognized by the government. And again, our competition's starting to figure it out as well. Our goal, strategic goal within KBR Cyber is to have a balance between services solutions so we can address any of our customers' requirements.
John Arnold
It's amazing to hear about that evolution from someone who's seen it firsthand. And with that in mind, I wonder if you'll talk a bit about, more specifically, about how KBR has begun to differentiate itself in that respect, particularly around cyber.
Derrick Nixon
Yeah, it's an amazing story. Again, we're starting to be recognized by very specialized cyber organizations — government organizations, even on the commercial side, for our cyber skills. And I'll give you an example here. KBR hosts DSA, which DSA is the organization within the U.S. Department of Defense (DOD) that manages all the networks, all the devices that they set the standard. They push out the requirements that certain devices have to meet to be able to connect to DOD networks. Well, we house what's called DSA Works, their innovation cell for cybersecurity and network advancement within our Columbia, Maryland facility. That's something that they could have went to any DOD defense industry partner out there, but they came to KBR because we were able to show them that we can quickly define the requirements, we can quickly look for either existing capabilities, and sometimes it's with a niche small business, or we can develop that. And more importantly, we've taken the role on as a system integrator to bring maybe bits and parts of solutions together to provide a holistic solution for their bigger problem.
One of the things that — very proud of, and again, seven, eight years ago just wasn't really on the radar for KBR as we were just starting down on cyber — but we recently have trademarked and taken two solutions to market. One’s CRYSTALVISTA(TM) that really focuses on that secure transmission of data at a very high rate. Another one is QUANTUM PANTHEON(TM). And that system is a tactical edge device that puts a heck of a lot of computing capability out at the forward edge. If an adversary was to take out a cloud infrastructure backbone, these systems are still able to take and ingest big data and use artificial intelligence to provide very actionable information back to decision makers. Again, it's part of our transition point, going from 100% services to that balance of services and solutions within the company.
John Arnold
And there's an extraordinary level of trust on behalf of our customers like the US DOD, to have us providing these kinds of solutions, it sounds like.
Derrick Nixon
Absolutely. You only get one chance at it. And what they have seen ... I mean, look at our ability to deliver base camps and support of world crisis. They came to KBR because we deliver. And whether it's loading ships, it's taking man back to the moon, we deliver in cybersecurity. For us, it's a position of pride to be able to help the U.S. government and our allies overcome cyber challenges.
John Arnold
That's outstanding. Well, as I was speaking in the cold open, telling our listeners about some of these threats that we experience, that the world experiences. We seem to be hearing with greater frequency about cyberattacks, ransomware, hacking, both independent and some state-sanctioned from near peers, on utilities, hospitals, vital infrastructure, and the list goes on and on. How are we seeing the landscape of vulnerabilities evolving?
Derrick Nixon
I mean, it's definitely the cyberattacks like ransomware, denial of service, they're still out there. It's almost weekly if not monthly, that we read about schools, business, banking being held under ransomware, and it interrupts our day-to-day lives. It interrupts the flow of business, and it affects the ability to disseminate data and receive data. But what we've also seen recently is, and if you look at the Ukraine-Russian conflict, Russia is targeting critical infrastructure. They're going after the power grid. They're going after the hospitals, as you mentioned. They're going after things that support life. And what they're doing, they're developing new types of attacks and new methods of engaging that, some are kinetic, some are nonkinetic. And for us, we have to adjust our ability to defend and respond to those new emerging attacks. But attacks are on the rise. It's anything from adversary countries, to rogue states, to just outright internet terrorists. And your 12-year-old who's sitting in his mom and dad's house with a computer who goes, "Watch this." We have to look and respond to all those type of threats.
John Arnold
And no one is immune. It boggles the mind. It really does.
Derrick Nixon
With cyber, it not only affects us as a nation, or as a coalition, as a global entity, but cyberattacks can affect you on a very personal level. I think that's why it continues to be at the forefront and use, it's something on one side — chaos affects us on our day-to-day through cyberattacks, but it also brings new opportunities for us. And what we are seeing, and it's a challenge throughout any contractor, the government has the same challenge, is qualified, certified workforce. Automation and artificial intelligence (AI) is playing a bigger role in our ability to defend and respond to cyberattacks. And KBR is sitting right there in the forefront of it. I mean, we're in a top 10 AI providers for the government. We're leveraging that knowledge. We're leveraging the partnerships to really try to get in front of this workforce shortfall right now to be able to, again, defend these sometimes multiple attacks on the same target. It's something that I think that, again, chaos creates opportunity and we're trying to make the best of it.
John Arnold
Yeah. You just mentioned the proliferation of AI. That's exciting and a source of pride to know that KBR is at the forefront of that. And with that in mind, I wonder if you'd tell us about some of the integrated cyber capabilities KBR has at its disposal and how they can help our customers.
Derrick Nixon
Well, I'll tell you the number one asset that we have is our employees. They are phenomenal. We have some just incredible employees that understand systems, human behavior, the intelligence community, and these entities that want to attack both IT systems and operational technologies. Now, one of the things that we've done is made an investment, we being KBR, an investment in this thing called a cyber range. Now, when I throw out cyber range, most of the folks that have been in DOD, they want to see a kinetic range — a bullseye — something that they can aim in on and hit with a projectile or a kinetic weapon. But really, a cyber range is an environment that mimics networks and devices and operational technology. Now, ours is a little bit different than some of the other cyber ranges out there because we actually incorporate both virtualization, VMware type stuff, along with actually physically connecting to some devices.
If you come into our demo room, one of the things that we've done is connected everyday household items — a refrigerator, a microwave, a pressure cooker, a coffee maker — to show you and demonstrate to not only our team, but the customers that come in to see the demonstrations, how easy it is to manipulate and gain control of those type of devices. What it really allows our government partners to do is leverage that environment to test, train and look for vulnerabilities. It allows them to look at their cyber problems in a very low risk environment because it's not actually happening on their production systems. They're not testing and training on the network that runs their organization. However, for the users that we bring in and work with, it looks and smells just like it.
The other thing that we could do is bring in devices — and we've done it for some of the Navy and NAVAIR type customers, we've done it for Department of Transportation — is look at devices. We know why we bought it. We know what's integrated in, say, a vehicle, but what else can we do with it? Can we change the firmware to do something that it shouldn't do? Can we manipulate something to make it look like it's operating correctly, but in essence it's collecting data and being able to transmit it somewhere else?
Our goal is to have our cyber range, our KBR cyber range act like an adversary would. Checklist, very fluid, an evolving environment so we can train our individuals that when they see these attacks, it's second nature to them. It's just like a fire team in the Marine Corps. You adjust and overcome. That's our goal. That's one of the tools that we have. It's been used both internally. We do a lot of the one KBR support, helping other programs of record, and it's used by our customers to test different systems and theories out. It's been a great revenue driver for us for actually a very low investment.
John Arnold
That's just extraordinary, especially to think about the physical connection to devices via the Internet of Things and thinking about needing to know how all these things work just in case there was an incident.
Derrick Nixon
It's incredible. It's muscle memory. It's really taking in ... with this system, we can quickly identify a problem, we can either quarantine that problem, keep some production going, or we've already got a potential fix that we've developed to apply and move on to the next threat that pops its ugly head up.
John Arnold
Gosh, that's just fascinating. You've already mentioned our amazing people, and if people are regular listeners to the podcast, they know that we talk a big game about our people because we should. They're amazing. And so these solutions, of course, they're not being created in a vacuum. Would you tell us a little about how our people and the kinds of skills that they need are bringing these solutions to bear and how their skillsets are evolving?
Derrick Nixon
Absolutely. Our cyber workforce is very heavily certified. Within that domain, certifications — whether it's in certain operating systems, certain devices, certain applications that are used to discover vulnerabilities — certification is one of the bigger requirements. We see it from the government when they ask for service, they ask for individuals that have certain certifications to support their requirements. But even on the solution side, you've got to have individuals that have that … now, we are extremely lucky because KBR has a great tuition assistance, and more importantly, they do professional certifications. One of the few companies, believe me, we absolutely use that as a recruiting piece, but they will pay for certifications for these individuals. What that allows us to do is to bid those individuals against higher labor categories. It opens doors for their promotion. It allows us to bid on new work. That's been a great benefit for the employees. It's a great return on investment for the company, allowing us to continue to grow.
The other thing that we have is our employees jump on this cyber range. Again, they've got to experience, we call it scar tissue. They've got to get the scar tissue to learn to fail fast, to be able to look at these cyber problems and understand them so they can do a better job of reacting to them. And then the last thing I'll talk about is that we've got some great partners out there that we bring in industry standards. We've got relationships with the Amazons, the Googles, the Microsofts. Splunk is just about everywhere within cyber. We do a lot of things with Zscaler and some of these other major vendors. Well, they offer training for our employees and stuff, so our employees get a chance to actually get on there from the developer side, really understand the tool, and be able to maximize it and use it to its full effect for our customers and in our solution.
It's not just one little thing that we do. It is a tool bag of things that we offer for these employees to continue to evolve in that. And then the big thing that I've got to give credit to is our staffing. Our staffing is always looking for the best and brightest cyber individuals out there. We've just brought on two or three game changers in the cyber community where I will tell you, reputation, it's a big player. If you got the right people doing the right behaviors, it gets out. People know who they are, and our new customers will come to us just because we have those individuals and stuff. It's a mixed bag that gets you growth and success within this community.
John Arnold
Well, 1) it's encouraging to hear about those top-notch recruitment efforts going so well. And No. 2), encouraging to know that these people are staying at the forefront. The KBR people are staying at the forefront of the requirements needed to meet these challenges. Derrick, before I let you go, is there anything else that you'd like to add?
Derrick Nixon
Yeah, I got to share this story. It's an amazing story. It really talks about the diversity of our workforce. We actually have a true MD, yes, a medical doctor, who is a certified ethical hacker.
John Arnold
Oh, wow.
Derrick Nixon
That just shows you the diversity of our cyber workforce. I mean, this individual, when he's looking at ethical hacking, looking at behaviors and that, he's understanding the human behavior. The curiosity. "Well, I'm going to pick up this USB that's sitting in the parking lot." Then the desire to help people. "I'm going to plug it into my computer at work, my KBR computer to find out who it is so I can return it to them." Well, not unethical hack, I should say in this case, plays off of those human behaviors. And the more we understand that, the more we can counter that. That's what our IT and security folks have a great training plan, internal, to help prevent insider threat.
Most security breaches are done by employees. It's not just magical as you see on TV type of takedowns. It's somebody has given somebody unauthorized access to our domains and stuff. Again, our security, our IT department does a great job reinforcing breaking bad behaviors and really looking at that human aspect. It's a team effort. We use those type of tricks and things to help exploit our systems for the government so we can show them the vulnerabilities of it. But we also go back in-house, and again, KBR does a great job of trying to prevent our systems, our backbone, our business systems from being exploited.
John Arnold
That's outstanding. Well, sir, I appreciate your time and thank you so much for coming and speaking with us about this. Fascinating, sometimes a little bit terrifying, but very, very infinitely interesting subject.
Derrick Nixon
Yeah. If you lose sleep tonight, I did my job today.
John Arnold
Thank you, sir. We'll talk to you again soon.
Derrick Nixon
Thank you. Have a good day.
CONCLUSION
John Arnold
And there you have it! The prospect of cyber threats is daunting, and they’re something we all need to take seriously. But thankfully, KBR’s got a world-class team of experts standing in the gap.
We want to thank Derrick Nixon for sharing his time, expertise and passion in this awesome discussion about KBR’s cyber capabilities.
If you’d like to learn more about those capabilities, check us out over at kbr.com. Of course, a big thank you to Emma, our producer, for her wonderful work on the podcast. Finally, if you like what you heard today, or if you have an idea for a future episode, please feel free to reach out to us by emailing inorbit@kbr.com.
And that’s all from me! Thank you so much, dear listeners, for tuning in and keeping us in your orbit.
Take care.